Posted inLinux

Recover Linux Partitions and Data: A Practical Guide to TestDisk and PhotoRec

Linux tutorial - IT technology blog
Linux tutorial - IT technology blog

Quick Start: Installation and Execution

In an emergency and need the tools immediately? Open your terminal and install this kit based on your distribution:

# Ubuntu, Debian, Kali Linux
sudo apt update && sudo apt install testdisk -y

# CentOS, RHEL, AlmaLinux
sudo dnf install epel-release -y
sudo dnf install testdisk -y

# Arch Linux
sudo pacman -S testdisk

Once finished, you’ll have two main “weapons”: testdisk to revive partitions and photorec to dig up individual files. To start, simply run the command with sudo:

sudo testdisk

Understanding the TestDisk & PhotoRec Duo

Many newcomers often confuse the purposes of these two. Although they come in the same package, they solve two very different problems:

  • TestDisk: Specializes in partition tables. If you accidentally delete a partition or a drive suddenly reports as “RAW”, TestDisk will scan and rebuild the structure. The data inside will reappear without needing to be copied elsewhere.
  • PhotoRec: Focuses on scanning data blocks to find files. It ignores the filesystem, so even if a partition is formatted or severely damaged, PhotoRec can still recover data. The only downside is it doesn’t preserve original filenames or folder structures.

Recovering Partitions with TestDisk

Suppose you just accidentally deleted /dev/sdb1 containing all your source code. Don’t panic, stay calm and follow these steps:

Step 1: Create a Log
Open sudo testdisk and select [ Create ] to start a log file. This is extremely helpful if the scanning process encounters errors halfway through.

Step 2: Specify the Disk
Use the arrow keys to select the hard drive with the missing partition, then press [ Proceed ].

Step 3: Identify Partition Table Type
TestDisk usually auto-detects the correct type (often [Intel] for MBR or [EFI GPT] for modern machines). Just leave it as default and press Enter.

Step 4: Quick Search
Select [ Analyze ] then [ Quick Search ]. TestDisk will search for traces of old partitions on the disk surface.

Step 5: Review and Write
A list of found partitions will appear. Press P to preview the files inside. If it’s the data you need, press Enter and select [ Write ] to save the partition table.

After 3 years of managing over 10 Linux VPS, I’ve learned a painful lesson: always double-check your command before pressing Enter. At the [ Write ] step, one moment of carelessness in selecting the wrong drive can wipe out all customer data instantly.

Recovering Data with PhotoRec

If the partition is back but files are still missing, or if you accidentally ran rm -rf, PhotoRec is your last hope.

sudo photorec /dev/sdb
  1. Select Target: Select the partition where the files used to exist.
  2. Filter Formats: Press s to deselect all, then only check the necessary extensions (like .jpg, .pdf, .py). This can save up to 70% of waiting time.
  3. Start Searching: Select [ Search ].
  4. Filesystem Type: For Linux, choose [ ext2/ext3/ext4 ].
  5. Destination: CRITICAL NOTE! You must save the recovered files to a DIFFERENT drive. If you save them to the drive you are recovering from, the old data will be overwritten and lost forever.

Advanced Techniques for Tough Cases

If Quick Search doesn’t yield results, don’t give up. Use [ Deeper Search ]. This mode meticulously scans every sector. Although time-consuming (sometimes taking 3-4 hours for a 1TB drive), it can find partitions lost months ago.

Another case is a Superblock error preventing Linux from mounting the drive (often due to sudden power loss). You can recover from a backup Superblock:

# Access: TestDisk -> Advanced -> Select Partition -> Superblock

The tool will list backup locations. Use the fsck command along with these addresses to repair the filesystem.

Real-World Troubleshooting Experience

Everyone panics when data is lost. But as a technician, you need to stay cool and follow these rules:

  • Prioritize Read-only: umount the partition immediately. The longer you wait, the easier it is for system processes to overwrite empty blocks with new data, narrowing your recovery chances.
  • Clone the Drive (Disk Image): For mission-critical data, do not work directly on the drive. Use the dd command to create an image file and perform recovery on that instead.
    • sudo dd if=/dev/sdb of=/home/user/disk_image.img conv=noerror,sync
  • Keep a Live USB Handy: Always have a Bootable USB (SystemRescue or Ubuntu Live). You cannot recover a boot partition while running the OS from it.
  • Check Drive Health: A lost partition can sometimes be a sign of Bad Sectors. You should use smartctl to check before attempting long-term data recovery.

In reality, no tool guarantees 100% success, especially with SSDs and their TRIM mechanism. Therefore, instead of gambling on TestDisk, get into the habit of performing regular backups for critical data.

Share:
Tags: