[TriLUG] Recover deleted video from SD card?

Joseph Mack NA3T jmack at wm7d.net
Sun Apr 27 16:15:29 EDT 2014 

On Sat, 26 Apr 2014, Nathan Yinger wrote:

> Hello,
>
> After sending a Raspberry Pi up on a weather balloon and getting some very
> nice video from the air, I turned the Pi on again and my startup script
> overwrote the video file. Does anyone know how I could recover the lost
> video?

If it's FAT, Norton unerase will do it for you. Otherwise...

Short answer: it's going to be very difficult. I didn't figure out how to do it 
at least.

Long answer: I've done a similar thing. I spent sometime reviewing webpages on 
unix undeletes. There are also bootable CDs that you can forenze your disk with, 
but I never figured out how to use them.

The problem is that most unix deletes free up the inodes (which point to the 
data sectors). You have to umount your disk before the OS writes again to the 
disk, otherwise it will likely overwrite the old inodes. Even if there have been 
no writes, what you have is a disk of sectors from the file of interest, sectors 
from current files and sectors from old deleted files. You make a dd copy of 
your disk. You then have to identify the allocated sectors and remove them from 
your copy. You then need to figure out which sectors are inodes and which are 
data and assemble them into file(s), one sector at a time. Text is relatively 
easy to reassemble. There are tools to recognise inodes, but I couldn't figure 
out how to get them to work.

You can hope that files will be written into free disk space sequentially (by 
sector number) or at least into blocks of sequential writes. So once you've 
found one sector, you look forwards and backwards.

I gave up and kissed my files good bye.

Most of my disks change little over time. Every month now, I run a cronjob like 
this

--
#!/bin/bash
# writes zeroes to disk, to remove old (erased) files etc

#do monthly
mount_points=`mount | grep ext3 | awk '{print $3}' | xargs`

for mount_point in $mount_points
do
         cd $mount_point
         #have mount_point in command, so can see with `ps`
         dd if=/dev/zero of=${mount_point}/zero.zero
         rm zero.zero
         touch zero.touch
done
--

This fills the unused sectors with zeroes. If ever I need to send a disk off for 
file unerase, as least there will not be too much of an accumulation of old 
erased files to sort through

Good luck

Joe

-- 
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!

More information about the TriLUG mailing list