TestDisk is a powerful open-source data recovery tool designed to recover lost or deleted partitions and repair corrupted filesystems. It can recover lost partitions, rebuild partition tables, and restore deleted files across multiple filesystem types. TestDisk is essential for digital forensics, disaster recovery, and data recovery operations in security assessments and incident response scenarios.
sudo apt-get update
sudo apt-get install testdisk
brew install testdisk
wget https://www.cgsecurity.org/testdisk-7.1.tar.bz2
tar -xjf testdisk-7.1.tar.bz2
cd testdisk-7.1
./configure
make
sudo make install
testdisk --version
testdisk --help
| Tool | Purpose |
|---|
testdisk | Partition recovery and filesystem repair |
photorec | File recovery from any storage media |
fidentify | File type identification |
# Start interactive TestDisk
sudo testdisk
# Follow prompts to:
# 1. Select storage device
# 2. Choose partition table type
# 3. Analyze and recover partitions
# List available disks
testdisk /list
# Analyze specific disk
sudo testdisk /dev/sda
# Verbose logging
sudo testdisk /debug /dev/sda
# List all block devices
lsblk
# List disks with TestDisk
testdisk /list
# Show detailed information
sudo fdisk -l
# List partitions
sudo parted -l
# Specify device in TestDisk
testdisk /dev/sda
# For USB devices
testdisk /dev/sdb
# For NVMe drives
testdisk /dev/nvme0n1
| Device | Type |
|---|
/dev/sda | Primary SATA drive |
/dev/sdb | Secondary SATA drive |
/dev/nvme0n1 | NVMe SSD |
/dev/sdc | USB device |
# Intel partition table (MBR)
# FAT, NTFS, ext2/3/4
# GUID Partition Table (GPT)
# Modern EFI systems
# Advanced partition scheme
# Multiple partition types
# Quick search
# Scans partition headers
# Deep search
# Analyzes entire drive
# Ignore geometry errors
# For corrupted MBR
# 1. Connect storage device
sudo testdisk
# 2. Select device from list
# Select /dev/sda
# 3. Choose partition table type
# Intel (MBR) or EFI (GPT)
# 4. Analyze partitions
# Auto or Manual
# 5. View found partitions
# Verify partition types
# 6. Write partition table
# Confirm recovery
| Option | Function |
|---|
Deeper Search | Comprehensive scan |
List Files | Browse recovered files |
Backup | Save partition table |
Write | Restore partition table |
# Launch PhotoRec
sudo photorec
# Follow menu to:
# 1. Select storage device
# 2. Choose filesystem
# 3. Select file types
# 4. Run recovery
# Common file types
# Images: JPG, PNG, GIF, RAW
# Documents: DOC, PDF, XLS
# Video: MP4, MOV, AVI
# Archives: ZIP, RAR, 7Z
# JPG images only
# Select JPG from list
# PDF documents
# Select PDF
# All file types
# Select "All" option
| Parameter | Purpose |
|---|
File Formats | Select specific types |
Filesystem | Target filesystem |
Search Path | Recovery location |
Blocksize | Sector size |
# Create MBR backup
sudo dd if=/dev/sda of=mbr_backup.bin bs=512 count=1
# Create GPT backup
sudo sgdisk /dev/sda -b=gpt_backup.bin
# Export partition table
sudo testdisk /dev/sda /backup=sda.bak
# Restore from backup
sudo dd if=mbr_backup.bin of=/dev/sda bs=512 count=1
# Restore GPT
sudo sgdisk /dev/sda -l=gpt_backup.bin
# Verify restoration
sudo parted -l
# Check ext4 filesystem
sudo fsck -n /dev/sda1
# Check NTFS
sudo ntfsck /dev/sda1
# Check FAT32
sudo fsck.vfat /dev/sda1
# Ext4 repair
sudo fsck.ext4 -y /dev/sda1
# NTFS repair
sudo ntfsck -r /dev/sda1
# FAT32 repair
sudo fsck.vfat -y /dev/sda1
# Create mount point
sudo mkdir -p /mnt/recovered
# Mount ext4
sudo mount -t ext4 /dev/sda1 /mnt/recovered
# Mount NTFS
sudo mount -t ntfs /dev/sda1 /mnt/recovered
# Mount FAT32
sudo mount -t vfat /dev/sda1 /mnt/recovered
# Start file carving
sudo photorec
# Select device
# Select filesystem
# Choose output directory
# Select file types
# Run recovery
# Monitor progress
watch -n 1 'find recovered_files -type f | wc -l'
# Recover images from range
# Specify sector range
# Set file type filters
# Run carving operation
# Example: Last 10GB only
# Set start/end sectors appropriately
# 1. Connect storage to recovery machine
# 2. Run TestDisk
sudo testdisk
# 3. Select device (e.g., /dev/sdb)
# 4. Choose partition type (Intel or EFI)
# 5. Run Deeper Search
# 6. Verify found partitions
# 7. Write partition table
# 8. Reboot system
# 9. Verify recovered partition
sudo parted -l
# 1. Run TestDisk or PhotoRec
sudo photorec
# 2. Select device
# 3. Choose target filesystem
# 4. Specify output directory
# 5. Select file types
# 6. Run recovery process
# 7. Monitor progress
# 8. Access recovered files
ls -la recovered_files/
# 1. Boot from recovery USB
# 2. Connect external drive
# 3. Analyze damaged drive
sudo testdisk /dev/sda
# 4. Recover partition table
# 5. Mount partitions
sudo mkdir -p /mnt/sda1
sudo mount /dev/sda1 /mnt/sda1
# 6. Extract critical data
rsync -av /mnt/sda1/ /external_drive/
# 7. Use PhotoRec for additional files
sudo photorec
# 1. Create forensic image
sudo dd if=/dev/sda of=forensic_image.dd bs=4M status=progress
# 2. Analyze image with TestDisk
testdisk /dev/loop0 # After loop mount
# 3. Recover deleted files
sudo photorec /dev/sda
# 4. Document findings
ls -la recovered_files/ > recovery_log.txt
#!/bin/bash
DEVICE=$1
OUTPUT_DIR="/mnt/recovery_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$OUTPUT_DIR"
echo "[*] Starting recovery for $DEVICE"
echo "[*] Output: $OUTPUT_DIR"
# Run PhotoRec in batch mode
# Note: TestDisk/PhotoRec have limited CLI batch support
# Interactive mode is typically required
echo "[*] Mount device for manual recovery"
sudo mount "$DEVICE" "$OUTPUT_DIR"
#!/bin/bash
RECOVERY_DIR=$1
echo "[*] Recovery Statistics:"
echo "Total files: $(find "$RECOVERY_DIR" -type f | wc -l)"
echo "Total size: $(du -sh "$RECOVERY_DIR" | cut -f1)"
echo "[*] File type distribution:"
find "$RECOVERY_DIR" -type f | sed 's/.*\.//' | sort | uniq -c
echo "[*] Largest files:"
find "$RECOVERY_DIR" -type f -exec du -h {} + | sort -rh | head -10
#!/bin/bash
RECOVERY_DIR=$1
REPORT_FILE="recovery_report_$(date +%Y%m%d_%H%M%S).txt"
{
echo "Recovery Report"
echo "Generated: $(date)"
echo "================================"
echo ""
echo "Statistics:"
echo "Total Files: $(find "$RECOVERY_DIR" -type f | wc -l)"
echo "Total Size: $(du -sh "$RECOVERY_DIR" | cut -f1)"
echo ""
echo "File Types:"
find "$RECOVERY_DIR" -type f | sed 's/.*\.//' | sort | uniq -c
echo ""
echo "Largest Files:"
find "$RECOVERY_DIR" -type f -exec du -h {} + | sort -rh | head -20
} > "$REPORT_FILE"
echo "[*] Report saved: $REPORT_FILE"
# Create forensic image before recovery
sudo dd if=/dev/sda of=backup_image.dd bs=4M status=progress
# Verify image integrity
md5sum backup_image.dd > backup_image.md5
md5sum -c backup_image.md5
# Log all commands
script -a recovery_session.log
# Record device information
sudo fdisk -l > device_info.txt
sudo parted -l >> device_info.txt
# Document findings
date > recovery_notes.txt
echo "Recovery performed on $(date)" >> recovery_notes.txt
# Hash original storage device
sudo md5sum /dev/sda > original_hash.txt
# Hash recovered data
find recovered_files -type f -exec md5sum {} + > recovered_hashes.txt
# Document all actions
echo "Recovery timestamp: $(date)" > chain_of_custody.log
# TestDisk requires root
sudo testdisk /dev/sda
# Or use sudo for all commands
sudo photorec
# Check device detection
lsblk
sudo fdisk -l
# Reconnect device
# Try different USB port
# Check with dmesg
dmesg | tail -20
# Consider drive size vs free space
# Large drives take time
# Monitor progress
watch -n 10 'df -h'
# Can pause and resume
# Save recovery state
# Verify filesystem integrity
fsck -n /dev/sda1
# Try different recovery options
# Use Deeper Search
# Test different filesystem types
# Consider professional recovery if critical
# Never write to source during recovery
# Mount read-only
sudo mount -r /dev/sda1 /mnt/
# Use external storage for recovery
# Verify target has space
df -h /target_directory
# Always backup original partition table
sudo sfdisk -d /dev/sda > partitions.bak
# Backup boot sector
sudo dd if=/dev/sda of=bootsector.bak bs=512 count=1
# Verify backup
ls -la *.bak
- ddrescue — Data recovery with error handling
- Autopsy — Digital forensics framework
- Sleuth Kit — Forensic analysis toolkit
- photorec — File carving (included with TestDisk)
- fsck — Filesystem checking and repair
