PhotoRec Guides & Troubleshooting

Step-by-step recovery workflow, permissions, disk images, and when to use TestDisk first.

1. Before you start: prevent overwrite

  • Stop using the device immediately once you discover deleted or missing files. Any new writes (saving files, installing software, browsing) can overwrite the data you want to recover.
  • Do not install PhotoRec (or any recovery tool) onto the same drive you are recovering from. Install or extract to another drive or partition.
  • Choose a different destination drive for recovered files. Never save recup_dir output to the same partition or physical device you are scanning.

2. Run PhotoRec with the right permissions

To recover files from a physical disk, USB key, memory card, or CD/DVD, PhotoRec needs sufficient rights to access the device.

  • Windows: Run PhotoRec from an account in the Administrator group. On Windows Vista and later, right-click photorec_win.exe and choose Run as administrator.
  • Linux / BSD: Run as root (e.g. sudo ./photorec_static).
  • macOS: If you are not root, PhotoRec may offer to restart itself using sudo; enter your Mac user password when prompted.

Permissions are required because direct access to physical disks is restricted by the operating system for safety. Without it, PhotoRec cannot read the raw sectors needed for carving.

3. Step-by-step recovery workflow

Select disk

PhotoRec lists available media. Use the arrow keys to select the disk that contains the lost files, then press Enter. On Linux, using the raw device (e.g. /dev/rdisk*) can be faster than /dev/disk*.

Select partition / source area

Choose the partition that held the lost files, or the whole disk if partitions are lost. You can open File Opt to change which file types to recover, and Options to change recovery options (e.g. Paranoid, Keep corrupted files, Expert mode). Then choose Search to start.

Options

Paranoid (default) verifies recovered files and rejects invalid ones. Enable bruteforce for more fragmented JPEGs (CPU-intensive). Low memory can help on systems that run out of RAM during recovery. Keep corrupted files saves files that fail validation in case you can repair them later. Expert mode lets you force block size and offset (e.g. when the file system is lost or reformatted).

Choose file families / formats

In File Opt, enable or disable the types you need (e.g. JPEG, TIFF/RAW, ZIP, Office). The full list has hundreds of formats; see File formats recovered by PhotoRec.

File system type & scan area

Unless the source is ext2/ext3/ext4, choose Other. Then choose whether to search only unallocated space (deleted files only, for FAT/NTFS/ext2–4) or the whole partition (for corrupted file systems or when you need all carved data).

Choose destination folder

Select a directory on a different drive (e.g. another internal drive, USB drive, or network location). On macOS, external volumes are often under /Volumes; on Linux, /media, /mnt, or /run/media. On Windows, use the arrow keys to go to .. until you see the drive list (C:, D:, etc.), then select the destination and confirm with Y.

Monitor progress and results

Recovered files are written to recup_dir.1, recup_dir.2, etc. You can browse them even while the recovery is still running. When done, a summary is shown. If you interrupt, PhotoRec can resume on the next run.

PhotoRec recovery steps: disk and partition selection
Selecting the disk and partition before starting the search.
PhotoRec recovery steps: destination and progress
Choosing the destination folder and monitoring recovery progress.

4. Recover from disk images

You can run PhotoRec on a raw disk image (e.g. image.dd) or an EnCase E01/EWF image instead of the physical drive. This is safer for forensics and repeatability: work on a copy, not the original.

Examples:

  • photorec image.dd — raw image
  • photorec image.E01 — EnCase EWF image
  • For split EnCase files: photorec 'image.???' (path as appropriate)

5. Handling encrypted volumes and RAID devices

Many devices are autodetected, including Linux software RAID (e.g. /dev/md0) and file systems encrypted with cryptsetup, dm-crypt, LUKS, or TrueCrypt (e.g. /dev/mapper/truecrypt0). PhotoRec must see the decrypted or assembled device—unlock or assemble the volume first using your OS tools, then run PhotoRec on that device. Use only on systems and data you are authorized to access.

6. When PhotoRec is NOT the best first choice

For lost or deleted partitions, or for undelete on FAT or NTFS when the file system is still intact, TestDisk is often faster and can recover original filenames. Try TestDisk first in those cases; use PhotoRec when the file system is damaged, reformatted, or when you need signature-based carving.

This site focuses on PhotoRec; both tools are in the same CGSecurity download and documentation.

7. Antivirus warnings explained

Recovery utilities that access disks at a low level can trigger heuristic detection in antivirus software. PhotoRec is a legitimate, open-source tool—not malware. To reduce false alarms and ensure safety:

  • Download from the official CGSecurity site and verify checksums.
  • Scan the downloaded archive before extracting. If the hash matches the official list, a heuristic alert is often a false positive; you can still report it to your AV vendor.

After recovery, CGSecurity recommends scanning recovered files for malware—PhotoRec may restore previously deleted infected files.