• Images
• Videos
• Documents
• Books
• Articles

Features

TestDisk can recover deleted partitions, rebuild partition tables or rewrite the master boot record (MBR).⁴⁵

Partition recovery

TestDisk retrieves the LBA size and CHS geometry of attached data storage devices (i.e. hard disks, memory cards, USB flash drives, and virtual disk images) from the BIOS or the operating system. The geometry information is required for a successful recovery. TestDisk reads sectors on the storage device to determine if the partition table or filesystem on it requires repair (see next section).

TestDisk is able to recognize the following partition table formats:⁶

• Apple partition map
• GUID Partition Table
• Humax
• PC/Intel Partition Table (master boot record)
• Sun Solaris slice
• Xbox fixed partitioning scheme
• Non-partitioned media

TestDisk can perform deeper checks to locate partitions that have been deleted from the partition table.⁷ However, it is up to the user to look over the list of possible partitions found by TestDisk and to select those that they wish to recover.

After partitions are located, TestDisk can rebuild the partition table and rewrite the MBR.⁸

Filesystem repair

TestDisk can deal with some specific logical filesystem corruption.⁹

File recovery

When a file is deleted, the list of disk clusters occupied by the file is erased, marking those sectors available for use by other files created or modified thereafter. TestDisk can recover deleted files especially if the file was not fragmented and the clusters have not been reused.

There are two file recovery mechanisms in the TestDisk package:¹⁰

• TestDisk proper uses knowledge of the filesystem structure to perform "undelete".
• PhotoRec is a "file carver". It does not need any knowledge of the file system, but instead looks for patterns of known file formats in the partition or disk image. It works best on unfragmented files and cannot recover the file name.

Digital forensics

TestDisk can be used in digital forensics to retrieve partitions that were deleted long ago.¹¹ It can mount various types of disk images including the Expert Witness File Format used by EnCase.¹²¹³ Binary disk images, such as those created with ddrescue, can be read by TestDisk as though they were storage devices.¹⁴

In TestDisk versions prior to version 7, a malformed disk or its image can be used to inject malicious code into a running TestDisk application on Cygwin.¹⁵

File system support

File system support for TestDisk is shown in the table:

Some features, such as partition table editing and PhotoRec "carving", do not depend on the file system at all.

See also

• Free and open-source software portal

• PhotoRec
• List of data recovery software
• List of free and open-source software packages

External links

• TestDisk Wiki
• List of news articles about TestDisk and PhotoRec
• Data Recovery With TestDisk, Falko Timme, HowtoForge
• Digital Forensics using Linux and Open Source Tools

Test Disk Team: Main Contributor: Christophe Grenier. Location: Paris, France. URL: cgsecurity.org. He started the project in 1998 and is still the main developer. He is also responsible for the packaging of TestDisk & PhotoRec for DOS, Windows, Linux (generic version), MacOS X, and Fedora distribution.

References

1. Moggridge, J. (2017). "Security of patient data when decommissioning ultrasound systems". Ultrasound. 25 (1). Leeds, England: 16–24. doi:10.1177/1742271X16688043. PMC 5308389. PMID 28228821. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5308389 ↩

2. Grenier, Christophe (2021-05-31), TestDisk Documentation, CG Security (PDF) https://www.cgsecurity.org/testdisk_doc/ ↩

3. kumar, Hany; Saharan, Ravi; Panda, Saroj Kumar (March 2020). "Identification of Potential Forensic Artifacts in Cloud Storage Application". 2020 International Conference on Computer Science, Engineering and Applications (ICCSEA). pp. 1–5. doi:10.1109/ICCSEA49143.2020.9132869. ISBN 978-1-7281-5830-3. S2CID 220367251. 978-1-7281-5830-3 ↩

4. Debra Littlejohn Shinder, Michael Cross (2002). Scene of the cybercrime, page 328. Syngress. ISBN 978-1-931836-65-4. /wiki/ISBN_(identifier) ↩

5. kumar, Hany; Saharan, Ravi; Panda, Saroj Kumar (March 2020). "Identification of Potential Forensic Artifacts in Cloud Storage Application". 2020 International Conference on Computer Science, Engineering and Applications (ICCSEA). pp. 1–5. doi:10.1109/ICCSEA49143.2020.9132869. ISBN 978-1-7281-5830-3. S2CID 220367251. 978-1-7281-5830-3 ↩

6. Grenier, Christophe (2021-05-31), TestDisk Documentation, CG Security (PDF) https://www.cgsecurity.org/testdisk_doc/ ↩

7. Grenier, Christophe (2021-05-31), TestDisk Documentation, CG Security (PDF) https://www.cgsecurity.org/testdisk_doc/ ↩

8. Grenier, Christophe (2021-05-31), TestDisk Documentation, CG Security (PDF) https://www.cgsecurity.org/testdisk_doc/ ↩

9. Jack Wiles, Kevin Cardwell, Anthony Reyes (2007). The best damn cybercrime and digital forensics book period, page 373. Syngress. ISBN 978-1-59749-228-7. /wiki/ISBN_(identifier) ↩

10. Grenier, Christophe (2021-05-31), TestDisk Documentation, CG Security (PDF) https://www.cgsecurity.org/testdisk_doc/ ↩

11. kumar, Hany; Saharan, Ravi; Panda, Saroj Kumar (March 2020). "Identification of Potential Forensic Artifacts in Cloud Storage Application". 2020 International Conference on Computer Science, Engineering and Applications (ICCSEA). pp. 1–5. doi:10.1109/ICCSEA49143.2020.9132869. ISBN 978-1-7281-5830-3. S2CID 220367251. 978-1-7281-5830-3 ↩

12. Grenier, Christophe (2021-05-31), TestDisk Documentation, CG Security (PDF) https://www.cgsecurity.org/testdisk_doc/ ↩

13. Altheide, C., & Carvey, H. (2011). File System and Disk Analysis. In Digital Forensics with Open Source Tools. Elsevier. https://booksite.elsevier.com/samplechapters/9781597495868/Chapter_3.pdf https://booksite.elsevier.com/samplechapters/9781597495868/Chapter_3.pdf ↩

14. Németh, Z. L. (2015). "Modern binary attacks and defences in the windows environment — Fighting against microsoft EMET in seven rounds". 2015 IEEE 13th International Symposium on Intelligent Systems and Informatics (SISY). pp. 275–280. doi:10.1109/SISY.2015.7325394. ISBN 978-1-4673-9388-1. S2CID 18914754. 978-1-4673-9388-1 ↩

15. Németh, Z. L. (2015). "Modern binary attacks and defences in the windows environment — Fighting against microsoft EMET in seven rounds". 2015 IEEE 13th International Symposium on Intelligent Systems and Informatics (SISY). pp. 275–280. doi:10.1109/SISY.2015.7325394. ISBN 978-1-4673-9388-1. S2CID 18914754. 978-1-4673-9388-1 ↩

16. Grenier, Christophe (2021-05-31), TestDisk Documentation, CG Security (PDF) https://www.cgsecurity.org/testdisk_doc/ ↩

17. Grenier, Christophe (2021-05-31), TestDisk Documentation, CG Security (PDF) https://www.cgsecurity.org/testdisk_doc/ ↩

18. Find filesystem parameters to rewrite a valid BIOS parameter block (analogous to "superblocks" in Unix file systems) /wiki/BIOS_parameter_block ↩

19. Restore the BPB using its backup (NTFS, FAT32, exFAT) ↩

20. Use the two copies of the FAT to rewrite a coherent version ↩

21. Restore the BPB using its backup (NTFS, FAT32, exFAT) ↩

22. Find filesystem parameters to rewrite a valid BIOS parameter block (analogous to "superblocks" in Unix file systems) /wiki/BIOS_parameter_block ↩

23. Restore the BPB using its backup (NTFS, FAT32, exFAT) ↩

24. Restore the Master File Table (MFT) from its backup ↩

25. Find backup superblock location to assist fsck /wiki/Fsck ↩

26. Restore the BPB using its backup (NTFS, FAT32, exFAT) ↩

27. RAID 1: mirroring, RAID 4: striped array with parity device, RAID 5: striped array with distributed parity information and RAID 6: striped array with distributed dual redundancy information ↩