Saturday, June 21, 2014

Recover lost files from usb stick


Sometimes we make a mistake and accidentally delete files from a USB drive, or format its partition. Most people believe the files are gone for good and that we should let go, but in some cases the files can be successfully recovered and the day saved!

Generally, the cases where we can try recovery and hope for the best are:

1. When files were removed
2. We've done flash disk (flash usb stick) format [quick format only]
3. USB Flash stick format was performed [quick format] and some other files were written afterwards.

If you are a happy user of Ubuntu (or Unix in general) and your case is one of the three above, the files can most likely be recovered. In cases 1 and 2 the files can most certainly be recovered, and in case 3 we depend on luck (we hope that the files copied afterwards were not written to the sectors containing the files we are hoping to recover).

To do this under Linux there is a wonderful little program called foremost which does the job.
Here is a download link: http://foremost.sourceforge.net/

Under Ubuntu you can install it with apt-get; type the following in a command shell:

$ sudo apt-get install foremost

Now that you have this program ready and installed, you can start recovery of your lost files.
For more info on the command options of this wonderful software, check out the man pages:

$ man foremost 

OK, now in order to recover lost files all you need to do is plug in your USB flash stick, find the right device mapping and start the recovery. To find the USB device mapping (if you've already mounted the USB flash stick onto the file system) type

$ sudo mount 

The output should show the mapping of all devices to their corresponding paths on the file system. For me, when I insert the USB flash stick, the device mapping is /dev/sdc

Now, to recover all lost files using foremost, enter the following command:

$ sudo foremost -i /dev/sdc -o /media/recovery/ 

If you want to recover specific files (naturally faster), add the -t flag with the desired file type.
For instance, if you want to recover all office files like *.ppt, *.doc and other Word or Access files,
you can use the following command:

$ sudo foremost -i /dev/sdc -o /media/recovery/ -t ole

Upon execution the program will start recovering the desired files, and progress will be shown in the terminal
like so:

Processing: /dev/sdc
|*****************************************************************************|
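
Because case 3 depends on nothing further being written to the stick, a more careful variant of the commands above copies the device to an image file, verifies the copy, and points foremost at the image instead. This is an added example, not part of the original post; the function names and the example paths in the usage comment are assumptions, and only the foremost flags already shown above (-i, -o, -t) are used.

```bash
# Added example (not from the original post): image the stick, then carve the copy.

# Copy SRC to IMG and confirm the copy is byte-identical via SHA-256.
# Prints the digest on success; returns non-zero on any failure.
image_and_verify() {
    local src=$1 img=$2 src_sum img_sum
    if [ ! -r "$src" ]; then echo "cannot read $src" >&2; return 2; fi
    if [ -e "$img" ]; then echo "refusing to overwrite $img" >&2; return 3; fi
    dd if="$src" of="$img" bs=4M status=none || return 4
    src_sum=$(sha256sum < "$src" | cut -d' ' -f1)
    img_sum=$(sha256sum < "$img" | cut -d' ' -f1)
    if [ "$src_sum" != "$img_sum" ]; then echo "hash mismatch" >&2; return 5; fi
    chmod a-w "$img"    # guard the working copy against accidental writes
    printf '%s\n' "$src_sum"
}

# True if DEV or one of its partitions (prefix match, e.g. /dev/sdc1)
# appears as a mounted source in the mounts table.
is_mounted() {
    local dev=$1 mounts=${2:-/proc/mounts}
    awk -v d="$dev" 'index($1, d) == 1 { found = 1 } END { exit !found }' "$mounts"
}

# Full run: refuse a mounted device, image it, then carve the image.
recover() {
    local dev=$1 img=$2 out=$3 types=${4:-ole}
    if is_mounted "$dev"; then echo "unmount $dev first" >&2; return 1; fi
    image_and_verify "$dev" "$img" >/dev/null || return
    foremost -i "$img" -o "$out" -t "$types"
}

# Usage (paths are placeholders, run as root):
#   sh recover.sh /dev/sdc /media/recovery/usb.img /media/recovery/out
if [ "$#" -ge 3 ]; then recover "$@"; fi
```

The image needs as much free space as the stick itself (about 8 GB for the device in this post), and it must be written to a different disk than the one being recovered.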

Now that file recovery is done, you look into the magic hat and see what it brings you. If you're in luck (for case 3), the files should be recovered under the /media/recovery/ path. Keep in mind that foremost runs with root privileges, so you'll have to change the ownership of the recovery folder in order to copy the recovered files. In the recovery folder you'll see an audit.txt file which contains the results of the foremost recovery. The output looks something like this:

Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File

Foremost started at Sat Jun 21 22:37:38 2014
Invocation: foremost -i /dev/sdc -o /media/ddr/recover/ -t ole 
Output directory: /media/ddr/recover
Configuration file: /etc/foremost.conf
------------------------------------------------------------------
File: /dev/sdc
Start: Sat Jun 21 22:37:38 2014
Length: 7 GB (8004304896 bytes)

Num Name (bs=512)       Size File Offset Comment 

0: 00396638.ole       8 KB  203079117  
1: 00397608.ole       8 KB  203575709  
2: 00556587.ole     378 KB  284972979  
3: 10493472.xls      41 KB 5372657664  
4: 14399168.doc     396 KB 7372374016  
5: 14399968.doc      83 KB 7372783616  
6: 14400160.doc      45 KB 7372881920  
7: 14400672.doc     134 KB 7373144064  
8: 14400960.doc      18 KB 7373291520  
9: 14401056.doc      23 KB 7373340672  
10: 15154976.doc      78 KB 7759347712  
11: 15155200.doc      79 KB 7759462400  
12: 15155424.doc      80 KB 7759577088  
13: 15155648.doc      82 KB 7759691776  
14: 15155872.doc      85 KB 7759806464  
15: 15156096.doc      87 KB 7759921152  
16: 15156320.doc      87 KB 7760035840  
17: 15156608.doc      89 KB 7760183296  
18: 15156832.doc      90 KB 7760297984  
19: 15157056.doc      90 KB 7760412672  
20: 15157280.doc      90 KB 7760527360  
21: 15157504.doc      90 KB 7760642048  
22: 15157728.doc      91 KB 7760756736  
23: 15157952.doc      91 KB 7760871424  
24: 15158176.doc      92 KB 7760986112  
25: 15158400.doc      93 KB 7761100800  
26: 15158624.doc      93 KB 7761215488  
27: 15543062.ole       8 KB 7958048205  
28: 15544040.ole       8 KB 7958548893  
Finish: Sat Jun 21 22:43:38 2014

29 FILES EXTRACTED

ole:= 29
------------------------------------------------------------------

So I've been able to extract 29 ole files which is great considering I was in case 3 scenario of this tutorial.
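
The audit table can be checked mechanically. In the listing above each file name is the 512-byte sector number of the hit (for example 10493472 x 512 = 5372657664), so the added example below (not from the original post; function names are assumptions) parses audit.txt, confirms that relationship, marks hits that do not start on a sector boundary, and checks the row count against the "FILES EXTRACTED" line. Treating unaligned hits as less trustworthy is a heuristic: filesystems normally store file data in whole sectors, so a signature found mid-sector is more likely an embedded object or a false match than the start of a stored file.

```bash
# Added example (not from the original post): sanity-check a foremost audit.txt.

# Sample input: a few rows abridged from the audit output shown above.
sample_audit() {
    cat <<'EOF'
Num Name (bs=512)       Size File Offset Comment

0: 00396638.ole       8 KB  203079117
3: 10493472.xls      41 KB 5372657664
4: 14399168.doc     396 KB 7372374016
27: 15543062.ole       8 KB 7958048205
Finish: Sat Jun 21 22:43:38 2014

4 FILES EXTRACTED
EOF
}

# One line per carved file:
#   <name> <size> <offset> <aligned|unaligned> <name_ok|name_mismatch>
# $1 = audit file ("-" or empty for stdin), $2 = block size (default 512).
audit_entries() {
    awk -v bs="${2:-512}" '
        $1 ~ /^[0-9]+:$/ && $2 ~ /^[0-9]+\.[a-z0-9]+$/ && NF >= 5 {
            split($2, part, ".")
            off = $5
            aligned = (off % bs == 0) ? "aligned" : "unaligned"
            named = (part[1] + 0 == int(off / bs)) ? "name_ok" : "name_mismatch"
            print $2, $3 $4, $5, aligned, named
        }' "${1:--}"
}

# Succeeds only if the number of table rows equals the "N FILES EXTRACTED" line.
audit_count_ok() {
    awk '
        $1 ~ /^[0-9]+:$/ && NF >= 5 { rows++ }
        $2 == "FILES" && $3 == "EXTRACTED" { claimed = $1 }
        END { exit !(claimed != "" && rows == claimed) }' "${1:--}"
}

sample_audit | audit_entries -
```

Against a real run, pass the path to audit.txt inside the foremost output directory as the first argument to either function.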

Also keep in mind that the best way to copy the recovered files is via the command shell using the cp command, and to view them later as a standard user. (When trying to access the file directory, in my case /recovery/doc, the GUI-based file system navigator shows doc as if it were not a directory, although it is; you can see it via the terminal.) To work around this, copy the files via the terminal to some other location like:

Assuming we are at the /recovery/doc/ path:

$ sudo mkdir -p /home/username/recovered_files/
$ sudo cp *.* /home/username/recovered_files/

And that's it, now all of your recovered files are in the /home/username/recovered_files directory (substitute username with your own username).

Hope this helps. I've done some amazing recovery jobs using this simple method; it's efficient and it works well.

Good luck with file recovery, and check out the post on how to make a bootable USB stick under Linux.



