Python helper to recover deleted files from USB drives and SD cards (including formatted partitions) using Foremost - a professional forensic file carving tool.
🚀 Battle-tested: Successfully recovered 100% of photos from a camera-formatted SD card where photorec only recovered ~10%.
After extensive testing, Foremost proved far superior to photorec:
- ✅ Recovered 100% of files from camera-formatted drives
- ✅ More aggressive file signature detection
- ✅ Better handling of fragmented files
- ✅ Used by law enforcement for digital forensics
- ✅ Cleaner output organization (files sorted by type)
- Linux
- Python 3.8+
foremostinstalled (sudo apt install foremost)- Root permissions (recommended for raw device access)
sudo ./run.shAutomatically lists devices, prompts for selection, and recovers files.
For stubborn cases (camera-formatted cards, maximum recovery attempts):
sudo ./forensic_recovery.sh /dev/sdXThis runs 3 professional forensic tools in parallel:
- Foremost - Law enforcement file carving tool
- Scalpel - Aggressive header/footer matching
- Sleuth Kit - Filesystem metadata analysis
Each tool uses different algorithms and may recover different files.
Simply run the script without arguments:
sudo ./run.shThe tool will:
- List available removable devices (USB drives, SD cards)
- Prompt you to select a device
- Suggest an output directory with today's date
- Launch foremost to recover all files
- Automatically fix file permissions so you can access them without sudo
Provide device and output path as arguments:
sudo ./run.sh --device /dev/sdb --output ~/recovered_filesThis mode is useful for scripts or when you already know the device path.
The script:
- Verifies the output folder is local and not on the pendrive
- Asks for confirmation before any recovery action
- Launches foremost in unattended mode
- Automatically carves files using forensic algorithms
- Organizes recovered files by type (jpg/, png/, pdf/, etc.)
Why Foremost works better:
- Camera-formatted drives: Foremost recovers 100%, photorec only ~10%
- More aggressive byte-pattern matching
- Better fragmented file handling
- Professional forensic-grade tool
When run with sudo, the tool automatically:
- Detects your original user (not root)
- Changes ownership of recovered files to your user
- Sets readable permissions (0644)
- No manual
chownneeded!
If you have existing recovered files owned by root, use:
./fix_permissions.shContributions are welcome! See CONTRIBUTING.md for guidelines.
This project is licensed under the MIT License - see LICENSE file for details.
- Foremost - Professional forensic tool by Jesse Kornblum
- Scalpel - File carving by Golden G. Richard III
- The Sleuth Kit - Digital investigation framework by Brian Carrier
If this tool helped you recover important data, consider:
- ⭐ Starring the repository
- 📝 Sharing your success story in issues/discussions
- 🤝 Contributing improvements
Disclaimer: This tool is provided as-is. Always test on non-critical data first. Data recovery success depends on many factors including how the data was deleted and whether it has been overwritten.