A relative deleted unneeded files on internal memory of their Android 6 phone (Samsung Galaxy S5 mini), only to discover later that all camera images had been wiped as well. I was asked to recover them.
Recovering files on a hard disk or SD card is easy; simply start PhotoRec and let it scan the partition. I wanted to do the same with the phone's internal data partition.
Partition data
Since Android 3 or 4, it is no longer possible to mount the partitions via USB, because that meant that the phone itself could not access the partition during that time. Instead, MTP was invented, which abstracts from the file system.
Another way to get the data is to use adb shell to stream the user data partition file /dev/block/mmcblk0p21 via USB into a local file. First you need root access, which I got with CF-Auto-Root.
At first I used a simple cat to get the data:
$ adb shell su -c "cat /dev/block/mmcblk0p21" | pv > mmcblk0p21.raw
At first I thought that the data were encrypted, but Adebar told me that encryption was not enabled (docs/deviceInfo.md).
Unfortunately, adb shell replaces newlines with Windows newlines, which breaks binary data. Several pages on the internet recommended using sed to strip those carriage returns out, but that also breaks legitimate CRs. Adebar and others used stty raw to switch to binary-friendly output:
$ adb shell "su -c 'stty raw; cat /dev/block/mmcblk0p21'" | pv > mmcblk0p21.raw
But the data were broken again; file did not recognize the ext4 partition and photorec only found text files. Using hexdump -C mmcblk0p21.raw showed me my problem:
sush: stty: not found
It seems on Android 6 there is no stty anymore :/ Fortunately, adb has an undocumented command exec-out that does binary-safe data transfer:
$ adb exec-out "su -c 'cat /dev/block/mmcblk0p21'" | pv > execout-mmcblk0p21.raw
With that, file recognized the ext4 fs and photorec did at least find the images that were not deleted.
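A quick way to tell a CRLF-damaged dump from a clean one before running photorec, as an added example that is not part of the original post: it checks for the ext superblock magic (0xEF53 at byte 1080) and for the absence of bare LF bytes. All function names and the sample image are constructed for illustration.

```python
import struct
import sys

SB_OFFSET = 1024      # primary ext2/3/4 superblock starts 1024 bytes in
MAGIC_OFFSET = 0x38   # s_magic field within the superblock
EXT_MAGIC = 0xEF53    # stored little-endian

def has_ext_magic(image: bytes) -> bool:
    """True if the ext superblock magic sits at its expected offset."""
    pos = SB_OFFSET + MAGIC_OFFSET
    return len(image) >= pos + 2 and struct.unpack_from("<H", image, pos)[0] == EXT_MAGIC

def crlf_translated(image: bytes, min_lf: int = 16) -> bool:
    """Heuristic: after LF -> CRLF translation no 0x0A byte is left without a
    preceding 0x0D, while untouched binary data has plenty of bare LFs."""
    total_lf = image.count(b"\n")
    if total_lf < min_lf:
        return False  # too few samples to decide
    return total_lf == image.count(b"\r\n")

def diagnose(image: bytes) -> str:
    if crlf_translated(image):
        return "crlf-translated"
    if not has_ext_magic(image):
        return "no-ext-superblock"
    return "ok"

def diagnose_file(path: str, sample_bytes: int = 16 * 1024 * 1024) -> str:
    """Check only the start of a dump; enough for the superblock and a sample."""
    with open(path, "rb") as fh:
        return diagnose(fh.read(sample_bytes))

def make_sample() -> bytes:
    """Constructed stand-in for a raw partition, not data from a real phone."""
    sb = bytearray(1024)
    struct.pack_into("<I", sb, 0, 0x0A0A)  # s_inodes_count with LF bytes in it
    struct.pack_into("<H", sb, MAGIC_OFFSET, EXT_MAGIC)
    return bytes(1024) + bytes(sb) + bytes(range(256)) * 32

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(diagnose_file(sys.argv[1]))
    else:
        clean = make_sample()
        print(diagnose(clean))
        print(diagnose(clean.replace(b"\n", b"\r\n")))
```

Run it with the path of a dump as the only argument; a clean image that still reports "no-ext-superblock" may simply use a different file system.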
TRIM and deleted files
photorec was not able to recover any deleted image files. This is when I learned about TRIM:
Flash storage devices can only write data into empty blocks. Before overwriting a block, they must empty it first. This slows down the process, so the operating system tells the flash storage devices "This area is empty" when a file gets deleted logically. The flash device will then fully empty the blocks when it has nothing else to do.
This is why the recovery software could not restore anything; the flash storage had fully deleted the data in the meantime. Maybe there would have been a chance if my relative had immediately switched off the phone upon noticing the error. But as it is, those data are lost forever.
Other notes
"One Way to Use a Linux Computer to Recover Files from an Android Device" is outdated. It describes Android 4, which did not implement TRIM.
I believe that TRIM is not used on SD cards. The photos thus would have been recoverable if they had been stored on an SD card.