Louis des Landes

File recovery

December 22, 2010

So someone left us with a corrupt USB stick at work a couple of days ago. No joy with that, but she had another USB stick, still working, from which she had recently deleted the same data, and it hadn't been used since.
After a crapload of mucking around and a lot of reference to

https://help.ubuntu.com/community/DataRecovery
http://forums.gentoo.org/viewtopic-t-365703.html
http://matt.matzi.org.uk/2008/07/03/reconstructing-heavily-damaged-hard-drives/

I combined elements of all the above into the following script, which recovered most of the deleted files.

The main trick was the arguments on icat - I was confused for a while because it was finding all the files, but only creating 4kb of them. Turns out I needed the -r -a arguments.

The script is below. It runs on a file created by the following command:

# The -r argument makes ils list only removed (deleted) files
ils -r /media/Images/USBImage | awk -F '|' '{print $1}' > /tmp/inodes

#!/bin/sh
imgpath="/media/Images/USBImage"

# The -o offset is needed because the image is of the raw disk rather than
# just the partition. The offset was found using autopsy, part of the sleuth
# tools used for this.
imgargs=" -f fat -o 63 ${imgpath} "
outpath="/media/Images/Recovered/"

for inode in $(cat /tmp/inodes) ; do

	ffind ${imgargs} $inode

	if [ $? -eq 0 ]
	then
		echo "INODE: $inode"
		INODEDIR=$(ffind ${imgargs} $inode | awk -F "* " '{print $2}')
		echo "INODEDIR: ${INODEDIR}"
		REALDIR=${outpath}$(dirname -- "$INODEDIR")
		FILENAME="${outpath}${INODEDIR}"
		mkdir -p "$REALDIR"
		# I found this worked better than the method used by one of the links
		# to create directories. A directory inode may already have been written
		# out as a file; if a later file needs that path as a directory, mkdir
		# fails, so the file is removed and the directory is created instead.
		if [ $? -eq 1 ]
		then
			rm -R "${REALDIR}"
			mkdir -p "${REALDIR}"
		fi

		echo "FILENAME: $FILENAME"
		#echo "${imgargs} $inode > $FILENAME"
		icat -r -s ${imgargs} $inode > "$FILENAME"

		echo ""
	fi
done
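
An added example, not part of the original post: the text-handling steps of the script above written as shell functions that can be checked without an image. They filter ils output down to numeric inode rows and map an ffind name to a destination under the output directory, refusing ".." components. The function names and the sample ils rows are constructed for illustration, and the Sleuth Kit tools themselves are not invoked.

```shell
#!/bin/sh
# Added example: helpers for the ils/ffind text that the recovery script consumes.
# Function names and sample data are constructed for illustration.

# Keep only data rows of ils output: the first '|' field must be a number,
# which drops the header records ("class|...", "ils|...", "st_ino|...").
inodes_from_ils() {
	awk -F '|' '$1 ~ /^[0-9]+$/ { print $1 }'
}

# Turn ffind output into a path relative to the image root.
# Deleted names carry a "* " prefix; anything that is not a path is rejected.
path_from_ffind() {
	line=$(printf '%s\n' "$1" | sed -n '1p')   # use the first name only
	line=${line#"* "}
	case $line in
		/*) printf '%s\n' "${line#/}" ;;
		*)  return 1 ;;
	esac
}

# Join the output directory and a recovered name, refusing any ".." component
# so a name stored in the image cannot place a file outside the output tree.
safe_dest() {
	case "/$2/" in
		*/../*) return 1 ;;
	esac
	printf '%s/%s\n' "${1%/}" "$2"
}

# Constructed sample in the pipe-delimited layout that ils prints.
sample_ils='class|host|device|start_time
ils|workpc||1293000000
st_ino|st_alloc|st_uid|st_gid|st_mtime|st_atime|st_ctime|st_crtime|st_mode|st_nlink|st_size
5|f|0|0|1292900000|1292889600|0|1292900000|100777|0|20480
9|f|0|0|1292900100|1292889600|0|1292900100|100777|0|4096'

demo() {
	printf '%s\n' "$sample_ils" | inodes_from_ils
	rel=$(path_from_ffind '* /photos/trip.jpg') &&
		safe_dest /media/Images/Recovered/ "$rel"
}

demo
```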