Case Studies

Case Study: Recover deleted .docx file.

Summary: A deleted Office Open XML (.DOCX) file was recovered from a USB drive.

Methods: The drive was imaged using GNU ddrescue, and the file was found and recovered in two different ways. PhotoRec was used to carve the file from the image, and The Sleuth Kit was used to recover the file from the filesystem.

Details:

$ mkdir recovery
$ cd recovery

The drive was imaged with ddrescue, writing the image to loopfile and the map file to log:
$ sudo ddrescue /dev/sdc1 loopfile log

PhotoRec was run on the image, and the file was recovered as a .zip file.

$ photorec loopfile

Alternatively, the deleted files were listed using fls:

$ fls loopfile -r -f fat -i raw
r/r 3: test (Volume Label Entry)
r/r * 5: sample.docx
r/r * 7: sample.pptx
r/r * 9: sample.xlsx

The .docx file was recovered using icat:
$ icat -r -f fat -i raw loopfile 5 > sample.docx

Discussion:

DOCX (.docx, Office Open XML) documents are ZIP archives and can be recovered using the same methods used to recover .zip files.
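
Because PhotoRec returns the document as a generic .zip file, the recovered file still has to be identified and checked for damage. The following is an added example, not part of the original case study: the function names are hypothetical and the sample document is constructed in memory. It tells .docx, .pptx and .xlsx containers apart by their main part and verifies every member's CRC-32.

```python
import io
import zipfile
import zlib

# Main part that identifies each OOXML document type inside the ZIP container.
OOXML_MAIN_PARTS = {
    "word/document.xml": "docx",
    "ppt/presentation.xml": "pptx",
    "xl/workbook.xml": "xlsx",
}

def classify_recovered(data: bytes) -> dict:
    """Identify a carved or icat-recovered file and check its integrity."""
    result = {"type": "unknown", "intact": False, "bad_member": None}
    if not data.startswith(b"PK\x03\x04"):  # ZIP local file header signature
        return result
    result["type"] = "damaged zip"  # has the signature; upgraded once it opens
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            result["type"] = "zip"
            if "[Content_Types].xml" in names:
                for part, kind in OOXML_MAIN_PARTS.items():
                    if part in names:
                        result["type"] = kind
            # testzip() reads every member and returns the first name whose
            # CRC-32 does not match, or None when all members verify.
            result["bad_member"] = zf.testzip()
            result["intact"] = result["bad_member"] is None
    except (zipfile.BadZipFile, zlib.error):
        # Central directory missing or compressed data corrupt, as happens
        # when a deleted file was truncated or partly overwritten.
        pass
    return result

def make_sample_docx() -> bytes:
    """Constructed minimal DOCX-like container, for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()

if __name__ == "__main__":
    sample = make_sample_docx()
    print(classify_recovered(sample))                      # intact docx
    print(classify_recovered(sample[: len(sample) // 2]))  # truncated recovery
```

To check a real recovery, pass the bytes of the recovered file, for example open("sample.docx", "rb").read().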