Mageia forum

hello,

I have a friend, he run 'rm -r /MUSIC D/x', and he wiped more than he expected, because he didn't know he needs the quotes.
He intended to delete files from other partition, called 'MUSIC D', not 'MUSIC'.
He erased about 300 GB. The question is: how could I restore some of that files, because I have no idea on what was erased and Windows undelete tools do not find anything in that freed space.
He claims he did not try to write anything on that disk...
I think rm used ntfs-3g commands in the backgound.
I have successfully restored partitions using ntfs-3g in the past (that's why he trusted me to help him), but this time I don't understand what happened.
I can find some files erased long ago, but nothing of what he deleted this time.

Any ideas?

Thank you.

Have you tried photorec?

Edit: This should be moved to one of the support forums.

Thanks Ken, and moved.

Ken-Bergen wrote:Have you tried photorec?

Although it could be what I need - it is able to scan the unallocated space - I have not enough space on disk to recover ~300GB (photorec asks to recover, it doesn't list them, or I could not find that option). Does it recover any type of file? Does it recover some path too?

Thanks.

photorec just recovers the raw data, no paths and probably no file names and will make it's best guess as to extension.

If the disk had 500GB's of data on it that's the space you'll need on another disk to do a recovery.

If the data is worth the time you go through the pain of examining each file and giving it a meaningful name.
It's up to you and your friend whether you want to spend many perhaps hundreds of hours rebuilding his music collection.

Better use testdisk, as it can scan the drive for the filesystem, as the data is still there. Normally, if you didn't write to that drive afterwards (and i would suggests not mounting it with read/write access again until you recovered all of the data - so mount it readonly) you should be able to let it scan for partitions and then filesystems, and then list the files, and copy all files to ANOTHER drive. You can do this step by step or directory after directory. But you can only recover it to another drive, or maybe another partition on the same drive.

Here's a short guide, it's quite easy: http://www.cgsecurity.org/wiki/Undelete ... h_TestDisk

Thank you.
I must say that it is not the first time I recover files, so I know the risks and what to avoid.
What's weird to me is that deleting files, with shift-del, under Windows, doesn't wipe them, so I could recover them (I'm not talking about this situation, it's just my experience).
This time, doing "rm", seems to make the files totally unavailable.
In the past, I have successfully recovered files using the ntfs-3g drivers, when Windows could not even mount the partition.
Now, there is nothing, although the disk is not zeroed. I have used a dozen of tools.To me, this means that rm+ntfs-3g have done something different than Windows, so these apps could not find the deleted files.
I wish I know what...

msdobrescu wrote:I have used a dozen of tools.

Please provide some more details which tools you already tried and how. Also, have you tried testdisk as mentioned above?

I have tried many free tools for Windows (from Easeus, and tools from here: http://pcsupport.about.com/od/filerecov ... ograms.htm), some trial versions (for Windows also: Tuxera Recovery, Ontrack Easy Recovery, R-Studio), some special (usually commercial) editions of tools that come for the disk brand for free (from Acronis and Paragon, but these are old). On linux just R-Studio, ntfsundelete, testdisk & photorec.
Tomorrow I will get a new disk to try and see what photorec could find.
Ontrack tool still scans now (it could take days...).

How did you use testdisk, and did it at least find the partitions, maybe after a deep scan?

I do not need to find the partitions, I just need to undelete the files on an existing partition.

msdobrescu wrote:I do not need to find the partitions, I just need to undelete the files on an existing partition.

I don't understand what doktor5000 thinks you'll accomplish with testdisk as it's a partition recovery tool.
It's cousin photorec is the file recovery tool.

However photorec works at a raw disk level and you'll need space equal to the entire size of the disk in question for the recovery, not just the size of the deleted files or even the size of the partition they were on.

The recovered files will be in directories like
/recup_dir.1
/recup_dir.2
etc
Probably hundreds or more of them.

Each of those directories will contain hundreds or more of files like
f0195184.exe
f0186016.mp3
etc

You would have to in the case of the music files, play each one, decide what it should be named then copy the renamed files to the appropriate directory.

That's why I said you could spend hundreds of hours recovering.

Hopefully Ontrack can do the job otherwise you'll probably have to tell your friend to chock it up to experience.

Thanks for the concerns.
The Ontrack tool reports 5 days left to scan...
I think there is something wrong.
I need an ntfs free space raw scan, I guess.

Ken-Bergen wrote:

msdobrescu wrote:I do not need to find the partitions, I just need to undelete the files on an existing partition.

I don't understand what doktor5000 thinks you'll accomplish with testdisk as it's a partition recovery tool.
It's cousin photorec is the file recovery tool.

Did you even mind to read the link which i've posted? http://www.cgsecurity.org/wiki/Undelete ... h_TestDisk
And much fun recovering your path structure and filenames with undelete tools you are currently using ...
Also Photorec can not recover all files, only certain filetypes. But as you seem to know better, do as you wish, i'll leave it at that.

doktor5000 wrote:Did you even mind to read the link which i've posted? http://www.cgsecurity.org/wiki/Undelete ... h_TestDisk
And much fun recovering your path structure and filenames with undelete tools you are currently using ...
Also Photorec can not recover all files, only certain filetypes. But as you seem to know better, do as you wish, i'll leave it at that.

Unfortunately I did not which is my loss.

I had been to the cgsecurity.org wiki and after reading the description

TestDisk is powerful free data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table). Partition table recovery using TestDisk is really easy.

made the erroneous assumption that it only worked at the partition level not file level.

Know your tools

So, after analyzing what testdisk recovered, its rate of succes is about 0 in my case.
There are 299 GB though...

Today I've tried ntfsundelete, which seems to find the files, but, although it could get some path, it doesn't do recover that path.
Is there some script to solve that?

Thank you.