1

I have a bunch of files that were copied to an NTFS volume and then immediately deleted by accident. Nothing else has been done to the volume since. I have tried a bunch of different data recovery tools, and every single one has failed to recover every single file. They see all the files, but the recovered files are full of random gobbledygook. Is there any chance of recovery here? I'm curious about how every single tool I've tried fails in the same way -- is it possible that the latest version of NTFS has altered its structures somehow and the recovery tools don't know how to read it? Is there a particular tool that would be worth trying?

Tools I have tried:

I asked this question previously, and it was promptly closed as a duplicate with a reference to another question:

How do I recover lost/inaccessible data from my storage device?

However, that question doesn't address either of the questions I am asking here:

  • My disk is not failing. That question is all about disks that become inaccessible and may be suffering hardware failure.

  • My question is specifically about why a whole bunch of tools all think they restored my files but failed to restore a single one, immediately after the files were deleted. Has something changed about NTFS in Windows 10 that breaks the tools?

If you want to close this question as a duplicate, please make sure that it is a duplicate of a ticket that isn't about failing hard drives, that is about deleted files, and that is about recovery tools not working.

  • If this was on Windows, have you looked into the Recycle Bin? – harrymc Dec 17 '20 at 21:43
  • Was the copy and deletion done under Windows or with another OS? Some older versions of Linux did not handle NTFS well, and may not have created redundant recovery info at the time the files were created. https://unix.stackexchange.com/questions/53451/will-linux-use-ntfs-as-correctly-as-windows – DrMoishe Pippik Dec 17 '20 at 22:49
  • It was done on Windows with a hard delete, unfortunately. No Recycle Bin. – Jonathan Gilbert Dec 17 '20 at 23:35

2 Answers

0

Hard deletion is just writing zeros to the headers of files that will be deleted, so the filesystem wouldn't display deleted files, because true deletion would take a long time. And the filesystem will record the action. So the files immediately after deletion are still there; in fact, hard deletion just marks the deleted files safe to overwrite so when empty space is used up they would be overwritten.

You say

Nothing else has been done to the volume since

But that still leaves many questions unanswered: Was the volume empty or not empty before the copying? Is the volume internal or external? Have you installed any programs to the volume? ...

Every one of them would change the situation dramatically. There are just too many possibilities; you only said you didn't use the volume, yet it's unclear if the system or any other program has accessed that volume. They may corrupt your deleted files.

But this is an answer: data recovery is scanning the filesystem for deleted files and guessing their headers based on the contents of the deleted files (provided they haven't been overwritten). I would suggest you try Wise Data Recovery; it's free and sometimes really works. If you used the other unprofessional software and they all see the files, it should be able to see them, too. But don't hold too much hope on it. It just scans recent filesystem records.

If it fails again, try this. It's the most professional tool I know of; unfortunately it isn't free (you have to buy the professional version if you want to recover the files): DiskGenius. It scans the whole disk for deleted files and can recover lost partitions, and it really gets its job done most of the time, but not always.

If all else fails, try the ultimate file recovery tool: HxD. It is free and open source; it's a hexadecimal viewer and editor that can see the hexadecimal data of disks. If you are absolutely sure the files really are there, then the files must also be displayed by HxD, and you should be able to guess their headers and manually recover them. Use it at your own risk; any wrong action can bust your filesystem. If that happens, run chkdsk /f X: (X means all partitions on the disk you modified) to fix the filesystem. Generally it's not recommended to use hex editors, but if you really want to use it, don't let the hex scare you, you will make sense of it in years...

Ξένη Γήινος
  • Thanks very much :-) – Jonathan Gilbert Dec 18 '20 at 02:36
  • "Hard deletion is just writing zeros to the headers of files" No, that does not happen in NTFS. "In fact, hard deletion just marks the deleted files safe to overwrite so when empty space is used up they would be overwritten." No. Upon release of the clusters the clusters occupied by the deleted file are part of the empty space. There is no difference then between other free clusters and the freshly freed ones. – r2d3 Dec 25 '20 at 18:18
0

In NTFS upon deletion of a file the MFT entry (metadata information like name, creation date...) gets marked as deleted and the clusters used by the file are released.

If you delete files by accident you would need to immediately power down the drive, because depending on write activity on this drive and the assignment strategy of Windows or Linux handling the NTFS file system, it could happen that those clusters would be immediately reused, thus overwritten. Upon deletion of another file the clusters in question could even be released again, making it appear as if they had been untouched.

r2d3
  • I understand this concept. I am just confused because I already have data recovery tools and ran them within 30 seconds of the deletion having taken place. I realized *immediately* what had just happened. The tool found all the deleted MFT entries, but failed to recover content for any file whose contents didn't fit into the MFT entry itself. 100% failure rate, with no other activity having taken place. :-/ – Jonathan Gilbert Dec 26 '20 at 19:19
  • I doubt your statement "with no other activity having taken place". You were under the impression that no other activity had taken place. But already connecting such a drive to a Windows-operated computer, which immediately makes the drive available ("mount"), could have been an error. – r2d3 Dec 26 '20 at 20:09
  • You misunderstand. The computer the events took place on already had access to recovery tools. Without ever shutting it off, without any mounting/dismounting of volumes, I went immediately from the action that deleted the files to running the recovery tool. – Jonathan Gilbert Dec 27 '20 at 18:03
  • I did not misunderstand. You kept the file system as it was, online, which is not a good idea. You being immediate is different from your file system driver being immediate. – r2d3 Dec 27 '20 at 18:16
  • It just seems unlikely to me that in the space of seconds, _every single deleted file (thousands of them)_ would have had its data overwritten on a secondary drive... – Jonathan Gilbert Dec 27 '20 at 18:36
  • You deleted files and "without any mounting/dismounting of volumes" you ran your recovery tools. That means you were running them on an online file system. This is not a reasonable procedure. You should do a just examination of what you did instead of searching for ways to justify your recovery process. One of the easiest diagnostics you could have applied is pulling a SMART report and copying the mishandled drive with ddrescue. This would have provided you a list of broken sectors if there were any. – r2d3 Dec 29 '20 at 00:04
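
The distinction this thread turns on (a deleted MFT entry whose content either fits inside the entry or lives in clusters that have been released), shown as an added example that is not part of any post above. The records are constructed, the function names are hypothetical, and the sketch assumes a 0x38-byte record header and does not apply update-sequence fixups.

```python
import struct

ATTR_DATA, ATTR_END = 0x80, 0xFFFFFFFF

def decode_runs(buf):
    """Decode an NTFS data-run list into (start_lcn, cluster_count) pairs."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos] != 0:
        len_sz, off_sz = buf[pos] & 0x0F, buf[pos] >> 4
        count = int.from_bytes(buf[pos + 1:pos + 1 + len_sz], "little")
        if off_sz:  # offset is signed and relative to the previous run's LCN
            start = pos + 1 + len_sz
            lcn += int.from_bytes(buf[start:start + off_sz], "little", signed=True)
        runs.append((lcn if off_sz else None, count))  # None = sparse run
        pos += 1 + len_sz + off_sz
    return runs

def describe_record(rec):
    """Report the in-use flag and where the unnamed $DATA stream is stored."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    pos, flags = struct.unpack_from("<HH", rec, 0x14)  # first attribute, record flags
    info = {"in_use": bool(flags & 0x01), "resident": None, "data": None, "runs": []}
    while pos + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == ATTR_END or alen == 0:
            break
        if atype == ATTR_DATA and rec[pos + 9] == 0:  # name length 0: main stream
            if rec[pos + 8] == 0:  # resident: content lives inside the MFT record
                size, off = struct.unpack_from("<IH", rec, pos + 0x10)
                info.update(resident=True, data=rec[pos + off:pos + off + size])
            else:  # non-resident: the record holds only pointers to clusters
                (run_off,) = struct.unpack_from("<H", rec, pos + 0x20)
                info.update(resident=False, runs=decode_runs(rec[pos + run_off:pos + alen]))
        pos += alen
    return info

def build_record(flags, attr):
    """Constructed sample record: 0x38-byte header, one attribute, end marker."""
    hdr = bytearray(0x38)
    hdr[0:4] = b"FILE"
    struct.pack_into("<HH", hdr, 0x14, 0x38, flags)
    return (bytes(hdr) + attr + struct.pack("<I", ATTR_END)).ljust(1024, b"\0")

# Constructed attributes (not taken from any real volume).
RESIDENT = struct.pack("<IIBBHHHIHH", ATTR_DATA, 0x20, 0, 0, 0x18, 0, 0, 5, 0x18, 0) + b"hello\0\0\0"
RUNS = bytes.fromhex("21183456 1108f0 00")  # 24 clusters at LCN 22068, then 8 at -16
NONRESIDENT = struct.pack("<IIBBHHHQQHH4xQQQ", ATTR_DATA, 0x48, 1, 0, 0x40, 0, 0,
                          0, 31, 0x40, 0, 0x20000, 0x1F400, 0x1F400) + RUNS

if __name__ == "__main__":
    for name, attr in (("small", RESIDENT), ("large", NONRESIDENT)):
        print(name, describe_record(build_record(0x00, attr)))  # flags 0x00 = deleted
```

For the non-resident file the record yields only cluster addresses; whether those clusters still hold the file's bytes is something the MFT entry alone cannot show.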