Question about data recovery

Okay, here’s the deal: I have separate partitions for root and home and a big ntfs partition for data ~700GB. The data partition is mounted to a directory “data” in my users’ home directories. Recently I deleted a user and used the option in YAST to remove their home directory. YAST apparently deleted my entire data partition as well. This is pretty catastrophic for me, not all of that data was backed up, so I’m wondering if anyone can suggest a method to get that back. I haven’t written anything to that partition so presumably it should all still be there.

First of all, don’t do anything more to the partition as your files are still likely to be there. If possible, use dd to copy the data partition to a USB hard drive and then try to recover the lost files.

The SystemRescueCd Live CD (Download - SystemRescueCd) offers a comprehensive suite of programs for recovering files. Being a live CD, it won’t write anything new to your system.

Obviously, downloading and creating the System Rescue Live CD on a friend’s computer prevents any overwriting of important data on your system.

As an addition to the excellent advice above: as it all happened on a non-Linux file system, wouldn’t it be better to try the recovery on a native NTFS system (some Windows)? I guess there are more tools dedicated to this task available there.

The ntfs-3g suite is installed on your Linux computer. It contains a sub-suite called ntfsprogs. One of the apps in ntfsprogs is called ntfsundelete. Run the man page and have a look around in there: man ntfsundelete
You can run this inside openSUSE already.

I’d be happy to try whatever on whichever platform, but I don’t know of any appropriate utilities.

It looks like SystemRescueCD has a utility called TestDisk which will allow deleted files to be copied over to another disk or partition. The Ultimate Boot CD has a similar utility (another disk I had lying around) and it looks like ntfsundelete does the same thing. But I don’t have a 700 GB disk or partition - I need to recover the files in place. Or at least that would be the best method. Is that an option?

Secondary question: Is the directory structure of that partition lost? All of the utilities are just listing the files in alphabetical order, which is nuts. There are thousands of files. A graphical utility that would let me go through the directory tree would be really handy here.

Be careful, for every pure Linux tool you must be sure that it works for a non-Linux file system type like NTFS.

My idea is that you should look into @swerdna’s post. He points you to an NTFS dedicated tool running on Linux.

On 2012-03-26 11:36, shmuck wrote:
> I need to recover the files in place. Or at
> least that would be the best method. Is that an option?

Not advisable, unless you find a Windows util that does.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

All right, I’m still working on this so let me ask a follow-up question: I found a server with some large-capacity storage and decided to use dd to make a copy of the partition before trying anything further. Was thinking that I could boot into Windows at that point and try undeleting in place, with the backup available in case something went wrong.

So I’ve been running dd for the last 24 hours just using the command: “dd if=[partition] of=[target]” and it looks like it’s only done 40 GB so far. At this rate it’s going to take about 18 days and that just… I can’t understand why this is taking so long. Maybe I’ve made a poor choice? Is there any way to speed this up?

I haven’t refreshed my knowledge for a year plus now on what software is available but I recommend you do a search and evaluation of forensics software. There should be free suites and commercial suites which can be very expensive. In general, a forensics suite will provide ready tools for disk imaging, disk inspection, file recovery and file inspection. Note that when you’re running a suite, the tools and components are tested and validated to work well and reliably unlike simply trying to install a package that <should> work.

Beware mounting disks on Windows OS (even native Windows FS), it’s well known that all Windows OS will write a disk identifier… That is why you won’t find any forensics suites running on Windows… only *NIX. Usually this won’t cause an issue, but ordinarily when you want to recover data you really don’t want to write <anything> to the disk.

HTH,
TS

On 2012-03-28 23:56, shmuck wrote:
>
> All right, I’m still working on this so let me ask a follow-up question:
> I found a server with some large-capacity storage and decided to use dd
> to make a copy of the partition before trying anything further. Was
> thinking that I could boot into Windows at that point and try undeleting
> in place, with the backup available in case something went wrong.
>
> So I’ve been running dd for the last 24 hours just using the command:
> “dd if=[partition] of=[target]” and it looks like it’s only done 40 GB
> so far. At this rate it’s going to take about 18 days and that just… I
> can’t understand why this is taking so long. Maybe I’ve made a poor
> choice? Is there any way to speed this up?

Let me see if I understood. You plugged the problem disk into another
computer (directly?). Let’s say this is disk /dev/sdY, and the local disk is
/dev/sdX. You are running:


dd if=/dev/sdYn of=somefile_in_sdX

Is that it? And it is running very slowly. How many gigabytes per minute?
Ah, 40/(24*60)= 27MB/min. Wow.

The cause could be (if the connection is direct) read or write errors on
one of the disks.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

Sorry, I need to check this thread more frequently.

Yes, that is the dd command that I used. And yes, that’s how slow it was working. However, after I killed dd and tried it with Testdisk it got the whole thing done in about a day. Or about 500 MB/min. Much better. That’s confusing, because I think Testdisk just uses dd, but there you go. It did say, when it was done, that there were read errors.

I did not take the hard drive out and plug it into another system. I don’t really have another system handy that I can do that with, this is my desktop at home. In fact I still need to use this computer so this has been doubly awkward. I’ve done the best I can to see that that partition doesn’t get written to, but there have been a couple of things like the Windows **** that tsu2 mentioned. That’s only 20 KB though. There are some much bigger files written to the drive and I’m not certain where they came from but it was before I booted into Windows, so I assume SUSE. Several files with $ in their names: $AttrDef at 2.5 KB, $Bitmap at 25 MB, $MFT at 263 MB, etc. That… upsets me, but there’s nothing I can do about it now. Still, it’s less than 400 MB total out of more than 700 GB, most files should still be intact.

They should be intact, but that’s not what the file recovery software is telling me. Let me ramble a bit, because this recovery stuff is new to me. There seem to be two methods employed by these recovery suites: one reads the existing (deleted) file structure in the partition and the other does a signature based search, looking for recognizable file types. The FOSS option for the first method seems to be Testdisk, for the second method it’s Photorec. Per the advice of people in this thread, I’m now booted into Windows and trying some of the Windows based tools, but they seem to function the same way.

The first method is fairly quick and is turning up a little over 2,000 files. The advantage with this method is that they come with file names intact, so I know what they are, but none of the software that I’ve tried preserves the directory structure so they’re all just in a lump and most of them seem to be corrupt anyway. The second method takes several days and is turning up somewhere north of 300,000 files, including many which are not corrupt. That’s good. None of the files have names though, and there’s still no directory structure. That’s bad. That’s really bad - there’s no way that I can manually sort through 300,000 files.

When I started this, I said to myself, “Don’t panic now, everything’s still there. You just need to find the right program to flip the delete flag and all will be well again.” I’m finding that this is not the case. What happened to all my files? And the directories, and their names? This seems like it should be simpler than it is turning out to be, and worse than I had feared.
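The “second method” described above, signature-based carving, is what produces hundreds of thousands of nameless files: it never consults the file system, only the byte patterns. The following is an added example (not code from the thread, PhotoRec or TestDisk); the raw image it scans is constructed, and the offset-based naming is this example’s own convention.

```python
# Signature (header/footer) carving in miniature: the 'second method' from the post.
# Added example; the image below is constructed, not a real NTFS partition.
SECTOR = 512

# (header, footer, extension). Only header+footer formats are handled here;
# formats without a footer need their size fields parsed instead.
SIGNATURES = [
    (b"\xff\xd8\xff", b"\xff\xd9", "jpg"),                   # JPEG SOI ... EOI
    (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", "png"),  # PNG magic ... IEND + CRC
]

def carve(image, sector=SECTOR):
    """Return [(offset, ext, payload)] for each header found at a sector
    boundary with its footer somewhere after it. Nothing here consults the
    file system, which is why carved files come back with no names and no
    directories: the only identity a carver has is the offset and the pattern.
    A fragmented file (non-contiguous clusters) is carved wrong or not at all."""
    found = []
    for off in range(0, len(image), sector):
        for header, footer, ext in SIGNATURES:
            if image.startswith(header, off):
                end = image.find(footer, off + len(header))
                if end != -1:
                    found.append((off, ext, image[off:end + len(footer)]))
    return found

def carved_name(off, ext):
    """Offset-based file name, the only kind a carver can hand out
    (this example's convention, not PhotoRec's numbering scheme)."""
    return f"f{off:010d}.{ext}"

def _pad(b, sector=SECTOR):
    """Pad to a whole sector, as data on disk is laid out."""
    return b + b"\0" * (-len(b) % sector)

# Constructed raw image: junk, a minimal JPEG, more junk, a minimal PNG.
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x11" * 200 + b"\xff\xd9"
FAKE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x22" * 40
            + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82")
IMAGE = _pad(b"\x5a" * 700) + _pad(FAKE_JPEG) + _pad(b"\xa5" * 1500) + _pad(FAKE_PNG)

if __name__ == "__main__":
    for off, ext, data in carve(IMAGE):
        print(carved_name(off, ext), len(data), "bytes")
```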

What about ntfsundelete ? Why didn’t you try that in the first place ? :slight_smile:

Best regards,
Greg

On 2012-04-07 00:06, glistwan wrote:
>
> What about ntfsundelete ? Why didn’t You try that in the first place ?
> :slight_smile:

Looks promising, worth a try.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

On 2012-04-03 15:46, shmuck wrote:
>
> Sorry, I need to check this thread more frequently.
>
> Yes, that is the dd command that I used. And yes, that’s how slow it
> was working. However, after I killed dd and tried it with Testdisk it
> got the whole thing done in about a day. Or about 500 MB/min. Much
> better. That’s confusing, because I think Testdisk just uses dd, but
> there you go. It did say, when it was done, that there were read
> errors.

Read errors do cause very slow speed, because each failed sector is tried I
don’t know if 5 or 10 times, again and again. To “repair” this you need to
trigger remapping those sectors to a good sector; this is done usually by
the disk hardware, transparently, when you write to a bad sector. It can
also be done when formatting. But you can do nothing of that.

Normally I would recommend using smartctl to verify the disk health, or the
disk manufacturer utility for this (like seagate’s seatools).

Another possible cause of low speed that I forgot is sector misalignment on
new disk using 2Kb sector instead of the traditional 0.5K. I know little
about this, but it can hardly be your case, as the disk was in use previously.

> When I started this, I said to myself, “Don’t panic now, everything’s
> still there. You just need to find the right program to flip the delete
> flag and all will be well again.” I’m finding that this is not the case.
> What happened to all my files? And the directories, and their names?
> This seems like it should be simpler than it is turning out to be, and
> worse than I had feared.

I don’t know. It is a Windows disk, so Windows people would know if there
is a utility that can simply undelete files like that. Photorec does that,
recover files without structure. Maybe that’s the only way to do it.
Testdisk works on another level, finding lost partitions and is faster - if
it works.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
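The slow-read behaviour Carlos describes (each failing sector retried again and again, and a plain dd with its default 512-byte blocks making it worse) is why forensic imagers read in large blocks and fall back to per-sector reads only when a block fails, zero-filling the sectors that cannot be read. Added example, not code from the thread, dd or TestDisk; FlakyDevice is a constructed stand-in for a block device with unreadable sectors, and its pread method is this example’s assumption, not a real device API.

```python
import io

SECTOR = 512

class FlakyDevice:
    """Constructed stand-in for a block device: pread() raises EIO whenever
    the requested range touches an unreadable sector (assumed interface)."""
    def __init__(self, data, bad_sectors):
        self.data = data
        self.bad = set(bad_sectors)

    @property
    def size(self):
        return len(self.data)

    def pread(self, offset, length):
        first, last = offset // SECTOR, (offset + length - 1) // SECTOR
        if any(s in self.bad for s in range(first, last + 1)):
            raise OSError(5, "Input/output error")
        return self.data[offset:offset + length]

def image(dev, block_size=1 << 20):
    """Copy dev into an in-memory image. Fast path: large reads. When a block
    fails, re-read it sector by sector so only the sectors that really fail
    are zero-filled (analogous to dd's conv=noerror,sync) and this code tries
    each of them once instead of looping. Returns (image_bytes, [bad sectors])."""
    out, bad, offset = io.BytesIO(), [], 0
    while offset < dev.size:
        length = min(block_size, dev.size - offset)
        try:
            out.write(dev.pread(offset, length))
        except OSError:
            for s_off in range(offset, offset + length, SECTOR):
                s_len = min(SECTOR, offset + length - s_off)
                try:
                    out.write(dev.pread(s_off, s_len))
                except OSError:
                    bad.append(s_off // SECTOR)
                    out.write(b"\0" * s_len)   # keep the image aligned
        offset += length
    return out.getvalue(), bad

# Constructed 8 KiB "partition": sector n holds byte n; sectors 3 and 9 are unreadable.
SAMPLE = b"".join(bytes([n]) * SECTOR for n in range(16))
DEVICE = FlakyDevice(SAMPLE, {3, 9})

if __name__ == "__main__":
    img, bad = image(DEVICE, block_size=4096)
    print(f"imaged {len(img)} bytes, unreadable sectors: {bad}")
```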

ntfsundelete seems to be a method 1 option similar to Testdisk. I got about 2200 files with it, no directories. Testdisk, by the way, turned up 2100 files, so they’re not identical but similar. Testdisk also turned up a few directories, which was nice, but very few and not all of them had real names, just numbers.

@robin_listas
Thanks for the info about the slow reads, but Testdisk did manage to make an image in reasonable time, so I’m over that hurdle. When you say that Testdisk finds lost partitions you aren’t using the same meaning of the word partition that I am, are you? There’s only one partition in question here (“slice” in BSD parlance).

On 2012-04-08 15:26, shmuck wrote:
> @robin_listas
> Thanks for the info about the slow reads, but Testdisk did manage to
> make an image in reasonable time, so I’m over that hurdle. When you say
> that Testdisk finds lost partitions you aren’t using the same meaning of
> the word partition that I am, are you? There’s only one partition in
> question here (“slice” in BSD parlance).

Well, yes, you have only one, that is not the case here. I simply mention
that testdisk has that usage.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

> Save . . . said my data was stored on servers in FL. How do I get my
> data back?

I’d recommend you ask that question to the makers of ‘Save’.

There are plenty of “data recovery” pros on the net who will take your
hard drive and put its data on another… it’s about $800 per disk, no
kidding.

It’s a lot cheaper and easier to just backup to a safe, on machine location…

What operating system are you using?


dd http://goo.gl/PUjnL

On 01/15/2013 05:36 AM, dd wrote:
>
> It’s a lot cheaper and easier to just backup to a safe, on machine
> location…

that typo was supposed to be “backup to a safe, OFF machine location.”


dd