How to save a ntfs partition which suddenly became empty

5,682

Solution 1

You're best looking at some Data Recovery software to recover your important files to another media before attempting any repairs/doing any tests. It sounds very much like a corrupted filesystem/mount point.

Personally I've previously used 'Ontrack Data Recovery' and 'GetDataBack for NTFS' for recoveries such as these.

Your next point would be to run tests to check the consistency and health of your Hard Drive(s).

Solution 2

Virus?

I examined the executable from your cracked program and surprisingly, only one of the three had any hits on Virustotal at all, and even then, only two potentially false-positives. That doesn’t rule out a virus though.

From your description, it really sounds like you were hit with a virus. That only System Volume Information was left on the drive is particularly telling because it is a specially protected folder which even running as an administrator is insufficient to delete (that is, while it can be done, a typical virus would not be able to attain the required permissions).

Scan for Diagnosis

Did you run a scan of the volume yet? Run chkdsk (without the /f switch) and see what it says. You mentioned that Ubuntu did a check and complained about the volume, and that there was a bootsqm.dat file on it, which implies that chkdsk has been run at some point, but without specific results giving information on the state of the volume, it’s hard to judge the likelihood of successful recovery since the specific damage cannot be assessed. I would point out however that if there are any visible files or folders, as is the case here, then the file-system itself appears to be intact and that the rest of the data has merely been deleted (which again points to the virus).

Professional Recovery

There are professional data-recovery firms that can attempt to recover your data, but they cannot perform magic. There are limits to what they can recover, and even if you are lucky, chances are it will end up being quite expensive (especially if you expect to get back the full 105GB).

Recovery Tactics

Your best bet is to run a battery of recovery-programs. Download, install, and run a whole bunch of data-recovery tools (on the Ubuntu/Windows systems of course, not the problem volume). You can Google for data-recovery, undelete, and unformat to find lots of options. Choose the ones that have good reviews.

Run them, and set each one to save the recovered files to a different location (e.g., C:\Recover\Recuva, C:\Recover\Undelete360, C:\Recover\PhotoRec, etc.). Make sure to try both the basic scan and the deep-scan. The basic scan will use any information it can get from the file-system (e.g., filenames, folder structure, file sizes, etc.) as a guide and will provide you with the best results, metadata wise. The deep-scan will search the disk directly and search for any files of known type and will give the best results data wise, but will have no filenames, dates, sizes, etc.

In your case, since basic scans do not work, it looks like the file-system was wiped, meaning that all filenames, directories, dates, sizes, permissions, etc. are gone. Your only hope now is to run multiple tools in deep-scan mode. However this has some implications: (1) all files will be recovered to a single dump and they will have the current date and their sizes are rounded up (meaning that they will contain some junk at the end), and (2) any files you had that are of a type not known to the program cannot be recovered. As such, you are even more advised to run multiple programs since some may recognize types that others do not.

Post-Recovery

Once you feel comfortable that you have gotten at least one copy of every file you possibly can, run a duplicate-file checker (set to content-mode) to weed out the duplicates and winnow down the files to a (hopefully) manageable size. I recommend AllDup for numerous reasons.

Abandon hope all ye who enter here

Be aware that there is no click-it-and-be-done-with-100%-satisfaction solution. You will have to do a bunch of work yourself and there is no guarantee that you can get anything back, let alone all of it. On April 25 2011, I accidentally deleted 8,000-9,000 graphic files taking up 978MB from a FAT32 volume. I ran the aforementioned battery of recovery programs (almost a dozen of them). It is now almost 1½ years later and my folder of “recovered” files is 9.59GB, containing 39,723 files. Further, I locked down the source volume for over a year and avoided using it at all (which was quite annoying every time I ran out of space). I have made a lot of progress in cross-referencing files, checking them for corruption, moving them, and so on (I’ve probably processed a good 1,000-2,000 files), but I still have a long way to go. I have already had several files that were no good and had to be replaced; some could be re-downloaded, others were lost forever.

Silver Lining

Losing files sucks. There’s no beating about the bush or soft-pedaling; it just sucks. If the files happen to be ones that you downloaded, then you can use your browser’s history to help recover them, but if they are files that you created yourself, then it hurts particularly badly. Take this incident as motivation to learn about your system and tools. When I got hit with the Chernobyl virus in May, 1999, I opened a book and learned all about the FAT32 file-system so that I could examine my disk and recover my files. When I deleted those photos, I researched recovery-programs (and started designing my own). When my data-drive had a problem last week, I was thankful that I had a full directory listing of every single file along with their names, dates, sizes, etc. from just a couple of days earlier (though I would have been happier if my last backup was more recent).

While you work at recovering your data, take this opportunity to plan and deploy some sort of backup system. You don’t have to make a duplicate copy of everything either; just backup the files you create, and keep an inventory of the files you have downloaded (along with a full browser history for the URLs). That way you can be safe while keeping the storage overhead to a feasible level.

Also get some security software (Windows 7 already has Windows Security Essentials) and keep it active and updated.

Oh, and avoid the cracked software.
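The deep-scan behaviour this answer describes (signature search with no file-system metadata, sizes rounded up, then a content-mode duplicate check) can be shown on a small scale. This is an added example, not part of the original answer or of any tool it names; it assumes 4 KiB clusters, unfragmented files, PNG as the only "known type", and a constructed in-memory image in place of a real disk.

```python
import hashlib
import struct
import zlib

CLUSTER = 4096                      # assumed cluster size (4 KiB is the common NTFS default)
PNG_SIG = b"\x89PNG\r\n\x1a\n"      # the "known type" signature the scan looks for

def png_length(buf, start):
    """Walk PNG chunks from start; return the exact file length, or None if damaged."""
    pos = start + len(PNG_SIG)
    while pos + 12 <= len(buf):
        length, ctype = struct.unpack(">I4s", buf[pos:pos + 8])
        end = pos + 12 + length     # 4 length + 4 type + data + 4 CRC
        if end > len(buf) or zlib.crc32(buf[pos + 4:end - 4]) != int.from_bytes(buf[end - 4:end], "big"):
            return None             # truncated, overwritten or fragmented
        pos = end
        if ctype == b"IEND":
            return pos - start
    return None

def carve(image):
    """Return [(offset, exact_bytes, cluster_rounded_bytes)] for every intact PNG."""
    found = []
    for off in range(0, len(image), CLUSTER):   # file data starts on a cluster boundary
        if image.startswith(PNG_SIG, off) and (n := png_length(image, off)) is not None:
            rounded = -(-n // CLUSTER) * CLUSTER    # what a size-blind tool would dump
            found.append((off, image[off:off + n], image[off:off + rounded]))
    return found

def group_by_content(blobs):
    """Content-mode duplicate check: group indexes of blobs with the same SHA-256."""
    groups = {}
    for i, blob in enumerate(blobs):
        groups.setdefault(hashlib.sha256(blob).hexdigest(), []).append(i)
    return sorted(groups.values())

def _chunk(ctype, data):
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def make_png(pixel):
    # Constructed 1x1 greyscale PNG, used only as sample data.
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00" + bytes([pixel]))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

def sample_image():
    """Constructed 4-cluster volume: no file system, two copies of A, one B, varied slack."""
    a, b = make_png(0x10), make_png(0xF0)
    pad = lambda data, fill: data + bytes([fill]) * (CLUSTER - len(data))
    return pad(b"", 0x00) + pad(a, 0xAA) + pad(a, 0x55) + pad(b, 0xAA)

if __name__ == "__main__":
    hits = carve(sample_image())
    print("rounded dumps:", group_by_content([r for _, _, r in hits]))
    print("trimmed files:", group_by_content([e for _, e, _ in hits]))
```

The two copies of file A only group together once each dump is trimmed to the length the format itself declares; with the cluster slack left on, a byte-exact comparison sees three different files.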

Author: baz


Updated on September 18, 2022

Comments

  • baz
    baz over 1 year

    One ntfs partition of my laptop was suddenly wiped out without any notice to me, when I rebooted from Windows 7 to Ubuntu 12.04 today. I am in need of help to save my files on that partition, which are important and unfortunately haven't been backed up yet.

    My laptop has two operating systems: Windows 7 and Ubuntu 12.04, with a ntfs partition shared between the two operating systems for storing some data files (109GB, about 97% of which has been used).

    I have almost always been using Ubuntu, but today I happened to have to work under Windows. Following is a record of what happened in the time order, numbering according to which operating system I was in at each stage.

    1. When I started into Windows 7, right before being able to log in, it took a while and two reboots to configure the Windows. I thought it was normal, since last time when I was using Windows two weeks ago, it took very long and several reboots to update Windows, since the last time I used Windows before then was in November last year.

      Then after finally being able to log in Windows 7, I installed Libre Office, MathType (I got it from http://dl.portablesoft.org/down/?id=2515, which I originally thought was a trial version, but later I learned was a cracked version and felt wrong. I made a copy of it at dropbox http://dl.dropbox.com/u/13029929/MathType_6.8_PortableSoft.rar, not for distributing it but to list it there just in case it will help to identify the problem), and MikTex. I then edited some .doc files in the ntfs partition under both Microsoft Office with MathType, and Libre Office.

    2. When I finished working under Windows and rebooted into Ubuntu, Ubuntu did some filesystem checking and reported that the ntfs partition was not able to be mounted.
    3. Then I rebooted again into Windows, and found that

      • the ntfs partition had been emptied, i.e. all the data files were gone, and only one system file bootsqm.dat and one system directory System Volume Information were there, with their last updated time being the time when I first rebooted from Windows to Ubuntu (in fact, it is 4 hours in advance of the actual time of that rebooting, see immediately below)

      • Also I noticed that the time shown by Windows is not correct for my time zone ((UTC-05:00) Eastern Time (US & Canada)), which is 4 hours in advance of the correct time (my current time is 3am, but the computer shows 7am).

    4. Same things happened when I rebooted into Ubuntu again:

      • the ntfs has been emptied and left with only one Windows system file bootsqm.dat and one Windows system directory System Volume Information.

      • the time shown by Ubuntu is 4 hours in advance of the correct time.

    I wonder what I can do to retrieve my data files back on the ntfs partition?

    If I am not able to do it myself, will some professionals be able to help me out?

    Thanks a lot!

    PS: I didn't think I did anything that required emptying that partition. But there were quite some works I did during that stage right before the reboot from Windows to Ubuntu when the problem occurred. Did I make any mis-operation?

    • Nicole Hamilton
      Nicole Hamilton over 11 years
      During the two reboots the first time you started Windows, did this look like the usual stuff after Windows Update has run? If so, that would be benign. But I'm concerned about your having installed "MathType (a cracked version)". By definition, that didn't come with a digital signature so who knows what was inside it. I'm suspecting a virus but there's just not enough information so far.
    • baz
      baz over 11 years
      @NicoleHamilton: (1) The Windows update two weeks ago looked normal to me. The Windows configuration today when I first booted into Windows was a bit unexpected, because during the update two weeks ago, I let Windows reboot several times so that the update seemed to complete. (2) The cracked version of MathType was supposed to not require any installation, and it did work as expected. It was downloaded from dl.portablesoft.org/down/?id=2515.
    • Nicole Hamilton
      Nicole Hamilton over 11 years
      If the reboots were merely unexpected but otherwise looked like genuine normal Microsoft Windows messages, I would not be concerned. I can't judge the site but when I clicked the link, McAfee instantly blocked all the d/l links. (I don't mean to sound too judgmental, but I do think pirated sw is wrong and that it exposes you to dealing with people who don't mind doing things that are wrong.)
  • baz
    baz over 11 years
    Thanks! I would like to upvote your quick response, but my reputation is too low to do that. In "before attempting any repairs/doing any tests", is data recovery software possible to attempt such repairs/do such tests?
  • baz
    baz over 11 years
    Also there is only one HDD in my laptop. Can I install data recovery software on a different partition instead of a different HDD?
  • HaydnWVN
    HaydnWVN over 11 years
    A different partition would work, but a better, easier option would be a pen drive/external hard drive in case this is a drive failure. The recovery software is just for recovering files, not repairs to filesystems/drives (it doesn't matter where it's installed). Your next step would be to run a Hard Drive diagnostic for your make of hard drive, I would use Hirens Boot CD for this. After that look at filesystem errors by running Checkdisk (chkdsk).
  • baz
    baz over 11 years
    Thanks, Synetech! "only one of the three had any hits on Virustotal at all, and even then, only two potentially false-positives." Do you mean none of the three executables is detected as virus by your Virustotal?
  • baz
    baz over 11 years
    Also do Windows' chkdsk and Ubuntu's check modify the partition, which makes recovery more difficult?
  • baz
    baz over 11 years
    Also do you have recommendations for professional data-recovery firms ?
  • baz
    baz over 11 years
    I just finished a deep scanning by Recuva (the free version, not the paid version). It does find back many files (not sure if all), and allow me to "Restore folder structure". But the restore fails because "Maximum path length exceeded". The files were created with too deep paths on the ntfs partition while I was under Ubuntu, and I guess it is their paths that are too long to be handled by Windows.
  • Synetech
    Synetech over 11 years
    Virustotal scans files with multiple antivirus tools. The files I checked were not detected as bad, but that doesn’t mean they aren’t (they may have been packed/encrypted, preventing them from being detected). chkdsk only makes changes if you use the /f (for “fix”) switch. It’s safe to use it without it. I don’t know about Ubuntu’s scanner, but I would think it is similar. I don’t know any recovery firms since I do my own recovery, but Google for data recovery, optionally adding your town. Try PhotoRec instead.
  • Synetech
    Synetech over 11 years
    I’m surprised it gives any filenames or directories at all instead of just dumping everything into a single folder and giving them successive numeric names. SteveO, Can you view the files in the results page (before recovering)? Do they look correct?
  • baz
    baz over 11 years
    @Synetech: (1) Recuva did find the files that were deleted. Since they cannot be recovered due to maximum path length exceeded, I cannot view the content. (2) But I tried another software R-studio. It found almost all my lost files and can restore folder structure. I recommend you to try it for your data loss problem too. Also see my two new questions regarding using R-studio, if you are interested.
  • baz
    baz over 11 years
    (3) Deep scanning in these applications can recover folder structures, and can search all the files and do not need to specify file type or file name for searching. So it seems that you think it in a different way?
  • baz
    baz over 11 years
    The two questions about Rstudio are here superuser.com/questions/473820/… and superuser.com/questions/473816/…
  • baz
    baz over 11 years
    @NicoleHamilton and Synetech: Thanks! What does it mean that the time shown by both Windows and Ubuntu has been changed to be 4 hours in advance? I now start to worry about the cause of my partition being wiped out, virus, disk failure, corrupted filesystem,...?
  • Synetech
    Synetech over 11 years
    I’ve already tried RStudio; it was one of the 8-12 programs I tried, and like all of the others, it had some good results, some bad. If it can get you all of your data back, then count yourself extremely lucky and make sure to backup from now on. :-)
  • baz
    baz over 11 years
    @Synetech: I haven't written anything to the partition, unless Windows did. I also made an image of the partition as soon as I could. Then I ran RStudio on the mounted image. That probably explains why I am able to get most of my files back. (1) What was RStudio bad in your case? (2) I heard there were some professional services www.krollontrack.com, and www.drivesaversdatarecovery.com with relatively good reputation. But they charge high > $1000. Can they possibly have their own not-revealed secrets that will do better job than those programs we have tried? Or just rip off our money?
  • baz
    baz over 11 years
    @NicoleHamilton: So Windows has extended the maximum length of paths. But there is still limitation. How about Linux (Ubuntu)? I upvoted your answer in another post, but wasn't able to comment due to my low reputation.
  • Nicole Hamilton
    Nicole Hamilton over 11 years
    @SteveO: Correct. There's still a limitation, but at 32K characters, the argument Microsoft is making (you decide if you agree) is that it's big enough to satisfy most needs. It sounds trivial to resolve any relative names and paste the \\?\ prefix onto a path, so you might wonder why every application vendor wouldn't do this. But it's more work than you'd think. The library I wrote to do this for my own product took just over 1900 LOC. Re: Linux, others would be better qualified to answer.