ntfs-3g unrecoverable files deleted just now
 

Hi,
this is my first post but many times I founded here the answer to my question. :)
I Have a laptop (Sony Vaio) with triple-boot: vista, xp, mandriva 2010 with gnome.
Today the update of Vista was unsuccesful and that os is broken, so I started to copy my files to an external hard drive.
Unfortunately the usb cable went out before I dismounted the hard drive but after I deleted the files from the internal hard disk. :(
How could I undelete these files? ntfsundelete and testdisk are unable to find them.
I'm afraid of rebooting the laptop, because I don't want that the sectors could be overwritten.
Thank you in advance and sorry for my english.

google ddrescue.

The sectors doesn't get overwritten unless you actually make a new partition over the old ntfs partition.

Tools like dd, ddresuce, dcfld, dd_rescue and linen are used to make bit-by-bit copies of hard disk space. Making a hard disk copy ensures data is kept stored and enables one to work more safely but these tools themselves do not perform any undeletion. So if that's your only advice for undeleting files then you should read before you post. OK?


Replaying a journal log on partition mount, writing a system event log on bootup, automagical system update checking and logging in are examples of (in)voluntary activity on the system which all can cause freed blocks to get re-allocated.


Do you have any previous backups?
What type(s) of files are we talking about?
From which main folder?
Did you ensure all files where still there when you tried to back them up?
How did you access the drive to back files up: from Linux or from Windows?
How much files percentage-wise did you estimate you copied to your external drive?
Did you power down the machine and the external drive immediately after you noticed you removed the USB cable?
What is the file system of the partition you copied the files to?
Can you verify the integrity of that partition without mounting it?
Can you install testdisk and photorec in Mandriva, attach the external drive (but don't mount partitions) and see if running 'testdisk /debug /log' on the external drive shows the partition(s)?
If it does, can you list files (P key)?
Same for the Vista partition (no need to mount it)?
Please attach the testdisk log as plain text.

The most important files are eclipse and netbeans workspace folders. I have an old backup without the new projects for what I am working in these days, the projects are for university.
I copied and deleted the files from linux, the external hard drive is ntfs.

On my laptop the partitions are:

- Recovery Partition, primary (boot), 8 GB
- Vista Partition, primary (NTFS), 100 GB
- Xp partition, primary (NTFS), 40 GB
- mandriva logical units (ext3, swp, ext3) in extended partition, 40 GB

I shutted down the machine long time after the tragedy (4 hours). The external drive is western digital my passport 2.5" and is powered by the same usb as for data :(
The external disk wasn't working, so no partition is broken. Under madriva how could I check the ntfs integrity?

Since two days I worked on Vista partition only from linux and XP. By Xp I executed GetData "Recover My Files" and it founded the files but with numbers for name, I suppose is the MFT entry address.

Now I'm trying Advanced NTFS Recovery under XP, under linux ntfsundelete founded several files but not what I'm searching for.


how does ntfs-3g works in deletion of directories?

In my situation is better if I search deleted files and directory under linux or under windows xp?

Many thanks!

Have you tried Photorec?

Video: Recover Deleted Files with Photorec
http://www.youtube.com/watch?v=X91sKWXqW6w

Mcrsft prdcts AFAIK by default use a dynamically resizing swap file, have a lot of background services reading and appending to logs, regularly write the registry and when logged in there'll be reads and writes in users homes as well. Your summary shows Vista occupying only one partition so this means all reads and writes use the same unallocated space and if enough processes get started that push other processes into swap this increases the rate at which unallocated space needs to be reclaimed. By that measure continuing to work 4 hours before backing up files is long.
Working from any mcrsft prdct that mounts a partition writable allows for journal replays, meaning any "dirty" state corrections are beyond control (in ext3 you would use "-o ro,norecovery,noload" to prohibit loading and replaying the journal), but mounting a NTFS partition from within Linux using ntfs-3g does IIRC not allow for journal replays on NTFS.
So your initial copying from Linux to external NTFS would have been a good choice if you used ntfs-3g with "-o ro" but since you managed to delete files after copying you did not. Working from within XP definitely was not a good choice. Given what you did your primary goal is not to recover files using photorec (which I already mentioned, right?) testdisk, ntfsundelete or fls but to make a copy of that partition to a file using 'dd'. That file must not reside on your external (NTFS formatted) disk or your laptop hard disk. Creating a backup of what is left should not be seen as a promise or guarantee that you will be able to salvage any remnants but, with all due respect, as a safeguard against further fsck ups.

I think that chances of partial recovery are slim and I'm also kind of confused by your account so far. In your OP you stated you started to copy files from within Linux to your external (NTFS formatted) disk before severing the USB connection but in your reply you state "the external disk wasn't working".
- How long do you estimate you copied files over before disconnect?
- Did you mount your external (NTFS formatted) disk writable?
- Did you attempt to "repair" that partition?

I remained in linux 4 hours, and I never used vista since deletion.
Exactly what happened is so: I choosed to boot mandriva linux, I attached the external hard drive, I copied some files and folders residing in vista partition and deleted them.After then I moved a bit the laptop and I noticed that the mounted volume icon disappeared from desktop.
I guessed that the usb connection was lost because the plug was partially removed, I discovered indeed that the usb cable is broken.
The transfer is lasted few minutes, I still should go on with my backup.
Sorry, with "no working" i mean "not running", just to explain that there wasn't data transfer in that moment. Now the external hard drive (with another usb cable) is ok.
I mounted the external drive with write permission.
Testdisk don't find my searched files through deleted files.

In Vista partition the deleted directories were located in root directory (i.e. C:\eclipseProjects), is this because testdisk photorec and ntfsundelete can't find them?

Could I copy the entire Vista partition with dd to another NTFS external hard drive and then mount that file under linux?

Still not completely clear but let's work with what we have. If you boot Linux and run 'fdisk -l' your hard disk might be /dev/hda if it's (E?)IDE but I'll hazard the guess it's SATA so it'll hopefully be the first device or /dev/sda. Your Vista partition is the second primary one so that'll be /dev/sda2 else substitute the right name in the next examples.

To backup your Vista partition mount your external USB drive with write permissions. Let's for example say the file system is mounted at mountpoint "/media/usbdisk" (else substitute the right name). Now (as root) issue 'dd if=/dev/sda2 bs=2048K of=/media/usbdisk/vista.dd' and let it finish. To mount that partition you could run 'losetup /dev/loop0 /media/usbdisk/vista.dd'. Note that for running tools like testdisk or photorec the loop-mounted partition does not need to be mounted with ntfs-3g to be accessible.

To run testdisk on your Vista partition in recovery mode (asserting your external USB drive is mounted with write permissions) 'cd' into the directory where you want to backup the files ("/media/usbdisk" from our previous example). Do not mount your Vista partition (not necessary anyway) but just run (as root) 'testdisk /debug /log /dev/sda2' (or substitute "/dev/loop0" from the previous example). Inside testdisk select sda2, select "None", select "Analyse", select "Quick Search", now type "p". If by now you see a directory named "eclipseProjects" enter it and notice the fourth column (size). If any files are not zeroed out then move one directory up, select "eclipseProjects" again, press "c" and answer "y". This should copy the whole "eclipseProjects" tree to your external USB drive partition. When done press "q" often enough to exit testdisk.

Now the reason you always run testdisk with the "/debug /log" arguments is that now you have a "testdisk.log" on your external USB drive partition as well. So if anything went wrong you can attach it to your next reply as plain text.