I was messing around in the KDE settings when I noticed that my windows borders were changing, and I didn't change them. I went to change them back and noticed that all but 2 themes were gone. I started switching between windows seeing if they were all changed, and my system was becoming sluggish. I thought maybe this was a problem that a reboot would fix or a login and logout would fix. My system had become too sluggish to reboot it anytime soon so I did a alt+sys req REISUB.


Now I had a new strange problem. My computer wasn't booting Linux. It would try to boot from the usb drive or anything but Linux. I have Slackware with KDE on my usb drive as a live system. I booted it up and discovered that all of my files from 2 drives had been wiped except for very few that might have been in my ram and written to disk right before I issued the reboot.


I suspect it was a buggy script that could have caused it. The important thing for right now is not what caused it but can it be recovered. How much of it can be recovered? I can tell this is not the result of a faulty drive or a reformat. The filesystems on both drives are perfectly intact. There's a bunch of free space that wasn't there before. I've been mounting the drives with read-only and have not written anything to disk.


One drive is a 1 terabyte that was formatted as NTFS because Windows had to be able to access it too. The other drive is is a 200-300 gb SSD with ext4.


I'm about to try photorec. What else do I need to know about recovering the files besides don't write anything new to the disks? How much of it can be recovered? What's the chances of doing a successful recovery? Is there anything besides photorec I should be using?

I use photorec - but not for system files, especially Windoze. Handles NTFS fine. coupla warnings;
- you need to make sure you have a separate target/recovery disk, and ensure photorec is pointed to it.
- you lose all filenames. Can be a PITA, but it is what it is.

Forgot to mention, you can narrow the files that need to be scanned for - so in my case I only care about photos. Saves work later. Oh, and it will take a while - maybe days.

fakie_flip,

I can recommend diskdigger for both Linux and Windows:
https://diskdigger.org/

https://www.techrepublic.com/blog/wi...th-diskdigger/

Note that the free version recovers files one at a time and takes forever, so I advise spending $14.99 on the paid version which is much faster.

Nevertheless it will still take a while on large capacity drives, but it does work.

1 members found this post helpful.

The important thing is definitely "what caused it".
The more info you can provide,the more likely you are to take the correct steps to recover.

Otherwise, yeah, flail about with photorec and see what you can find.

1 members found this post helpful.

Completely agree.
I've been in computer forensics for a long time now. My advice:

• Do not even power on your SSD, before you are going to execute a carefully planned action.
  A trim on on this SSD and you will not be able to recover deleted files.
  Best steps, assuming your drives are not encrypted:

  
  Take out both drives and make dcfldd (much better than dd) images (or another forensically sound format, like EWF), to a large enough drive.
  Be sure to mount the drives READ ONLY (will not protect you against firmware induced trim).
  It's very OK, to use a Windows pc for this and use FTK-Imager (free!) FTK_Imager will show you lots of usefull information about your drive, and deleted files. It's one of my favorite Windows forensics tools.
  Then run Photorec on the images and not on the drives itself. You will be missing file names, so it probaly leaves you with a big puzzle. restorung a running system this way will be a PITA. Getting back user files is more likely.
  In Photorec limit the mime-types to look for as much as possible, for the best results. By working on the images, you can play with this settings to find the optimum. Probably the best to start with lookin in "free space" on the FS only and not "whole disk". Your mileage may vary.
  

  Keep the drives as they are, if you can afford it.
  If you really want to use your own pc:

  
  Boot from a forensically sound Linux distro. Paladin is probably best of breed for this job.
  Attach a larg enough drive to create the images on.
  Paladin includes Photorec
  

And then...? Root cause analysis! You really have to find out what happened. Use the images for that.
Mount the images
Check for root kits and other malware.
Look for suspicious files.
Compare with a fresh install...

You will learn a lot about your system!!!

2 members found this post helpful.

Use your backups to restore them.....you do have backups, don't you(?).

Try Testdisk, if you will have some luck.
https://www.cgsecurity.org/wiki/TestDisk_Download

Photorec is part of testdisk.
See my earlier quote on how to operate in a sound way.
I consider "Try Testdisk" as an advice that may do more harm then good.

Possibly not.
Different tools for different purposes. Perhaps you too are not the embodiment of all knowledge.

Not what?
Strategy in the first place. Tools in the second.
Not perhaps, but certainly.
As you can read, I gave an advice, not the ultimate solution.
If you can tell me what's wrong with my advice, I can learn from that.

1 members found this post helpful.

Wow. I would have thought that nobody would ever want to reinvent RECOVER.EXE. (I've was fortunate enough, back in the day, to never have been so desperate to have to use it to recover from a real problem.) I cringe at the thought of running such a tool on a terabyte of data files.

Oh the potential for damage that can result when a script run from, we can only assume given the extent of the file clobbering, the root account goes awry. Hopefully, there are recent backups.

How much space do I need for recovering 1 terabyte hdd + 300 gb hdd? Do I need identical amount of space?

Ideally you should clone the problematic drive to a secondary location first and work on that, so you'd need more than that.
If you don't do that you need at least as much extra space as all the data you want to recover, but keep in mind that photorec will always recover much more than that.
So, best case scenario, you need 2 extra TB for that 1TB drive only.

I'm looking at possibly buying this drive for the recovery.


https://www.newegg.com/black-seagate...82E16822184784


Other than using it for recovery, it would primary be used for storage, so I think the slower speed is OK for that because it looks like a great bang for the buck and Seagate should be higher quality than the el-cheapo off-brand chinese drive I found.

FWIW, I did something similar a while ago - bought extra storage to be able to properly restore lost data.
Since I had to establish a backup scheme anyhow (lesson learned!) it was just a matter of course.

If you are 100% sure that

• you will use the drive in read-only only
• it has no hardware problems

then, IMO, you can skip the cloning of the drive.
But beware: testdisk can do some read/write operations.