Wednesday, 24 April 2019

windows 10 - How can I efficiently recover a permanently deleted folder at once?


There was a folder on my hard drive that I want to recover after I deleted it. How can I restore an entire folder from the file system?


I have tried some tools to recover deleted files listed in these articles:



However these programs appear wasteful because they seem to recover files without a directory structure. I don't want to preview and then recover each file individually, but I would just like to specify a folder to be restored.


How can I restore a deleted folder at once?



Answer



Most tools shown on those websites are file carvers. In order to develop a strategy for data recovery you need to understand the two main different categories of tools for recovering files:




  1. File carvers → They scan any kind of disk and try to recover known file types by checking for specific signatures. For instance, JPEG files always start with bytes FF D8. This method only works for non-fragmented files and you don't get any clue about a file's name or location.




  2. Tools that work at the file system level → They read (possibly damaged) partitions by looking at the directory tree and then use the information specified there to access files. For this reason they can access any file as long as it is listed in the file system.




In principle you might think that carvers are basically useless, due to their limitations. However, this is not correct. Carvers can recover non-fragmented files on any kind of file system, even if you don't know its format. Also, they can recover non-fragmented files after their metadata (file records) have been completely removed from the file system.


In your case, the scenario is the following:



  • you have a recently deleted folder

  • you want to rebuild its directory structure

  • you need to restore all the elements inside


Thus you won't make any use of file carvers and you should avoid them. You need a tool that "speaks" NTFS (the file system used by Windows).



You could try to recover the files from Windows directly, however that would be a terrible idea. The more you use your OS, the more likely you are to overwrite them with new data.


For this reason, stop using Windows now and boot your PC using a Linux live DVD or USB (basically any modern version will do, no matter if it is Ubuntu, Fedora or anything else). If you don't have a live DVD or USB ready, use another computer to create it or buy a magazine that includes a Linux DVD. Do not use your PC to create the bootable medium as that would write a lot of stuff on your hard disk during the operation.


When you have loaded the system, connect an external USB drive to store the recovered files.




Disclaimer: I am the developer of RecuperaBit. Moreover, the following part is based on my previous answers posted here on Unix & Linux Stack Exchange and here on Ask Ubuntu.



Identification of the correct drive


Run sudo lsblk to identify your main NTFS partition (let's say the C: drive). The output might look a bit like this example:


$ sudo lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 32G 1 disk
├─sda1 8:1 0 500M 1 part
└─sda2 8:2 0 31.5G 1 part
sr0 11:0 1 2.8G 0 rom /cdrom
loop0 7:0 0 2.1G 1 loop /rofs

This tells me that this drive has a small 500 MB partition (the Windows boot loader) and a larger one of 31.5 GB over the whole 32 GB disk. Hence I now know that the C: drive of the virtual machine I am testing is /dev/sda2.


Using TestDisk


Your partition is not damaged, since you only deleted some files. Therefore you can try to use TestDisk which is an excellent piece of software for data recovery.


If you are running a Debian-based OS (including Ubuntu) you can install it with the following command:


sudo apt-get install testdisk

After this step, run it on the drive:


sudo testdisk /dev/sda2

Follow the on-screen instructions. Basically you need to press Enter until it asks you for a partition table type (None because we are scanning a single partition).


When it shows you a list stating that the partition is NTFS, you will see some options at the bottom. Select List to show its contents. You should be able to browse the files and navigate where the original directory was.


Note that, due to how Windows handles the recycle bin, the directory might be found in C:\$Recycle.Bin and not in its original place. Basically, look for it until you find it.


If you find it, highlight it with the arrow keys and then press C. This will enter the copy mode. You need to navigate to the external USB drive (it will be somewhere in /media/, i.e. inside media in the root directory of the Linux system) and then press C again to select it as the destination directory.


Done, you have copied the whole folder!


If you don't find it, the index records of the parent directory of the deleted folder might have been cleared so the folder you are looking for is not listed anymore.


In that case, follow the next session.


Using RecuperaBit


My MSc thesis was about reconstructing heavily damaged NTFS drives. When index records get damaged or overwritten, files and directories disappear from the directory tree even though they can still be recovered.


This is why I developed RecuperaBit, which uses a bottom-up approach for NTFS reconstruction. Follow these steps to recover your folder:



  • Create a directory named recuperabit_output in your external USB drive.

  • Download RecuperaBit from GitHub and extract it into a folder.


  • Run it passing the drive and the path where to store the recovered files as arguments:


    sudo python /path/to/RecuperaBit/main.py /dev/sda2 -o /path/to/the/external/USB/drive/recuperabit_output


  • Let it scan the drive by pressing Enter.



  • Type csv 0 list.csv to generate a list of files.


  • Open the resulting CSV file with LibreOffice to find the identifier of the directory. Example:


    enter image description here


    If I wanted to recover System Volume Information, that would be directory 31.




  • Go back to the RecuperaBit console and type restore 0 31 where 0 means the first partition, i.e. the only one you are analyzing.




There you go, you now have your files in the external USB drive, under recuperabit_output/Partition0.


No comments:

Post a Comment

How can I VLOOKUP in multiple Excel documents?

I am trying to VLOOKUP reference data with around 400 seperate Excel files. Is it possible to do this in a quick way rather than doing it m...