How to save an NTFS partition which suddenly became empty

One NTFS partition of my laptop was suddenly wiped out without any notice to me, when I rebooted from Windows 7 to Ubuntu 12.04 today. I am in need of help to save my files on that partition, which are important and unfortunately haven't been backed up yet.

My laptop has two operating systems: Windows 7 and Ubuntu 12.04, with an NTFS partition shared between the two operating systems for storing some data files (109GB, about 97% of which has been used).

I have almost always been using Ubuntu, but today I happened to have to work under Windows. Following is a record of what happened, in time order, numbered according to which operating system I was in at each stage.

  1. When I started into Windows 7, right before being able to log in, it took a while and two reboots to configure Windows. I thought it was normal, since last time when I was using Windows two weeks ago, it took very long and several reboots to update Windows, since the last time I used Windows before then was in November last year.

    Then after finally being able to log in Windows 7, I installed Libre Office, MathType (I got it from http://dl.portablesoft.org/down/?id=2515, which I originally thought was a trial version, but later I learned was a cracked version and felt wrong. I made a copy of it at dropbox http://dl.dropbox.com/u/13029929/MathType_6.8_PortableSoft.rar, not for distributing it but to list it there just in case it will help to identify the problem), and MikTex. I then edited some .doc files in the ntfs partition under both Microsoft Office with MathType, and Libre Office.

  2. When I finished working under Windows and rebooted into Ubuntu, Ubuntu did some filesystem checking and reported that the NTFS partition was not able to be mounted.
  3. Then I rebooted again into Windows, and found that

    • the NTFS partition had been emptied, i.e. all the data files were gone, and only one system file bootsqm.dat and one system directory System Volume Information were there, with their last updated time being the time when I first rebooted from Windows to Ubuntu (in fact, it is 4 hours ahead of the actual time of that reboot; see immediately below)

    • Also I noticed that the time shown by Windows is not correct for my time zone ((UTC-05:00) Eastern Time (US & Canada)); it is 4 hours ahead of the correct time (my current time is 3am, but the computer shows 7am).

  4. Same things happened when I rebooted into Ubuntu again:

    • the NTFS partition has been emptied and left with only one Windows system file bootsqm.dat and one Windows system directory System Volume Information.

    • the time shown by Ubuntu is 4 hours ahead of the correct time.

I wonder what I can do to retrieve my data files from the NTFS partition?

If I am not able to do it myself, will some professionals be able to help me out?

Thanks a lot!

PS: I didn't think I did anything that required emptying that partition. But there was quite a lot of work I did during that stage right before the reboot from Windows to Ubuntu when the problem occurred. Did I make some mistake in operation?


You're best off looking at some data recovery software to recover your important files to another medium before attempting any repairs/doing any tests. It sounds very much like a corrupted filesystem/mount point.

Personally I've previously used 'Ontrack Data Recovery' and 'GetDataBack for NTFS' for recoveries such as these.

Your next step would be to run tests to check the consistency and health of your hard drive(s).


Virus?

I examined the executables from your cracked program and surprisingly, only one of the three had any hits on Virustotal at all, and even then, only two potential false-positives. That doesn’t rule out a virus though.

From your description, it really sounds like you were hit with a virus. That only System Volume Information was left on the drive is particularly telling because it is a specially protected folder which even running as an administrator is insufficient to delete (that is, while it can be done, a typical virus would not be able to attain the required permissions).

Scan for Diagnosis

Did you run a scan of the volume yet? Run chkdsk (without the /f switch) and see what it says. You mentioned that Ubuntu did a check and complained about the volume, and that there was a bootsqm.dat file on it, which implies that chkdsk has been run at some point, but without specific results giving information on the state of the volume, it’s hard to judge the likelihood of successful recovery since the specific damage cannot be assessed. I would point out however that if there are any visible files or folders, as is the case here, then the file-system itself appears to be intact and that the rest of the data has merely been deleted (which again points to the virus).

Professional Recovery

There are professional data-recovery firms that can attempt to recover your data, but they cannot perform magic. There are limits to what they can recover, and even if you are lucky, chances are it will end up being quite expensive (especially if you expect to get back the full 105GB).

Recovery Tactics

Your best bet is to run a battery of recovery-programs. Download, install, and run a whole bunch of data-recovery tools (on the Ubuntu/Windows systems of course, not the problem volume). You can Google for data-recovery, undelete, and unformat to find lots of options. Choose the ones that have good reviews.

Run them, setting each one to save the recovered files to a different location (e.g., C:\Recover\Recuva, C:\Recover\Undelete360, C:\Recover\PhotoRec, etc.). Make sure to try both the basic scan and the deep-scan. The basic scan will use any information it can get from the file-system (e.g., filenames, folder structure, file sizes, etc.) as a guide and will provide you with the best results, metadata wise. The deep-scan will search the disk directly for any files of known type and will give the best results data wise, but will have no filenames, dates, sizes, etc.

In your case, since basic scans do not work, it looks like the file-system was wiped, meaning that all filenames, directories, dates, sizes, permissions, etc. are gone. Your only hope now is to run multiple tools in deep-scan mode. However this has some implications: (1) all files will be recovered to a single dump and they will have the current date and their sizes are rounded up (meaning that they will contain some junk at the end), and (2) any files you had that are of a type not known to the program cannot be recovered. As such, you are even more advised to run multiple programs since some may recognize types that others do not.

Post-Recovery

Once you feel comfortable that you have gotten at least one copy of every file you possibly can, run a duplicate-file checker (set to content-mode) to weed out the duplicates and winnow down the files to a (hopefully) manageable size. I recommend AllDup for numerous reasons.

Abandon hope all ye who enter here

Be aware that there is no click-it-and-be-done-with-100%-satisfaction solution. You will have to do a bunch of work yourself and there is no guarantee that you can get anything back, let alone all of it. On April 25 2011, I accidentally deleted 8,000-9,000 graphic files taking up 978MB from a FAT32 volume. I ran the aforementioned battery of recovery programs (almost a dozen of them). It is now almost 1½ years later and my folder of “recovered” files is 9.59GB, containing 39,723 files. Further, I locked down the source volume for over a year and avoided using it at all (which was quite annoying every time I ran out of space). I have made a lot of progress in cross-referencing files, checking them for corruption, moving them, and so on (I’ve probably processed a good 1,000-2,000 files), but I still have a long way to go. I have already had several files that were no good and had to be replaced; some could be re-downloaded, others were lost forever.

Silver Lining

Losing files sucks. There’s no beating about the bush or soft-pedaling; it just sucks. If the files happen to be ones that you downloaded, then you can use your browser’s history to help recover them, but if they are files that you created yourself, then it hurts particularly badly. Take this incident as motivation to learn about your system and tools. When I got hit with the Chernobyl virus in May, 1999, I opened a book and learned all about the FAT32 file-system so that I could examine my disk and recover my files. When I deleted those photos, I researched recovery-programs (and started designing my own). When my data-drive had a problem last week, I was thankful that I had a full directory listing of every single file along with their names, dates, sizes, etc. from just a couple of days earlier (though I would have been happier if my last backup was more recent).

While you work at recovering your data, take this opportunity to plan and deploy some sort of backup system. You don’t have to make a duplicate copy of everything either; just back up the files you create, and keep an inventory of the files you have downloaded (along with a full browser history for the URLs). That way you can be safe while keeping the storage overhead to a feasible level.

Also get some security software (Windows 7 already has Windows Security Essentials) and keep it active and updated.

Oh, and avoid the cracked software.
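To make concrete what the answer above means by a "deep-scan" (signature carving with no file-system metadata, sizes rounded up with junk at the end) and by a content-mode duplicate check, here is an added example that is not part of either answer and not code from any of the tools named. It builds a small constructed disk image in memory, carves every hit for three well-known file signatures (PNG, JPEG, PDF) regardless of what the file-system says, pads a truncated hit to a fixed block the way carving tools do, and then collapses duplicate carves by SHA-256 of their content. The signature table, the 4096-byte fallback block and the sample image layout are assumptions chosen for illustration; a real tool knows many more types and works on the raw device.

```python
import hashlib

# Constructed signature table: type -> (header bytes, trailer bytes).
# A real carver (PhotoRec, etc.) has hundreds of these; three are enough to show the idea.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

# When no trailer is found, carve a fixed block. This is the "rounded up, junk at the end"
# behaviour the answer describes: the tail of the carved file is whatever followed it on disk.
FALLBACK_BLOCK = 4096


def carve(image: bytes, max_len: int = 64 * 1024):
    """Deep-scan the raw image for every header hit, ignoring any file-system structure.

    Returns a list of (type, offset, data) sorted by offset. No names, dates or
    true sizes are available at this level; only what the bytes themselves reveal.
    """
    hits = []
    for kind, (head, tail) in SIGNATURES.items():
        start = 0
        while True:
            off = image.find(head, start)
            if off == -1:
                break
            window = image[off:off + max_len]
            end = window.find(tail, len(head))
            if end == -1:
                data = window[:FALLBACK_BLOCK]        # truncated: carry junk up to the block size
            else:
                data = window[:end + len(tail)]       # trailer found: exact length
            hits.append((kind, off, data))
            start = off + len(head)                   # keep scanning past this header
    return sorted(hits, key=lambda h: h[1])


def dedupe_by_content(hits):
    """Content-mode duplicate removal: keep the first carve for each distinct SHA-256."""
    seen = set()
    unique = []
    for kind, off, data in hits:
        digest = hashlib.sha256(data).hexdigest()
        if digest in seen:
            continue
        seen.add(digest)
        unique.append((kind, off, data))
    return unique


def build_sample_image() -> bytes:
    """Constructed disk image: filler, a PNG, a JPEG, the same PNG again, a PDF, a truncated PDF."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 20 + b"IEND\xaeB`\x82"      # minimal stand-in, 36 bytes
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-body" + b"\xff\xd9"   # 27 bytes
    pdf = b"%PDF-1.4\n%constructed\n%%EOF"                               # 27 bytes
    truncated_pdf = b"%PDF-1.7\ntruncated"                               # no %%EOF trailer
    filler = b"\x00" * 300                                               # unallocated space
    return (filler + png + filler + jpg + filler + png + filler + pdf
            + filler + truncated_pdf + b"\x00" * 5000)


if __name__ == "__main__":
    img = build_sample_image()
    hits = carve(img)
    for kind, off, data in hits:
        print(f"{kind} at offset {off}: {len(data)} bytes")
    unique = dedupe_by_content(hits)
    print(f"{len(hits)} carved, {len(unique)} unique by content")
```

Run it as-is to see five carves collapse to four unique files; the second PNG is a byte-identical duplicate, and the truncated PDF comes out as a 4096-byte block whose tail is filler, which is why the answer warns that deep-scan results need a content-mode duplicate check and some manual cleanup afterwards.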