Best undelete tool for NTFS/FAT?
I was working in windows and decided to reboot. When I reboot, the drive that the windows partition is on is unrecognizable and is not even listed. So I boot into ubuntu. I can not mount the drive and it is never recognized in nautilus. I am pretty sure it is not a mechanical error, for it spins fine, and I can do ‘cat sdg'(sdg being it’s location) and large amounts of data being spewed out. The only way I was able to detect it is through the Disk Utility program, and it is able to display information about the drive, but it says the drive is unformatted and is 500 GB of undefined. How should I go about recovering this?
EDIT: I just ran the analyze function of testdisk and it was able to recognize the three windows partitions. What should I do from here? I only have enough space available to back up one partition (the only one I care about).
EDIT2: In the analyze screen, it lists two partitions as deleted. One of them being the one i want to recover. How would I recover it?
EDIT3: I have successfully recovered all of the partitions using testdisk. The cause of all this turned out to be a trojan, I think. The drive is now functioning again. Thanks for the help.
First off, before you try and recover the partition, if you’ve got enough free space to hold a copy, get an image of what you’ve got left before you start experiment with recovering it. You mentioned /dev/sdg, so the command below is written with that assumption.
dd if=/dev/sdgN of=/wherever/image_file bs=512
Where N is the number for your windows partition. After that, it’s time to break out some software to see what can be recovered. A quick search turns up Active@ Partition Recovery, NTFS Partition Recovery, which are commercial. There is also TestDisk (GPL) (which you found).
Since you’re still able to boot Linux, I’m assuming you have some sort of dual boot setup and that your Master Boot Record is intact (if you’re not using GPT). Sounds like your partition table has some issues, though. Obviously, your Linux partition(s) are fine, but the entries for your Windows partitions must be missing / damaged / deleted. Backing up your partition table is probably a good idea, see these MBR instructions and GPT instructions.
You can always copy the image back to the device file:
dd if=/wherever/image_file bs=512 of=/dev/sdgN
Which you would want to do if whatever recovery program you try attempts an in place recovery and fails, possibly making the problem worse.
Be careful with using dd with raw device files, triple check your command lines and devices, or you could damage another partition or your whole drive.