Understanding undeleted files

[johnrose]

Hello,
I am running Ubuntu 22.04 in dual boot with Windows 11. I very stupidly completely deleted all the files in my Windows NTFS system partition totaling around 50 GB (including packages installed under Windows but happily not my user data which is in another partition). I would very much like to undelete these files and insert them in the original directory hierarchy, in order to avoid having to completely reinstall Windows and Ubuntu.

I have tested the testdisk file undelete functionality on a sample of the deleted content (about 1GB containing around 1500 files). It seems to work very well but instead of my original structure of directories and files I get:
* about 650 files with names in the form $$DeleteMe[filename][32 character hex number]
* a directory called $Extend/$Deleted with sub-directories whose names are 24-character hex numbers, each containing one or more apparently well formed files with correct filenames, and also a few files whose filenames are 24-character hex numbers and whose content is unclear (a total in both categories of about 750 files).

At least in this sample, there is no clear information on directory names and relationships (perhaps coded in the hex numbers?). In order to use this output to regenerate my file structure I have to understand the above data which hopefully has all of the original content. Could someone help me in understanding the testdisk output?

Thanks and best regards, John

[cgrenier]

To rename all your files, use the following rename_deleteme_files.py python script

Code: Select all

#!/usr/bin/env python3
import glob
import os
import re

for fn in glob.glob('$$DeleteMe*'):
    matchObj = re.match(r'\$\$DeleteMe(.+)[a-f0-9]{32}', fn)
    if matchObj:
        print(fn, matchObj.group(1))
        os.rename(fn, matchObj.group(1))

To run this script, go in the directory holding the files to rename and run "python3 rename_deleteme_files.py".
If python3 isn't installed, you can install it via the Microsoft Store (It's free) or via python.org.

[johnrose]

Thanks Christophe,

Your program correctly renames the approximately 650 files with names in the form

$$DeleteMe[filename][32 character hex number]

. The approximately 735 files (which were already named correctly coming out of testdisk) are still within the

$Extend/$Deleted

directory in sub-directories whose names are 24-character hex numbers, as are the 15 files whose filenames are 24-character hex numbers and whose content is unclear (perhaps some sort of Windows archive file?).

Although the content in this sample represents only perhaps 2% of the total data in the partition, it looks to me that we have not progressed in getting the directory names and relationships which would be needed the organise the files into an operational system. Is this something that testdisk can or could do?

Cheers,
John

[johnrose]

I have now run the file undelete function on my entire accidentally deleted NTFS partition which contained my Windows 11 system in dual boot, including applications installed under Windows. The results are corrupted: directory structure incomplete and most files (although with content apparently OK) with coded filenames.

Since after the deletion I stupidly rebooted and aborted from the Windows recuperation USB drive, which wrote a small amount of data to the partition, the ability of testdisk to perfectly restore a deleted file system could not be tested. It would be interesting to learn from other users about their experiences with such a problem.

It took me a while to understand that, at the end when you are asked to choose the recipient directory for undeleted files, in addition to navigating up and down in the user's personal directory, you can use the left arrow to come up a level to /home, then another time to the root and then any directory in any mounted partition can be chosen (would be nice to mention this in the menu).

Thanks to Christophe Grenier pour his tremendous work on testdisk.

Very best, John