Page 1 of 2

TestDisk "Undelete" founds almost all files and folder structure but seems that all files are corrupted

Posted: 21 May 2023, 21:34
by Caine
Hi guys, thanks for this nice tools, the problem:

- Main disk shared between MAc OSX partition and BootCamp partition
- Bootcamp windows accidentally restablished (not recovery, restablished, deleting users data, folders, etc)
- TestDisk finds almost everything, with folder structure included (almost 50.000 files) however seems that all files are corrupted, I can't open one of the singles files correctly, bad format pdfs, text files with weird characters.... etc.

In the other hand PhotoRec finds also the files but as you know I dont have folder structure or proper name, so it is very difficult to find what I want, but the files are correct and I can open them.

Thanks.

Alex

Re: TestDisk "Undelete" founds almost all files and folder structure but seems that all files are corrupted

Posted: 22 May 2023, 15:15
by recuperation
That is an interesting problem. But as there is no case description apart from that the undelete process failed, I am completely in the dark.

Re: TestDisk "Undelete" founds almost all files and folder structure but seems that all files are corrupted

Posted: 24 May 2023, 22:23
by Caine
Oh, I really apologize, let me know what do you need and for sure I will provide it for you. Logs, screenshots, whatever...

Thanks in advance.

Alex

Re: TestDisk "Undelete" founds almost all files and folder structure but seems that all files are corrupted

Posted: 24 May 2023, 22:44
by recuperation
Caine wrote: 21 May 2023, 21:34 Hi guys, thanks for this nice tools, the problem:

- Main disk shared between MAc OSX partition and BootCamp partition
I consider this as an error-prone configuration due to Windows behaviour of not shutting down completely.

- Bootcamp windows accidentally restablished (not recovery, restablished, deleting users data, folders, etc)
I don't have a Mac and do not know what "Bootcamp windows accidentally restablished" means and how that affects storage.
- TestDisk finds almost everything, with folder structure included (almost 50.000 files) however seems that all files are corrupted, I can't open one of the singles files correctly, bad format pdfs, text files with weird characters.... etc.
The obvious questions here are, what is the partitioning scheme, how many partitions, what is their size, what is their file system, where is the lost data located, what are the file types, what is the length of the lost files, are there long videos or other long files that Photorec recovered and which can be opened?

Here is a questionnaire, not all questions might apply, but this gives you an idea what you missed out:

viewtopic.php?p=37346#p37346

Re: TestDisk "Undelete" founds almost all files and folder structure but seems that all files are corrupted

Posted: 24 May 2023, 23:12
by Caine
I consider this as an error-prone configuration due to Windows behaviour of not shutting down completely.
No the case, what happened is that I configured my personal computer within my company managed computers through Microsoft, recently due to a problem I tried to remove my computer from the allowed devices and believe or not the computer itself started the process of "Reset" the PC, as soon as a restart happened all the Users folder in windows was gone.
I don't have a Mac and do not know what "Bootcamp windows accidentally restablished" means and how that affects storage.
For sure not well explained on my side, again sorry:
- 1 x 250 GB Disk
-----Partition 0 -> 150 GB with HFS+
-----Partition 1 -> 100 GB Bootcamp partition with NTFS

As commented before when running windows the computer itself started a Reset windows process, I used before the word "Restablish" because of a direct translation frim ly side.

Image
The obvious questions here are, what is the partitioning scheme, how many partitions, what is their size, what is their file system, where is the lost data located, what are the file types, what is the length of the lost files, are there long videos or other long files that Photorec recovered and which can be opened?
Absolutely... here we go!!

partitioning scheme:

2 Partitions, lost data in partition 1 - Basically the lost data is the C:\Users folder of Windows bootcamp system

- 1 x 250 GB Disk
-----Partition 0 -> 150 GB with HFS+
-----Partition 1 -> 100 GB Bootcamp partition with NTFS

File types, mainly I would like to recover the documents folder:
- PDFs
-Office documents
-JPGs

File lenght


Less than 10 MB generally speaking with exceptions

are there long videos or other long files that Photorec recovered and which can be opened?[

I would say no

I sent you a private msg with the log of TestDisk

Re: TestDisk "Undelete" founds almost all files and folder structure but seems that all files are corrupted

Posted: 25 May 2023, 00:03
by Caine
1.Which operating systems can be booted from your computer where the incident happened?
List them all!

- Mac OSX Big Sur 11.7.4
- Windows 10

2. Which version of Testdisk do you use?

-Latest one 7.2

3.Do you prevent/reduce write access to the failed drive/file system?
[Yes/no]
Yes

4. If yes, how is that done?

[X] I am booting the Mac system in the Partition 0

5. Is the broken drive a drive where an operating system resides on or is it a data drive?

A drive where the OS resides

6. What technology is your disk (HDD, SDD, USB stick, Compact Flash card, SD card,...)?
SDD -APPLE SSD AP0256M

7. What is the size of your disk?
250 GB

8. Who is the maker of your failed drive?
Interesting question, they are propietary

9. What is the model?
APPLE SSD AP0256M

10. Is the drive something you bought "naked" one or does it come with a housing and a connector for a computer (p.e. like "WD My Passort")?
No, present in the computer.

11. If possible, provide a logfile from smartmontools!
I will try for sure

12. What has been the partitioning scheme used on the failed drive (MBR (old partition table style), GPT, Superfloppy)
GUID

13. How many partitions have been on the broken drive, what was their size, what was their file system?
2 partitions, explained in previous post

14. Is your drive visible in your operating system (Windows: Disk management, Linux use lsblk command, get information using hdparm command)
Yes

15. Is the partition scheme containing your partitions still visible?
Yes

14. Describe the supposed event when your system went from "OK" to "broken"!
Already explained in previous pst / Rest PC windos procedure

15. Is your disk showing signs of failures such as
-clicking noises -> No
-permanent reboot (spindel speed up followed by a stop) -> NO
-no spindel speed up -> NO

16. Do you use encryption, if yes, which one?
NO

Re: TestDisk "Undelete" founds almost all files and folder structure but seems that all files are corrupted

Posted: 25 May 2023, 11:10
by recuperation
Caine wrote: 24 May 2023, 23:12 No the case, what happened is that I configured my personal computer within my company managed computers through Microsoft, recently due to a problem I tried to remove my computer from the allowed devices and believe or not the computer itself started the process of "Reset" the PC, as soon as a restart happened all the Users folder in windows was gone.
If your computer is company managed, configuration changes should be out of your scope.
" remove my computer from the allowed devices" I don't know what that should mean. Did you disconnect your computer from the company network?

It appears to me that your personal data was deleted and the (re-)installation process has overwritten free space which formerly belonged to your personal files.
There is no plausible reason for a situation where the deleted files that have been restored by Testdisk are dammaged but can be read by Photorec.
It may be that the undelete function of Testdisk ignores the state of the clusters that the file entry of the deleted file is pointing to. That will ensure that you can restore a file even when a part of it has been overwritten. Depending on the content of the file the file may become unreadable or not.

When undeleting a file on a NTFS file system the related clusters should be in a state of being free in the cluster bitmap because deletion marks the affected clusters as free.
Unfortunately that is not a sufficient indication that a recovered, undeleted file is unchanged, because a cluster might be used after the deletion of the file by the creation of another file. If that newly created file is deleted afterwards the affected clusters will be marked as free again but their contents will have changed.

There is other commercial software (don't know which one) that will inform you about the state of the file when undeleting it.
I would try out commercial software for undeleting purposes hoping to have a higher chance of untouched files.

I pretend that unreadible files created by the Testdisk undelete function will not become readible when its content is being found by Photorec on the disk.

Re: TestDisk "Undelete" founds almost all files and folder structure but seems that all files are corrupted

Posted: 25 May 2023, 21:07
by Caine
Thank you very much for your reply.
If your computer is company managed, configuration changes should be out of your scope.
" remove my computer from the allowed devices" I don't know what that should mean. Did you disconnect your computer from the company network?
No basically my case is this one but with a bad ending story, basically there is a way in Microsoft Teams to allow the organization to manage your device, when you remove it for the managed devices list this can happen.
https://learn.microsoft.com/en-us/answe ... my-organis

Well I will keep trying, in the TestDisk logs there are a lot of lines with different errors like:
  • Couldn't create file xxx
  • Couldn't create output file xxx
  • Truncation not performed because file has an inconsistent $MFT record.
  • File has resident data.
The log --> https://drive.google.com/file/d/1XgGk54 ... share_link

Thanks again for your time.

Re: TestDisk "Undelete" founds almost all files and folder structure but seems that all files are corrupted

Posted: 26 May 2023, 08:54
by recuperation
Caine wrote: 25 May 2023, 21:07 Well I will keep trying, in the TestDisk logs there are a lot of lines with different errors like:
  • Couldn't create file xxx
  • Couldn't create output file xxx
  • Truncation not performed because file has an inconsistent $MFT record.
  • File has resident data.
That is not an error. It tells you that the complete data fits into the MFT (master file table) record.
[/list]
The log --> https://drive.google.com/file/d/1XgGk54 ... share_link
Thanks again for your time.
Are you trying to restore your files to your Bootcamp partition?

Re: TestDisk "Undelete" founds almost all files and folder structure but seems that all files are corrupted

Posted: 26 May 2023, 12:29
by recuperation
recuperation wrote: 25 May 2023, 11:10 It may be that the undelete function of Testdisk ignores the state of the clusters that the file entry of the deleted file is pointing to. That will ensure that you can restore a file even when a part of it has been overwritten. Depending on the content of the file the file may become unreadable or not.

When undeleting a file on a NTFS file system the related clusters should be in a state of being free in the cluster bitmap because deletion marks the affected clusters as free.
Unfortunately that is not a sufficient indication that a recovered, undeleted file is unchanged, because a cluster might be used after the deletion of the file by the creation of another file. If that newly created file is deleted afterwards the affected clusters will be marked as free again but their contents will have changed.

There is other commercial software (don't know which one) that will inform you about the state of the file when undeleting it.
I would try out commercial software for undeleting purposes hoping to have a higher chance of untouched files.
I received the confirmation from Christophe Grenier that the undelete function of Testdisk will use all clusters that the file entry is pointing to regardless if those clusters are taken or not.