Consecutive Undelete Operations: Different Amount of Data

Using TestDisk to undelete files
deryo
Posts: 1
Joined: 10 Jul 2014, 10:52

Consecutive Undelete Operations: Different Amount of Data

#1 Post by deryo »

Hi there.

A friend of mine deleted a folder with many (!) files and folders in it. I recovered the files with testdisk's undelete option. As the process took very long, I went to sleep and let testdisk do the magic. On the next morning testdisk seemed to have copied everything. 'Seemed', because testdisk did not show anything like 'copy successful'. It just showed the file list. Unfortunately I chose not to save a log file before.

To be sure that everything worked fine I restarted testdisk and did the same job again but saved the files to another location. (This time with a log file.) To my surprise the undeleted amount of data was much less than in the first run! I did it a third time and the amount was even lesser! (<-- Is this correct English?)

To sum it up:
  1. run: approx. 60 GB of Data was undeleted (no log)
  2. run: approx. 39 GB of Data was undeleted (log available)
  3. run: approx. 16 GB of Data was undeleted (log available)

That poses at least two questions:
  1. Why does the amount shrink/diminish with consecutive undelete operations?
  2. Is the data I recovered from the first run ALL the data that was lost? Or is this also only a subset?

To 1.: I thought of TRIM taking action but as far as I know magnetic hard disk drives ignore TRIM. And I don't think the USB driver supports TRIM either. I thought of Windows doing some stuff by itself, creating temp files or a recycle bin but I can't imagine it does that on USB connected drives. And also the difference in the amount of data seems too much. Does Windows do any NTFS file system cleanup on a regular basis? Could it be automatic defragmentation?

To 2.: I have no idea how to find that out. I first thought that I could use photorec on that partition and then look at the differences but photorec will not recreate the directory structure nor the file names. With 700+ folders and 16,000+ files this would be a real pain. Also photorec would find all the other files that have not been deleted on that partition and that's about 300 GB across thousands of files and hundreds of folders!

Could somebody shed some light on question 1 and does anybody have proposals on question 2?

Thanks in advance!

DerYo-->

Technical info:
  • The disk has 4 partitions: 1. FAT32 (Boot), 2. NTFS (System), 3. NTFS (Data), 4. EFI
  • The deleted folder was on partition no. 3.
  • The partition was NTFS-Formatted.
  • The disk was attached with a USB2SATA-converter to a machine running Windows 8.1.
  • The disk is a classic magnetic drive.
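
One way to approach question 2 without comparing 16,000+ files by hand, as an added example that is not part of the original post: index each run's output folder by relative path, size and SHA-256, then list what a later run lacks or recovered with different content. The folder names and sample files are constructed; the comparison shows differences between runs and cannot prove that the first run is itself complete.

```python
import hashlib
import os
import tempfile


def index_tree(root):
    """Map each file's path relative to root -> (size, SHA-256 hex digest)."""
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                # Hash in 1 MiB chunks so large recovered files do not fill memory.
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            index[rel] = (os.path.getsize(full), digest.hexdigest())
    return index


def compare_runs(base, other):
    """Compare two recovery runs that were indexed with index_tree()."""
    missing = sorted(set(base) - set(other))   # recovered only in the base run
    extra = sorted(set(other) - set(base))     # recovered only in the other run
    # Same relative path in both runs, but size or content differs.
    changed = sorted(p for p in set(base) & set(other) if base[p] != other[p])
    return {"missing": missing, "extra": extra, "changed": changed,
            "missing_bytes": sum(base[p][0] for p in missing)}


def demo():
    # Constructed sample data standing in for two recovery output folders.
    run1_files = {"a/x.txt": b"hello", "a/y.bin": b"\x00" * 4096, "b/z.txt": b"data"}
    run2_files = {"a/x.txt": b"hello", "a/y.bin": b"\x00" * 1024}
    with tempfile.TemporaryDirectory() as tmp:
        run1, run2 = os.path.join(tmp, "run1"), os.path.join(tmp, "run2")
        for root, files in ((run1, run1_files), (run2, run2_files)):
            for rel, data in files.items():
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(data)
        return compare_runs(index_tree(run1), index_tree(run2))


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it against read-only copies of the recovery output, never against the disk the files were deleted from.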
remy
Posts: 456
Joined: 25 Mar 2012, 10:21
Location: Strasbourg, France.

Re: Consecutive Undelete Operations: Different Amount of Dat

#2 Post by remy »

Was the disk mounted? Was the recycle bin emptied? Did you try to recover the deleted files and write them to the disk where they were erased before?