A tale of woe (lost files)

[Jonno]

I should like to recite a tale of woe from a farmer customer of mine and then
ask a question.

“Sometimes my [Compaq Presario V3000 AMD Turion 64 X2 laptop with 512 MB RAM
running XP Pro SP3] freezes. The only way I can get it to reboot is to take
the battery out. I have done this about five times with no ill effect. When
I did it on Friday, the computer started up as if I had just bought it. All
my files were gone. However all my programmes were still there. My emails
were gone, but my address book was still there.â€

My question is: How can this happen? Apart from the unnecessarily brutal
method of powering down the laptop he has not done anything wrong. He has
not run any restoration software. He just brought the computer over to me.

I slaved the drive and confirmed that under docs and settings the user
(Peter) folder was there, as was Peter’s Documents, but there were no files
in Peter’s Documents. Peter gave me some file names to search for, but the
searches came up blank. I checked the recycle bin and it was empty.

I ran two simple file recovery utilities, Freeundelete, and Erasus Deleted
file recovery. Freeundelete is actually very annoying and I wouldn’t
recommend it to anyone, but Erasus found a small handful of files and folders
and recovered them.

Included in the recovered files and folders was: Documents and Settings\all
users\application data\avg8\log\ and a whole heap of .tmp files. Also
included was : Documents and Settings\Peter\local settings\temp\bye10.tmp\
and a collection of setup files. But that was all.

There was absolutely no trace of any files or file types (.doc, .jpg etc),
which the owner reported to have lost. So I ask again, where have these
files gone, and how can they disappear like that after a simple hanging and
reboot?

 

[Pegasus [MVP]]

I should like to recite a tale of woe from a farmer customer of mine and
then
ask a question.

"Sometimes my [Compaq Presario V3000 AMD Turion 64 X2 laptop with 512 MB
RAM
running XP Pro SP3] freezes. The only way I can get it to reboot is to
take
the battery out. I have done this about five times with no ill effect.
When
I did it on Friday, the computer started up as if I had just bought it.
All
my files were gone. However all my programmes were still there. My
emails
were gone, but my address book was still there."

My question is: How can this happen? Apart from the unnecessarily brutal
method of powering down the laptop he has not done anything wrong. He has
not run any restoration software. He just brought the computer over to
me.

I slaved the drive and confirmed that under docs and settings the user
(Peter) folder was there, as was Peter's Documents, but there were no
files
in Peter's Documents. Peter gave me some file names to search for, but
the
searches came up blank. I checked the recycle bin and it was empty.

I ran two simple file recovery utilities, Freeundelete, and Erasus Deleted
file recovery. Freeundelete is actually very annoying and I wouldn't
recommend it to anyone, but Erasus found a small handful of files and
folders
and recovered them.

Included in the recovered files and folders was: Documents and
Settings\all
users\application data\avg8\log\ and a whole heap of .tmp files. Also
included was : Documents and Settings\Peter\local settings\temp\bye10.tmp\
and a collection of setup files. But that was all.

There was absolutely no trace of any files or file types (.doc, .jpg etc),
which the owner reported to have lost. So I ask again, where have these
files gone, and how can they disappear like that after a simple hanging
and
reboot?

A few comments:
- There is no need to remove a battery on a laptop when it freezes. Pressing
the power button for 5 to 10 seconds would do the trick too.
- When a machine freezes repeatedly then something must be done about the
underlying cause. Quickly.
- Backup devices are cheap. Not backing up important files can be very
painful.
- Since the owner's files are gone and are not retrievable with undelete
utilities, there must be / must have been a malicious program on the machine
that overwrote the files with .tmp files. This is not hard to do.

 

[Jonno]

Thank you for your prompt reply.

- Since the owner's files are gone and are not retrievable with undelete
utilities, there must be / must have been a malicious program on the machine
that overwrote the files with .tmp files. This is not hard to do.

This theory is plausible, but if a malicious program simply changed the file
type to .tmp:

1) I would have expected the files to be in the folder Documents and
Settings\Peter\my documents\ rather than \local settings\ or \application
data\.
2) I would also expect to see the something in the style: originalname.tmp,
in which case searches for “originalname†would yield results. But I was
given the original names of many files and folders and searches under these
names all came up blank.

Thanks again, but does anyone else have any theories on this one?

 

[Paul]

I should like to recite a tale of woe from a farmer customer of mine and then
ask a question.

“Sometimes my [Compaq Presario V3000 AMD Turion 64 X2 laptop with 512 MB RAM
running XP Pro SP3] freezes. The only way I can get it to reboot is to take
the battery out. I have done this about five times with no ill effect. When
I did it on Friday, the computer started up as if I had just bought it. All
my files were gone. However all my programmes were still there. My emails
were gone, but my address book was still there.â€

My question is: How can this happen? Apart from the unnecessarily brutal
method of powering down the laptop he has not done anything wrong. He has
not run any restoration software. He just brought the computer over to me.

I slaved the drive and confirmed that under docs and settings the user
(Peter) folder was there, as was Peter’s Documents, but there were no files
in Peter’s Documents. Peter gave me some file names to search for, but the
searches came up blank. I checked the recycle bin and it was empty.

I ran two simple file recovery utilities, Freeundelete, and Erasus Deleted
file recovery. Freeundelete is actually very annoying and I wouldn’t
recommend it to anyone, but Erasus found a small handful of files and folders
and recovered them.

Included in the recovered files and folders was: Documents and Settings\all
users\application data\avg8\log\ and a whole heap of .tmp files. Also
included was : Documents and Settings\Peter\local settings\temp\bye10.tmp\
and a collection of setup files. But that was all.

There was absolutely no trace of any files or file types (.doc, .jpg etc),
which the owner reported to have lost. So I ask again, where have these
files gone, and how can they disappear like that after a simple hanging and
reboot?

There is a freebie here you can try. It is a scavenger, and puts the recovered
stuff on another disk. It is best generally, if a utility does not
try to "repair in place", because then it isn't messing up the original
problem. (My personal preference, is to start by copying the disk, sector
by sector, to another disk. That way, if the original disk dies, there is
still something to work with.)

http://www.cgsecurity.org/wiki/PhotoRec

The easiest way to make a file disappear, is to unlink it from a directory
structure. Removing a pointer to the file, makes it seem like it is gone.
As long as the sectors holding the data haven't been touched, the file
could still be there. A utility that recovers the file, won't know the
correct file name, and might not know the right extension to put on
the file. While the user may get a file back, it may take significant
work to figure out what each file is. And in some cases, if you've been
editing a document, the recovery tool may recover every interim copy
of the file that was ever made. So then, you'd have to go through
20 relatively identical files, in an attempt to find the "most
recent" one. So even when a scavenger is successful at recovering
"something", the real work starts after that. There can be so much
garbage recovered, as to make it a waste of time to wade through it.

Purposeful erasure is the most successful, because it goes after
the sectors that hold the data. If you "secure erase" a document,
not only do you remove the linkage to the sectors, you also overwrite
each data holding sector with all-zeros, to reduce the ability to
recover it. But in general terms, the OS/filesystem shouldn't be
going to that much trouble on its own. If the disk hasn't been used
much since the files disappeared, then I'd expect a scavenger to
find something in the pool of supposedly "free" sectors.

Paul

 

[Bill in Co.]

"Easeus Data Recovery" might be another option - it's a step up from "Easeus
Deleted File Recovery", but it's not free, but it does find more. Of
course, if you been using the machine since the chances of recovery keep
diminishing.

I should like to recite a tale of woe from a farmer customer of mine and
then ask a question.

"Sometimes my [Compaq Presario V3000 AMD Turion 64 X2 laptop with 512 MB
RAM
running XP Pro SP3] freezes. The only way I can get it to reboot is to
take the battery out. I have done this about five times with no ill
effect.
When I did it on Friday, the computer started up as if I had just bought
it.
All my files were gone. However all my programmes were still there. My
emails were gone, but my address book was still there."

My question is: How can this happen? Apart from the unnecessarily brutal
method of powering down the laptop he has not done anything wrong. He
has not run any restoration software. He just brought the computer over
to
me.

I slaved the drive and confirmed that under docs and settings the user
(Peter) folder was there, as was Peter's Documents, but there were no
files
in Peter's Documents. Peter gave me some file names to search for, but
the searches came up blank. I checked the recycle bin and it was empty.

I ran two simple file recovery utilities, Freeundelete, and Erasus
Deleted
file recovery. Freeundelete is actually very annoying and I wouldn't
recommend it to anyone, but Erasus found a small handful of files and
folders and recovered them.

Included in the recovered files and folders was: Documents and
Settings\all
users\application data\avg8\log\ and a whole heap of .tmp files. Also
included was : Documents and Settings\Peter\local
settings\temp\bye10.tmp\
and a collection of setup files. But that was all.

There was absolutely no trace of any files or file types (.doc, .jpg
etc),
which the owner reported to have lost. So I ask again, where have these
files gone, and how can they disappear like that after a simple hanging
and reboot?

A few comments:
- There is no need to remove a battery on a laptop when it freezes.
Pressing
the power button for 5 to 10 seconds would do the trick too.
- When a machine freezes repeatedly then something must be done about the
underlying cause. Quickly.
- Backup devices are cheap. Not backing up important files can be very
painful.
- Since the owner's files are gone and are not retrievable with undelete
utilities, there must be / must have been a malicious program on the
machine
that overwrote the files with .tmp files. This is not hard to do.

 

[Twayne]

I should like to recite a tale of woe from a farmer customer of mine
and then ask a question.

"Sometimes my [Compaq Presario V3000 AMD Turion 64 X2 laptop with 512
MB RAM running XP Pro SP3] freezes. The only way I can get it to
reboot is to take the battery out. I have done this about five times
with no ill effect. When I did it on Friday, the computer started up
as if I had just bought it. All my files were gone. However all my
programmes were still there. My emails were gone, but my address
book was still there."

My question is: How can this happen? Apart from the unnecessarily
brutal method of powering down the laptop he has not done anything
wrong. He has not run any restoration software. He just brought the
computer over to me.

I slaved the drive and confirmed that under docs and settings the user
(Peter) folder was there, as was Peter's Documents, but there were no
files in Peter's Documents. Peter gave me some file names to search
for, but the searches came up blank. I checked the recycle bin and
it was empty.

I ran two simple file recovery utilities, Freeundelete, and Erasus
Deleted file recovery. Freeundelete is actually very annoying and I
wouldn't recommend it to anyone, but Erasus found a small handful of
files and folders and recovered them.

Included in the recovered files and folders was: Documents and
Settings\all users\application data\avg8\log\ and a whole heap of
.tmp files. Also included was : Documents and Settings\Peter\local
settings\temp\bye10.tmp\ and a collection of setup files. But that
was all.

There was absolutely no trace of any files or file types (.doc, .jpg
etc), which the owner reported to have lost. So I ask again, where
have these files gone, and how can they disappear like that after a
simple hanging and reboot?

Have you tried running chkdsk? It's most likely the table/s have been
corrupted and chkdsk may be able to get access back to the ones not
already over-written.
CAVEAT: Chkdsk can, under the right corruption circumstances, render
the computer completely unbootable and ususable. Normally though, if
that happens there was no way of recovering anything anyway.

If possible: Put the drive into another computer and copy the whole
thing onto that computer for safekeeping. Don't bother copying \windows
or \program files or \docs and settings; you're after data, not the OS.
IF the data isn't already over-written, that will keep the problem
from getting worse by providing a backup which you can then use to make
copies of to work on.

Twayne`

 

[Jonno]

Many thanks for that. The computer has returned to the owner, but I have
forwarded your post to him. He had done a full backup in March, so I think
he will restore to that.

Meanwhile, I shall try out the link, and keep it for another time.

 

[Jonno]

Thanks Twayne. I did run chkdsk, but it didn't uncover much.

: