Viewed from TestDisk ?
http://www.cgsecurity.org/wiki/TestDisk_Step_By_Step
There is a capability in there, once you navigate the
weird interface, to list files on a partition.
http://www.cgsecurity.org/mw/images/List_files.gif
Do *not* accept the new MBR and write it back. That
function is only for cases, where you know what the
disk configuration is, you know there is a definite
problem, you've reviewed the new computed MBR and it
makes sense. For example, when I used it, TestDisk
computed a new MBR and partition table, and did not
notice that the computed partitions overlapped (a no-no).
But that utility is just fine for a quick look, such as
this job.
If you're in a panic, and don't know what key to press,
the key combination <control-C> will exit the program.
*******
You can also review the partition, using a Linux LiveCD.
The reason that is recommended, is Linux does not respect
permissions on the FAT32 or NTFS partitions, so any file
present, will be visible.
The only time you have to watch it, when using Linux,
is if opening perhaps a Windows 7 or Windows 8 System
Volume Information folder. If you make changes in there
from Linux, the system might not boot.
If you know how, it would be safer to mount read only, such as
sudo mount -t ntfs -o ro /dev/sda1 /media/WINXP
When run in read-only mode, that would reduce the chances
of causing damage, if you were working on a Windows 7 or 8 partition.
There is more to setting up than that, and I'm only pointing our
the existence of a "-o ro" capability, for making a mount
read-only.
So, from Linux, again, you can verify the files are there.
*******
Some malware can hide files on a system, by changing things like
the hidden bit. The "unhide.exe" by Grinler, can make some guesses
as to what should be hidden, and what should not be hidden,
and undo what a malware might have done.
http://www.bleepingcomputer.com/for...-a-introduction-as-to-what-this-program-does/
That's not a "hammer". But if you have evidence that just the
hidden bit is set on all the files (by using some other
means to list the folder), then that is an option.
At this point, you're more in the discovery phase.
Is my partition completely ruined ? Did I lose the MFT ?
Was the MFT overwritten ? Did someone reformat my partition on me ?
There are data recovery tools, scavengers you can use, in that
case.
If, on the other hand, TestDisk, or having a look with Linux, shows
the files are all there, then it could just be a "hidden" bit problem
of some sort.
*******
Scavenger programs are not magic. If the files are fragmented,
a scavenger can't bolt them together again. You can try this
one, which scans for file headers it recognizes. But the
files would likely arrive in poor shape, if copied to another
disk this way. (I tested this on an image file, and it worked fine,
but then, the file was not fragmented. I deleted the file, and this
was able to recover it. A pretty easy test case, and not really
a good test.)
http://www.cgsecurity.org/wiki/PhotoRec
The other freebie, for NTFS, is DriveRescue. This site used to have it,
but this site is gone.
http://www.pricelesswarehome.org/WoundedMoon/win32/driverescue19d.html
You can try here, no guarantees.
http://web.archive.org/web/20070101070056/http://www.woundedmoon.org/win32/driverescue19d.html
driverescue19d.zip 1,007,764 bytes
MD5SUM = 63b7e1e8b1701593d5f52c7927d01558
You don't want to do in-place repairs on a dodgy disk, without
some kind of backup of the sectors. So running CHKDSK, would
not be my first priority. First you need to understand a little
better, just what broke. And files magically hiding themselves,
that sounds like malware, rather than the $MFT up and disappearing.
Any utility, that copies the data from the damaged partition, to
another disk, stands a better chance of not making things worse.
HTH,
Paul