+ 0 Votes Well... seanferd 3 years ago The first thing to do would be to not use the drive at all and slave it to another machine, or boot from live media, before poking around. A raw disk image backup would be even better. If you use the OS at all, especially using the internet or installing anything, you are likely to render deleted items unrecoverable. So, not knowing how you approached recovery, I might only suggest that you may have corrupted the files which were only deleted before. Have you tested the drive itself with the vendor's utility? It could have some bad sectors, or it could be failing. A chkdsk might also tell you if something is wrong with the filesystem. Indeed, it is odd that your user files but nothing else were killed. That sounds like a drag and drop accident more than anything else. But as you note, the files disappeared before your eyes, so maybe there is ransomware involved, and you should be scanning for malware with some different tools, best done with the OS offline, or at least in Safe Mode. (But installing anything on the drive itself lowers any chances of file recovery.) + 0 Votes Files Mysteriously Deleted bni1369 3 years ago Have you checked the permissions on that drive? Sometimes, files will not show up unless you take 'ownership' of that drive. Just a thought. + 0 Votes You could attack this with one of the many Rescue Disc's OH Smeg 3 years ago I personally like the Trinity Rescue Kit here http://trinityhome.org/Home/index.php?front_id=12&wpid=5 F Secure http://www.f-secure.com/en/web/home_global/support/installers I have had great success with these in the past but there are numerous others available. Michael Kassner wrote an article on Rescue CD's and how to use them a while ago but I currently can not find it after the site redesign. The only one I can find is this one which was prior I believe. http://www.techrepublic.com/blog/security/rescue-cds-tips-for-fighting-malware/3803 Col + 0 Votes It may be too late but.. Chi-7 Updated - 3 years ago As mentioned above, the first thing is to take the drive off line and via external enclosure or USB to SATA / IDE adapter mount it as read only and make a "bit copy" of the drive, this copy becomes the surgical subject, preserving the original. In my world of Linux "Sleuth Kit / Autopsy" would be the tool of choice to examine the slack space which is where files deleted from the file allocation table are assigned, the fear is once anything is written to the drive the slack space has been altered, the more fragmented the drive, the more widespread the possibility of file corruption. As previously mentioned could be a drag and drop incident, ransom ware or deleted / corrupted user profile which would destroy the file permission, definitely a 64 oz. coffee and possibly pint of "old #7" project. best of luck! + 0 Votes Files Mysteriously Deleted bni1369 3 years ago Have you checked the permissions on that drive? Sometimes, files will not show up unless you take 'ownership' of that drive. Just a thought.