Tribal Chicken

Security. Malware Research. Digital Forensics.

Recovering a lost file... (With PhotoRec)

Recently a member of the family had their laptop crash on them… taking with it, of course, a very important document.

They ran a “Restore to factory default”, which supposedly backed everything up and reinstalled the OS/OEM software as it came from the factory. Unfortunately, this did not work so well… Most stuff had been backed up and restored, but that one very important file was nowhere to be found.

I was enlisted to try to find the file (It really was that important)… Here are my steps:

  1. I had a copy of CAINE lying around, so booted off that.
  2. Mounted the internal HDD read-only.
  3. First tried an undelete using TestDisk.
  4. That didn’t work, so then ran a complete scan of the disk using PhotoRec, dumping the results to an external drive.
  5. Filtered the results to .DOC files using find: `find . -iname "*.doc"`
  6. Searched the results using `grep -ir keyword *` (At this stage I was convinced it was a .doc file 😉)
  7. Still had no luck! Was almost considering giving up.
  8. Ran a grep through everything.
  9. Found, in a desktop.ini file, a reference to the file I was looking for! Success at last! Also discovered that the keyword I had been looking for was spelt wrong in the file name.
  10. Did a grep for the misspelt filename.
  11. Found a Registry entry which indicated to me the original location, and that the file was actually a .docx after all…. le sigh
  12. Filtered my PhotoRec results to .docx.
  13. Converted the .docx files to txt so I could easily search them.
  14. Searched for the keyword, and…
  15. SUCCESS! 😀
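Steps 12 to 14 above (filter the carved output to .docx, pull the text out, search for the keyword) as an added example, not code from the original post. It searches the body text rather than the file name, because PhotoRec names carved files by sector offset, and it tolerates truncated carves that are not valid archives. The recup_dir layout, file names and keyword in `demo()` are constructed sample data.

```python
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Word keeps body text in word/document.xml inside the .docx ZIP; paragraphs end with </w:p>.
TAG_RE = re.compile(r"<[^>]+>")

def docx_text(path):
    """Plain text of a .docx, or None if the archive is unreadable.
    Carved files are often cut short, so BadZipFile is an expected outcome."""
    try:
        with zipfile.ZipFile(path) as zf:
            xml = zf.read("word/document.xml").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    return TAG_RE.sub("", xml.replace("</w:p>", "\n"))

def search_recovered(recup_root, keyword, exts=(".docx",)):
    """Walk PhotoRec's recup_dir.N tree; return (hits, unreadable) path lists.
    Matching is case-insensitive on the document body, not the file name,
    since PhotoRec names carved files by sector (e.g. f0001234.docx)."""
    needle, hits, unreadable = keyword.lower(), [], []
    for root, _dirs, files in os.walk(recup_root):
        for name in sorted(files):
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(root, name)
            text = docx_text(path)
            if text is None:
                unreadable.append(path)
            elif needle in text.lower():
                hits.append(path)
    return hits, unreadable

def make_docx(path, body):
    """Write a minimal .docx (constructed sample, just enough for docx_text)."""
    xml = ('<?xml version="1.0"?><w:document><w:body><w:p><w:r><w:t>'
           + body + "</w:t></w:r></w:p></w:body></w:document>")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("word/document.xml", xml)

def demo(keyword="thesis"):
    """Build a fake recup_dir tree (constructed data) and search it; returns base names."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp) / "recup_dir.1"
        d.mkdir()
        make_docx(d / "f0000123.docx", "Draft of my Thesis, chapter one.")
        make_docx(d / "f0000456.docx", "Shopping list: milk, eggs.")
        (d / "f0000789.docx").write_bytes(b"PK\x03\x04 truncated carve")
        hits, bad = search_recovered(tmp, keyword)
        return [os.path.basename(p) for p in hits], [os.path.basename(p) for p in bad]
```

Point `search_recovered` at the directory holding PhotoRec's recup_dir.N folders; the unreadable list tells you how many .docx carves were truncated and are worth a closer look by hand.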

It wasn’t the latest copy of the file, but said family member was very, very happy that I was able to get it back… And I got to do some actual file recovery… win-win!