Last Updated on April 18, 2017 by Dave Farquhar
Windows stores orphan files in a directory called found.000 with a .chk extension. It’s possible to recover data from those orphans. Here’s how to recover chk files, or recover files from found.000.
Identify the problem
There’s a chance you may be a step ahead of me here already, but first, verify functionality of the drive. If it’s an external drive, plug it into a different computer to make sure another computer recognizes it. You want to verify you have a filesystem problem, not a hardware problem.
The process for recovering files is the same whether it’s a flash drive or a conventional hard drive.
In my case, I verified it was a filesystem problem. Then I ran chkdsk on it. If the drive is mounted as drive E:, I would do this from a command line:
chkdsk /f e:
If you get a message that the drive is in use, change drives:
Then run the command.
In my case, it found the root directory was cross-linked. It recovered a bunch of orphan files, and unhelpfully placed them in a hidden directory called found.000. Here’s the cure:
attrib -s -h e:\found.000
He had, if I recall correctly, 1,017 .chk files.
Find a tool
1,017 files is an awful lot to rename and test. If you have a small number, you can test them by hand, but not that many.
So I went looking for a utility and found two tools that identify filetypes and rename them so you can open them. It took a couple of hours to chew through his files, but that’s a lot better than renaming and testing that many files.
A good number of the files will be junk. Others are likely to duplicate other existing files. So a utility like the ones above will match the files to an application that can read it and weed out the unusable bits and pieces. Going through the files and naming them appropriately is still a manual job.
Once you’ve done this exercise, I recommend some strategic searching of the file contents to more quickly identify the most important files. Hopefully whoever you’re recovering files for will remember some key phrases from the most critical documents.
And that’s how you recover files from found.000. Unfortunately it’s not the easiest thing. But I hope I set you on the right path.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.