Alex W.'s Blog

Using `filetype` to guess CHK files in FOUND.000

What is “FOUND.000”? From https://www.howtogeek.com/282798/what-are-the-found000-folder-and-file0000chk-file-in-windows/

Windows’ built-in chkdsk tool, short for “Check Disk”, creates this folder and file. Windows automatically runs Check Disk when it notices a problem with a file system. Those .CHK files are fragments of corrupted data—rather than deleting any corrupted data it finds, Check Disk puts it in a folder for you.

Most of the programs to work with these are for Windows, so if you’re dealing with these files on macOS (such as from a backup) it can be a bit of a pain.

Here’s a short Python program that uses the filetype module to guess at what they are and rename them:

#!/usr/bin/env python3

import argparse
import os
import sys
import glob
import filetype

parser = argparse.ArgumentParser()
parser.add_argument("dir", help="path to the FOUND.000 directory to analyze")
parser.add_argument("--rename", help="rename the CHK files with the guessed paths", action="store_true")
args = parser.parse_args()

chk_files = glob.glob(os.path.join(args.dir, "*.CHK"))
chk_files.sort()
print(f"Found {len(chk_files)} raw CHK files", file=sys.stderr)

for f in chk_files:
    short_f = os.path.relpath(f, start=args.dir)
    kind = filetype.guess(f)
    if kind is None:
        print(f"Unknown: {short_f}")
        continue
    if args.rename:
        os.rename(f, f"{f}.{kind.extension}")
        print(f"{short_f}\t->\t{short_f}.{kind.extension}")
    else:
        print(f"{short_f}\t{kind.extension}\t{kind.mime}")

It can be used like ./found000.py FOUND.000/ to see what it thinks each CHK file is. To rename them to the standard extension for the detected filetype use ./found000.py FOUND.000/ --rename.