I was trying to set a family member up with Linux as a Windows replacement. I installed MX Linux Xfce on their laptop with separate "/" and "/home" partitions.
Through a comedy of errors, the following occurred:
On day one, Timeshift was configured to take weekly snapshots of the system files AND their user home folder.
The initial timeshift snapshot was begun, and then cancelled when they discovered that home files aren't the intended target, but they noticed growing snapshot files, indicating the cancelation wasn't complete.
NCDU was used to remove the files in /home/timeshift
The family member's only copies of three days of paid work in a writing program called Bibisco (Java app) disappeared after reboot.
The system was rebooted twice before the cause was discovered, and shut down with minimal (5 min) use.
I've never done any ext4 data recovery, but the tools in Kali seem geared toward common and known filetypes (pdf, jpg, etc).
Should I be looking to restore the timeshift files, or the writing documents (with .bibisco2 file extensions)?
Is this a lost cause?
Edit: Thank you everyone for your helpful comments. In the end, time was against us and the choice was made to reinstall. After I realized the document files are just JSON, I looked in three Kali carving apps and the photorec app, and there were no files to recover. The fresh install now has eclone set up to push regular updates from the bibisco folder to the cloud. Lesson learned.
Give testdisk a go; see for example this tutorial. It is a terminal utility, so it might take some time to get used to it. But no one can guarantee that it will successfully recover anything; the deleted files stay on the disk only as long as they are not overwritten.
Do you have any idea why the files disappeared after reboot? One thing that comes to mind is that they might have been saved in /tmp, in that case I believe recovery would not be possible.
Regarding which files you should recover, try all of them and see if you have any luck.
I highly recommend testdisk, but definitely shut down the machine and use another disk (USB drive?) to boot, and avoid mounting the disk that may have your files at all. Mount read-only if you have to. Save the recovered files to a different drive as well, which can be the same USB drive you're using for recovery. If testdisk doesn't show the files (in my experience, for drives that have significant free space they will almost certainly be there) you could try photorec, the companion app that does signature-based file searches.
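The signature-based search mentioned above, narrowed to the JSON documents from the original post, as an added example that is not code from any commenter or from testdisk/photorec. It assumes a raw image of the partition was taken first (the `home.img` name is hypothetical), a 4096-byte block size, and that the file was stored contiguously starting at a block boundary; the sample image is constructed.

```python
import json
import mmap
import os
import tempfile

BLOCK = 4096                # assumed ext4 block size (the usual mkfs default)
MAX_LEN = 8 * 1024 * 1024   # assumed upper bound on one document's size


def carve_json(image_path, block=BLOCK, max_len=MAX_LEN, min_len=64):
    """Return [(byte_offset, parsed_object)] for every contiguous JSON
    document that starts on a block boundary of a raw partition image.
    The image is opened read-only and never modified."""
    decoder = json.JSONDecoder()
    hits = []
    with open(image_path, "rb") as fh, \
            mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as img:
        for off in range(0, len(img), block):
            if img[off:off + 1] not in (b"{", b"["):
                continue  # assumption: file data starts at the top of a block
            text = img[off:off + max_len].decode("utf-8", errors="replace")
            try:
                obj, end = decoder.raw_decode(text)  # ignores trailing slack
            except ValueError:
                continue  # truncated, fragmented, or not JSON at all
            if end >= min_len:  # skip tiny accidental matches such as "{}"
                hits.append((off, obj))
    return hits


def build_sample_image(path):
    """Write a constructed 3-block image: filler, one intact JSON document
    followed by slack, and one document whose tail was overwritten."""
    doc = json.dumps({"title": "constructed sample", "chapters": ["one", "two"],
                      "note": "not a real Bibisco project file"}).encode()
    damaged = b'{"title": "overwritten'
    with open(path, "wb") as fh:
        fh.write(b"\xff" * BLOCK)
        fh.write(doc.ljust(BLOCK, b"\x00"))
        fh.write(damaged.ljust(BLOCK, b"\xff"))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "home.img")  # hypothetical image name
        build_sample_image(sample)
        for offset, obj in carve_json(sample):
            print(f"offset {offset}: {type(obj).__name__} recovered")
```

Only the intact document is reported; the overwritten one fails to parse, which is the same reason carving tools come back empty once the blocks have been reused.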
From my understanding, files cannot be directly stored only in a timeshift snapshot -- they must be first stored on the disk and only then timeshift can make a backup inside the snapshot. But I have never used timeshift myself, maybe I just completely misunderstand how it works.
Deleting the snapshot files lost considerable data including all files created after the aborted snapshot. The reboot that initially uncovered the problem led to a boot in "basic" xfce, and searching for the work files in read only mode from live boot shows no files/folders created in /home/username after the snapshot. It seems to have behaved like a VMware snapshot that had files living in the snapshot.