Friday 15 June 2012

Recover Deleted Files From An NTFS Volume Using Ntfsundelete

Ntfsundelete is a part of ntfsprogs, a suite of NTFS utilities based around a shared library. It lets us recover the deleted files from any NTFS volumes without making any changes in the NTFS volume itself.

Generally when a file is deleted from disks, it is some kind of pointer to the physical file that gets deleted and the actual content still remains in the disk unless it is overwritten by new files so it is possible to recover those files.

ntfsundelete has three modes of operation: scan, undelete and copy. By default, it will run in the scan mode which simply reads an NTFS volume and looks for the files that have been deleted.



To use ntfsundelete, you'll have to install the ntfsprogs suite with following command in ubuntu and debian-based distros:

samar@Techgaun:~$ sudo apt-get install ntfsprogs

You'll have to first figure out which drive you want to recover. A handy command for this is:

samar@Techgaun:~$ sudo fdisk -l

Once you know the NTFS volume you want to recover, you can first run the scan mode to list the filenames that can be recovered.

samar@Techgaun:~$ sudo ntfsundelete /dev/sda4

The optional -f switch can be specified for the forceful scanning. There is a nice percentage field which gives the information on how much of the file can be recovered. You can apply the time and percentage filters to scan specific files. For example, you can use the following command to search for the files which can be recovered 100%

samar@Techgaun:~$ sudo ntfsundelete -p 100 /dev/sda4

And, you can apply the time filter to list the files altered/deleted after the specified time. For example, following command will scan and list the files deleted in the last 14 days.

samar@Techgaun:~$ sudo ntfsundelete -p 100 -t 2d /dev/sda4

Other suffices you can use are d, w, m, y for days, weeks, months or years ago respectively.

Once you get the files to be recovered, you can use the -u switch to undelete or recover the files. An example of recovering files by pattern matching is as below:

samar@Techgaun:~$ sudo ntfsundelete -u -m *.jpg /dev/sda4

Similarly you can recover by providing inode or inodes range using the -i switch. You can get the inode values from the first column in the scan mode.

samar@Techgaun:~$ sudo ntfsundelete -u -i 161922 /dev/sda4