man-pages/man8/ntfsundelete.8.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Man page of NTFSUNDELETE</TITLE>
</HEAD><BODY>
<H1>NTFSUNDELETE</H1>
Section: Maintenance Commands (8)<BR>Updated: November 2005<BR><A HREF="#index">Index</A>
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>

<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>

ntfsundelete - recover a deleted file from an NTFS volume.
<A NAME="lbAC">&nbsp;</A>
<H2>SYNOPSIS</H2>

<B>ntfsundelete</B>

[<I>options</I>] <I>device</I>
<A NAME="lbAD">&nbsp;</A>
<H2>DESCRIPTION</H2>

<B>ntfsundelete</B>

has three modes of operation:
<I>scan</I>,

<I>undelete</I>

and
<I>copy</I>.

<A NAME="lbAE">&nbsp;</A>
<H3>Scan</H3>

<P>

The default mode,
<I>scan</I>

simply reads an NTFS Volume and looks for files that have been deleted.  Then it
will print a list giving the inode number, name and size.
<A NAME="lbAF">&nbsp;</A>
<H3>Undelete</H3>

<P>

The
<I>undelete</I>

mode takes the files either matching the regular expression (option -m)
or  specified by the inode-expressions and recovers as much of the data
as possible.   It saves the result to another location.  Partly for
safety, but mostly because NTFS write support isn't finished.
<A NAME="lbAG">&nbsp;</A>
<H3>Copy</H3>

<P>

This is a wizard's option.  It will save a portion of the MFT to a file.  This
probably only be useful when debugging
<I>ntfsundelete</I>

<A NAME="lbAH">&nbsp;</A>
<H3>Notes</H3>

<B>ntfsundelete</B>

only ever
<B>reads</B>

from the NTFS Volume.
<B>ntfsundelete</B>

will never change the volume.
<A NAME="lbAI">&nbsp;</A>
<H2>CAVEATS</H2>

<A NAME="lbAJ">&nbsp;</A>
<H3>Miracles</H3>

<B>ntfsundelete</B>

cannot perform the impossible.
<P>

When a file is deleted the MFT Record is marked as not in use and the bitmap
representing the disk usage is updated.  If the power isn't turned off
immediately, the free space, where the file used to live, may become
overwritten.  Worse, the MFT Record may be reused for another file.  If this
happens it is impossible to tell where the file was on disk.
<P>

Even if all the clusters of a file are not in use, there is no guarantee that
they haven't been overwritten by some short-lived file.
<A NAME="lbAK">&nbsp;</A>
<H3>Locale</H3>

In NTFS all the filenames are stored as Unicode.  They will be converted into
the current locale for display by
<B>ntfsundelete</B>.

The utility has successfully displayed some Chinese pictogram filenames and then
correctly recovered them.
<A NAME="lbAL">&nbsp;</A>
<H3>Extended MFT Records</H3>

In rare circumstances, a single MFT Record will not be large enough to hold the
metadata describing a file (a file would have to be in hundreds of fragments
for this to happen).  In these cases one MFT record may hold the filename, but
another will hold the information about the data.
<B>ntfsundelete</B>

will not try and piece together such records.  It will simply show unnamed files
with data.
<A NAME="lbAM">&nbsp;</A>
<H3>Compressed and Encrypted Files</H3>

<B>ntfsundelete</B>

cannot recover compressed or encrypted files.  When scanning for them, it will
display as being 0% recoverable.
<A NAME="lbAN">&nbsp;</A>
<H3>The Recovered File's Size and Date</H3>

To recover a file
<B>ntfsundelete</B>

has to read the file's metadata.  Unfortunately, this isn't always intact.
When a file is deleted, the metadata can be left in an inconsistent state. e.g.
the file size may be zero; the dates of the file may be set to the time it was
deleted, or random.
<BR>

To be safe
<B>ntfsundelete</B>

will pick the largest file size it finds and write that to disk.  It will also
try and set the file's date to the last modified date.  This date may be the
correct last modified date, or something unexpected.
<A NAME="lbAO">&nbsp;</A>
<H2>OPTIONS</H2>

Below is a summary of all the options that
<B>ntfsundelete</B>

accepts.  Nearly all options have two equivalent names.  The short name is
preceded by
<B>-</B>

and the long name is preceded by
<B>--</B>.

Any single letter options, that don't take an argument, can be combined into a
single command, e.g.
<B>-fv</B>

is equivalent to
<B>-f -v</B>.

Long named options can be abbreviated to any unique prefix of their name.
<DL COMPACT>
<DT id="1"><B>-b</B>, <B>--byte</B> NUM<DD>
If any clusters of the file cannot be recovered, the missing parts will be
filled with this byte.  The default is zeros.
<DT id="2"><B>-C</B>, <B>--case</B><DD>
When scanning an NTFS volume, any filename matching (using the
<B>--match</B>

option) is case-insensitive.  This option makes the matching case-sensitive.
<DT id="3"><B>-c</B>, <B>--copy</B> RANGE<DD>
This wizard's option will write a block of MFT FILE records to a file.  The
default file is
<I>mft</I>

which will be created in the current directory.  This option can be combined
with the
<B>--output</B>

and
<B>--destination</B>

options.
<DT id="4"><B>-d</B>, <B>--destination</B> DIR<DD>
This option controls where to put the output file of the
<B>--undelete</B>

and
<B>--copy</B>

options.
<DT id="5"><B>-f</B>, <B>--force</B><DD>
This will override some sensible defaults, such as not overwriting an existing
file.  Use this option with caution.
<DT id="6"><B>-h</B>, <B>--help</B><DD>
Show a list of options with a brief description of each one.
<DT id="7"><B>-i</B>, <B>--inodes</B> RANGE<DD>
Recover the files with these inode numbers.
<I>RANGE</I>

can be a single inode number, several numbers separated by commas &quot;,&quot; or a
range separated by a dash &quot;-&quot;.
<DT id="8"><B>-m</B>, <B>--match</B> PATTERN<DD>
Filter the output by only looking for matching filenames.  The pattern can
include the wildcards '?', match exactly one character or '*', match zero or
more characters.  By default the matching is case-insensitive.  To make the
search case sensitive, use the
<B>--case</B>

option.
<DT id="9"><B>-O</B>, <B>--optimistic</B><DD>
Recover parts of the file even if they are currently marked as in use.
<DT id="10"><B>-o</B>, <B>--output</B> FILE<DD>
Use this option to set name of output file that
<B>--undelete</B>

or
<B>--copy</B>

will create.
<DT id="11"><B>-P</B>, <B>--parent</B><DD>
Display the parent directory of a deleted file.
<DT id="12"><B>-p</B>, <B>--percentage</B> NUM<DD>
Filter the output of the
<B>--scan</B>

option, by only matching files with a certain amount of recoverable content.
<B>Please read the caveats section for more details.</B>

<DT id="13"><B>-q</B>, <B>--quiet</B><DD>
Reduce the amount of output to a minimum.  Naturally, it doesn't make sense to
combine this option with
<B>--scan</B>.

<DT id="14"><B>-s</B>, <B>--scan</B><DD>
Search through an NTFS volume and print a list of files that could be recovered.
This is the default action of
<B>ntfsundelete</B>.

This list can be filtered by filename, size, percentage recoverable or last
modification time, using the
<B>--match</B>,

<B>--size</B>,

<B>--percent</B>

and
<B>--time</B>

options, respectively.
<P>
The output of scan will be:
<P>
<PRE>
Inode  Flags  %age     Date    Time    Size  Filename
 6038  FN..    93%  2002-07-17 13:42  26629  thesis.doc
</PRE>

<TABLE BORDER><TR><TD><TABLE>
<TR VALIGN=top><TD><B>Flag</B></TD><TD><B>Description</B><BR></TD></TR>
<TR VALIGN=top><TD>F/D</TD><TD>File/Directory<BR></TD></TR>
<TR VALIGN=top><TD>N/R</TD><TD>(Non-)Resident data stream<BR></TD></TR>
<TR VALIGN=top><TD>C/E</TD><TD>Compressed/Encrypted data stream<BR></TD></TR>
<TR VALIGN=top><TD>!</TD><TD>Missing attributes<BR></TD></TR>
</TABLE></TABLE>

<P>
<P>
The percentage field shows how much of the file can potentially be recovered.
<DT id="15"><B>-S</B>, <B>--size</B> RANGE<DD>
Filter the output of the
<B>--scan</B>

option, by looking for a particular range of file sizes.  The range may be
specified as two numbers separated by a '-'.  The sizes may be abbreviated
using the suffixes k, m, g, t, for kilobytes, megabytes, gigabytes and terabytes
respectively.
<DT id="16"><B>-t</B>, <B>--time</B> SINCE<DD>
Filter the output of the
<B>--scan</B>

option.  Only match files that have been altered since this time.  The time must
be given as number using a suffix of d, w, m, y for days, weeks, months or years
ago.
<DT id="17"><B>-T</B>, <B>--truncate</B><DD>
If
<B>ntfsundelete</B>

is confident about the size of a deleted file, then it will restore the file to
exactly that size.  The default behaviour is to round up the size to the nearest
cluster (which will be a multiple of 512 bytes).
<DT id="18"><B>-u</B>, <B>--undelete</B><DD>
Select
<B>undelete</B>

mode.  You can specify the files to be recovered using by using
<B>--match</B>

or
<B>--inodes</B>

options.  This option can be combined with
<B>--output</B>,

<B>--destination</B>,

and
<B>--byte</B>.

<P>
When the file is recovered it will be given its original name, unless the
<B>--output</B>

option is used.
<DT id="19"><B>-v</B>, <B>--verbose</B><DD>
Increase the amount of output that
<B>ntfsundelete</B>

prints.
<DT id="20"><B>-V</B>, <B>--version</B><DD>
Show the version number, copyright and license for
<B>ntfsundelete</B>.

</DL>
<A NAME="lbAP">&nbsp;</A>
<H2>EXAMPLES</H2>

Look for deleted files on /dev/hda1.
<DL COMPACT><DT id="21"><DD>
<P>
<B>ntfsundelete /dev/hda1</B>

<P>
</DL>

Look for deleted documents on /dev/hda1.
<DL COMPACT><DT id="22"><DD>
<P>
<B>ntfsundelete /dev/hda1 -s -m '*.doc'</B>

<P>
</DL>

Look for deleted files between 5000 and 6000000 bytes, with at least 90% of the
data recoverable, on /dev/hda1.
<DL COMPACT><DT id="23"><DD>
<P>
<B>ntfsundelete /dev/hda1 -S 5k-6m -p 90</B>

<P>
</DL>

Look for deleted files altered in the last two days
<DL COMPACT><DT id="24"><DD>
<P>
<B>ntfsundelete /dev/hda1 -t 2d</B>

<P>
</DL>

Undelete inodes 2, 5 and 100 to 131 of device /dev/sda1
<DL COMPACT><DT id="25"><DD>
<P>
<B>ntfsundelete /dev/sda1 -u -i 2,5,100-131</B>

<P>
</DL>

Undelete inode number 3689, call the file 'work.doc', set it to recovered
size and put it in the user's home directory.
<DL COMPACT><DT id="26"><DD>
<P>
<B>ntfsundelete /dev/hda1 -u -T -i 3689 -o work.doc -d ~</B>

<P>
</DL>

Save MFT Records 3689 to 3690 to a file 'debug'
<DL COMPACT><DT id="27"><DD>
<P>
<B>ntfsundelete /dev/hda1 -c 3689-3690 -o debug</B>

<P>
</DL>

<A NAME="lbAQ">&nbsp;</A>
<H2>BUGS</H2>

There are some small limitations to
<B>ntfsundelete</B>,

but currently no known bugs.  If you find a bug please send an email describing
the problem to the development team:
<BR>


<A HREF="mailto:ntfs-3g-devel@lists.sf.net">ntfs-3g-devel@lists.sf.net</A>

<A NAME="lbAR">&nbsp;</A>
<H2>AUTHORS</H2>

<B>ntfsundelete</B>

was written by Richard Russon and Holger Ohmacht, with contributions from Anton
Altaparmakov.
It was ported to ntfs-3g by Erik Larsson and Jean-Pierre Andre.
<A NAME="lbAS">&nbsp;</A>
<H2>AVAILABILITY</H2>

<B>ntfsundelete</B>

is part of the
<B>ntfs-3g</B>

package and is available from:
<BR>


<A HREF="http://www.tuxera.com/community/">http://www.tuxera.com/community/</A>

<A NAME="lbAT">&nbsp;</A>
<H2>SEE ALSO</H2>

<B><A HREF="/cgi-bin/man/man2html?8+ntfsinfo">ntfsinfo</A></B>(8),

<B><A HREF="/cgi-bin/man/man2html?8+ntfsprogs">ntfsprogs</A></B>(8)

<P>

<HR>
<A NAME="index">&nbsp;</A><H2>Index</H2>
<DL>
<DT id="28"><A HREF="#lbAB">NAME</A><DD>
<DT id="29"><A HREF="#lbAC">SYNOPSIS</A><DD>
<DT id="30"><A HREF="#lbAD">DESCRIPTION</A><DD>
<DL>
<DT id="31"><A HREF="#lbAE">Scan</A><DD>
<DT id="32"><A HREF="#lbAF">Undelete</A><DD>
<DT id="33"><A HREF="#lbAG">Copy</A><DD>
<DT id="34"><A HREF="#lbAH">Notes</A><DD>
</DL>
<DT id="35"><A HREF="#lbAI">CAVEATS</A><DD>
<DL>
<DT id="36"><A HREF="#lbAJ">Miracles</A><DD>
<DT id="37"><A HREF="#lbAK">Locale</A><DD>
<DT id="38"><A HREF="#lbAL">Extended MFT Records</A><DD>
<DT id="39"><A HREF="#lbAM">Compressed and Encrypted Files</A><DD>
<DT id="40"><A HREF="#lbAN">The Recovered File's Size and Date</A><DD>
</DL>
<DT id="41"><A HREF="#lbAO">OPTIONS</A><DD>
<DT id="42"><A HREF="#lbAP">EXAMPLES</A><DD>
<DT id="43"><A HREF="#lbAQ">BUGS</A><DD>
<DT id="44"><A HREF="#lbAR">AUTHORS</A><DD>
<DT id="45"><A HREF="#lbAS">AVAILABILITY</A><DD>
<DT id="46"><A HREF="#lbAT">SEE ALSO</A><DD>
</DL>
<HR>
This document was created by
<A HREF="/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 00:06:14 GMT, March 31, 2021
</BODY>
</HTML>