ntfsundelete(1M)        System Administration Commands        ntfsundelete(1M)

NAME

       ntfsundelete - recover a deleted file from an NTFS volume

SYNOPSIS

       ntfsundelete [options] device

DESCRIPTION

       The ntfsundelete utility can, under the right circumstances, recover a
       deleted file from an NTFS volume. The command has three modes of
       operation:

       Scan

           The default mode, scan simply reads an NTFS Volume and looks for
           files that have been deleted. It then displays a list, giving the
           inode number, name, and size of each deleted file.

       Undelete

           The undelete mode takes the files either matching the regular
           expression (option -m) or specified by the inode-expressions and
           recovers as much of the data as possible. It saves the result to
           another location.

       Copy

           The "wizard's" option. Saves a portion of the MFT to a file, which
           can be useful when debugging ntfsundelete.

       There are many circumstances under which ntfsundelete is unable to
       recover a file. For example, consider the following scenario. When a
       file is deleted, the MFT Record is marked as not in use and the bitmap
       representing the disk usage is updated. If the power is not turned off
       immediately, the free space where the file used to reside might get
       overwritten. Worse, the MFT Record might be reused for another file. If
       this happens, it is impossible to tell where the file was on disk.

       Even if all the clusters of a file are not in use, there is no
       guarantee that they have not been overwritten by some short-lived file.

       ntfsundelete cannot recover compressed or encrypted files. During a
       scan, it will display such a file as being 0% recoverable.

   Locale
       In NTFS, all filenames are stored as Unicode. A filename is converted
       into the current locale for display by ntfsundelete. The utility has
       successfully displayed Chinese pictogram filenames and then correctly
       recovered them.

   Extended MFT Records
       In rare circumstances, a single MFT Record will not be large enough to
       hold the metadata describing a file (a file would have to be in
       hundreds of fragments for this to happen). In these cases, one MFT
       record might hold the filename, while another will hold the information
       about the data. ntfsundelete will not try to piece together such
       records. It will simply list unnamed files with data.

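       The "not in use" marking described under DESCRIPTION and the split
       records described above are both visible in the header of each MFT FILE
       record. The following Python code is an added example, not part of
       ntfsundelete or of the original page. It assumes 1024-byte records, the
       standard NTFS FILE record header layout, and that a --copy dump is a
       plain concatenation of records; all function names are hypothetical.

```python
import struct

RECORD_SIZE = 1024   # assumption: the common MFT record size
# Standard NTFS FILE record header (42 bytes); these fields sit below the
# update-sequence fixup positions, so they can be read without applying fixups.
HEADER = struct.Struct("<4sHHQHHHHIIQH")
FLAG_IN_USE, FLAG_DIRECTORY = 0x0001, 0x0002


def parse_record(buf):
    """Decode one FILE record header; return None if it is not a FILE record."""
    if len(buf) < HEADER.size:
        return None
    (magic, _usa_ofs, _usa_cnt, _lsn, seq, _links, _attr_ofs, flags,
     _used, _alloc, base_ref, _next_id) = HEADER.unpack_from(buf)
    if magic != b"FILE":
        return None   # never-used (zeroed) slot or a damaged record
    return {
        "sequence": seq,
        "deleted": not flags & FLAG_IN_USE,
        "directory": bool(flags & FLAG_DIRECTORY),
        # A non-zero base reference marks an extension record; the low
        # 48 bits give the number of the base record it belongs to.
        "extension": base_ref != 0,
        "base_record": base_ref & 0xFFFFFFFFFFFF,
    }


def summarize(dump, first_record=0):
    """Return [(record number, info)] for every FILE record in a dump."""
    rows = []
    for off in range(0, len(dump) - RECORD_SIZE + 1, RECORD_SIZE):
        info = parse_record(dump[off:off + RECORD_SIZE])
        if info is not None:
            rows.append((first_record + off // RECORD_SIZE, info))
    return rows


def make_record(flags, base_ref=0, seq=1):
    """Build a constructed sample record: header only, rest zero-filled."""
    hdr = HEADER.pack(b"FILE", 48, 3, 0, seq, 0, 56, flags, 56, RECORD_SIZE,
                      base_ref, 0)
    return hdr.ljust(RECORD_SIZE, b"\0")

# Constructed sample standing in for a dump of records 3689-3692.
SAMPLE = (make_record(FLAG_IN_USE)                      # live file
          + make_record(0, seq=4)                       # deleted file
          + make_record(0, base_ref=(4 << 48) | 3690)   # deleted extension
          + bytes(RECORD_SIZE))                         # unused slot
```
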
   Recovered File's Size and Creation Date
       To recover a file, ntfsundelete has to read the file's metadata.
       Unfortunately, when a file is deleted, the metadata can be left in an
       inconsistent state. For example, the file size might be recorded as
       zero; the creation date of a file might be set to the time it was
       deleted or to a random time. In such situations, ntfsundelete picks the
       largest file size it finds and writes that to disk. It also tries to
       set the file's creation date to the last-modified date. This date might
       be the correct last modified date, or something unexpected.

OPTIONS

       Supported options are listed below. Most options have both
       single-letter and full-name forms. Multiple single-letter options that
       do not take an argument can be combined. For example, -fv is the
       equivalent of -f -v. A full-name option can be abbreviated to a unique
       prefix of its name.

       -b, --byte num

           Fill in the parts of unrecoverable file clusters with the byte
           represented by num. The default is zeros.

       -C, --case

           Make filename search, when attempting a match with the --match
           option, case-sensitive. The default filename search is
           case-insensitive.

       -c, --copy range

           This "wizard" option writes a block of MFT FILE records to a file.
           The default file is mft, which will be created in the current
           directory. This option can be combined with the --output and
           --destination options.

       -d, --destination dir

           Specify the location of the output file for the --copy and
           --undelete options.

       -f, --force

           Overrides some sensible defaults, such as not overwriting an
           existing file. Use this option with caution.

       -h, --help

           Show a list of options with a brief description of each one.

       -i, --inodes range

           Recover the files within the specified range of inode numbers.
           range can be a single inode number, several numbers separated by
           commas, or a range separated by a dash (-).

       -m, --match pattern

           Filter the output by looking only for filenames that match pattern.
           The pattern can include the wildcards ?, matching exactly one
           character, or *, matching zero or more characters. By default, the
           matching is case-insensitive. To make the search case-sensitive,
           use the --case option.

       -O, --optimistic

           Recover parts of the file even if they are currently marked as in
           use.

       -o, --output file

           Set the name of the output file created by the --copy or --undelete
           options.

       -P, --parent

           Display the parent directory of a deleted file.

       -p, --percentage num

           Filter the output of the --scan option by matching only files with
           num percent of recoverable content.

       -q, --quiet

           Reduce the amount of output to a minimum. This option is not useful
           with the --scan option.

       -s, --scan

           Search through an NTFS volume and display a list of files that
           could be recovered. This is the default action of ntfsundelete.
           This list can be filtered by filename, size, percentage
           recoverable, or last modification time, using the --match, --size,
           --percent, and --time options, respectively.

           In the output from this option, the %age (percentage) field
           displays how much of a file can potentially be recovered.

       -S, --size range

           Filter the output of the --scan option by looking for a particular
           range of file sizes. range can be specified as two numbers
           separated by a hyphen (-). A unit of size can be abbreviated using
           the suffixes k, m, g, and t, for kilobytes, megabytes, gigabytes,
           and terabytes respectively.

       -t, --time since

           Filter the output of the --scan option. Match only files that have
           been altered since this time. The time must be given as a number
           and a suffix of d, w, m, or y for, respectively, days, weeks,
           months, or years.

       -T, --truncate

           The default behavior of ntfsundelete is to round up a file's size
           to the nearest cluster (which will be a multiple of 512 bytes). In
           cases where the utility has complete data about the size of a file,
           this option restores the file to exactly that size.

       -u, --undelete

           Specifies undelete mode. You can specify the files to be recovered
           by using the --match or --inodes options. This option can be
           combined with --output, --destination, and --byte.

           When the file is recovered, it will be given its original name,
           unless the --output option is used.

       -v, --verbose

           Increase the amount of output that ntfsundelete displays.

       -V, --version

           Display the version number, copyright, and license for
           ntfsundelete.

EXAMPLES

       Example 1 Searching for Deleted Files

       The following command searches for deleted files on a specific device.

         # ntfsundelete /dev/dsk/c0d0p1

       Example 2 Scanning for Files Matching a Wildcard

       The following command searches for deleted files that match *.doc.

         # ntfsundelete /dev/dsk/c0d0p1 -s -m '*.doc'

       Example 3 Searching for Files of a Certain Size

       The following command looks for deleted files between 5000 and 6000000
       bytes, with at least 90% of the data recoverable, on /dev/dsk/c0d0p1.

         # ntfsundelete /dev/dsk/c0d0p1 -S 5k-6m -p 90

       Example 4 Searching for Recently Changed Files

       The following command searches for deleted files altered in the last
       two days.

         # ntfsundelete /dev/dsk/c0d0p1 -t 2d

       Example 5 Specifying an Inode Range

       The following command undeletes inodes 2, 5 and 100 to 131 of device
       /dev/sda1.

         # ntfsundelete /dev/sda1 -u -i 2,5,100-131

       Example 6 Specifying an Output File and Directory

       The following command undeletes inode number 3689, names the file
       work.doc, and stores it in the user's home directory.

         # ntfsundelete /dev/dsk/c0d0p1 -u -i 3689 -o work.doc -d ~

       Example 7 Saving MFT Records

       The following command saves MFT records 3689 to 3690 to a file debug.

         # ntfsundelete /dev/dsk/c0d0p1 -c 3689-3690 -o debug

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWntfsprogs                │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Uncommitted                  │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO

       ntfsclone(1M), ntfsresize(1M), parted(1M), attributes(5)

       http://wiki.linux-ntfs.org

AUTHORS

       ntfsundelete was written by Richard Russon and Holger Ohmacht, with
       contributions from Anton Altaparmakov.

SunOS 5.11                        22 May 2009                 ntfsundelete(1M)