1NTFSUNDELETE(8) System Manager's Manual NTFSUNDELETE(8)
2
6 ntfsundelete - recover a deleted file from an NTFS volume.
7
9 ntfsundelete [options] device
10
12 ntfsundelete has three modes of operation: scan, undelete and copy.
13 Scan
15 The default mode, scan simply reads an NTFS Volume and looks for files
16 that have been deleted. Then it will print a list giving the inode
17 number, name and size.
18 Undelete
20 The undelete mode takes the files either matching the regular expres‐
21 sion (option -m) or specified by the inode-expressions and recovers as
22 much of the data as possible. It saves the result to another loca‐
23 tion. Partly for safety, but mostly because NTFS write support isn't
24 finished.
25 Copy
27 This is a wizard's option. It will save a portion of the MFT to a
28 file. This probably only be useful when debugging ntfsundelete
29 Notes
31 ntfsundelete only ever reads from the NTFS Volume. ntfsundelete will
32 never change the volume.
33
35 Miracles
36 ntfsundelete cannot perform the impossible.
37 When a file is deleted the MFT Record is marked as not in use and the
39 bitmap representing the disk usage is updated. If the power isn't
40 turned off immediately, the free space, where the file used to live,
41 may become overwritten. Worse, the MFT Record may be reused for
42 another file. If this happens it is impossible to tell where the file
43 was on disk.
44 Even if all the clusters of a file are not in use, there is no guaran‐
46 tee that they haven't been overwritten by some short-lived file.
47 Locale
49 In NTFS all the filenames are stored as Unicode. They will be con‐
50 verted into the current locale for display by ntfsundelete. The util‐
51 ity has successfully displayed some Chinese pictogram filenames and
52 then correctly recovered them.
53 Extended MFT Records
55 In rare circumstances, a single MFT Record will not be large enough to
56 hold the metadata describing a file (a file would have to be in hun‐
57 dreds of fragments for this to happen). In these cases one MFT record
58 may hold the filename, but another will hold the information about the
59 data. ntfsundelete will not try and piece together such records. It
60 will simply show unnamed files with data.
61 Compressed and Encrypted Files
63 ntfsundelete cannot recover compressed or encrypted files. When scan‐
64 ning for them, it will display as being 0% recoverable.
65 The Recovered File's Size and Date
67 To recover a file ntfsundelete has to read the file's metadata. Unfor‐
68 tunately, this isn't always intact. When a file is deleted, the meta‐
69 data can be left in an inconsistent state. e.g. the file size may be
70 zero; the dates of the file may be set to the time it was deleted, or
71 random.
72 To be safe ntfsundelete will pick the largest file size it finds and
73 write that to disk. It will also try and set the file's date to the
74 last modified date. This date may be the correct last modified date,
75 or something unexpected.
76
78 Below is a summary of all the options that ntfsundelete accepts.
79 Nearly all options have two equivalent names. The short name is pre‐
80 ceded by - and the long name is preceded by --. Any single letter
81 options, that don't take an argument, can be combined into a single
82 command, e.g. -fv is equivalent to -f -v. Long named options can be
83 abbreviated to any unique prefix of their name.
84 -b, --byte NUM
86 If any clusters of the file cannot be recovered, the missing
87 parts will be filled with this byte. The default is zeros.
88 -C, --case
90 When scanning an NTFS volume, any filename matching (using the
91 --match option) is case-insensitive. This option makes the
92 matching case-sensitive.
93 -c, --copy RANGE
95 This wizard's option will write a block of MFT FILE records to a
96 file. The default file is mft which will be created in the cur‐
97 rent directory. This option can be combined with the --output
98 and --destination options.
99 -d, --destination DIR
101 This option controls where to put the output file of the
102 --undelete and --copy options.
103 -f, --force
105 This will override some sensible defaults, such as not overwrit‐
106 ing an existing file. Use this option with caution.
107 -h, --help
109 Show a list of options with a brief description of each one.
110 -i, --inodes RANGE
112 Recover the files with these inode numbers. RANGE can be a sin‐
113 gle inode number, several numbers separated by commas "," or a
114 range separated by a dash "-".
115 -m, --match PATTERN
117 Filter the output by only looking for matching filenames. The
118 pattern can include the wildcards '?', match exactly one charac‐
119 ter or '*', match zero or more characters. By default the
120 matching is case-insensitive. To make the search case sensi‐
121 tive, use the --case option.
122 -O, --optimistic
124 Recover parts of the file even if they are currently marked as
125 in use.
126 -o, --output FILE
128 Use this option to set name of output file that --undelete or
129 --copy will create.
130 -P, --parent
132 Display the parent directory of a deleted file.
133 -p, --percentage NUM
135 Filter the output of the --scan option, by only matching files
136 with a certain amount of recoverable content. Please read the
137 caveats section for more details.
138 -q, --quiet
140 Reduce the amount of output to a minimum. Naturally, it doesn't
141 make sense to combine this option with --scan.
142 -s, --scan
144 Search through an NTFS volume and print a list of files that
145 could be recovered. This is the default action of ntfsundelete.
146 This list can be filtered by filename, size, percentage recover‐
147 able or last modification time, using the --match, --size,
148 --percent and --time options, respectively.
149 The output of scan will be:
151 Inode Flags %age Date Size Filename
153 6038 FN.. 93% 2002-07-17 26629 thesis.doc
154 ┌────────────────────────────────────────┐
156 │Flag Description │
157 │F/D File/Directory │
158 │N/R (Non-)Resident data stream │
159 │C/E Compressed/Encrypted data stream │
160 │! Missing attributes │
161 └────────────────────────────────────────┘
162 The percentage field shows how much of the file can potentially
164 be recovered.
165 -S, --size RANGE
167 Filter the output of the --scan option, by looking for a partic‐
168 ular range of file sizes. The range may be specified as two
169 numbers separated by a '-'. The sizes may be abbreviated using
170 the suffixes k, m, g, t, for kilobytes, megabytes, gigabytes and
171 terabytes respectively.
172 -t, --time SINCE
174 Filter the output of the --scan option. Only match files that
175 have been altered since this time. The time must be given as
176 number using a suffix of d, w, m, y for days, weeks, months or
177 years ago.
178 -T, --truncate
180 If ntfsundelete is confident about the size of a deleted file,
181 then it will restore the file to exactly that size. The default
182 behaviour is to round up the size to the nearest cluster (which
183 will be a multiple of 512 bytes).
184 -u, --undelete
186 Select undelete mode. You can specify the files to be recovered
187 using by using --match or --inodes options. This option can be
188 combined with --output, --destination, and --byte.
189 When the file is recovered it will be given its original name,
191 unless the --output option is used.
192 -v, --verbose
194 Increase the amount of output that ntfsundelete prints.
195 -V, --version
197 Show the version number, copyright and license for ntfsundelete.
198
200 Look for deleted files on /dev/hda1.
201 ntfsundelete /dev/hda1
203 Look for deleted documents on /dev/hda1.
205 ntfsundelete /dev/hda1 -s -m '*.doc'
207 Look for deleted files between 5000 and 6000000 bytes, with at least
209 90% of the data recoverable, on /dev/hda1.
210 ntfsundelete /dev/hda1 -S 5k-6m -p 90
212 Look for deleted files altered in the last two days
214 ntfsundelete /dev/hda1 -t 2d
216 Undelete inodes 2, 5 and 100 to 131 of device /dev/sda1
218 ntfsundelete /dev/sda1 -u -i 2,5,100-131
220 Undelete inode number 3689, call the file 'work.doc' and put it in the
222 user's home directory.
223 ntfsundelete /dev/hda1 -u -i 3689 -o work.doc -d ~
225 Save MFT Records 3689 to 3690 to a file 'debug'
227 ntfsundelete /dev/hda1 -c 3689-3690 -o debug
229
232 There are some small limitations to ntfsundelete, but currently no
233 known bugs. If you find a bug please send an email describing the
234 problem to the development team:
235 linux-ntfs-dev@lists.sourceforge.net
236
238 ntfsundelete was written by Richard Russon and Holger Ohmacht, with
239 contributions from Anton Altaparmakov.
240
242 ntfsundelete is part of the ntfsprogs package and is available from:
243 http://www.linux-ntfs.org/content/view/19/37
244 The manual pages are available online at:
246 http://man.linux-ntfs.org/
247
249 ntfsinfo(8), ntfsprogs(8)
250ntfsprogs 1.13.1 November 2005 NTFSUNDELETE(8)