1ntfsundelete(1M) System Administration Commands ntfsundelete(1M)
2
6 ntfsundelete - recover a deleted file from an NTFS volume
7
9 ntfsundelete [options] device
10
13 The ntfsundelete utility can, under the right circumstances, recover a
14 deleted file from an NTFS volume. The command has three modes of opera‐
15 tion:
16 Scan
18 The default mode, scan simply reads an NTFS Volume and looks for
20 files that have been deleted. It then displays a list, giving the
21 inode number, name, and size of each deleted file.
22 Undelete
25 The undelete mode takes the files either matching the regular
27 expression (option -m) or specified by the inode-expressions and
28 recovers as much of the data as possible. It saves the result to
29 another location.
30 Copy
33 The "wizard's" option. Saves a portion of the MFT to a file, which
35 can be useful when debugging ntfsundelete.
36 There are many circumstances under which ntfsundelete is unable to
40 recover a file. For example, consider the following scenario. When a
41 file is deleted the MFT Record is marked as not in use and the bitmap
42 representing the disk usage is updated. If the power is not turned off
43 immediately, the free space, where the file used to reside might get
44 overwritten. Worse, the MFT Record might be reused for another file. If
45 this happens, it is impossible to tell where the file was on disk.
46 Even if all the clusters of a file are not in use, there is no guaran‐
49 tee that they have not been overwritten by some short-lived file.
50 ntfsundelete cannot recover compressed or encrypted files. During a
53 scan, it will display such a file as being 0% recoverable.
54 Locale
56 In NTFS, all filenames are stored as Unicode. A filename is converted
57 into the current locale for display by ntfsundelete. The utility has
58 successfully displayed Chinese pictogram filenames and then correctly
59 recovered them.
60 Extended MFT Records
62 In rare circumstances, a single MFT Record will not be large enough to
63 hold the metadata describing a file (a file would have to be in hun‐
64 dreds of fragments for this to happen). In these cases, one MFT record
65 might hold the filename, while another will hold the information about
66 the data. ntfsundelete will not try and piece together such records. It
67 will simply list unnamed files with data.
68 Recovered File's Size and Creation Date
70 To recover a file, ntfsundelete has to read the file's metadata. Unfor‐
71 tunately, when a file is deleted, the metadata can be left in an incon‐
72 sistent state. For example, the file size might be recorded as zero;
73 the creation date of a file might be set to the time it was deleted or
74 to a random time. In such situations, ntfsundelete picks the largest
75 file size it finds and writes that to disk. It also tries to set the
76 file's creation date to the last-modified date. This date might be the
77 correct last modified date, or something unexpected.
78
80 Supported options are listed below. Most options have both single-let‐
81 ter and full-name forms. Multiple single-letter options that do not
82 take an argument can be combined. For example, -fv is the equivalent of
83 -f -v. A full-name option can be abbreviated to a unique prefix of its
84 name.
85 -b, --byte num
87 Fill in the parts of unrecoverable file clusters with byte repre‐
89 sented by num. The default is zeros.
90 -C, --case
93 Make filename search, when attempting a match with the --match
95 option, case-sensitive. The default filename search is case-insen‐
96 sitive.
97 -c, --copy range
100 This "wizard" option writes a block of MFT FILE records to a file.
102 The default file is mft which will be created in the current direc‐
103 tory. This option can be combined with the --output and --destina‐
104 tion options.
105 -d, --destination dir
108 Specify the location of the output file for the --copy and
110 --undelete options.
111 -f, --force
114 Overrides some sensible defaults, such as not overwriting an exist‐
116 ing file. Use this option with caution.
117 -h, --help
120 Show a list of options with a brief description of each one.
122 -i, --inodes range
125 Recover the files within the specified range of inode numbers.
127 range can be a single inode number, several numbers separated by
128 commas, or a range separated by a dash (-).
129 -m, --match pattern
132 Filter the output by looking only for filenames that match pattern.
134 The pattern can include the wildcards ?, matching exactly one char‐
135 acter, or *, matching zero or more characters. By default, the
136 matching is case-insensitive. To make the search case-sensitive,
137 use the --case option.
138 -O, --optimistic
141 Recover parts of the file even if they are currently marked as in
143 use.
144 -o, --output file
147 Set the name of the output file created by the --copy or --undelete
149 options.
150 -P, --parent
153 Display the parent directory of a deleted file.
155 -p, --percentage num
158 Filter the output of the --scan option by matching only files with
160 num percent of recoverable content.
161 -q, --quiet
164 Reduce the amount of output to a minimum. This option is not useful
166 with the --scan option.
167 -s, --scan
170 Search through an NTFS volume and display a list of files that
172 could be recovered. This is the default action of ntfsundelete.
173 This list can be filtered by filename, size, percentage recover‐
174 able, or last modification time, using the --match, --size,
175 --percent, and --time options, respectively.
176 In the output from this option, the %age (percentage) field dis‐
178 plays how much of a file can potentially be recovered.
179 -S, --size range
182 Filter the output of the --scan option by looking for a particular
184 range of file sizes. range can be specified as two numbers sepa‐
185 rated by a hyphen (-). A unit of size can be abbreviated using the
186 suffixes k, m, g, and t, for kilobytes, megabytes, gigabytes, and
187 terabytes respectively.
188 -t, --time since
191 Filter the output of the --scan option. Match only files that have
193 been altered since this time. The time must be given as number and
194 a suffix of d, w, m, or y for, respectively, days, weeks,
195 months, or years.
196 -T, --truncate
199 The default behavior of ntfsundelete is to round up a file's size
201 to the nearest cluster (which will be a multiple of 512 bytes). In
202 cases where the utility has complete data about the size of a file,
203 this option restores the file to exactly that size.
204 -u, --undelete
207 Specifies undelete mode. You can specify the files to be recovered
209 using by using --match or --inodes options. This option can be com‐
210 bined with --output, --destination, and --byte.
211 When the file is recovered it will be given its original name,
213 unless the --output option is used.
214 -v, --verbose
217 Increase the amount of output that ntfsundelete displays.
219 -V, --version
222 Display the version number, copyright, and license for ntfsun‐
224 delete.
225
228 Example 1 Searching for Deleted Files
229 The following command searches for deleted files on a specific device.
232 # ntfsundelete /dev/dsk/c0d0p1
235 Example 2 Scanning for Files Matching a Wildcard
239 The following command searches for deleted files that match *.doc.
242 # ntfsundelete /dev/dsk/c0d0p1 -s -m '*.doc'
245 Example 3 Searching for Files of a Certain Size
249 The following command looks for deleted files between 5000 and 6000000
252 bytes, with at least 90% of the data recoverable, on /dev/dsk/c0d0p1.
253 # ntfsundelete /dev/dsk/c0d0p1 -S 5k-6m -p 90
256 Example 4 Searching for Recently Changed Files
260 The following command searches for deleted files altered in the last
263 two days.
264 # ntfsundelete /dev/dsk/c0d0p1 -t 2d
267 Example 5 Specifying an Inode Range
271 The following command undeletes inodes 2, 5 and 100 to 131 of device
274 /dev/sda1.
275 # ntfsundelete /dev/sda1 -u -i 2,5,100-131
278 Example 6 Specifying an Output File and Directory
282 The following command undeletes inode number 3689, names the file
285 work.doc, and stores it in the user's home directory.
286 # ntfsundelete /dev/dsk/c0d0p1 -u -i 3689 -o work.doc -d ~
289 Example 7 Saving MFT Records
293 The following command saves MFT records 3689 to 3690 to a file debug.
296 # ntfsundelete /dev/dsk/c0d0p1 -c 3689-3690 -o debug
299
303 See attributes(5) for descriptions of the following attributes:
304 ┌─────────────────────────────┬─────────────────────────────┐
309 │ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
310 ├─────────────────────────────┼─────────────────────────────┤
311 │Availability │SUNWntfsprogs │
312 ├─────────────────────────────┼─────────────────────────────┤
313 │Interface Stability │Uncommitted │
314 └─────────────────────────────┴─────────────────────────────┘
315
317 ntfsclone(1M), ntfsresize(1M), parted(1M), attributes(5)
318 http://wiki.linux-ntfs.org
321
323 ntfsundelete was written by Richard Russon and Holger Ohmacht, with
324 contributions from Anton Altaparmakov.
325SunOS 5.11 22 May 2009 ntfsundelete(1M)