Share |

2.19 Ntfsundeleteall

This script is a simple wrapper for the utility 'ntfsundelete'

What it does is find all deleted files on an ntfs volume and tries to recover them. It does this by looking for traces in the ntfs Master File Table and sees whether the file is still available on the disk (or partially overwritten). It 's a good utility that recovers your files with the original filename but without the relevant path in front. So to avoid double recovered filenames, I 've written the script so that it prepends the original inode (=internal number for the file on the filesystem) before the filename, so you always have a unique filename. It 's up to you to rename the files afterwards, but at least you have the original name in the recovered filename.

Here 's how the script works

Suppose you have the volume /dev/hda1 in ntfs from which you wish to recover files.
Make sure this volume is NOT mounted
Prepare a place to which you can store your recovered files. Recovered files will never be written to the original partition from which you recover them because the risk exists you will overwrite other files that still need recovery. Let 's say you have space on a network volume that you 've mounted on /mnt0 (for this procedure, see the section "Getting around with commands"), with a subdir called "recovered"
Here 's the syntax of ntfsundeleteall:
ntfsundeleteall Device Savedir [minimum percentage] --force

Now here 's how we do it in our example:
'ntfsundeleteall /dev/hda1 /mnt0/recovered'

This is very simple, this will recover any file it finds, even if only 1% of the file is recoverable. You 're probably not interested in that, because these files are most likely to be corrupt and unusable, so you add a parameter on the percentage you wish the file is recoverable. If we only want 100% recoverability, make the command like this:

'ntfsundeleteall /dev/hda1 /mnt0/recovered 100'

You will see the directory /mnt0/recovered filling up with recovered files, hopefully your file is in there.

You might have noticed the parameter "--force". This will only skip the check that your filesystem is ntfs, you can use this if you think your filesystem is so badly damaged that it won 't even be recognized anymore, but I doubt you will be even capable of recovering any files then.

Another recommendation I can give you is Photorec. Photorec is a third party utility that is able to recover files in a unique way: it is independent of the filesystem, it just does raw read of the disk (tries to use as much info as it can from whatever filesystem there was on it) and tries to recognize known document formats to recover whatever it can find. Although the name implies it might only serve to recover pictures, it can in fact recover any kind of important document, including word and excel, but also file archives such as zip and tar.gz.

The only thing you won 't get from this utility is the original filename, so you 'll have to sort out your recovered documents one by one.

Updated: July 27, 2010