Share |

3.2 Recovering deleted files or files from formatted drives (ntfsundeleteall, photorec)

In TRK, there are several ways you can use to undelete files. What you should use depends on the state of your harddisk/filesystem and the success of recovery can vary between various methods.

Ntfsundeleteall

The first method already explained earlier is ntfsundeleteall (section 2.8), so I'm not going to re-explain this. What I should mention about this method is that it has a high recoverability ratio on recently deleted files (deleted in a normal way, not because of a crash or filesystem corruption). It does however a poor job on drives that have already had more write I/O over them. It is completely unusable on formatted drives.

Photorec

In all other cases, you can try the photorec utility, which tries to recover any important kind of document from any filesystem. Be sure to run it by first changing to a place where you can write your stuff, because it saves its recovered output to a subfolder relative from where it was launched. Example:
'mount //10.0.0.1/share /mnt0'
'cd /mnt0'
'photorec'

If you suspect that your filesystem is corrupt, I would first try to run a chkdsk on it and see what it recovers. Then afterwards, see what shows up and, depending on what has become visible, use the ntfs capabilities of TRK or use photorec... But do not run a chkdsk if your disk is physically dieing!!! Try to do as little I/O possible on that disk. Running a chkdsk will probably render it even more unusable in that case.

Maybe ddrescue first

If photorec is unable to recover because of too many corrupt sectors, you can try ddrescue.
This util tries to recover files and filesystems that are on locations with bad sectors. If it is really unable to read the bad sectors, it will pad them with zeroes. Your files will possibly be corrupted, but at least you will have saved whatever there is to save. If you ddrescue a complete filesystem (e.g. 'ddrescue if=/dev/hda1 of=/mnt0/rescued-image.img), you can afterwards mount that image as a loopback filesystem ('mount -o loop /mnt0/rescued-image.img /mnt1') and rescue/undelete files like that.

Updated: July 28, 2010