'\" te
.\" Portions Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved
.\" Copyright (c) 2002-2006 Szabolcs Szakacsits
.\" Copyright (c) 2002-2005 Anton Altaparmakov
.\" Copyright (c) 2002-2003 Richard Russon
.\" Copyright (c) 2007 Yura Pakhuchiy
.\" This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.  This program is distributed
.\" in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.  You should have received a copy of the GNU General Public License along with this program
.\" (in the main directory of the Linux-NTFS distribution in the file COPYING);  if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
.TH NTFSUNDELETE 1M "May 22, 2009"
.SH NAME
ntfsundelete \- recover a deleted file from an NTFS volume
.SH SYNOPSIS
.LP
.nf
\fBntfsundelete\fR [\fIoptions\fR] \fIdevice\fR
.fi

.SH DESCRIPTION
.sp
.LP
The \fBntfsundelete\fR utility can, under the right circumstances, recover a
deleted file from an NTFS volume. The command has three modes of operation:
.sp
.ne 2
.na
\fB\fBScan\fR\fR
.ad
.sp .6
.RS 4n
The default mode, \fBscan\fR, simply reads an NTFS volume and looks for files
that have been deleted. It then displays a list, giving the inode number, name,
and size of each deleted file.
.RE

.sp
.ne 2
.na
\fB\fBUndelete\fR\fR
.ad
.sp .6
.RS 4n
The undelete mode takes the files either matching the regular expression
(option \fB-m\fR) or specified by the \fIinode-expressions\fR and recovers as
much of the data as possible. It saves the result to another location.
.RE

.sp
.ne 2
.na
\fB\fBCopy\fR\fR
.ad
.sp .6
.RS 4n
The "wizard's" option. Saves a portion of the MFT to a file, which can be
useful when debugging \fBntfsundelete\fR.
.RE

.sp
.LP
There are many circumstances under which \fBntfsundelete\fR is unable to
recover a file. For example, consider the following scenario. When a file is
deleted, the MFT Record is marked as not in use and the bitmap representing the
disk usage is updated. If the power is not turned off immediately, the free
space where the file used to reside might get overwritten. Worse, the MFT
Record might be reused for another file. If this happens, it is impossible to
tell where the file was on disk.
.sp
.LP
Even if all the clusters of a file are not in use, there is no guarantee that
they have not been overwritten by some short-lived file.
.sp
.LP
\fBntfsundelete\fR cannot recover compressed or encrypted files. During a scan,
it will display such a file as being 0% recoverable.
.SS "Locale"
.sp
.LP
In NTFS, all filenames are stored as Unicode. A filename is converted into the
current locale for display by \fBntfsundelete\fR. The utility has successfully
displayed Chinese pictogram filenames and then correctly recovered them.
.SS "Extended MFT Records"
.sp
.LP
In rare circumstances, a single MFT Record will not be large enough to hold the
metadata describing a file (a file would have to be in hundreds of fragments
for this to happen). In these cases, one MFT record might hold the filename,
while another will hold the information about the data. \fBntfsundelete\fR will
not try to piece together such records. It will simply list unnamed files with
data.
.SS "Recovered File's Size and Creation Date"
.sp
.LP
To recover a file, \fBntfsundelete\fR has to read the file's metadata.
Unfortunately, when a file is deleted, the metadata can be left in an
inconsistent state. For example, the file size might be recorded as zero; the
creation date of a file might be set to the time it was deleted or to a random
time. In such situations, \fBntfsundelete\fR picks the largest file size it
finds and writes that to disk. It also tries to set the file's creation date to
the last-modified date. This date might be the correct last-modified date, or
something unexpected.
.SH OPTIONS
.sp
.LP
Supported options are listed below. Most options have both single-letter and
full-name forms. Multiple single-letter options that do not take an argument
can be combined. For example, \fB-fv\fR is the equivalent of \fB-f\fR \fB-v\fR.
A full-name option can be abbreviated to a unique prefix of its name.
.sp
.ne 2
.na
\fB\fB-b\fR, \fB--byte\fR \fInum\fR\fR
.ad
.sp .6
.RS 4n
Fill in the unrecoverable parts of a file's clusters with the byte represented
by \fInum\fR. The default is zeros.
.RE

.sp
.ne 2
.na
\fB\fB-C\fR, \fB--case\fR\fR
.ad
.sp .6
.RS 4n
Make filename search, when attempting a match with the \fB--match\fR option,
case-sensitive. The default filename search is case-insensitive.
.RE

.sp
.ne 2
.na
\fB\fB-c\fR, \fB--copy\fR \fIrange\fR\fR
.ad
.sp .6
.RS 4n
This "wizard" option writes a block of MFT FILE records to a file. The default
file is \fBmft\fR, which is created in the current directory. This option can be
combined with the \fB--output\fR and \fB--destination\fR options.
.RE

.sp
.ne 2
.na
\fB\fB-d\fR, \fB--destination\fR \fIdir\fR\fR
.ad
.sp .6
.RS 4n
Specify the location of the output file for the \fB--copy\fR and
\fB--undelete\fR options.
.RE

.sp
.ne 2
.na
\fB\fB-f\fR, \fB--force\fR\fR
.ad
.sp .6
.RS 4n
Overrides some sensible defaults, such as not overwriting an existing file. Use
this option with caution.
.RE

.sp
.ne 2
.na
\fB\fB-h\fR, \fB--help\fR\fR
.ad
.sp .6
.RS 4n
Show a list of options with a brief description of each one.
.RE

.sp
.ne 2
.na
\fB\fB-i\fR, \fB--inodes\fR \fIrange\fR\fR
.ad
.sp .6
.RS 4n
Recover the files within the specified range of inode numbers. \fIrange\fR can
be a single inode number, several numbers separated by commas, or a range
separated by a dash (\fB-\fR).
.RE

.sp
.ne 2
.na
\fB\fB-m\fR, \fB--match\fR \fIpattern\fR\fR
.ad
.sp .6
.RS 4n
Filter the output by looking only for filenames that match \fIpattern\fR. The
pattern can include the wildcards \fB?\fR, matching exactly one character, or
\fB*\fR, matching zero or more characters. By default, the matching is
case-insensitive. To make the search case-sensitive, use the \fB--case\fR
option.
.RE

.sp
.ne 2
.na
\fB\fB-O\fR, \fB--optimistic\fR\fR
.ad
.sp .6
.RS 4n
Recover parts of the file even if they are currently marked as in use.
.RE

.sp
.ne 2
.na
\fB\fB-o\fR, \fB--output\fR \fIfile\fR\fR
.ad
.sp .6
.RS 4n
Set the name of the output file created by the \fB--copy\fR or \fB--undelete\fR
options.
.RE

.sp
.ne 2
.na
\fB\fB-P\fR, \fB--parent\fR\fR
.ad
.sp .6
.RS 4n
Display the parent directory of a deleted file.
.RE

.sp
.ne 2
.na
\fB\fB-p\fR, \fB--percentage\fR \fInum\fR\fR
.ad
.sp .6
.RS 4n
Filter the output of the \fB--scan\fR option by matching only files with at
least \fInum\fR percent of recoverable content.
.RE

.sp
.ne 2
.na
\fB\fB-q\fR, \fB--quiet\fR\fR
.ad
.sp .6
.RS 4n
Reduce the amount of output to a minimum. This option is not useful with the
\fB--scan\fR option.
.RE

.sp
.ne 2
.na
\fB\fB-s\fR, \fB--scan\fR\fR
.ad
.sp .6
.RS 4n
Search through an NTFS volume and display a list of files that could be
recovered. This is the default action of \fBntfsundelete\fR. This list can be
filtered by filename, size, percentage recoverable, or last modification time,
using the \fB--match\fR, \fB--size\fR, \fB--percentage\fR, and \fB--time\fR
options, respectively.
.sp
In the output from this option, the \fB%age\fR (percentage) field displays how
much of a file can potentially be recovered.
.RE

.sp
.ne 2
.na
\fB\fB-S\fR, \fB--size\fR \fIrange\fR\fR
.ad
.sp .6
.RS 4n
Filter the output of the \fB--scan\fR option by looking for a particular range
of file sizes. \fIrange\fR can be specified as two numbers separated by a
hyphen (\fB-\fR). A unit of size can be abbreviated using the suffixes \fBk\fR,
\fBm\fR, \fBg\fR, and \fBt\fR, for kilobytes, megabytes, gigabytes, and
terabytes respectively.
.RE

.sp
.ne 2
.na
\fB\fB-t\fR, \fB--time\fR \fIsince\fR\fR
.ad
.sp .6
.RS 4n
Filter the output of the \fB--scan\fR option. Match only files that have been
altered since this time. The time must be given as a number and a suffix of
\fBd\fR, \fBw\fR, \fBm\fR, or \fBy\fR for, respectively, days, weeks,
months, or years.
.RE

.sp
.ne 2
.na
\fB\fB-T\fR, \fB--truncate\fR\fR
.ad
.sp .6
.RS 4n
The default behavior of \fBntfsundelete\fR is to round \fBup\fR a file's size
to the nearest cluster (which will be a multiple of 512 bytes). In cases where
the utility has complete data about the size of a file, this option restores
the file to exactly that size.
.RE

.sp
.ne 2
.na
\fB\fB-u\fR, \fB--undelete\fR\fR
.ad
.sp .6
.RS 4n
Specifies undelete mode. You can specify the files to be recovered by using
the \fB--match\fR or \fB--inodes\fR options. This option can be combined with
\fB--output\fR, \fB--destination\fR, and \fB--byte\fR.
.sp
When the file is recovered it will be given its original name, unless the
\fB--output\fR option is used.
.RE

.sp
.ne 2
.na
\fB\fB-v\fR, \fB--verbose\fR\fR
.ad
.sp .6
.RS 4n
Increase the amount of output that \fBntfsundelete\fR displays.
.RE

.sp
.ne 2
.na
\fB\fB-V\fR, \fB--version\fR\fR
.ad
.sp .6
.RS 4n
Display the version number, copyright, and license for \fBntfsundelete\fR.
.RE

.SH EXAMPLES
.LP
\fBExample 1 \fRSearching for Deleted Files
.sp
.LP
The following command searches for deleted files on a specific device.

.sp
.in +2
.nf
# \fBntfsundelete /dev/dsk/c0d0p1\fR
.fi
.in -2
.sp

.LP
\fBExample 2 \fRScanning for Files Matching a Wildcard
.sp
.LP
The following command searches for deleted files that match \fB*.doc\fR.

.sp
.in +2
.nf
# \fBntfsundelete /dev/dsk/c0d0p1 -s -m '*.doc'\fR
.fi
.in -2
.sp

.LP
\fBExample 3 \fRSearching for Files of a Certain Size
.sp
.LP
The following command looks for deleted files between 5000 and 6000000 bytes,
with at least 90% of the data recoverable, on \fB/dev/dsk/c0d0p1\fR.

.sp
.in +2
.nf
# \fBntfsundelete /dev/dsk/c0d0p1 -S 5k-6m -p 90\fR
.fi
.in -2
.sp

.LP
\fBExample 4 \fRSearching for Recently Changed Files
.sp
.LP
The following command searches for deleted files altered in the last two days.

.sp
.in +2
.nf
# \fBntfsundelete /dev/dsk/c0d0p1 -t 2d\fR
.fi
.in -2
.sp

.LP
\fBExample 5 \fRSpecifying an Inode Range
.sp
.LP
The following command undeletes inodes 2, 5 and 100 to 131 of device
\fB/dev/sda1\fR.

.sp
.in +2
.nf
# \fBntfsundelete /dev/sda1 -u -i 2,5,100-131\fR
.fi
.in -2
.sp

.LP
\fBExample 6 \fRSpecifying an Output File and Directory
.sp
.LP
The following command undeletes inode number 3689, names the file
\fBwork.doc\fR, and stores it in the user's home directory.

.sp
.in +2
.nf
# \fBntfsundelete /dev/dsk/c0d0p1 -u -i 3689 -o work.doc -d ~\fR
.fi
.in -2
.sp

.LP
\fBExample 7 \fRSaving MFT Records
.sp
.LP
The following command saves MFT records 3689 to 3690 to a file \fBdebug\fR.

.sp
.in +2
.nf
# \fBntfsundelete /dev/dsk/c0d0p1 -c 3689-3690 -o debug\fR
.fi
.in -2
.sp
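.LP
A dump saved with \fB--copy\fR, as in Example 7, can be inspected offline to see
which records are marked as not in use, the state DESCRIPTION says a deleted
file's MFT Record is left in. The following Python sketch is an added example,
not part of \fBntfsundelete\fR. It assumes the dump is a run of raw NTFS FILE
records (1024 bytes each unless a record's header gives another size) and uses
a constructed sample in place of a real dump; all function names are
hypothetical.
.sp
.nf
```python
import struct

# NTFS FILE record header, little-endian: magic at 0x00, sequence number at
# 0x10, link count 0x12, first-attribute offset 0x14, flags 0x16,
# bytes in use 0x18, bytes allocated 0x1C.
HDR = struct.Struct("<4s12xHHHHII")
IN_USE, IS_DIR = 0x0001, 0x0002


def parse_mft_dump(blob, first_record=0, default_size=1024):
    """Return (record_no, state, kind, sequence) for every record in blob."""
    rows, pos, recno = [], 0, first_record
    while pos + HDR.size <= len(blob):
        magic, seq, _links, _attrs, flags, _used, alloc = HDR.unpack_from(blob, pos)
        step = default_size  # assumed record size when the header is unusable
        if magic != b"FILE":
            # Damaged or never-initialised record: no field can be trusted.
            rows.append((recno, "invalid", None, None))
        else:
            state = "in-use" if flags & IN_USE else "deleted"
            kind = "dir" if flags & IS_DIR else "file"
            rows.append((recno, state, kind, seq))
            if alloc >= HDR.size and alloc % 512 == 0:
                step = alloc  # use the record's own allocated size
        pos, recno = pos + step, recno + 1
    return rows


def deleted_records(rows):
    """Record numbers whose in-use flag is clear: the undelete candidates."""
    return [no for no, state, _kind, _seq in rows if state == "deleted"]


def _sample_record(flags, seq, magic=b"FILE", size=1024):
    """Constructed record: plausible header fields, zeroed body."""
    hdr = HDR.pack(magic, seq, 1, 0x38, flags, 0x1A0, size)
    return hdr + bytes(size - len(hdr))


# Constructed sample standing in for a four-record dump starting at 3689.
SAMPLE = (_sample_record(IN_USE, 1) + _sample_record(0, 4)
          + _sample_record(IS_DIR, 2) + _sample_record(0, 0, magic=b"BAAD"))

if __name__ == "__main__":
    for row in parse_mft_dump(SAMPLE, first_record=3689):
        print(row)
```
.fi
.sp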

.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp

.sp
.TS
box;
c | c
l | l .
ATTRIBUTE TYPE	ATTRIBUTE VALUE
_
Interface Stability	Uncommitted
.TE

.SH SEE ALSO
.sp
.LP
\fBntfsclone\fR(1M), \fBntfsresize\fR(1M), \fBparted\fR(1M),
\fBattributes\fR(5)
.sp
.LP
http://wiki.linux-ntfs.org
.SH AUTHORS
.sp
.LP
\fBntfsundelete\fR was written by Richard Russon and Holger Ohmacht, with
contributions from Anton Altaparmakov.