Recover Specific using ntfsundelete
Once you're ready, you may proceed to specific file using ntfsundelete. This section guides you on how to recover all deleted files on NTFS partition format.
Unmount Partition (IMPORTANT)
The first step is to unmount the partition, leaving it to only the device node. This is because ntfsundelete has a nasty reputation of corrupting the entire partition after its recovery. You should not skip this step. Use lsblk to identify your target partition.
Make A Workspace Directory
Once done, create a temporary directory to work and change directory into it.
$ mkdir temp && cd tempRecover File
Now that we're done, we can proceed to recover the file from NTFS partition.
Scan Inodes
The very first thing to do is to scan for Inodes in that partition. It will take some times depending on partition size. This is done by using the following command:
$ ntfsundelete <partition>Example:
$ ntfsundelete /dev/sda1Recover Files
To recover all files, you pass the * regex into the query.
$ ntfsundelete /dev/sdb2 -u -m '<filename>'Example:
$ ntfsundelete /dev/sdb2 -u -m 'myfile.docx'This will takes time depending on partition sizes and deleted files' volume.
That's all about ntfsundelete recovering specific file.