
undelete

using ntfsundelete

This might save your life one day (or the life of some files you removed bypassing the trash!)

In Linux it's relatively easy, if you act quickly, to reclaim files that have been deleted from disk, because really they are still there: their names are gone and their inodes have been offered for new files to be stored in their place.

You can "undelete" deleted files from Linux partitions (ext3/ext4) and NTFS, so long as you haven't been using the partition and stored new files over the lost ones. So if something goes wrong, start the rescue operation immediately.

Today I managed to wipe 200Gb of very important data off an external drive.  I couldn't believe it had happened.  One thing I need to watch out for is when an external drive is not present and an app needs to access it, say for a DVD project, it will create the partition somewhere locally and carry on!  Then inserting the external drive makes another entry with a _ after it in /media -it was when I tried removing the phony local version of the drive that it decided to take out loads of real data with it (but left some), and I still can't understand how because I had already unplugged the drive.

Fortunately I had just enough space around on different drives to rescue everything.  The deleted files have to be copied to a different partition than the one they were on, and the partition being recovered from must be unmounted.  My drive was NTFS so I'll show how that works.

note: ntfsundelete is installed with ntfs-3g

[get device e.g. sdb1 etc]
sudo fdisk -l

[unmount drive]
sudo umount /media/VIDEO
or click on eject in a file browser

[list files available for undelete, might need force option -f]
sudo ntfsundelete /dev/sdb1 -f
Adjust the scrollback lines of the Terminal to a few thousand to show long lists.

[list files of certain type available for undelete] 
sudo ntfsundelete /dev/sdb1 -m '*.MTS' -f

[list files with something in the filename, available for undelete] 
sudo ntfsundelete /dev/sdb1 -m something\* -f

[combine the above two] 
sudo ntfsundelete /dev/sdb1 -m something\*MTS -f

[undelete with file name]
sudo ntfsundelete /dev/sdb1 -u -m 0032.MTS -f

[undelete with wildcard extension (will recover ALL files with the extension), to a destination dir with -d switch]
sudo ntfsundelete /dev/sdb1 -u -m '*.MTS' -d /media/VIDEO
sudo ntfsundelete /dev/sdb1 -u -m something\*.MTS -d /media/VIDEO

[undelete with inode range, to a destination dir]
sudo ntfsundelete /dev/sdb1 -u -i 7245-7275 -d /media/VIDEO -f

[change permissions to user for undeleted files if necessary]
sudo chown username *.MTS

Notes
  1. If you cancel the terminal with the process going, you can restart with exactly the same command and dir location and the process will skip all the files already recovered; it won't write over them, or it can't.
  2. If you try to split the process between different target directories it will be impossible using a wildcard extension; you'd have to use inode ranges, I'd say. Combine them?
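A pre-flight check for the two rules above (source unmounted, destination on another partition), as an added example that is not part of the original page. It also catches a destination such as /media/VIDEO that, once the drive is unmounted, is only a leftover directory on the local disk. The function names and the devices /dev/sda1 and /dev/sdc1 are assumptions.

```bash
#!/usr/bin/env bash
# Pre-flight check for "ntfsundelete SRC -u ... -d DEST" (added example).
# The mounts argument defaults to /proc/mounts; a file in the same
# format can be passed instead. Mount points with spaces are not handled.

# Constructed mount table: the source drive (/dev/sdb1) is already
# unmounted, so /media/VIDEO is just a directory on the root filesystem.
sample_mounts() {
    printf '%s\n' '/dev/sda1 / ext4 rw 0 0' \
                  '/dev/sdc1 /media/FILES fuseblk rw 0 0'
}

# Succeeds if DEVICE is listed as a mounted source.
is_mounted() {
    awk -v dev="$1" '$1 == dev { hit = 1 } END { exit !hit }' "${2:-/proc/mounts}"
}

# Prints the device backing DIR: the source of the longest mount point
# that is DIR itself or a parent of it (later entries win on ties).
backing_device() {
    awk -v dir="$1" '
        $2 == "/" || $2 == dir || index(dir, $2 "/") == 1 {
            if (length($2) >= n) { n = length($2); best = $1 }
        }
        END { print best }' "${2:-/proc/mounts}"
}

# preflight SRC DEST EXPECTED_DEVICE [MOUNTS]
# Returns 0 when it is safe to recover from SRC into DEST,
# 1 when SRC is still mounted, 2 when DEST is not on EXPECTED_DEVICE.
preflight() {
    local src=$1 dest=$2 expect=$3 mounts=${4:-/proc/mounts} actual
    if is_mounted "$src" "$mounts"; then
        echo "refuse: $src is still mounted" >&2
        return 1
    fi
    actual=$(backing_device "$dest" "$mounts")
    if [ "$actual" != "$expect" ]; then
        echo "refuse: $dest is on $actual, expected $expect" >&2
        return 2
    fi
    return 0
}

# Usage: ./preflight.sh /dev/sdb1 /media/FILES/RECOV /dev/sdc1
if [ "$#" -ge 3 ]; then preflight "$@"; fi
```

Run it before the undelete command; a non-zero exit status means either the source or the destination is not what you think it is.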




using photorec or testdisk
After recovering files from my removable drive (see on the left) I realised that there were some videos yet to be encoded from raw files, and I couldn't get those files after the restore as they were written over. Luckily I remembered I hadn't used the SD card much since then; I had just formatted it.

So in comes photorec, packaged with testdisk, for recovering from FAT format disks -and also from ext3/ext4 and NTFS.

 sudo apt-get install testdisk

 sudo photorec

1. choose disk to rescue files from
2. choose partition on disk (and also file options -search for extensions)
3. choose format type
4. choose rescue from freespace or whole disk
5. select directory to rescue files to: use left/right arrows to go up/down dir tree
e.g. use left to get out of /home/username, then down to /media, right and down to reach dir
6. enter the chosen dir and press C

tip: stop photorec in taskmanager if it's eating the cpu even after it's finished the process!

Using TestDisk is just as easy: it will list the deleted files, and it works on NTFS, FAT (SD cards etc.) and ext2. http://www.cgsecurity.org/wiki/TestDisk

 sudo testdisk
1. choose log option
2. choose disk to rescue files from
3. choose partition table type (Intel)
4. choose [Advanced] File System Utils
5. select partition
6. choose option [undelete] or [Image Creation]
7. search for deleted directory or file and press C
8. select directory to copy files to: use left/right arrows to go up/down dir tree
9. enter the chosen dir (e.g. Desktop), go down one to .. and press C
10. cd to where the recovery dir has been copied to and run: 
 sudo chown -R username ./recovered-dir-name



Using dd to make an image of a partition first

I had one SDHC card that photorec and testdisk couldn't see any deleted files on, even though I had recently had MTS files on it and just formatted it.

So I made an image of the SD card with
 dd if=/dev/mmcblk0p1 of=/media/FILES/RECOV/disk.img bs=1024M

then
 photorec /media/FILES/RECOV/disk.img

but alas, no files were found either!  duh, the card had been formatted.
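The imaging step above with the checks a recovery job usually wants around it, as an added example that is not part of the original page: refuse to overwrite an existing image, confirm by SHA-256 that the image matches the source, and drop write permission before pointing recovery tools at it. The function names are assumptions; the paths in the usage comment are the ones used above.

```bash
#!/usr/bin/env bash
# Image a partition, prove the copy matches, then lock the image
# (added example).

# Prints the SHA-256 of a file or block device.
sha256_of() { sha256sum < "$1" | cut -d' ' -f1; }

# image_and_verify SRC IMG
# Returns 0 and prints the image hash on success, 1 if IMG already
# exists, 2 if copying or hashing failed, 3 if the hashes differ.
image_and_verify() {
    local src=$1 img=$2 src_sum img_sum
    if [ -e "$img" ]; then
        echo "refuse: $img already exists" >&2
        return 1
    fi
    # 4 MiB blocks keep memory use small; conv=fsync flushes the image
    # to disk before dd reports success.
    dd if="$src" of="$img" bs=4M conv=fsync || return 2
    src_sum=$(sha256_of "$src") || return 2
    img_sum=$(sha256_of "$img") || return 2
    if [ "$src_sum" != "$img_sum" ]; then
        echo "mismatch: source changed or copy is incomplete" >&2
        return 3
    fi
    # Drop write permission so the image is not modified by accident.
    chmod a-w "$img"
    printf '%s\n' "$img_sum"
}

# Usage: sudo ./image.sh /dev/mmcblk0p1 /media/FILES/RECOV/disk.img
if [ "$#" -eq 2 ]; then
    image_and_verify "$1" "$2"
fi
```

Keep the printed hash with the image; re-hashing later shows whether the image was altered during recovery attempts.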