You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
325 lines
9.1 KiB
325 lines
9.1 KiB
.\" Copyright (c) 2002\-2005 Richard Russon.
|
|
.\" This file may be copied under the terms of the GNU Public License.
|
|
.\"
|
|
.TH NTFSUNDELETE 8 "November 2005" "ntfs-3g @VERSION@"
|
|
.SH NAME
|
|
ntfsundelete \- recover a deleted file from an NTFS volume.
|
|
.SH SYNOPSIS
|
|
.B ntfsundelete
|
|
[\fIoptions\fR] \fIdevice\fR
|
|
.SH DESCRIPTION
|
|
.B ntfsundelete
|
|
has three modes of operation:
|
|
.IR scan ,
|
|
.I undelete
|
|
and
|
|
.IR copy .
|
|
.SS Scan
|
|
.PP
|
|
The default mode,
|
|
.I scan
|
|
simply reads an NTFS Volume and looks for files that have been deleted. Then it
|
|
will print a list giving the inode number, name and size.
|
|
.SS Undelete
|
|
.PP
|
|
The
|
|
.I undelete
|
|
mode takes the files either matching the regular expression (option \-m)
|
|
or specified by the inode\-expressions and recovers as much of the data
|
|
as possible. It saves the result to another location. Partly for
|
|
safety, but mostly because NTFS write support isn't finished.
|
|
.SS Copy
|
|
.PP
|
|
This is a wizard's option. It will save a portion of the MFT to a file. This
|
|
probably only be useful when debugging
|
|
.I ntfsundelete
|
|
.SS Notes
|
|
.B ntfsundelete
|
|
only ever
|
|
.B reads
|
|
from the NTFS Volume.
|
|
.B ntfsundelete
|
|
will never change the volume.
|
|
.SH CAVEATS
|
|
.SS Miracles
|
|
.B ntfsundelete
|
|
cannot perform the impossible.
|
|
.PP
|
|
When a file is deleted the MFT Record is marked as not in use and the bitmap
|
|
representing the disk usage is updated. If the power isn't turned off
|
|
immediately, the free space, where the file used to live, may become
|
|
overwritten. Worse, the MFT Record may be reused for another file. If this
|
|
happens it is impossible to tell where the file was on disk.
|
|
.PP
|
|
Even if all the clusters of a file are not in use, there is no guarantee that
|
|
they haven't been overwritten by some short\-lived file.
|
|
.SS Locale
|
|
In NTFS all the filenames are stored as Unicode. They will be converted into
|
|
the current locale for display by
|
|
.BR ntfsundelete .
|
|
The utility has successfully displayed some Chinese pictogram filenames and then
|
|
correctly recovered them.
|
|
.SS Extended MFT Records
|
|
In rare circumstances, a single MFT Record will not be large enough to hold the
|
|
metadata describing a file (a file would have to be in hundreds of fragments
|
|
for this to happen). In these cases one MFT record may hold the filename, but
|
|
another will hold the information about the data.
|
|
.B ntfsundelete
|
|
will not try and piece together such records. It will simply show unnamed files
|
|
with data.
|
|
.SS Compressed and Encrypted Files
|
|
.B ntfsundelete
|
|
cannot recover compressed or encrypted files. When scanning for them, it will
|
|
display as being 0% recoverable.
|
|
.SS The Recovered File's Size and Date
|
|
To recover a file
|
|
.B ntfsundelete
|
|
has to read the file's metadata. Unfortunately, this isn't always intact.
|
|
When a file is deleted, the metadata can be left in an inconsistent state. e.g.
|
|
the file size may be zero; the dates of the file may be set to the time it was
|
|
deleted, or random.
|
|
.br
|
|
To be safe
|
|
.B ntfsundelete
|
|
will pick the largest file size it finds and write that to disk. It will also
|
|
try and set the file's date to the last modified date. This date may be the
|
|
correct last modified date, or something unexpected.
|
|
.SH OPTIONS
|
|
Below is a summary of all the options that
|
|
.B ntfsundelete
|
|
accepts. Nearly all options have two equivalent names. The short name is
|
|
preceded by
|
|
.B \-
|
|
and the long name is preceded by
|
|
.BR \-\- .
|
|
Any single letter options, that don't take an argument, can be combined into a
|
|
single command, e.g.
|
|
.B \-fv
|
|
is equivalent to
|
|
.BR "\-f \-v" .
|
|
Long named options can be abbreviated to any unique prefix of their name.
|
|
.TP
|
|
\fB\-b\fR, \fB\-\-byte\fR NUM
|
|
If any clusters of the file cannot be recovered, the missing parts will be
|
|
filled with this byte. The default is zeros.
|
|
.TP
|
|
\fB\-C\fR, \fB\-\-case\fR
|
|
When scanning an NTFS volume, any filename matching (using the
|
|
.B \-\-match
|
|
option) is case\-insensitive. This option makes the matching case\-sensitive.
|
|
.TP
|
|
\fB\-c\fR, \fB\-\-copy\fR RANGE
|
|
This wizard's option will write a block of MFT FILE records to a file. The
|
|
default file is
|
|
.I mft
|
|
which will be created in the current directory. This option can be combined
|
|
with the
|
|
.B \-\-output
|
|
and
|
|
.B \-\-destination
|
|
options.
|
|
.TP
|
|
\fB\-d\fR, \fB\-\-destination\fR DIR
|
|
This option controls where to put the output file of the
|
|
.B \-\-undelete
|
|
and
|
|
.B \-\-copy
|
|
options.
|
|
.TP
|
|
\fB\-f\fR, \fB\-\-force\fR
|
|
This will override some sensible defaults, such as not overwriting an existing
|
|
file. Use this option with caution.
|
|
.TP
|
|
\fB\-h\fR, \fB\-\-help\fR
|
|
Show a list of options with a brief description of each one.
|
|
.TP
|
|
\fB\-i\fR, \fB\-\-inodes\fR RANGE
|
|
Recover the files with these inode numbers.
|
|
.I RANGE
|
|
can be a single inode number, several numbers separated by commas "," or a
|
|
range separated by a dash "\-".
|
|
.TP
|
|
\fB\-m\fR, \fB\-\-match\fR PATTERN
|
|
Filter the output by only looking for matching filenames. The pattern can
|
|
include the wildcards '?', match exactly one character or '*', match zero or
|
|
more characters. By default the matching is case\-insensitive. To make the
|
|
search case sensitive, use the
|
|
.B \-\-case
|
|
option.
|
|
.TP
|
|
\fB\-O\fR, \fB\-\-optimistic\fR
|
|
Recover parts of the file even if they are currently marked as in use.
|
|
.TP
|
|
\fB\-o\fR, \fB\-\-output\fR FILE
|
|
Use this option to set name of output file that
|
|
.B \-\-undelete
|
|
or
|
|
.B \-\-copy
|
|
will create.
|
|
.TP
|
|
\fB\-P\fR, \fB\-\-parent\fR
|
|
Display the parent directory of a deleted file.
|
|
.TP
|
|
\fB\-p\fR, \fB\-\-percentage\fR NUM
|
|
Filter the output of the
|
|
.B \-\-scan
|
|
option, by only matching files with a certain amount of recoverable content.
|
|
.B Please read the caveats section for more details.
|
|
.TP
|
|
\fB\-q\fR, \fB\-\-quiet\fR
|
|
Reduce the amount of output to a minimum. Naturally, it doesn't make sense to
|
|
combine this option with
|
|
.BR \-\-scan .
|
|
.TP
|
|
\fB\-s\fR, \fB\-\-scan\fR
|
|
Search through an NTFS volume and print a list of files that could be recovered.
|
|
This is the default action of
|
|
.BR ntfsundelete .
|
|
This list can be filtered by filename, size, percentage recoverable or last
|
|
modification time, using the
|
|
.BR \-\-match ,
|
|
.BR \-\-size ,
|
|
.B \-\-percent
|
|
and
|
|
.B \-\-time
|
|
options, respectively.
|
|
.sp
|
|
The output of scan will be:
|
|
.sp
|
|
.nf
|
|
Inode Flags %age Date Time Size Filename
|
|
6038 FN.. 93% 2002\-07\-17 13:42 26629 thesis.doc
|
|
.fi
|
|
.TS
|
|
box;
|
|
lB lB
|
|
l l.
|
|
Flag Description
|
|
F/D File/Directory
|
|
N/R (Non\-)Resident data stream
|
|
C/E Compressed/Encrypted data stream
|
|
! Missing attributes
|
|
.TE
|
|
.sp
|
|
.sp
|
|
The percentage field shows how much of the file can potentially be recovered.
|
|
.TP
|
|
\fB\-S\fR, \fB\-\-size\fR RANGE
|
|
Filter the output of the
|
|
.B \-\-scan
|
|
option, by looking for a particular range of file sizes. The range may be
|
|
specified as two numbers separated by a '\-'. The sizes may be abbreviated
|
|
using the suffixes k, m, g, t, for kilobytes, megabytes, gigabytes and terabytes
|
|
respectively.
|
|
.TP
|
|
\fB\-t\fR, \fB\-\-time\fR SINCE
|
|
Filter the output of the
|
|
.B \-\-scan
|
|
option. Only match files that have been altered since this time. The time must
|
|
be given as number using a suffix of d, w, m, y for days, weeks, months or years
|
|
ago.
|
|
.TP
|
|
\fB\-T\fR, \fB\-\-truncate\fR
|
|
If
|
|
.B ntfsundelete
|
|
is confident about the size of a deleted file, then it will restore the file to
|
|
exactly that size. The default behaviour is to round up the size to the nearest
|
|
cluster (which will be a multiple of 512 bytes).
|
|
.TP
|
|
\fB\-u\fR, \fB\-\-undelete\fR
|
|
Select
|
|
.B undelete
|
|
mode. You can specify the files to be recovered using by using
|
|
.B \-\-match
|
|
or
|
|
.B \-\-inodes
|
|
options. This option can be combined with
|
|
.BR \-\-output ,
|
|
.BR \-\-destination ,
|
|
and
|
|
.BR \-\-byte .
|
|
.sp
|
|
When the file is recovered it will be given its original name, unless the
|
|
.B \-\-output
|
|
option is used.
|
|
.TP
|
|
\fB\-v\fR, \fB\-\-verbose\fR
|
|
Increase the amount of output that
|
|
.B ntfsundelete
|
|
prints.
|
|
.TP
|
|
\fB\-V\fR, \fB\-\-version\fR
|
|
Show the version number, copyright and license for
|
|
.BR ntfsundelete .
|
|
.SH EXAMPLES
|
|
Look for deleted files on /dev/hda1.
|
|
.RS
|
|
.sp
|
|
.B ntfsundelete /dev/hda1
|
|
.sp
|
|
.RE
|
|
Look for deleted documents on /dev/hda1.
|
|
.RS
|
|
.sp
|
|
.B ntfsundelete /dev/hda1 \-s \-m '*.doc'
|
|
.sp
|
|
.RE
|
|
Look for deleted files between 5000 and 6000000 bytes, with at least 90% of the
|
|
data recoverable, on /dev/hda1.
|
|
.RS
|
|
.sp
|
|
.B ntfsundelete /dev/hda1 \-S 5k\-6m \-p 90
|
|
.sp
|
|
.RE
|
|
Look for deleted files altered in the last two days
|
|
.RS
|
|
.sp
|
|
.B ntfsundelete /dev/hda1 \-t 2d
|
|
.sp
|
|
.RE
|
|
Undelete inodes 2, 5 and 100 to 131 of device /dev/sda1
|
|
.RS
|
|
.sp
|
|
.B ntfsundelete /dev/sda1 \-u \-i 2,5,100\-131
|
|
.sp
|
|
.RE
|
|
Undelete inode number 3689, call the file 'work.doc', set it to recovered
|
|
size and put it in the user's home directory.
|
|
.RS
|
|
.sp
|
|
.B ntfsundelete /dev/hda1 \-u \-T \-i 3689 \-o work.doc \-d ~
|
|
.sp
|
|
.RE
|
|
Save MFT Records 3689 to 3690 to a file 'debug'
|
|
.RS
|
|
.sp
|
|
.B ntfsundelete /dev/hda1 \-c 3689\-3690 \-o debug
|
|
.sp
|
|
.RE
|
|
.SH BUGS
|
|
There are some small limitations to
|
|
.BR ntfsundelete ,
|
|
but currently no known bugs. If you find a bug please send an email describing
|
|
the problem to the development team:
|
|
.br
|
|
.nh
|
|
ntfs\-3g\-devel@lists.sf.net
|
|
.hy
|
|
.SH AUTHORS
|
|
.B ntfsundelete
|
|
was written by Richard Russon and Holger Ohmacht, with contributions from Anton
|
|
Altaparmakov.
|
|
It was ported to ntfs-3g by Erik Larsson and Jean-Pierre Andre.
|
|
.SH AVAILABILITY
|
|
.B ntfsundelete
|
|
is part of the
|
|
.B ntfs-3g
|
|
package and is available from:
|
|
.br
|
|
.nh
|
|
https://github.com/tuxera/ntfs-3g/wiki/
|
|
.hy
|
|
.SH SEE ALSO
|
|
.BR ntfsinfo (8),
|
|
.BR ntfsprogs (8)
|