NtfsUndelete is part of the "ntfsprogs" bundle of programs. Another program worth having if you have a Windows partition (they call it a drive even though it is only part of a drive) is "ntfs-3g". Ubuntu seems to have both of these programs installed by default, both on the LiveCD and when installed properly.

NtfsUndelete can recover deleted files from an NTFS file-system. As so many people keep pointing out, it cannot perform miracles: overwritten data cannot be recovered by this or any of the expensive alternatives. Theoretically it is possible, and it has been done in carefully controlled conditions in a science lab, but apparently even extreme data-recovery labs do not offer that level of service.

This page is really just a copy of the DataRecovery page at the moment (25-11-2010) but hopefully it will pull together some of the other online guides and/or the presentation will get much more nicely sorted out.

From the manpage

Windows 7 and Vista both routinely put a "recovery partition" at the front of drives now, even on fresh installs from their installer CD/DVD. Previously only some laptops offered this. The idea seems to be that you can make a fresh installer CD tailored to your particular machine. Anyway, the important result for us is that a lot of documentation assumes Windows will be on hda1, but in fact nowadays the important stuff, your stuff, is likely to be (or have been) on sda2. Of course it could easily be somewhere completely different, but this is the general case, the default, now.

Look for deleted files on /dev/sda2.

ntfsundelete /dev/sda2

Look for deleted documents on /dev/sda2.

ntfsundelete /dev/sda2 -s -m '*.doc'

Look for deleted files between 5000 and 6000000 bytes, with at least 90% of the data recoverable, on /dev/sda2.

ntfsundelete /dev/sda2 -S 5k-6m -p 90

Look for deleted files altered in the last two days.

ntfsundelete /dev/sda2 -t 2d

Undelete inodes 2, 5 and 100 to 131 of device /dev/sda2.

ntfsundelete /dev/sda2 -u -i 2,5,100-131

Undelete inode number 3689, call the file 'work.doc' and put it in the user's home directory.

ntfsundelete /dev/sda2 -u -i 3689 -o work.doc -d ~

Save MFT Records 3689 to 3690 to a file 'debug'.

ntfsundelete /dev/sda2 -c 3689-3690 -o debug
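
Added example (not from the manpage or the ntfsprogs project): a shell helper that turns a scan listing into the compact inode list that -u -i takes, keeping only files at or above a recoverability threshold. It assumes each listing row starts with the inode number, then the flags, then the percentage; the sample listing and the /mnt/recovered directory are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the manpage or from ntfsprogs.
# Assumption: every data row of the scan listing starts with the inode
# number, then the flags, then the recoverable percentage (e.g. "95%").

# Constructed listing (not real tool output) so the example runs offline.
sample_scan() {
    cat <<'EOF'
Inode    Flags  %age  Date            Size  Filename
---------------------------------------------------
2        FN..   100%  2010-11-20     14336  notes.doc
5        FN..    95%  2010-11-21      8192  budget.doc
77       FN..    40%  2010-11-22    204800  photo.jpg
100      FN..   100%  2010-11-23     30720  a.doc
101      FN..   100%  2010-11-23     30720  b.doc
102      FN..    92%  2010-11-23     51200  c.doc
131      FR..    90%  2010-11-24       512  todo.txt
EOF
}

# stdin: scan listing. Prints the inodes that are at least MIN_PERCENT
# recoverable, collapsed into the form -i accepts (e.g. 2,5,100-131).
inode_list() {
    awk -v min="$1" '
        $1 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+%$/ {
            pct = $3; sub(/%$/, "", pct)
            if (pct + 0 >= min + 0) print $1
        }' | sort -n -u | awk '
        function emit(   item, sep) {
            if (start == "") return
            item = (start == prev) ? start : start "-" prev
            sep = (out == "") ? "" : ","
            out = out sep item
        }
        start != "" && $1 == prev + 1 { prev = $1; next }
        { emit(); start = $1; prev = $1 }
        END { emit(); print out }'
}

# stdin: scan listing. Prints the recovery command for DEVICE into DEST_DIR,
# or returns non-zero when no inode reaches MIN_PERCENT.
recover_cmd() {   # DEVICE MIN_PERCENT DEST_DIR
    list=$(inode_list "$2")
    [ -n "$list" ] || { echo "no inode is $2% recoverable" >&2; return 1; }
    echo "ntfsundelete $1 -u -i $list -d $3"
}

# /mnt/recovered is a hypothetical directory on a different filesystem.
sample_scan | recover_cmd /dev/sda2 90 /mnt/recovered
```

Point the destination at a filesystem other than the partition being scanned: anything written to that partition can overwrite the deleted data, which then cannot be recovered.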

External Links

There are a number of articles scattered around the internet but they can be difficult to find even with a search engine such as Google. Hopefully these links might help as they helped me. I haven't worked through them yet but they look the best I have seen so far. Tom 24-11-2010

DataRecovery/NtfsUndelete (last edited 2010-11-25 11:19:49 by 78-105-201-166)