ntfsundelete
Recover deleted files from NTFS partitions
SYNOPSIS
ntfsundelete [OPTIONS]
ntfsundelete -p [OPTIONS]
ntfsundelete -u
PARAMETERS
-p, --progress
Preview mode; list deleted files without attempting recovery. Shows information about each deleted file, such as its inode number, size, and deletion time.
-u, --undelete
Undelete a specific file identified by its inode number. This option must be used with -i, or the inode number may be given directly after -u.
-i
Specifies the inode number of the file to be undeleted. This is typically found using the -p (preview) option.
-d
Specifies the destination directory where recovered files will be written. If not specified, files are recovered to the current working directory.
-s
Search for deleted files whose names match the given pattern. The pattern can include wildcards like * and ?.
-t
Filter results by deletion time. Time can be a specific date/time (e.g., YYYY-MM-DD HH:MM:SS) or relative (e.g., -24h for last 24 hours).
-f, --force
Force operations, potentially overriding safety checks. Use with caution.
-v, --verbose
Enable verbose output, showing more details about the process.
-h, --help
Display a help message and exit.
DESCRIPTION
ntfsundelete is a command-line utility designed to assist in the recovery of deleted files from NTFS (New Technology File System) partitions. It is part of the ntfs-3g suite of tools, which provides robust read/write support for NTFS filesystems on Linux. The command works by scanning the NTFS change journal and the Master File Table (MFT) for entries corresponding to files that have been marked as deleted but whose data blocks may still be intact.
While it offers a valuable chance at data recovery, its success heavily depends on whether the disk blocks occupied by the deleted file's data have been overwritten by new data. For optimal recovery chances, the partition should ideally be unmounted or mounted read-only before attempting recovery.
CAVEATS
Data Overwrite Risk: The most significant limitation is that file recovery is only possible if the data blocks of the deleted file have not been overwritten by new data. Continuous use of the filesystem after deletion significantly reduces recovery chances.
Filesystem State: For best results, the NTFS partition should be unmounted or mounted read-only before attempting recovery. Mounting it read/write can lead to further data corruption or overwriting.
Partial Recovery: Even if a file's inode is found, it might be possible to recover only a part of the file if some of its data blocks have been reused.
No Guarantee: ntfsundelete is a best-effort tool and does not guarantee successful recovery of all deleted files.
Permissions: The command often requires root privileges to access the raw device.
HOW IT WORKS
ntfsundelete operates by scanning the Master File Table (MFT) for records of deleted files. When a file is deleted on NTFS, its MFT entry is marked as unused, but the data clusters themselves might remain untouched until new data is written over them. The command tries to reconstruct the file's metadata (name, size, cluster allocation) and then read the data from the identified clusters.
TYPICAL USAGE FLOW
A typical usage involves first using the -p (preview) option to list potential deleted files and identify their inode numbers. Once the desired file's inode is known, the -u (undelete) option is then used with the inode number to recover the file to a specified destination directory, preferably on a different partition to avoid overwriting the source.
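The preview-then-undelete flow described above, as an added example that is not part of ntfsundelete or the ntfs-3g project. It works on a constructed preview listing embedded in the script (the real preview output has a different column layout, so the parser would need adapting before use on live output), never touches a disk itself, and only prints the ntfsundelete commands an operator would review and then run. The function names plan_recovery and fs_of, the sample inode numbers, and the placeholder device path are all assumptions made here; the device path is passed as the last argument, which is how the real tool is invoked even though the synopsis above leaves it implicit.

```shell
#!/bin/sh
# Added example (not part of ntfsundelete or ntfs-3g): plan a recovery run from
# a preview listing. Nothing here reads or writes the partition; it emits the
# commands for review.

# Constructed sample of what a preview (-p) listing reports, reduced to the
# fields the page names: inode number, size in bytes, deletion time, file name.
# This is NOT real ntfsundelete output; the real column layout differs.
SAMPLE_LISTING='12345 2048 2024-03-01T10:15:00 report.docx
12346 0 2024-03-01T10:16:00 notes.txt
12350 8192000 2024-02-20T08:00:00 backup.zip
12360 4096 2024-03-02T12:00:00 report_old.docx'

# fs_of DIR: the block device (or pseudo-filesystem name) that holds DIR,
# taken from POSIX "df -P" output.
fs_of() {
    df -P "$1" | awk 'NR == 2 { print $1 }'
}

# plan_recovery DEVICE DEST PATTERN
#   DEVICE  NTFS partition to recover from (e.g. /dev/sdb1; a placeholder in tests)
#   DEST    directory that will receive the recovered files
#   PATTERN shell glob matched against the file name, in the spirit of -s
# Prints one "ntfsundelete -u -i INODE -d DEST DEVICE" line per candidate.
# Returns 1 and prints nothing when DEST lives on DEVICE itself, because
# writing there could overwrite the very clusters still holding the data
# (the CAVEATS section's "Data Overwrite Risk").
plan_recovery() {
    dev=$1; dest=$2; pat=$3

    if [ ! -d "$dest" ]; then
        echo "plan_recovery: destination $dest is not a directory" >&2
        return 1
    fi
    if [ "$(fs_of "$dest")" = "$dev" ]; then
        echo "plan_recovery: refusing: $dest is on $dev, the source partition" >&2
        return 1
    fi

    printf '%s\n' "$SAMPLE_LISTING" | while read -r inode size when name; do
        # $pat is left unquoted so the shell applies it as a glob pattern.
        case "$name" in
            $pat) ;;
            *) continue ;;
        esac
        # A zero-length entry has no data clusters to read back; skip it.
        [ "$size" -gt 0 ] || continue
        printf 'ntfsundelete -u -i %s -d %s %s   # %s, deleted %s, %s bytes\n' \
            "$inode" "$dest" "$dev" "$name" "$when" "$size"
    done
}

# Usage (prints the plan, runs nothing):
#   plan_recovery /dev/sdb1 /mnt/recovery 'report*'
```

The planner keeps the destructive step separate from the discovery step: the listing is inspected first, the destination is checked against the source device, and the actual ntfsundelete -u commands are printed for a human to approve, which matches the page's advice to recover onto a different partition with the source unmounted or read-only.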
HISTORY
ntfsundelete is part of the ntfsprogs suite (now largely integrated into the ntfs-3g project, which covers both the user-space tools and the kernel driver). The development of ntfsprogs began in the early 2000s to provide robust Linux support for Microsoft's NTFS filesystem, which was becoming increasingly prevalent. ntfsundelete specifically addresses the critical need for data recovery on these partitions, leveraging the structure of NTFS's MFT and change journal. Its existence significantly enhanced the practical usability of NTFS partitions within the Linux environment, reducing reliance on Windows-specific recovery tools.