Saturday, 31 October 2015

Recover Deleted Files [How To]

Have you accidentally deleted an important photo, song or document that you wish you could get back? Then this post is for you!

All of us, at some point or other, have deleted some files and then realized that we needed them. Such an incident happened to me some days ago, and that's when I came to know about a tool called ntfsundelete in Linux, which can help recover deleted files.

PLEASE NOTE that it is NOT a magical tool that can recover anything and everything. Still, if you recently deleted a file, there is a high chance that it can be recovered.

How It Works


Most computers running Windows use NTFS as their file system. NTFS stands for New Technology File System. When you delete a file, it is still present on the disk, but can no longer be accessed normally. At a low level, the file is represented not by its name, but by its inode. The inode contains the metadata of a file. ntfsundelete scans for these inodes and checks whether the location on disk was overwritten or not. If not, then you are lucky and can recover the exact (or almost exact) file. This is possible due to journaling, a technique that is used by NTFS to store any unsaved changes to the file system to recover it in case of a crash or system failure.

How to recover deleted files?


=>First of all, boot into a Linux system. If you don't have Linux installed on your system, you can download the ISO, make a bootable USB drive and then boot from it.

=>In Linux, everything is represented by files. In order to access a particular hard drive partition, you have to first mount it. There are two ways to do it:
1. Open a file explorer (nautilus), click on the drive from the left pane and it will be mounted.
2. Type
sudo mount /dev/sdax /mnt

(where x can be 1,2,3 etc) inside a terminal. This will mount the drive on /mnt, meaning that its contents can be accessed by going into /mnt folder.

I would suggest the second option and then using the terminal command
ls /mnt

to see the contents of the drive. This would give you an idea about which drive to choose when using ntfsundelete.

=>As an example, I created a sample try.cpp file on /dev/sda6 and removed it using the rm command.

 

As you can see, the file try.cpp is no longer on the disk.

=>Now, in our case, the drive is sda6. It may be different in your case. Unmount the drive by typing:
sudo umount /mnt/

=>Now type:
sudo ntfsundelete -s /dev/sda6

(replace sda6 with the drive that contained the deleted file)
This will scan the drive for deleted files and display the information related to them. The first column contains the inode of each file. This is the field of interest to us for now.

 

=>We will use grep to find the particular file that we need. In our case, it is try.cpp. So, type:
sudo ntfsundelete -s /dev/sda6 | grep try.cpp

(replace try.cpp with the name of the file that you want to recover)

 

=>As you can see, the inode associated with try.cpp is 5888. So, to recover it, type:
sudo ntfsundelete /dev/sda6 -u -i 5888

(replace 5888 with the inode shown with your file)

 

If a number of inodes are shown for a single file name, the largest inode probably is the one that contains the file with latest changes.

=>Now, the file try.cpp has been recovered and placed inside the home (~) folder. Type
ls

This will confirm that the file is recovered.

=>To see the contents of the file, type
gedit try.cpp

and it will display the file inside the gedit text editor.
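
Added example (not part of the original post): a shell helper for the scan-and-pick steps above. It matches the file name exactly, where `grep try.cpp` would also match names such as try.cpp.bak, and picks the largest inode whose data is still fully recoverable. The column layout of the scan output, the sample rows and the function names are assumptions.

```shell
#!/bin/sh
# Added example: pick the inode to undelete from `ntfsundelete -s` output.
# Assumed layout: inode in column 1, an "NN%" recoverable column, and the
# file name as the last column (names containing spaces are not handled).

# Constructed scan output, not captured from a real disk.
SAMPLE_SCAN='Inode    Flags  %age  Date        Time   Size  Filename
----------------------------------------------------------------
5120     FN..     0%  2015-10-29  18:02  2048  try.cpp.bak
5731     FR..   100%  2015-10-30  21:14   312  try.cpp
5888     FR..   100%  2015-10-31  09:40   345  try.cpp
6010     FN..    40%  2015-10-31  09:55  9000  try.cpp
6102     FR..   100%  2015-10-31  10:01   120  retry.cpp'

# pick_inode NAME [MIN_PERCENT]   (scan output on stdin)
# Prints the largest inode whose file name is exactly NAME and whose
# recoverable percentage is at least MIN_PERCENT (default 100).
# Returns non-zero when nothing qualifies.
pick_inode() {
    awk -v name="$1" -v min="${2:-100}" '
        $1 ~ /^[0-9]+$/ && $NF == name {
            pct = -1
            for (i = 2; i < NF; i++)
                if ($i ~ /^[0-9]+%$/) pct = $i + 0    # "100%" -> 100
            if (pct >= min && $1 + 0 > best) best = $1 + 0
        }
        END { if (best) print best; else exit 1 }
    '
}

# recover_file DEVICE NAME DEST_DIR
# Scans the unmounted DEVICE, picks the inode and undeletes into DEST_DIR,
# which should be on a different partition so recovery overwrites nothing.
recover_file() {
    inode=$(sudo ntfsundelete -s "$1" | pick_inode "$2") || {
        echo "no fully recoverable '$2' found on $1" >&2
        return 1
    }
    sudo ntfsundelete "$1" -u -i "$inode" -d "$3"
}

# Example: recover_file /dev/sda6 try.cpp "$HOME/recovered"
```

On the sample rows, inode 6010 is the largest match for try.cpp but only 40% of it is recoverable, so the helper falls back to 5888 unless a lower threshold is passed as the second argument.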

 

As you can see, in some cases it is pretty easy to recover a recently deleted file. But it may work, or it may not. Always ensure that you have several backups of your important files. The best thing to do if you delete something of importance is to contact an expert and stop using the device altogether for the time being, so that you don't overwrite the data and damage the system further.

This method helped me to recover the contents of my disk, but it became almost useless as all the files (about 5000 of them) were placed in a single folder. Luckily, I had a backup of some of them. :)

Please tell us if you found this post useful in the comments below!
