James John – Software Engineer

Recovering Deleted Files From An NTFS Drive Partition in Linux

Lately I mistakenly deleted my pending movies directory, where the movies I've not watched yet are kept. It was painful to think I was about to lose all those movies 🙁 . Luckily, it was on another partition, which was NTFS. Ubuntu comes with a tool called ntfsundelete, or you can install it with:

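The ntfsundelete binary is shipped in the ntfs-3g package on Debian/Ubuntu and in the ntfsprogs package on RPM-based distributions.

RPM (rpm installs from a downloaded package file; <version> and <arch> are placeholders):

$ sudo rpm -i ntfsprogs-<version>.<arch>.rpm

DEB:

$ sudo apt-get install ntfs-3g

YUM:

$ sudo yum install ntfsprogs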

Restoring Deleted File
To find an NTFS file system drive, type this:

$ sudo fdisk -l

This lists your drives. Since NTFS is usually associated with Microsoft, NTFS partitions are shown as "Microsoft basic data" here; I have 3 of them. I'll be working with /dev/sda4. When I tried to mount it, it said it was already mounted, at /media/donjajo/562283C82283AB95.

Here I changed directory into /media/donjajo/562283C82283AB95 and created a directory named delete_test containing some test files.

Now I'm going to delete these files and the directory:

$ rm delete_test/file1
$ rm delete_test/file2
$ rm delete_test/file3
$ rm -d delete_test

PS: There is no guarantee that your deleted files can be restored; for some files the chance of recovery is 0%.

Unmount the partition, then run ntfsundelete on it:

$ sudo umount /dev/sda4
$ sudo ntfsundelete /dev/sda4

If you’re getting this reply:

Volume is scheduled for check.
Please boot into Windows TWICE, or use the ‘force’ option.
NOTE: If you had not scheduled check and last time accessed this volume
using ntfsmount and shutdown system properly, then init scripts in your
distribution are broken. Please report to your distribution developers
(NOT to us!) that init scripts kill ntfsmount or mount.ntfs-fuse during
shutdown instead of proper umount.

and you're sure Windows is not using the drive, you can add the --force parameter:

$ sudo ntfsundelete /dev/sda4 --force

This lists the files and directories that can be recovered from that partition. The listing shows Inode, Flags, %age, Date, Size and Filename. Entries with a %age of 100% are fully recoverable, while those at 0% are not recoverable. Since I had a long list of recoverable files, I wanted to see only the files I was looking for, so I typed:

$ sudo ntfsundelete /dev/sda4 --force --match file1
$ sudo ntfsundelete /dev/sda4 --force --match file2
$ sudo ntfsundelete /dev/sda4 --force --match file3

These returned only the files I asked for, each showing 100% recoverable.

Now it's time to recover the files you want. Type this:

$ sudo ntfsundelete /dev/sda4 --force --undelete --match file1

Your file is recovered and placed in the directory you are currently in; the --destination parameter sets a different directory to write it to. Recovered files are owned by root, so change the owner to your own user:

$ sudo chown $USER file1
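When there are many deleted entries, matching names one at a time gets tedious. The script below is an added example, not part of the original post: it filters a scan listing down to files that are 100% recoverable and prints (without running) one undelete command per inode. The sample listing is constructed, the column layout (Inode, Flags, %age, Date, Time, Size, Filename) is an assumption about your ntfsundelete version, and /home/user/recovered is a hypothetical destination.

```shell
#!/bin/sh
# Added example: pick fully recoverable files out of an ntfsundelete scan
# listing and print (not run) one undelete command per inode.
# Assumed column layout: Inode Flags %age Date Time Size Filename.

# Constructed sample listing; not output captured from the original post.
sample_scan() {
cat <<'EOF'
Inode    Flags  %age     Date    Time       Size  Filename
-----------------------------------------------------------------------
64       FR..   100%  2015-05-12 09:40         12  file1
65       FR..   100%  2015-05-12 09:40         12  file2
66       FN..     0%  2015-05-12 09:41       4096  file3
67       FR..   100%  2015-05-12 09:41         20  my notes.txt
68       DN..   100%  2015-05-12 09:39          0  delete_test

Files with potentially recoverable content: 4
EOF
}

# Read a listing on stdin; print "inode<TAB>filename" for regular files
# (flags start with F) whose %age column is exactly 100%.
recoverable() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /^F/ && $3 == "100%" {
        name = $0
        # Drop the six leading columns; what remains is the file name,
        # which may itself contain spaces.
        for (i = 1; i <= 6; i++) sub(/^[ \t]*[^ \t]+[ \t]+/, "", name)
        printf "%s\t%s\n", $1, name
    }'
}

# Print the undelete command for each recoverable inode read from stdin.
# $1 = unmounted NTFS device, $2 = destination directory, which should be
# on a different filesystem than the one being recovered.
plan_undelete() {
    recoverable | while IFS="$(printf '\t')" read -r inode name; do
        printf 'sudo ntfsundelete %s --undelete --inodes %s --destination %s  # %s\n' \
            "$1" "$inode" "$2" "$name"
    done
}

# Demo on the constructed listing; with a real device, pipe the output of
# "sudo ntfsundelete /dev/sda4" into plan_undelete instead.
sample_scan | plan_undelete /dev/sda4 /home/user/recovered
```

Review the printed commands before running them; selecting by inode avoids the ambiguity of --match when several deleted files share a name.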

I hope this helps! 🙂

 
