Unerase tool that marks deleted file as present

6 replies to this topic

#1
Mexxi

    Newbie

  • Member
  • 35 posts
  • Joined 10-January 10
When files are deleted a flag in the MFT is merely changed. I'm trying to find an unerase tool that is capable of changing that flag back without actually copying the file to a different location. I have been testing like a dozen tools and not a single one supports this way of data recovery. If I was still running on FAT, I'd use DOS 6.22's "undelete.exe" since that one actually did it that way, but I'll be damned if there isn't a modern equivalent. Does someone happen to know a tool that supports recovering a file without actually copying its content to a new location?


#2
jaclaz

    The Finder

  • Developer
  • 14,475 posts
  • Joined 23-July 04
  • OS:none specified

When files are deleted a flag in the MFT is merely changed. I'm trying to find an unerase tool that is capable of changing that flag back without actually copying the file to a different location. I have been testing like a dozen tools and not a single one supports this way of data recovery. If I was still running on FAT, I'd use DOS 6.22's "undelete.exe" since that one actually did it that way, but I'll be damned if there isn't a modern equivalent. Does someone happen to know a tool that supports recovering a file without actually copying its content to a new location?

First thing that comes to mind is Linux ntfsundelete:
http://linux.die.net.../8/ntfsundelete

Running undelete software on a running NT-based system is risky, that's why most programs, like TestDisk:
http://www.cgsecurit...S_with_TestDisk
won't let you simply UNflag the $MFT entry.
And same goes for most tools, another example:
http://www.uneraser.com/quest1.htm

A port of the Linux tool may work for you:
http://gnuwin32.sour...s/ntfsprogs.htm

jaclaz

#3
Mexxi

    Newbie

  • Member
  • 35 posts
  • Joined 10-January 10
Thank you for your reply jaclaz. Excellent advice as always :thumbup

ntfsundelete looks like it does the trick. The Windows port doesn't seem to support SATA-discs, so I'll have to dig out a Linux live CD first, but it's finally a solution I almost thought wouldn't exist.

#4
allen2

    Not really Newbie

  • Member
  • 1,812 posts
  • Joined 13-January 06
My preferred Linux liveCD with ntfsprogs is SystemRescueCd.

#5
Mexxi

    Newbie

  • Member
  • 35 posts
  • Joined 10-January 10
Thanks a lot allen2! I was just looking for a good one to download :)

#6
jaclaz

    The Finder

  • Developer
  • 14,475 posts
  • Joined 23-July 04
  • OS:none specified

The Windows port doesn't seem to support SATA-discs, so I'll have to ....

Are you sure?
Device support should be unrelated to the actual program.
Or maybe that port is very old? :unsure:
But still, if a device is supported, a filesystem driver or tool should work independently, SATA is a form of ATA, it's not like it was a SCSI device.

But anyway - as said - it is much better to NOT run something like that on a "live" NT system. :thumbup

jaclaz

#7
Mexxi

    Newbie

  • Member
  • 35 posts
  • Joined 10-January 10
No, I'm not sure. I wasn't able to specify my hard drive in a way ntfsundelete supported. I tried c:, /dev/hda, /dev/hda1, /dev/sda and /dev/sda1 - no success. Through Google I found a post of an XP user who had the same issue and someone replied that SATA wasn't supported yet. The port is from 2004, so that might explain it. The XP user also said that compiling ntfsprogs with Cygwin made the whole thing work.

Before going through the hassle of recompiling the toolset myself I'd rather try to find another (preferably Cygwin based) Windows version (there must be several according to Wikipedia) or - as a last resort - use a live CD. I'm not too Linux savvy, so this is my least favorite choice, plus the live CD allen2 suggested doesn't seem to like EasyBCD's ISO boot and doesn't boot successfully. However, I heard every Ubuntu live CD has ntfsprogs pre-installed, so I'll give those a shot before I give up on finding a working Windows version.

Update: I got around trying ntfsundelete. Excellent tool, however, it does not support restoring files without copying them. The "undelete inode" option is a bit misleading here. In fact, you have to specify a destination directory or else ntfsundelete will copy the file to the current user directory by default. Still, great tool that I'll certainly use in the future. At least I was able to find out quickly that the file I was trying to restore already had its MFT entry overwritten.

Edited by Mexxi, 06 August 2012 - 02:08 PM.
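
The flag this thread is about, shown as an added example (not code from the thread or from ntfsprogs): in the NTFS FILE record layout the 16-bit flags word sits at offset 0x16, and bit 0x0001 means "in use". The Python below parses a record header read-only; `parse_mft_header`, `describe` and `make_record` are hypothetical names, and the 1024-byte record is constructed rather than read from a disk.

```python
import struct

SECTOR = 512
IN_USE, IS_DIR = 0x0001, 0x0002   # bits of the flags word at offset 0x16

def parse_mft_header(rec: bytes) -> dict:
    """Read-only parse of one NTFS FILE record header."""
    if rec[:4] != b"FILE":
        raise ValueError("no FILE signature: record unused, BAAD or overwritten")
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 0x04)
    seq, links, attr_off, flags, used, alloc = struct.unpack_from("<HHHHII", rec, 0x10)
    # Update sequence array: usa[0] is stamped into the last two bytes of
    # every sector on disk; a mismatch means a torn or corrupt record.
    usa = struct.unpack_from("<%dH" % usa_cnt, rec, usa_off)
    torn = any(struct.unpack_from("<H", rec, (i + 1) * SECTOR - 2)[0] != usa[0]
               for i in range(usa_cnt - 1))
    return {"seq": seq, "links": links, "in_use": bool(flags & IN_USE),
            "is_dir": bool(flags & IS_DIR), "used": used, "torn": torn}

def describe(rec: bytes) -> str:
    h = parse_mft_header(rec)
    kind = "directory" if h["is_dir"] else "file"
    if h["torn"]:
        return "fixup mismatch"
    if h["in_use"]:
        # An in-use record belongs to a live file; if a deleted file once
        # lived here, the slot has been reused and its metadata is gone.
        return "in use (%s), seq %d" % (kind, h["seq"])
    # Flag clear: deleted, header still parseable. Deletion also clears the
    # record's bit in $MFT's bitmap and the clusters' bits in $Bitmap and
    # removes the name from the parent directory index, so setting IN_USE
    # again would not by itself give a consistent volume.
    return "deleted %s, seq %d" % (kind, h["seq"])

def make_record(flags: int, seq: int) -> bytes:
    """Constructed 1024-byte sample record (not taken from a real volume)."""
    rec = bytearray(1024)
    struct.pack_into("<4sHH", rec, 0, b"FILE", 0x30, 3)   # magic, USA offset/count
    struct.pack_into("<HHHHII", rec, 0x10, seq, 1, 0x38, flags, 0x40, 1024)
    struct.pack_into("<3H", rec, 0x30, 0x0007, 0, 0)      # USN + saved sector tails
    struct.pack_into("<I", rec, 0x38, 0xFFFFFFFF)         # attribute list end marker
    for tail in (510, 1022):
        struct.pack_into("<H", rec, tail, 0x0007)
    return bytes(rec)

if __name__ == "__main__":
    for flags, seq in ((IN_USE, 6), (0, 5), (IS_DIR, 2)):
        print(describe(make_record(flags, seq)))
```
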




