Unerase tool that marks deleted file as present
Posted 04 August 2012 - 09:35 AM
Posted 05 August 2012 - 02:45 AM
First thing that comes to mind is Linux ntfsundelete:
Running an undelete software in a running NT based systems is risky, that's why most programs, like Testdisk:
won't t let you simply UNflag the $MFT entry.
And same goes for most tools, another example:
A port of the Linux tool may work for you:
Posted 05 August 2012 - 07:43 AM
ntfsundelete looks like it does the trick. The windows port doesn't seem to support SATA-discs, so I'll have to dig out a Linux live CD first, but it's finally a solution I almost thought wouldn't exist.
Posted 05 August 2012 - 12:53 PM
Are you sure?
Device support should be unrelated to actual program.
Or maybe that port is very old?
But still, if a device is supported, a filesystem driver or tool should work independently, SATA is a form of ATA, it's not like it was a SCSI device.
But anyway - as said - it is much better to NOT run something like that on a "live" NT system.
Posted 05 August 2012 - 02:25 PM
Before going through the hassle of recompiling the toolset myself I'd rather try to find another (preferably cygwin based) windows version (there must be several according to wikipedia) or - as a last resort - use a live CD. I'm not too Linux savvy, so this is my least favorite choice, plus the live CD allen2 suggested doesn't seem to like EasyBCD's ISO boot and doesn't boot successfully. However, I heard every Ubuntu live CD has ntfsprogs pre-installed, so I'll give those a shot before I give up on finding a working windows version.
Update: I got around trying ntfsundelete. Excellent tool, however, it does not support restoring files without copying them. The "undelete inode" option is a bit misleading here. In fact, you have to specify a destination directory or else ntfsundelete will copy the file to the current user directory by default. Still, great tool that I'll certainly use in the future. At least I was able to find out quickly that the file I was trying to restore already had its MFT entry overwritten.
This post has been edited by Mexxi: 06 August 2012 - 02:08 PM