Recover Deleted Files on an NTFS Hard Drive from a Linux
To undelete our files, we first need to identify the hard drive that we want to undelete from. In the terminal window, type in:
sudo fdisk -l
and press enter.
What you’re looking for is a line that ends with HPFS/NTFS (under the heading System). In our case, the device is “/dev/sda1”. This may be slightly different for you, but it will still begin with /dev/. Note this device name.
If you have more than one hard drive partition formatted as NTFS, then you may be able to identify the correct partition by its size. If you look at the second line of text in the screenshot above, it reads “Disk /dev/sda: 136.4 GB, …” This means that the hard drive that Ubuntu has named /dev/sda is 136.4 GB large. If your hard drives are of different sizes, then this information can help you track down the right device name to use. Alternatively, you can just try them all, though this can be time-consuming for large hard drives.
Now that you know the name Ubuntu has assigned to your hard drive, we’ll scan it to see what files we can uncover.
In the terminal window, type:
sudo ntfsundelete <HD name>
and hit enter. In our case, the command is:
sudo ntfsundelete /dev/sda1
The names of the files that can be recovered show up in the far-right column. The percentage in the third column tells us how much of each file can be recovered. Only three of the four files that we originally deleted show up in this list, even though we shut down the computer right after deleting them, so even in ideal cases your files may not be recoverable.
Nevertheless, we have three files that we can recover – two JPGs and an MPG.
Note: ntfsundelete is immediately available in the Ubuntu 9.10 Live CD. If you are in a different version of Ubuntu, or for some other reason get an error when trying to use ntfsundelete, you can install it by entering “sudo apt-get install ntfsprogs” in a terminal window.
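To quickly recover the two JPGs, we will use the * wildcard to recover all of the files that end with .jpg. The pattern is quoted so that the shell passes it to ntfsundelete as written instead of expanding it against files in the current directory.
In the terminal window, enter
sudo ntfsundelete <HD name> -u -m '*.jpg'
which is, in our case,
sudo ntfsundelete /dev/sda1 -u -m '*.jpg'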
The two files are recovered from the NTFS hard drive and saved in the current working directory of the terminal. By default, this is the home directory of the current user, though we are working in the Desktop folder.
Note that the ntfsundelete program does not make any changes to the original NTFS hard drive. If you want to take those files and put them back in the NTFS hard drive, you will have to move them there after they are undeleted with ntfsundelete. Of course, you can also put them on your flash drive or open Firefox and email them to yourself – the sky’s the limit!
We have one more file to undelete – our MPG.
Note the first column on the far left. It contains a number, its Inode. Think of this as the file’s unique identifier. Note this number.
To undelete a file by its Inode, enter the following in the terminal:
sudo ntfsundelete <HD name> -u -i <Inode>
In our case, this is:
sudo ntfsundelete /dev/sda1 -u -i 14159
This recovers the file, along with an identifier that we don’t really care about. All three of our recoverable files are now recovered.
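The by-inode step above extended to a batch, as an added example that is not part of the original article: it picks the inodes a scan reports as fully recoverable and undeletes them into a directory on another disk. The function names, the sample scan text and the /media/usb/recovered path are constructed for illustration, and the column layout is assumed from the description above.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the scan layout is assumed
# to be the one described above: inode in column 1, recoverable percentage
# in column 3, filename at the end of the line.

# Constructed sample of scan output (not captured from a real disk).
sample_scan() {
    cat <<'EOF'
Inode    Flags  %age  Date           Size  Filename
---------------------------------------------------------------
14157    FN..   100%  2009-11-20     81920  holiday 01.jpg
14158    FN..   100%  2009-11-20     65536  holiday02.jpg
14159    FN..   100%  2009-11-20   4194304  clip.mpg
14160    FN..    37%  2009-11-20     20480  notes.txt

Files with potentially recoverable content: 4
EOF
}

# Read scan output on stdin; print a comma-separated list of the inodes whose
# recoverable percentage is at least $1 (default 100). Header, separator and
# summary lines are skipped because their first field is not a number.
recoverable_inodes() {
    awk -v min="${1:-100}" '
        $1 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+%$/ {
            pct = $3
            sub(/%/, "", pct)
            if (pct + 0 >= min + 0) { list = list sep $1; sep = "," }
        }
        END { print list }'
}

# Scan device $1 and undelete every sufficiently intact file into the existing
# directory $2, refusing a destination that lives on the volume being recovered.
recover_intact() {
    dev=$1 dest=$2 min=${3:-100}
    [ -d "$dest" ] || { echo "create $dest first" >&2; return 1; }
    if [ "$(df -P "$dest" | awk 'NR == 2 { print $1 }')" = "$dev" ]; then
        echo "destination is on $dev; choose another disk" >&2
        return 1
    fi
    inodes=$(ntfsundelete "$dev" --scan | recoverable_inodes "$min")
    [ -n "$inodes" ] || { echo "no files at or above ${min}%" >&2; return 1; }
    ntfsundelete "$dev" -u -i "$inodes" -d "$dest"
}

# Typical use, run as root:  recover_intact /dev/sda1 /media/usb/recovered
```

Selecting by inode rather than by name pattern avoids ambiguity when several deleted files share a name or contain spaces.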