bovlk
asked on
Undelete files on NTFS
Hello,
I just accidentally deleted 4400 text files (1.5GB) on an NTFS volume that's probably heavily fragmented, although these files were created in a particular sequence. The files contain long columns of numerical data. If the undelete program takes one cluster from one file and another from some other file, there's basically no chance to detect it by taking a look at the files or even using a program that I could write. There are plenty of possibilities how this can go unnoticed.
So my question is: Is undelete on NTFS reliable? I mean, can I rely on the files being recovered as they originally were, with correct sequence of clusters and not mixing clusters from different files together? In the old DOS and FAT days, DOS deleted files by changing the first letter in the name to ? and then marking all of its clusters in FAT as unused (which overwrote there sequence), so you had to guess which clusters belong to the file and their sequence. Is this true for NTFS or is NTFS more advanced and can mark clusters as unused without forgetting the sequence (by changing an extra bit for the cluster being used/unused, but not changing the ID of the next cluster)?
Thanks a lot. If you know a good undelete tool, please recommend it.
I just accidentally deleted 4400 text files (1.5GB) on an NTFS volume that's probably heavily fragmented, although these files were created in a particular sequence. The files contain long columns of numerical data. If the undelete program takes one cluster from one file and another from some other file, there's basically no chance to detect it by taking a look at the files or even using a program that I could write. There are plenty of possibilities how this can go unnoticed.
So my question is: Is undelete on NTFS reliable? I mean, can I rely on the files being recovered as they originally were, with correct sequence of clusters and not mixing clusters from different files together? In the old DOS and FAT days, DOS deleted files by changing the first letter in the name to ? and then marking all of its clusters in FAT as unused (which overwrote there sequence), so you had to guess which clusters belong to the file and their sequence. Is this true for NTFS or is NTFS more advanced and can mark clusters as unused without forgetting the sequence (by changing an extra bit for the cluster being used/unused, but not changing the ID of the next cluster)?
Thanks a lot. If you know a good undelete tool, please recommend it.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Getdataback is reliable if it finds the files you are looking for in the normal directory structure. If the directory structure looks different from what it used to be after you have scanned the disk, then it's possible the files, or some of them will be corrupt. If they are corrupt they will usually end up with strange filesizes, or you won't be able to open them using the application you open them with normally. So it should be pretty easy to find out which of the recovered files are bad and which aren't.
ASKER
thanks for the suggestions.
I deleted it using Total Commander. The files did not go to Recycle bin, but were really deleted immediately. Also, the directories that contain them were deleted using the same procedure. The files were on a local disk that's not a system disk and this happened a few hours ago so chances are high that most of the clusters will be unchanged.
If a few of the files are missing, that's not a problem. I can compute them again in short time. However, computing all of them would take 12 days. The problem is that I need to be sure they are exactly the same after restoring. Unfortunately, there are plenty of ways the files can be corrupted without me not noticing it, even though I can write a program to detect a few kinds of corruption. The most obvious problem would result from mixing of restored clusters, with the recovered files A and B having clusters from the deleted files C and D like this: A = C1, C2, D3, C4 and B = D1, D2, C3, D4. I'm virtually unable to detect this kind of problem (the files are just a bunch of columns of numbers with no CRC etc.) and still it is crucial that it does not happen. I can repeat the calculation but they took the computer 12 days so restoring the files is a much better option, but must be reliable.