Solved

Undelete files on NTFS

Posted on 2009-07-08
4
356 Views
Last Modified: 2012-05-07
Hello,

I just accidentally deleted 4400 text files (1.5GB) on an NTFS volume that's probably heavily fragmented, although these files were created in a particular sequence. The files contain long columns of numerical data. If the undelete program takes one cluster from one file and another from some other file, there's basically no chance to detect it by taking a look at the files or even using a program that I could write. There are plenty of possibilities how this can go unnoticed.

So my question is: Is undelete on NTFS reliable? I mean, can I rely on the files being recovered as they originally were, with correct sequence of clusters and not mixing clusters from different files together? In the old DOS and FAT days, DOS deleted files by changing the first letter in the name to ? and then marking all of its clusters in FAT as unused (which overwrote there sequence), so you had to guess which clusters belong to the file and their sequence. Is this true for NTFS or is NTFS more advanced and can mark clusters as unused without forgetting the sequence (by changing an extra bit for the cluster being used/unused, but not changing the ID of the next cluster)?

Thanks a lot. If you know a good undelete tool, please recommend it.
0
Comment
Question by:bovlk
  • 2
4 Comments
 
LVL 2

Accepted Solution

by:
Ste206 earned 250 total points
Comment Utility
Hi,

A free solution would be to use http://ntfsundelete.com

I have personally used this quite a lot of times, with great success, only on 1 occasion it has failed at getting the correct file back but that was after several months passing and many other files been deleted and added to the pc so the clusters were almost definatly re-used.

I'm still unable to find a better free solution to this program.

Hope this helps!
0
 
LVL 87

Assisted Solution

by:rindi
rindi earned 250 total points
Comment Utility
If you used the explorer to delete the files, and they were on your local PC, then just use the waste basket to get them back. As the files are still completely there, there are no issues with how fragmented they are or whatever.

Undelete is an old DOS utility and not used or necessary for ntfs partitions.

If on the other hand you also emptied the recycle bin, or the files were on a networked drive, and the server didn't have shadow copies turned on, then chances are high that at least some of your files are gone for good, depending on how long you waited to stop using the PC or server after deleting them. In such a case you should immediately stop using the PC or server and shut it down.

Then either connect the HD to another PC as a 2nd HD, or boot the PC with a LiveCD like the UBCD4WIN with getdataback on it, or another installation of the OS on another HD, then scan the disk on which you deleted the files with getdataback, and if the files are found, register the utility. Then you will be able to copy them from the deleted drive to another location.

http://ubcd4win.com
http://runtime.org
0
 

Author Comment

by:bovlk
Comment Utility
Hi,

thanks for the suggestions.

I deleted it using Total Commander. The files did not go to Recycle bin, but were really deleted immediately. Also, the directories that contain them were deleted using the same procedure. The files were on a local disk that's not a system disk and this happened a few hours ago so chances are high that most of the clusters will be unchanged.

If a few of the files are missing, that's not a problem. I can compute them again in short time. However, computing all of them would take 12 days. The problem is that I need to be sure they are exactly the same after restoring. Unfortunately, there are plenty of ways the files can be corrupted without me not noticing it, even though I can write a program to detect a few kinds of corruption. The most obvious problem would result from mixing of restored clusters, with the recovered files A and B having clusters from the deleted files C and D like this: A = C1, C2, D3, C4 and B = D1, D2, C3, D4. I'm virtually unable to detect this kind of problem (the files are just a bunch of columns of numbers with no CRC etc.) and still it is crucial that it does not happen. I can repeat the calculation but they took the computer 12 days so restoring the files is a much better option, but must be reliable.
0
 
LVL 87

Expert Comment

by:rindi
Comment Utility
Getdataback is reliable if it finds the files you are looking for in the normal directory structure. If the directory structure looks different from what it used to be after you have scanned the disk, then it's possible the files, or some of them will be corrupt. If they are corrupt they will usually end up with strange filesizes, or you won't be able to open them using the application you open them with normally. So it should be pretty easy to find out which of the recovered files are bad and which aren't.
0

Featured Post

Free Gift Card with Acronis Backup Purchase!

Backup any data in any location: local and remote systems, physical and virtual servers, private and public clouds, Macs and PCs, tablets and mobile devices, & more! For limited time only, buy any Acronis backup products and get a FREE Amazon/Best Buy gift card worth up to $200!

Join & Write a Comment

Suggested Solutions

Ever notice how you can't use a new drive in Windows without having Windows assigning a Disk Signature?  Ever have a signature collision problem (especially with Virtual Machines?)  This article is intended to help you understand what's going on and…
The article will include the best Data Recovery Tools along with their Features, Capabilities, and their Download Links. Hope you’ll enjoy it and will choose the one as required by you.
In this Micro Tutorial viewers will learn how to use Windows Server Backup to create full image of their system. Tutorial shows how to install Windows Server Backup Feature on Windows 2012R2 and how to configure scheduled Bare Metal Recovery backup.…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now