Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Undelete files on NTFS

Posted on 2009-07-08
Medium Priority
Last Modified: 2012-05-07

I just accidentally deleted 4400 text files (1.5GB) on an NTFS volume that's probably heavily fragmented, although these files were created in a particular sequence. The files contain long columns of numerical data. If the undelete program takes one cluster from one file and another from some other file, there's basically no chance to detect it by taking a look at the files or even using a program that I could write. There are plenty of possibilities how this can go unnoticed.

So my question is: Is undelete on NTFS reliable? I mean, can I rely on the files being recovered as they originally were, with correct sequence of clusters and not mixing clusters from different files together? In the old DOS and FAT days, DOS deleted files by changing the first letter in the name to ? and then marking all of its clusters in FAT as unused (which overwrote there sequence), so you had to guess which clusters belong to the file and their sequence. Is this true for NTFS or is NTFS more advanced and can mark clusters as unused without forgetting the sequence (by changing an extra bit for the cluster being used/unused, but not changing the ID of the next cluster)?

Thanks a lot. If you know a good undelete tool, please recommend it.
Question by:bovlk
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2

Accepted Solution

Ste206 earned 1000 total points
ID: 24802112

A free solution would be to use

I have personally used this quite a lot of times, with great success, only on 1 occasion it has failed at getting the correct file back but that was after several months passing and many other files been deleted and added to the pc so the clusters were almost definatly re-used.

I'm still unable to find a better free solution to this program.

Hope this helps!
LVL 88

Assisted Solution

rindi earned 1000 total points
ID: 24802166
If you used the explorer to delete the files, and they were on your local PC, then just use the waste basket to get them back. As the files are still completely there, there are no issues with how fragmented they are or whatever.

Undelete is an old DOS utility and not used or necessary for ntfs partitions.

If on the other hand you also emptied the recycle bin, or the files were on a networked drive, and the server didn't have shadow copies turned on, then chances are high that at least some of your files are gone for good, depending on how long you waited to stop using the PC or server after deleting them. In such a case you should immediately stop using the PC or server and shut it down.

Then either connect the HD to another PC as a 2nd HD, or boot the PC with a LiveCD like the UBCD4WIN with getdataback on it, or another installation of the OS on another HD, then scan the disk on which you deleted the files with getdataback, and if the files are found, register the utility. Then you will be able to copy them from the deleted drive to another location.

Author Comment

ID: 24802565

thanks for the suggestions.

I deleted it using Total Commander. The files did not go to Recycle bin, but were really deleted immediately. Also, the directories that contain them were deleted using the same procedure. The files were on a local disk that's not a system disk and this happened a few hours ago so chances are high that most of the clusters will be unchanged.

If a few of the files are missing, that's not a problem. I can compute them again in short time. However, computing all of them would take 12 days. The problem is that I need to be sure they are exactly the same after restoring. Unfortunately, there are plenty of ways the files can be corrupted without me not noticing it, even though I can write a program to detect a few kinds of corruption. The most obvious problem would result from mixing of restored clusters, with the recovered files A and B having clusters from the deleted files C and D like this: A = C1, C2, D3, C4 and B = D1, D2, C3, D4. I'm virtually unable to detect this kind of problem (the files are just a bunch of columns of numbers with no CRC etc.) and still it is crucial that it does not happen. I can repeat the calculation but they took the computer 12 days so restoring the files is a much better option, but must be reliable.
LVL 88

Expert Comment

ID: 24802617
Getdataback is reliable if it finds the files you are looking for in the normal directory structure. If the directory structure looks different from what it used to be after you have scanned the disk, then it's possible the files, or some of them will be corrupt. If they are corrupt they will usually end up with strange filesizes, or you won't be able to open them using the application you open them with normally. So it should be pretty easy to find out which of the recovered files are bad and which aren't.

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
A look at what happened in the Verizon cloud breach.
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question