ntfsundelete - Undeleting NTFS files

Raul Suarez

And Linux saves the day again.

My son installed an application but mistakenly he selected the data directory as the installation directory. When he realized it he decided to uninstall, but the full uninstall deleted everything from the folder. This is: the program and all his files.

The solution was very easy. I found that I had already installed the ntfsprogrs package. This package contains a pretty slick utility called ntfsundelete.

This utility allowed me to first list the files that I could recover and then recover them.

It has some very useful filters such as:

  • File name pattern matching: For example to search/undelete files *.mp3
  • Files modified since: Maybe you don't care about old deleted files just files modified since 5 months ago
  • Percentage recoverable: In some cases you want to salvage whatever you can, in some cases you only care if you can recover 90% or more, for example.
  • Files within a specific size range

In my case it was a breeze to use it.
I first unmounted the partition where the deleted files were

sudo umount /dev/sda2

I then executed the following to list which deleted mp3 files located in my /dev/sda2 device that were modified in the last 5 months were 100% recoverable:

sudo ntfsundelete /dev/sda2 -m '*.mp3' -p 100 -t 5m > deletedmp3.txt

That created a file called deletedmp3.txt with a list of files.

Once I reviewed the list I went on to undelete them and put the undeleted files on my external HDD on a folder called undeleted

sudo ntfsundelete /dev/sda2 -u -m '*.mp3' -p 100 -t 5m -d /media/externalExt3/undeleted

If you want to know how to fully use this utility just open a console and type
man ntfsundelete

Important things to consider

  • If you deleted using the file manager first check if your files are in the trash can, that's always the easiest way
  • As soon as you realize that you mistakenly deleted the files, don't write anything else to that partition. if possible unmount it right away
  • If you want to do it in a computer that does not have linux installed, you can always use a live CD distribution that includes the ntfsundelete utility