193 files changed, 80411 insertions, 44563 deletions
diff --git a/ntfsprogs/ntfsundelete.8.in b/ntfsprogs/ntfsundelete.8.in new file mode 100755 index 0000000..f80a4d7 --- a/dev/null +++ b/ntfsprogs/ntfsundelete.8.in @@ -0,0 +1,324 @@ +.\" Copyright (c) 2002\-2005 Richard Russon. +.\" This file may be copied under the terms of the GNU Public License. +.\" +.TH NTFSUNDELETE 8 "November 2005" "ntfs-3g @VERSION@" +.SH NAME +ntfsundelete \- recover a deleted file from an NTFS volume. +.SH SYNOPSIS +.B ntfsundelete +[\fIoptions\fR] \fIdevice\fR +.SH DESCRIPTION +.B ntfsundelete +has three modes of operation: +.IR scan , +.I undelete +and +.IR copy . +.SS Scan +.PP +The default mode, +.I scan +simply reads an NTFS Volume and looks for files that have been deleted. Then it +will print a list giving the inode number, name and size. +.SS Undelete +.PP +The +.I undelete +mode takes the files either matching the regular expression (option \-m) +or specified by the inode\-expressions and recovers as much of the data +as possible. It saves the result to another location. Partly for +safety, but mostly because NTFS write support isn't finished. +.SS Copy +.PP +This is a wizard's option. It will save a portion of the MFT to a file. This +probably only be useful when debugging +.I ntfsundelete +.SS Notes +.B ntfsundelete +only ever +.B reads +from the NTFS Volume. +.B ntfsundelete +will never change the volume. +.SH CAVEATS +.SS Miracles +.B ntfsundelete +cannot perform the impossible. +.PP +When a file is deleted the MFT Record is marked as not in use and the bitmap +representing the disk usage is updated. If the power isn't turned off +immediately, the free space, where the file used to live, may become +overwritten. Worse, the MFT Record may be reused for another file. If this +happens it is impossible to tell where the file was on disk. +.PP +Even if all the clusters of a file are not in use, there is no guarantee that +they haven't been overwritten by some short\-lived file. +.SS Locale +In NTFS all the filenames are stored as Unicode. They will be converted into +the current locale for display by +.BR ntfsundelete . +The utility has successfully displayed some Chinese pictogram filenames and then +correctly recovered them. +.SS Extended MFT Records +In rare circumstances, a single MFT Record will not be large enough to hold the +metadata describing a file (a file would have to be in hundreds of fragments +for this to happen). In these cases one MFT record may hold the filename, but +another will hold the information about the data. +.B ntfsundelete +will not try and piece together such records. It will simply show unnamed files +with data. +.SS Compressed and Encrypted Files +.B ntfsundelete +cannot recover compressed or encrypted files. When scanning for them, it will +display as being 0% recoverable. +.SS The Recovered File's Size and Date +To recover a file +.B ntfsundelete +has to read the file's metadata. Unfortunately, this isn't always intact. +When a file is deleted, the metadata can be left in an inconsistent state. e.g. +the file size may be zero; the dates of the file may be set to the time it was +deleted, or random. +.br +To be safe +.B ntfsundelete +will pick the largest file size it finds and write that to disk. It will also +try and set the file's date to the last modified date. This date may be the +correct last modified date, or something unexpected. +.SH OPTIONS +Below is a summary of all the options that +.B ntfsundelete +accepts. Nearly all options have two equivalent names. The short name is +preceded by +.B \- +and the long name is preceded by +.BR \-\- . +Any single letter options, that don't take an argument, can be combined into a +single command, e.g. +.B \-fv +is equivalent to +.BR "\-f \-v" . +Long named options can be abbreviated to any unique prefix of their name. +.TP +\fB\-b\fR, \fB\-\-byte\fR NUM +If any clusters of the file cannot be recovered, the missing parts will be +filled with this byte. The default is zeros. +.TP +\fB\-C\fR, \fB\-\-case\fR +When scanning an NTFS volume, any filename matching (using the +.B \-\-match +option) is case\-insensitive. This option makes the matching case\-sensitive. +.TP +\fB\-c\fR, \fB\-\-copy\fR RANGE +This wizard's option will write a block of MFT FILE records to a file. The +default file is +.I mft +which will be created in the current directory. This option can be combined +with the +.B \-\-output +and +.B \-\-destination +options. +.TP +\fB\-d\fR, \fB\-\-destination\fR DIR +This option controls where to put the output file of the +.B \-\-undelete +and +.B \-\-copy +options. +.TP +\fB\-f\fR, \fB\-\-force\fR +This will override some sensible defaults, such as not overwriting an existing +file. Use this option with caution. +.TP +\fB\-h\fR, \fB\-\-help\fR +Show a list of options with a brief description of each one. +.TP +\fB\-i\fR, \fB\-\-inodes\fR RANGE +Recover the files with these inode numbers. +.I RANGE +can be a single inode number, several numbers separated by commas "," or a +range separated by a dash "\-". +.TP +\fB\-m\fR, \fB\-\-match\fR PATTERN +Filter the output by only looking for matching filenames. The pattern can +include the wildcards '?', match exactly one character or '*', match zero or +more characters. By default the matching is case\-insensitive. To make the +search case sensitive, use the +.B \-\-case +option. +.TP +\fB\-O\fR, \fB\-\-optimistic\fR +Recover parts of the file even if they are currently marked as in use. +.TP +\fB\-o\fR, \fB\-\-output\fR FILE +Use this option to set name of output file that +.B \-\-undelete +or +.B \-\-copy +will create. +.TP +\fB\-P\fR, \fB\-\-parent\fR +Display the parent directory of a deleted file. +.TP +\fB\-p\fR, \fB\-\-percentage\fR NUM +Filter the output of the +.B \-\-scan +option, by only matching files with a certain amount of recoverable content. +.B Please read the caveats section for more details. +.TP +\fB\-q\fR, \fB\-\-quiet\fR +Reduce the amount of output to a minimum. Naturally, it doesn't make sense to +combine this option with +.BR \-\-scan . +.TP +\fB\-s\fR, \fB\-\-scan\fR +Search through an NTFS volume and print a list of files that could be recovered. +This is the default action of +.BR ntfsundelete . +This list can be filtered by filename, size, percentage recoverable or last +modification time, using the +.BR \-\-match , +.BR \-\-size , +.B \-\-percent +and +.B \-\-time +options, respectively. +.sp +The output of scan will be: +.sp +.nf +Inode Flags %age Date Time Size Filename + 6038 FN.. 93% 2002\-07\-17 13:42 26629 thesis.doc +.fi +.TS +box; +lB lB +l l. +Flag Description +F/D File/Directory +N/R (Non\-)Resident data stream +C/E Compressed/Encrypted data stream +! Missing attributes +.TE +.sp +.sp +The percentage field shows how much of the file can potentially be recovered. +.TP +\fB\-S\fR, \fB\-\-size\fR RANGE +Filter the output of the +.B \-\-scan +option, by looking for a particular range of file sizes. The range may be +specified as two numbers separated by a '\-'. The sizes may be abbreviated +using the suffixes k, m, g, t, for kilobytes, megabytes, gigabytes and terabytes +respectively. +.TP +\fB\-t\fR, \fB\-\-time\fR SINCE +Filter the output of the +.B \-\-scan +option. Only match files that have been altered since this time. The time must +be given as number using a suffix of d, w, m, y for days, weeks, months or years +ago. +.TP +\fB\-T\fR, \fB\-\-truncate\fR +If +.B ntfsundelete +is confident about the size of a deleted file, then it will restore the file to +exactly that size. The default behaviour is to round up the size to the nearest +cluster (which will be a multiple of 512 bytes). +.TP +\fB\-u\fR, \fB\-\-undelete\fR +Select +.B undelete +mode. You can specify the files to be recovered using by using +.B \-\-match +or +.B \-\-inodes +options. This option can be combined with +.BR \-\-output , +.BR \-\-destination , +and +.BR \-\-byte . +.sp +When the file is recovered it will be given its original name, unless the +.B \-\-output +option is used. +.TP +\fB\-v\fR, \fB\-\-verbose\fR +Increase the amount of output that +.B ntfsundelete +prints. +.TP +\fB\-V\fR, \fB\-\-version\fR +Show the version number, copyright and license for +.BR ntfsundelete . +.SH EXAMPLES +Look for deleted files on /dev/hda1. +.RS +.sp +.B ntfsundelete /dev/hda1 +.sp +.RE +Look for deleted documents on /dev/hda1. +.RS +.sp +.B ntfsundelete /dev/hda1 \-s \-m '*.doc' +.sp +.RE +Look for deleted files between 5000 and 6000000 bytes, with at least 90% of the +data recoverable, on /dev/hda1. +.RS +.sp +.B ntfsundelete /dev/hda1 \-S 5k\-6m \-p 90 +.sp +.RE +Look for deleted files altered in the last two days +.RS +.sp +.B ntfsundelete /dev/hda1 \-t 2d +.sp +.RE +Undelete inodes 2, 5 and 100 to 131 of device /dev/sda1 +.RS +.sp +.B ntfsundelete /dev/sda1 \-u \-i 2,5,100\-131 +.sp +.RE +Undelete inode number 3689, call the file 'work.doc', set it to recovered +size and put it in the user's home directory. +.RS +.sp +.B ntfsundelete /dev/hda1 \-u \-T \-i 3689 \-o work.doc \-d ~ +.sp +.RE +Save MFT Records 3689 to 3690 to a file 'debug' +.RS +.sp +.B ntfsundelete /dev/hda1 \-c 3689\-3690 \-o debug +.sp +.RE +.SH BUGS +There are some small limitations to +.BR ntfsundelete , +but currently no known bugs. If you find a bug please send an email describing +the problem to the development team: +.br +.nh +ntfs\-3g\-devel@lists.sf.net +.hy +.SH AUTHORS +.B ntfsundelete +was written by Richard Russon and Holger Ohmacht, with contributions from Anton +Altaparmakov. +It was ported to ntfs-3g by Erik Larsson and Jean-Pierre Andre. +.SH AVAILABILITY +.B ntfsundelete +is part of the +.B ntfs-3g +package and is available from: +.br +.nh +http://www.tuxera.com/community/ +.hy +.SH SEE ALSO +.BR ntfsinfo (8), +.BR ntfsprogs (8) |