• ARTICLES
SEARCH

How-To Geek

Recover Deleted Files on an NTFS Hard Drive from a Ubuntu Live CD

Accidentally deleting a file is a terrible feeling. Not being able to boot into Windows and undelete that file makes that even worse. Fortunately, you can recover deleted files on NTFS hard drives from an Ubuntu Live CD.

To show this process, we created four files on the desktop of a Windows XP machine, and then deleted them. We then booted up the same machine with the bootable Ubuntu 9.10 USB Flash Drive that we created last week.

Once Ubuntu 9.10 boots up, open a terminal by clicking Applications in the top left of the screen, and then selecting Accessories > Terminal.

sshot-1
To undelete our files, we first need to identify the hard drive that we want to undelete from. In the terminal window, type in:

sudo fdisk –l

and press enter.

sshot-2

What you’re looking for is a line that ends with HPSF/NTFS (under the heading System). In our case, the device is “/dev/sda1”. This may be slightly different for you, but it will still begin with /dev/. Note this device name.

If you have more than one hard drive partition formatted as NTFS, then you may be able to identify the correct partition by the size. If you look at the second line of text in the screenshot above, it reads “Disk /dev/sda: 136.4 GB, …” This means that the hard drive that Ubuntu has named /dev/sda is 136.4 GB large. If your hard drives are of different size, then this information can help you track down the right device name to use. Alternatively, you can just try them all, though this can be time consuming for large hard drives.

Now that you know the name Ubuntu has assigned to your hard drive, we’ll scan it to see what files we can uncover.

In the terminal window, type:

sudo ntfsundelete <HD name>

and hit enter. In our case, the command is:

sudo ntfsundelete /dev/sda1

sshot-3

The names of files that can recovered show up in the far right column. The percentage in the third column tells us how much of that file can be recovered. Three of the four files that we originally deleted are showing up in this list, even though we shut down the computer right after deleting the four files – so even in ideal cases, your files may not be recoverable.

Nevertheless, we have three files that we can recover – two JPGs and an MPG.

Note: ntfsundelete is immediately available in the Ubuntu 9.10 Live CD. If you are in a different version of Ubuntu, or for some other reason get an error when trying to use ntfsundelete, you can install it by entering “sudo apt-get install ntfsprogs” in a terminal window.

To quickly recover the two JPGs, we will use the * wildcard to recover all of the files that end with .jpg.

In the terminal window, enter

sudo ntfsundelete <HD name> –u –m *.jpg

which is, in our case,

sudo ntfsundelete /dev/sda1 –u –m *.jpg

sshot-10

The two files are recovered from the NTFS hard drive and saved in the current working directory of the terminal. By default, this is the home directory of the current user, though we are working in the Desktop folder.

Note that the ntfsundelete program does not make any changes to the original NTFS hard drive. If you want to take those files and put them back in the NTFS hard drive, you will have to move them there after they are undeleted with ntfsundelete. Of course, you can also put them on your flash drive or open Firefox and email them to yourself – the sky’s the limit!

We have one more file to undelete – our MPG.

sshot-4

Note the first column on the far left. It contains a number, its Inode. Think of this as the file’s unique identifier. Note this number.

To undelete a file by its Inode, enter the following in the terminal:

sudo ntfsundelete <HD name> –u –i <Inode>

In our case, this is:

sudo ntfsundelete /dev/sda1 –u –i 14159

sshot-11

This recovers the file, along with an identifier that we don’t really care about. All three of our recoverable files are now recovered.

sshot-5

However, Ubuntu lets us know visually that we can’t use these files yet. That’s because the ntfsundelete program saves the files as the “root” user, not the “ubuntu” user.

We can verify this by typing the following in our terminal window:

ls –l

sshot-7

We want these three files to be owned by ubuntu, not root. To do this, enter the following in the terminal window:

sudo chown ubuntu <Files>

If the current folder has other files in it, you may not want to change their owner to ubuntu. However, in our case, we only have these three files in this folder, so we will use the * wildcard to change the owner of all three files.

sudo chown ubuntu *

sshot-8

The files now look normal, and we can do whatever we want with them.

sshot-9

Hopefully you won’t need to use this tip, but if you do, ntfsundelete is a nice command-line utility. It doesn’t have a fancy GUI like many of the similar Windows programs, but it is a powerful tool that can recover your files quickly.

See ntfsundelete’s manual page for more detailed usage information

Trevor is our resident Linux geek, but always keeps his eyes open for neat Windows tricks too.

  • Published 03/29/10

Comments (12)

  1. Prashant

    This is awesome !!

  2. ph15h

    This would help all those kids that believe deleting System32 fixes viruses since they need to somehow restore those files for Windows to run.

  3. calebstein

    To install this in FreeBSD, type “sudo pkg_add -r ntfsprogs” (without quotes). Because FreeBSD uses a radically different partition naming system than Linux, I am not really sure how one would go about using it.

  4. calebstein

    Sorry about the second post, but you should also type ‘sudo pkg_add -r fusefs-ntfs’ (without single quotes) and add ‘fusefs_enable=”YES”‘ (without the single quotes) to your /etc/rc.conf file.

  5. tshirtman

    You should have pointed that ntfsundelete comes from the ntfsprogs package :).

    but good to know anyway, I used photorec for this 2 days ago, and it only restore a big mess without name nor directory, but i learned after that it’s friend testdisk has an “undelete” option. (tesdisk is mainly a partition recovery program, so i forgot to check).

  6. twjolson

    Nice little tool. For an even more powerful recovery, check out foremost or photorec. They recover much more because they ignore the file system and recover based on file headers and footers. You’ll lose the name, however.

  7. Maria

    Thanks for sharing the informative post about Recovery of Deleted Files on an NTFS Hard Drive from a Ubuntu Live CD the tool seem to be very effective I have used for the same purpose a Linux recovery Software from stellar ” Stellar phoenix linux data recovery software” the software was quiet effective

  8. Ángel

    Typing
    sudo ntfsundelete –u –m *.jpg

    is wrong, you should quote the name:
    sudo ntfsundelete –u –m ‘*.jpg’

    Otherwise, if you had RandomFile.jpg in your working folder, the shell will expand the command to
    sudo ntfsundelete /dev/sda1 –u –m RandomFile.jpg

    and thus it won’t recover DoNotDelete.jpg

  9. f3rns

    Hello Trevor thank you for this lovely article.

    Please would you kindly tell me how to make the saved files appear on the desktop as you do in the article.

    Thank you in advance.

  10. Thomes

    Photorec is also a recovery tool . Photorec utility under the package of testdisk utility. If you don’t want to mess with too much of commands, then this utility is the best for you. To know more visit: ubuntumanual.org/posts/357/recover-your-deleted-files-in-ubuntu

  11. Abhilash

    Using scalpel:

    By default, all file types in the database (/etc/scalpel/scalpel.conf) are commented out. To specify which filetypes you want to carve, you need to edit the file and uncomment each line.

    sudo scalpel FILE -o Directory

    Where FILE is the image file (or device) and Directory is the output directory. <a href="http:/www..ubuntumanual.org/posts/357/recover-your-deleted-files-in-ubuntu"For more details you may please visit: "http:/www..ubuntumanual.org/posts/357/recover-your-deleted-files-in-ubuntu"

  12. Sam

    Very Informative Post…

Enter Your Email Here to Get Access for Free:

Go check your email!