The capacity of my hard drive is 500 GiB. 150 GB of data got deleted accidently. I didn't write any byte to the drive after that incident, so my data is guaranteed to be there. I have tried apps like Recuva, all apps show that the data is there and allow me to save the data in a different location, but the problem is I don't want to do that.
I just want that the files are again marked as not deleted in the MFT. Is there any app available for this purpose? I searched a lot but didn't find anything, is it possible to unmark files as deleted in the MFT or am I missing something? I could write an app for this if I knew how to do it manually.
Answer
Undeleting files on an NTFS volume is not as simple as flipping one bit. It is true that the difference between a deleted and non-deleted file is just one bit in the MFT, but one needs also to recover the file's contents, which are stored as streams, as well as re-flag the deleted sectors as used in the $Bitmap pseudo-file which contains one bit per sector, each bit indicates whether its corresponding cluster is used (allocated) or free (available for allocation).
The complexity of the job is such that all recovery tools prefer not to write to the damaged volume. For example, marking a sector in $Bitmap as used may cause cross-chaining if that sector was already used by another file.
This article demonstrated the problem very well with hex dumps :
Windows ‘File Recovery’ series : Part 5 Manually Recover a Deleted File From an NTFS File System.
Another article even contains the source code of a program that could be modified to unflip the "deleted" bit : Undelete a file in NTFS.
There are quite a few NTFS disk editors that can edit the MFT to flip that bit. Some that I found via Google (but luckily never needed to use) are :
WinHex
NTFS Data Recovery Toolkit
DMDE
Freeware Active Disk Editor
A possible solution which might even work would be to undo the deleted bit in the MFT, then use the chkdsk utility to try to recover the contents. This utility can recover the sectors-chains of files whose sectors were wrongly marked as available for reallocation and will fix up $Bitmap.
However, there is always the chance that this procedure may destroy your disk.
This is why you and all the commentators above (including myself) have not found any product that does in-place recovery. The possibilities for screwing up your disk are simply too much for anybody who is not a Microsoft employee working on NTFS.
My best recommendation for you is to get a second hard disk and recover the files on it. I believe you have found out that one backup disk is not enough. I have already had several cases of friends asking me to recover their only backup, and I always counsel them (sometimes too late) to have two backup disks.
In addition, at least one of the two backup disks should be disconnected from the computer. I advise this after hearing of a case where a computer has fried itself and every connected USB device, leaving the owner with no data and no backup in one hit.
No comments:
Post a Comment