[SOLVED] Script to undelete files on NTFS. Need help.

eDio · 2010-07-10 20:27:04

Preamble
I've removed a folder with very important files for me. Unfortunately there were no any backups.
I've restored some files with photorec utility, but then I noticed, that ntfsundelete can restore much more files.

What is the problem
Deleted files have no names and ntfsundelete just restores them as unknown. So I can't just run ntfsundelete with inode range to restore all files (as it wount restore more than one file because of name conflict).
Also it would be great to restore only specific filetypes, as I know almost exactly, what filetypes I need. The only way to know filetype is to read first bytes of the file (files have no names).

What I want to do
1. Increment inode in cycle and restore files from this inode with ntfsundelete (I can implement this).
2. In cycle body I want to read first bytes and compare them to some table of values.
Here is the main question. How can I do this? Maybe grep would be fine for reading bytes? Please, suggest something.
3. Depending on result of comparison I want to rename restored file or delete it (I believe, I can implement this too, but it depends on how the second step will be implemented)

Please, I need your help very much. Maybe there is some ready-made solution. Any help is appreciated.

Thanks in advance.

Last edited by eDio (2010-07-11 19:53:37)

karol · 2010-07-10 22:20:32

> I want to read first bytes
'hexdump -n 5 somefile' will read 5 bytes. man page says you can format the output.

> Maybe grep would be fine for reading bytes?
grep searches whole files

Last edited by karol (2010-07-10 22:21:16)

eDio · 2010-07-11 14:02:34

Thank you, karol!
Now I can share script. Maybe someone would find it useful.
As for me, I could not restore needed files. So now I know, backups are essential.

http://pastebin.com/nSKTi5ux

karol · 2010-07-11 15:01:09

I'm glad it worked :-)

Correct me if I'm wrong, but you're basically reading inodes.txt line by line, undeleting the files and identyfying them, right?

for inode in $( ntfsundelete $DEVICE -p  100 -S 512-100m | grep -o -e ^[0-9]* ); do
     ntfsundelete $DEVICE -u -i $inode > /dev/null
     HEAD4="$(hexdump -f printformat -n 4 unknown)"
     (...)
done

I don't think you need to count them: we have 151 lines, so now read the line # 1, do sth to it, good, move to line # 2, do sth to it, good ...

And if you really want to count the lines, turn

ntfsundelete $DEVICE -p 100 -S 512-100m | grep -o -e ^[0-9]* > inodes.txt

num_inodes=$(wc -l inodes.txt | grep -o -e ^[0-9]*)

into

num_inodes=$(ntfsundelete $DEVICE -p 100 -S 512-100m | grep -o -e ^[0-9]* | tee -a inodes.txt | wc -l)

No, it's not less readable, it l33t ;P

Last edited by karol (2010-07-11 15:24:46)

eDio · 2010-07-11 15:31:45

but you're basically reading inodes.txt line by line, undeleting the files and identyfying them, right?

You are right. I couldn't find better solution, as ntfsundelete can't print in specified format. So the solution is to store info to file, then parse it for inodes. As inodes are just numbers, parsing is very simple and could be done via grep

And if you really want to count the lines, turn

Of course, your version is better.
As for counting lines, maybe I could check if sed returns error or smthng else. But I'm noob in bash, so I try to keep solutions as simple as possible.

Arch Linux

#1 2010-07-10 20:27:04

[SOLVED] Script to undelete files on NTFS. Need help.

#2 2010-07-10 22:20:32

Re: [SOLVED] Script to undelete files on NTFS. Need help.

#3 2010-07-11 14:02:34

Re: [SOLVED] Script to undelete files on NTFS. Need help.

#4 2010-07-11 15:01:09

Re: [SOLVED] Script to undelete files on NTFS. Need help.

#5 2010-07-11 15:31:45

Re: [SOLVED] Script to undelete files on NTFS. Need help.

Board footer