Peter's Blog

Due to some finger trouble in Salamander I accidently deleted some files. Oops.

I could have installed an undelete utility such as freeundelete but downloading it or installing it could have damaged the remains of the deleted files on the disk (as far as windows is concerned the space the files are occupying can be used to store something else) so I thought I'd try knoppix. It transpires that Knoppix 4 includes a utility called ntfsundelete to undelete ntfs files so I gave it a try:

• reboot pc in knoppix. I used knoppix 2 as the start parameters to start in text mode so I didn't have to wait for a gui.
• ran:

  ntfsundelete /dev/hda1
  

  and it listed the potentially undeletable files on my ntfs partition. There were a lot of them.
• ran:

  ntfsundelete /dev/hda1 -m *.py
  

  and it listed just the python files, as the file I most wanted to undelete was python.
• ran:

  ntfsundelete /dev/hda1 -m *.py -u
  

  and it undeleted the python files. They were in the current directory, knoppix's ram drive, i.e. it didn't try to write them back to the ntfs disk. This is very good, it means that if it failed it is unlikely to have ruined the ntfs drive.
• look at my file:

  cat blah.py
  

  and argh I get funny characters and rubbish at the end of the file. Panic. Dissillusionment.
• Open file in vim and it seems that the file is there but a load of rubbish has been added to the end. Maybe ntfsundelete does not now how long the file is and can only restore the whole sectors it was in? Conjecture. Anyway, in vim, delete the rubbish at the end of the file.
• Use sftp to copy the file somewhere safe.

Conclusion: success, albeit not as clean as I would prefer. I do like the idea of being able to undelete the data with the partition read-only so if I fail miserably I can try again with some other tool.

Knoppix 2 Windows 0.