diff options
Diffstat (limited to 'usr/src/man/man1m/ntfsundelete.1m')
| -rw-r--r-- | usr/src/man/man1m/ntfsundelete.1m | 476 |
1 files changed, 0 insertions, 476 deletions
diff --git a/usr/src/man/man1m/ntfsundelete.1m b/usr/src/man/man1m/ntfsundelete.1m deleted file mode 100644 index 62ed3ad473..0000000000 --- a/usr/src/man/man1m/ntfsundelete.1m +++ /dev/null @@ -1,476 +0,0 @@ -'\" te -.\" Portions Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved -.\" Copyright (c) 2002-2006 Szabolcs Szakacsits -.\" Copyright (c) 2002-2005 Anton Altaparmakov -.\" Copyright (c) 2002-2003 Richard Russon -.\" Copyright (c) 2007 Yura Pakhuchiy -.\" This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation ; either version 2 of the License, or (at your option) any later version. This program is distributed -.\" in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program -.\" (in the main directory of the Linux-NTFS distribution in the file COPYING); if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 11-1307 USA -.TH NTFSUNDELETE 1M "May 22, 2009" -.SH NAME -ntfsundelete \- recover a deleted file from an NTFS volume -.SH SYNOPSIS -.LP -.nf -\fBntfsundelete\fR [\fIoptions\fR] \fIdevice\fR -.fi - -.SH DESCRIPTION -.sp -.LP -The \fBntfsundelete\fR utility can, under the right circumstances, recover a -deleted file from an NTFS volume. The command has three modes of operation: -.sp -.ne 2 -.na -\fB\fBScan\fR\fR -.ad -.sp .6 -.RS 4n -The default mode, \fBscan\fR simply reads an NTFS Volume and looks for files -that have been deleted. It then displays a list, giving the inode number, name, -and size of each deleted file. -.RE - -.sp -.ne 2 -.na -\fB\fBUndelete\fR\fR -.ad -.sp .6 -.RS 4n -The undelete mode takes the files either matching the regular expression -(option \fB-m\fR) or specified by the \fIinode-expressions\fR and recovers as -much of the data as possible. It saves the result to another location. -.RE - -.sp -.ne 2 -.na -\fB\fBCopy\fR\fR -.ad -.sp .6 -.RS 4n -The "wizard's" option. Saves a portion of the MFT to a file, which can be -useful when debugging \fBntfsundelete\fR. -.RE - -.sp -.LP -There are many circumstances under which \fBntfsundelete\fR is unable to -recover a file. For example, consider the following scenario. When a file is -deleted the MFT Record is marked as not in use and the bitmap representing the -disk usage is updated. If the power is not turned off immediately, the free -space, where the file used to reside might get overwritten. Worse, the MFT -Record might be reused for another file. If this happens, it is impossible to -tell where the file was on disk. -.sp -.LP -Even if all the clusters of a file are not in use, there is no guarantee that -they have not been overwritten by some short-lived file. -.sp -.LP -\fBntfsundelete\fR cannot recover compressed or encrypted files. During a scan, -it will display such a file as being 0% recoverable. -.SS "Locale" -.sp -.LP -In NTFS, all filenames are stored as Unicode. A filename is converted into the -current locale for display by \fBntfsundelete\fR. The utility has successfully -displayed Chinese pictogram filenames and then correctly recovered them. -.SS "Extended MFT Records" -.sp -.LP -In rare circumstances, a single MFT Record will not be large enough to hold the -metadata describing a file (a file would have to be in hundreds of fragments -for this to happen). In these cases, one MFT record might hold the filename, -while another will hold the information about the data. \fBntfsundelete\fR will -not try and piece together such records. It will simply list unnamed files with -data. -.SS "Recovered File's Size and Creation Date" -.sp -.LP -To recover a file, \fBntfsundelete\fR has to read the file's metadata. -Unfortunately, when a file is deleted, the metadata can be left in an -inconsistent state. For example, the file size might be recorded as zero; the -creation date of a file might be set to the time it was deleted or to a random -time. In such situations, \fBntfsundelete\fR picks the largest file size it -finds and writes that to disk. It also tries to set the file's creation date to -the last-modified date. This date might be the correct last modified date, or -something unexpected. -.SH OPTIONS -.sp -.LP -Supported options are listed below. Most options have both single-letter and -full-name forms. Multiple single-letter options that do not take an argument -can be combined. For example, \fB-fv\fR is the equivalent of \fB-f\fR \fB-v\fR. -A full-name option can be abbreviated to a unique prefix of its name. -.sp -.ne 2 -.na -\fB\fB-b\fR, \fB--byte\fR \fInum\fR\fR -.ad -.sp .6 -.RS 4n -Fill in the parts of unrecoverable file clusters with byte represented by -\fInum\fR. The default is zeros. -.RE - -.sp -.ne 2 -.na -\fB\fB-C\fR, \fB--case\fR\fR -.ad -.sp .6 -.RS 4n -Make filename search, when attempting a match with the \fB--match\fR option, -case-sensitive. The default filename search is case-insensitive. -.RE - -.sp -.ne 2 -.na -\fB\fB-c\fR, \fB--copy\fR \fIrange\fR\fR -.ad -.sp .6 -.RS 4n -This "wizard" option writes a block of MFT FILE records to a file. The default -file is mft which will be created in the current directory. This option can be -combined with the \fB--output\fR and \fB--destination\fR options. -.RE - -.sp -.ne 2 -.na -\fB\fB-d\fR, \fB--destination\fR \fIdir\fR\fR -.ad -.sp .6 -.RS 4n -Specify the location of the output file for the \fB--copy\fR and -\fB--undelete\fR options. -.RE - -.sp -.ne 2 -.na -\fB\fB-f\fR, \fB--force\fR\fR -.ad -.sp .6 -.RS 4n -Overrides some sensible defaults, such as not overwriting an existing file. Use -this option with caution. -.RE - -.sp -.ne 2 -.na -\fB\fB-h\fR, \fB--help\fR\fR -.ad -.sp .6 -.RS 4n -Show a list of options with a brief description of each one. -.RE - -.sp -.ne 2 -.na -\fB\fB-i\fR, \fB--inodes\fR \fIrange\fR\fR -.ad -.sp .6 -.RS 4n -Recover the files within the specified range of inode numbers. \fIrange\fR can -be a single inode number, several numbers separated by commas, or a range -separated by a dash (\fB-\fR). -.RE - -.sp -.ne 2 -.na -\fB\fB-m\fR, \fB--match\fR \fIpattern\fR\fR -.ad -.sp .6 -.RS 4n -Filter the output by looking only for filenames that match \fIpattern\fR. The -pattern can include the wildcards \fB?\fR, matching exactly one character, or -\fB*\fR, matching zero or more characters. By default, the matching is -case-insensitive. To make the search case-sensitive, use the \fB--case\fR -option. -.RE - -.sp -.ne 2 -.na -\fB\fB-O\fR, \fB--optimistic\fR\fR -.ad -.sp .6 -.RS 4n -Recover parts of the file even if they are currently marked as in use. -.RE - -.sp -.ne 2 -.na -\fB\fB-o\fR, \fB--output\fR \fIfile\fR\fR -.ad -.sp .6 -.RS 4n -Set the name of the output file created by the \fB--copy\fR or \fB--undelete\fR -options. -.RE - -.sp -.ne 2 -.na -\fB\fB-P\fR, \fB--parent\fR\fR -.ad -.sp .6 -.RS 4n -Display the parent directory of a deleted file. -.RE - -.sp -.ne 2 -.na -\fB\fB-p\fR, \fB--percentage\fR \fInum\fR\fR -.ad -.sp .6 -.RS 4n -Filter the output of the \fB--scan\fR option by matching only files with -\fInum\fR percent of recoverable content. -.RE - -.sp -.ne 2 -.na -\fB\fB-q\fR, \fB--quiet\fR\fR -.ad -.sp .6 -.RS 4n -Reduce the amount of output to a minimum. This option is not useful with the -\fB--scan\fR option. -.RE - -.sp -.ne 2 -.na -\fB\fB-s\fR, \fB--scan\fR\fR -.ad -.sp .6 -.RS 4n -Search through an NTFS volume and display a list of files that could be -recovered. This is the default action of \fBntfsundelete\fR. This list can be -filtered by filename, size, percentage recoverable, or last modification time, -using the \fB--match\fR, \fB--size\fR, \fB--percent\fR, and \fB--time\fR -options, respectively. -.sp -In the output from this option, the \fB%age\fR (percentage) field displays how -much of a file can potentially be recovered. -.RE - -.sp -.ne 2 -.na -\fB\fB-S\fR, \fB--size\fR \fIrange\fR\fR -.ad -.sp .6 -.RS 4n -Filter the output of the \fB--scan\fR option by looking for a particular range -of file sizes. \fIrange\fR can be specified as two numbers separated by a -hyphen (\fB-\fR). A unit of size can be abbreviated using the suffixes \fBk\fR, -\fBm\fR, \fBg\fR, and \fBt\fR, for kilobytes, megabytes, gigabytes, and -terabytes respectively. -.RE - -.sp -.ne 2 -.na -\fB\fB-t\fR, \fB--time\fR \fIsince\fR\fR -.ad -.sp .6 -.RS 4n -Filter the output of the \fB--scan\fR option. Match only files that have been -altered since this time. The time must be given as number and a suffix of -\fBd\fR, \fBw\fR, \fBm\fR, or \fBy\fR for, respectively, days, weeks, -months, or years. -.RE - -.sp -.ne 2 -.na -\fB\fB-T\fR, \fB--truncate\fR\fR -.ad -.sp .6 -.RS 4n -The default behavior of \fBntfsundelete\fR is to round \fBup\fR a file's size -to the nearest cluster (which will be a multiple of 512 bytes). In cases where -the utility has complete data about the size of a file, this option restores -the file to exactly that size. -.RE - -.sp -.ne 2 -.na -\fB\fB-u\fR, \fB--undelete\fR\fR -.ad -.sp .6 -.RS 4n -Specifies undelete mode. You can specify the files to be recovered using by -using \fB--match\fR or \fB--inodes\fR options. This option can be combined with -\fB--output\fR, \fB--destination\fR, and \fB--byte\fR. -.sp -When the file is recovered it will be given its original name, unless the -\fB--output\fR option is used. -.RE - -.sp -.ne 2 -.na -\fB\fB-v\fR, \fB--verbose\fR \fI\fR\fR -.ad -.sp .6 -.RS 4n -Increase the amount of output that \fBntfsundelete\fR displays. -.RE - -.sp -.ne 2 -.na -\fB\fB-V\fR, \fB--version\fR \fI\fR\fR -.ad -.sp .6 -.RS 4n -Display the version number, copyright, and license for \fBntfsundelete\fR. -.RE - -.SH EXAMPLES -.LP -\fBExample 1 \fRSearching for Deleted Files -.sp -.LP -The following command searches for deleted files on a specific device. - -.sp -.in +2 -.nf -# \fBntfsundelete /dev/dsk/c0d0p1\fR -.fi -.in -2 -.sp - -.LP -\fBExample 2 \fRScanning for Files Matching a Wildcard -.sp -.LP -The following command searches for deleted files that match \fB*.doc\fR. - -.sp -.in +2 -.nf -# \fBntfsundelete /dev/dsk/c0d0p1 -s -m '*.doc'\fR -.fi -.in -2 -.sp - -.LP -\fBExample 3 \fRSearching for Files of a Certain Size -.sp -.LP -The following command looks for deleted files between 5000 and 6000000 bytes, -with at least 90% of the data recoverable, on \fB/dev/dsk/c0d0p1\fR. - -.sp -.in +2 -.nf -# \fBntfsundelete /dev/dsk/c0d0p1 -S 5k-6m -p 90\fR -.fi -.in -2 -.sp - -.LP -\fBExample 4 \fRSearching for Recently Changed Files -.sp -.LP -The following command searches for deleted files altered in the last two days. - -.sp -.in +2 -.nf -# \fBntfsundelete /dev/dsk/c0d0p1 -t 2d\fR -.fi -.in -2 -.sp - -.LP -\fBExample 5 \fRSpecifying an Inode Range -.sp -.LP -The following command undeletes inodes 2, 5 and 100 to 131 of device -\fB/dev/sda1\fR. - -.sp -.in +2 -.nf -# \fBntfsundelete /dev/sda1 -u -i 2,5,100-131\fR -.fi -.in -2 -.sp - -.LP -\fBExample 6 \fRSpecifying an Output File and Directory -.sp -.LP -The following command undeletes inode number 3689, names the file -\fBwork.doc\fR, and stores it in the user's home directory. - -.sp -.in +2 -.nf -# \fBntfsundelete /dev/dsk/c0d0p1 -u -i 3689 -o work.doc -d ~\fR -.fi -.in -2 -.sp - -.LP -\fBExample 7 \fRSaving MFT Records -.sp -.LP -The following command saves MFT records 3689 to 3690 to a file \fBdebug\fR. - -.sp -.in +2 -.nf -# \fBntfsundelete /dev/dsk/c0d0p1 -c 3689-3690 -o debug\fR -.fi -.in -2 -.sp - -.SH ATTRIBUTES -.sp -.LP -See \fBattributes\fR(5) for descriptions of the following attributes: -.sp - -.sp -.TS -box; -c | c -l | l . -ATTRIBUTE TYPE ATTRIBUTE VALUE -_ -Interface Stability Uncommitted -.TE - -.SH SEE ALSO -.sp -.LP -\fBntfsclone\fR(1M), \fBntfsresize\fR(1M), \fBparted\fR(1M), -\fBattributes\fR(5) -.sp -.LP -http://wiki.linux-ntfs.org -.SH AUTHORS -.sp -.LP -\fBntfsundelete\fR was written by Richard Russon and Holger Ohmacht, with -contributions from Anton Altaparmakov. |