Mark Deleted Files as Undeleted

The capacity of my hard drive is 500 GiB. 150 GB of data got deleted accidentally. I didn't write any byte to the drive after that incident, so my data is guaranteed to be there. I have tried apps like Recuva; all apps show that the data is there and allow me to save the data in a different location, but the problem is I don't want to do that.

I just want the files to be marked as not deleted again in the MFT. Is there any app available for this purpose? I searched a lot but didn't find anything. Is it possible to unmark files as deleted in the MFT, or am I missing something? I could write an app for this if I knew how to do it manually.


Solution 1:

Undeleting files on an NTFS volume is not as simple as flipping one bit. It is true that the difference between a deleted and non-deleted file is just one bit in the MFT, but one also needs to recover the file's contents, which are stored as streams, as well as re-flag the deleted sectors as used in the $Bitmap pseudo-file, which contains one bit per sector; each bit indicates whether its corresponding cluster is used (allocated) or free (available for allocation).

The complexity of the job is such that all recovery tools prefer not to write to the damaged volume. For example, marking a sector in $Bitmap as used may cause cross-chaining if that sector was already used by another file.

This article demonstrated the problem very well with hex dumps:
Windows ‘File Recovery’ series : Part 5 Manually Recover a Deleted File From an NTFS File System.

Another article even contains the source code of a program that could be modified to unflip the "deleted" bit: Undelete a file in NTFS.

There are quite a few NTFS disk editors that can edit the MFT to flip that bit. Some that I found via Google (but luckily never needed to use) are:
WinHex
NTFS Data Recovery Toolkit
DMDE
Freeware Active Disk Editor

A possible solution which might even work would be to undo the deleted bit in the MFT, then use the chkdsk utility to try to recover the contents. This utility can recover the sectors-chains of files whose sectors were wrongly marked as available for reallocation and will fix up $Bitmap.

However, there is always the chance that this procedure may destroy your disk.

This is why you and all the commentators above (including myself) have not found any product that does in-place recovery. The possibilities for screwing up your disk are simply too many for anybody who is not a Microsoft employee working on NTFS.

My best recommendation for you is to get a second hard disk and recover the files on it. I believe you have found out that one backup disk is not enough. I have already had several cases of friends asking me to recover their only backup, and I always counsel them (sometimes too late) to have two backup disks.

In addition, at least one of the two backup disks should be disconnected from the computer. I advise this after hearing of a case where a computer has fried itself and every connected USB device, leaving the owner with no data and no backup in one hit.

Solution 2:

Like I said yesterday, you could always try doing it manually with a hex/disk-editor if there’s only a few files to recover, but I certainly wouldn’t recommend it.

After several minutes of research and testing, I eventually managed to mark a file as not-deleted in the $MFT, but the problem is that this is not enough; you also have to mark the clusters it uses as in-use in the $BITMAP. This task proved too difficult and too much work to find and do, so I eventually gave up. I considered running chkdsk /f to see if it would detect the discrepancy and mark the clusters correctly, but that felt too risky to do because the NTFS partition I tested on had a few other files I did not want to lose.

(Also, note that while unlike FAT*, NTFS stores the cluster chain for a file in the $MFT, that does not guarantee that you will have access to the whole cluster chain at the time of recovery, so a fragmented file could end up being unrecoverable. Even if you didn’t write anything to the drive after the accidental erasure, it doesn’t mean that Windows didn’t. For example, it may have written to \System Volume Information, especially if the Shadow Copy/Previous Versions service is running.)

Obviously manual recovery isn’t really a solution, nor an answer to your question, which is why I had posted it only as a comment. Sadly, all the searching I have done has come up empty and the short answer to your question is: no, there are no public programs that can simply mark a file as not-deleted on an NTFS volume.

(There are—expensive—forensic programs that can do fancy things with drives and recover files and present raw data through a filter to show structures and such, but even those aren’t going to be of help because they specifically make a point of not modifying the original drive.)
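
Both answers turn on the same two checks: the in-use flag in the file's MFT record, and whether the clusters in its run list are still free in $Bitmap. The following read-only sketch is an added example, not code from either answer or from the linked articles. It assumes the standard NTFS on-disk layout (flags word at offset 0x16 of the FILE record, bit 0x0001 = in use, one $Bitmap bit per cluster, least significant bit first), skips update-sequence fixups, and runs on a constructed record; the names `data_runs`, `assess` and `sample_record` are hypothetical.

```python
import struct

IN_USE = 0x0001           # FILE record flag bit: set = allocated, clear = deleted
DATA, END = 0x80, 0xFFFFFFFF

def data_runs(rec):
    """Yield (start_lcn, length) for the non-resident unnamed $DATA attribute."""
    off = struct.unpack_from("<H", rec, 0x14)[0]       # offset of first attribute
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END or alen == 0:
            return
        if atype == DATA and rec[off + 8] == 1 and rec[off + 9] == 0:
            p = off + struct.unpack_from("<H", rec, off + 0x20)[0]
            lcn = 0
            while rec[p]:                              # 0x00 terminates the run list
                nlen, noff = rec[p] & 0x0F, rec[p] >> 4
                length = int.from_bytes(rec[p + 1:p + 1 + nlen], "little")
                delta = int.from_bytes(rec[p + 1 + nlen:p + 1 + nlen + noff],
                                       "little", signed=True)
                p += 1 + nlen + noff
                if noff:                               # noff == 0: sparse run, no clusters
                    lcn += delta                       # offsets are relative to previous run
                    yield lcn, length
        off += alen

def assess(rec, bitmap):
    """Report deleted state and clusters that $Bitmap already shows as allocated."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    flags = struct.unpack_from("<H", rec, 0x16)[0]
    reused = [c for start, n in data_runs(rec) for c in range(start, start + n)
              if bitmap[c // 8] >> (c % 8) & 1]
    return {"deleted": not flags & IN_USE, "reused_clusters": reused}

def sample_record():
    """Constructed 1024-byte record: deleted file, runs at LCN 16 (x4) and LCN 12 (x2)."""
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 0x14, 0x38, 0x0000)   # first attribute at 0x38, flags = 0
    runs = bytes([0x11, 4, 16, 0x11, 2, 0xFC, 0x00])   # second run offset is -4
    struct.pack_into("<IIBBH", rec, 0x38, DATA, 0x48, 1, 0, 0)
    struct.pack_into("<H", rec, 0x38 + 0x20, 0x40)     # run list offset inside attribute
    rec[0x38 + 0x40:0x38 + 0x40 + len(runs)] = runs
    struct.pack_into("<I", rec, 0x38 + 0x48, END)
    return bytes(rec)
```

A non-empty `reused_clusters` list is the cross-chaining case described in Solution 1: the record still points at clusters that now belong to something else, so setting the in-use bit in place would corrupt the volume.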