Created
January 11, 2016 08:39
-
-
Save langri-sha/a16de0399998fd7eda41 to your computer and use it in GitHub Desktop.
NTFS undelete session highlights
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # List deleted files from the MFT, sort by date | |
| sudo ntfsundelete /dev/sdb1 | sort -n -r -k4 | \ | |
| # Construct commands to undelete each INODE to ~${date}/${inode}-{filename} | |
| awk '{print "sudo ntfsundelete -u /dev/sdb1 -i " $1 " -o \"/run/media/fdupanovic/WD/" $4 "/" $1 "-" $7 "\"";}' | \ | |
| # Truncate day from dates | |
| sed -r "s/-[0-9]+//2" | \ | |
| # Split into files with 2048 commands each to avoid memory segmentation errors | |
| split -l 2048 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment