Forensic: ntfsundelete

From OnnoWiki
Latest revision as of 05:16, 3 November 2023

Source: https://recoverit.wondershare.com/file-recovery/undelete-ntfs-linux.html


sudo apt install ntfs-3g           # ntfsundelete is shipped in the ntfs-3g package

sudo ntfsundelete /dev/sdb1 --scan                  # list deleted files (inode, flags, % recoverable, name)
sudo ntfsundelete /dev/sdb1 --undelete --inodes 39      # recover one inode from the scan listing
sudo ntfsundelete /dev/sdb1 --undelete --inodes 39-42   # recover a range of inodes
sudo ntfsundelete /dev/sdb1 --undelete --truncate --match '*.jpg'   # recover by name pattern; --truncate cuts the file at its recorded size
mkdir recovery
cd recovery                        # files are written to the current directory unless -d/--destination is given
sudo ntfsundelete /dev/sdb1 --undelete --truncate --match '*.jpg'
cd ..                              # back to the parent so the path below resolves
sudo chmod -Rfv a+rw recovery/     # recovered files are owned by root; make them readable for the analyst


If needed, mount the partition inside a disk image onto a folder

fdisk -lu /path/disk.img   # prints the partition table; note the Start sector of the NTFS partition
# offset= must be in bytes: Start sector multiplied by the logical sector size (usually 512)
mount -o loop,offset=xxxx /path/disk.img /mnt/disk.img.partition   # the mount point must already exist
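As an added example (not from the original page), a small POSIX sh helper that turns the Start sector shown by fdisk -lu into the byte value to pass as offset= in the mount command above. The fdisk listing embedded below is constructed, and part_offset is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not from the original page. Constructed `fdisk -lu disk.img`
# output: two NTFS partitions, the first with a boot flag ("*").
SAMPLE_FDISK='Disk disk.img: 2 GiB, 2147483648 bytes, 4194304 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x1a2b3c4d

Device      Boot   Start     End Sectors  Size Id Type
disk.img1   *       2048  206847  204800  100M  7 HPFS/NTFS/exFAT
disk.img2         206848 4194303 3987456  1.9G  7 HPFS/NTFS/exFAT'

# part_offset FDISK_OUTPUT PARTITION_NUMBER
# Prints the byte offset of that partition (Start sector * logical sector size),
# which is the value mount -o loop,offset=... expects. Returns 1 if not found.
part_offset() {
    fdisk_out=$1
    partnum=$2
    # logical sector size from the "Sector size (logical/physical)" line; default 512
    sector_size=$(printf '%s\n' "$fdisk_out" |
        sed -n 's/^Sector size (logical\/physical): \([0-9]*\) bytes.*/\1/p')
    [ -n "$sector_size" ] || sector_size=512
    # Start column of the row whose device name ends in the partition number;
    # a "*" in the Boot column shifts Start one field to the right.
    start=$(printf '%s\n' "$fdisk_out" |
        awk -v n="$partnum" '$1 ~ ("[^0-9]" n "$") {
            if ($2 == "*") print $3; else print $2; exit }')
    [ -n "$start" ] || return 1
    echo $((start * sector_size))
}

# Usage: mount -o loop,offset="$(part_offset "$(fdisk -lu /path/disk.img)" 1)" ...
```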


Look for deleted files on /dev/hda1.

ntfsundelete /dev/hda1

Look for deleted documents on /dev/hda1.

ntfsundelete /dev/hda1 -s -m '*.doc'

Look for deleted files between 5000 and 6000000 bytes, with at least 90% of the data recoverable, on /dev/hda1.

ntfsundelete /dev/hda1 -S 5k-6m -p 90

Look for deleted files altered in the last two days on /dev/hda1.

ntfsundelete /dev/hda1 -t 2d

Undelete inodes 2, 5 and 100 to 131 of device /dev/sda1.

ntfsundelete /dev/sda1 -u -i 2,5,100-131

Undelete inode number 3689, call the file 'work.doc' and put it in the user's home directory.

ntfsundelete /dev/hda1 -u -i 3689 -o work.doc -d ~

Save MFT records 3689 to 3690 to a file named 'debug'.

ntfsundelete /dev/hda1 -c 3689-3690 -o debug