Difference between revisions of "Forensic: ntfsundelete"
Jump to navigation
Jump to search
Onnowpurbo (talk | contribs) |
Onnowpurbo (talk | contribs) |
||
| Line 3: | Line 3: | ||
sudo apt install ntfs-3g | sudo apt install ntfs-3g | ||
| + | |||
| Line 14: | Line 15: | ||
sudo ntfsundelete /dev/sdb1 --undelete --truncate --match '*.jpg' | sudo ntfsundelete /dev/sdb1 --undelete --truncate --match '*.jpg' | ||
sudo chmod -Rfv a+rw recovery/ | sudo chmod -Rfv a+rw recovery/ | ||
| + | |||
| + | |||
| + | Jika dibutuhkan mount img ke folder | ||
| + | |||
| + | fdisk -lu /path/disk.img # akan dapat offset | ||
| + | mount -o loop,offset=xxxx /path/disk.img /mnt/disk.img.partition | ||
Latest revision as of 05:16, 3 November 2023
Sumber: https://recoverit.wondershare.com/file-recovery/undelete-ntfs-linux.html
sudo apt install ntfs-3g
sudo ntfsundelete /dev/sdb1 --scan sudo ntfsundelete /dev/sdb1 --undelete --inodes 39 sudo ntfsundelete /dev/sdb1 --undelete --inodes 39-42 sudo ntfsundelete /dev/sdb1 --undelete --truncate --match '*.jpg'
mkdir recovery cd recovery sudo ntfsundelete /dev/sdb1 --undelete --truncate --match '*.jpg' sudo chmod -Rfv a+rw recovery/
Jika dibutuhkan mount img ke folder
fdisk -lu /path/disk.img # akan dapat offset mount -o loop,offset=xxxx /path/disk.img /mnt/disk.img.partition
Look for deleted files on /dev/hda1.
ntfsundelete /dev/hda1
Look for deleted documents on /dev/hda1.
ntfsundelete /dev/hda1 -s -m '*.doc'
Look for deleted files between 5000 and 6000000 bytes, with at least 90% of the data recoverable, on /dev/hda1.
ntfsundelete /dev/hda1 -S 5k-6m -p 90
Look for deleted files altered in the last two days
ntfsundelete /dev/hda1 -t 2d
Undelete inodes 2, 5 and 100 to 131 of device /dev/sda1
ntfsundelete /dev/sda1 -u -i 2,5,100-131
Undelete inode number 3689, call the file 'work.doc' and put it in the user's home directory.
ntfsundelete /dev/hda1 -u -i 3689 -o work.doc -d ~
Save MFT Records 3689 to 3690 to a file 'debug'
ntfsundelete /dev/hda1 -c 3689-3690 -o debug