Undeleting files on an NTFS volume is not as simple as flipping one bit.
It is true that the difference between a deleted and non-deleted file is just one
bit in the MFT, but one needs also to recover the file's contents, which are stored as streams,
as well as re-flag the deleted sectors as used in the $Bitmap pseudo-file, which contains
one bit per sector; each bit indicates whether its corresponding cluster is used (allocated)
or free (available for allocation).
The complexity of the job is such that all recovery tools prefer not to write to the
damaged volume. For example, marking a sector in $Bitmap as used may cause cross-chaining
if that sector was already used by another file.
This article demonstrated the problem very well with hex dumps:
Windows ‘File Recovery’ series : Part 5 Manually Recover a Deleted File From an NTFS File System.
Another article even contains the source code of a program that could be modified
to unflip the "deleted" bit:
Undelete a file in NTFS.
There are quite a few NTFS disk editors that can edit the MFT to flip that bit.
Some that I found via Google (but luckily never needed to use) are:
WinHex
NTFS Data Recovery Toolkit
DMDE
Freeware Active Disk Editor
A possible solution which might even work would be to undo the deleted bit in the MFT,
then use the chkdsk utility to try to recover the contents.
This utility can recover the sectors-chains of files whose sectors were wrongly marked as
available for reallocation and will fix up $Bitmap.
However, there is always the chance that this procedure may destroy your disk.
This is why you and all the commentators above (including myself) have not found any product that does in-place recovery. The possibilities for screwing up your disk are simply
too many for anybody who is not a Microsoft employee working on NTFS.
My best recommendation for you is to get a second hard disk and recover the files on it.
I believe you have found out that one backup disk is not enough.
I have already had several cases of friends asking me to recover their only backup,
and I always counsel them (sometimes too late) to have two backup disks.
In addition, at least one of the two backup disks should be disconnected from the computer.
I advise this after hearing of a case where a computer has fried itself and every
connected USB device, leaving the owner with no data and no backup in one hit.
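
Added example, not part of the original answer and not code from any of the tools it names: a read-only Python check of what has to agree before the in-use flag could be set again, namely the record's flag word, the cluster runs of its $DATA attribute, and the matching $Bitmap bits (one per cluster). The names `decode_runs`, `assess` and `sample` are hypothetical, the record and bitmap are constructed, and it assumes both were read from an image copy with update-sequence fixups already applied.

```python
import struct

def decode_runs(buf):
    """Decode an NTFS data-run list into (first_lcn, cluster_count) extents."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos]:
        len_sz, off_sz = buf[pos] & 0x0F, buf[pos] >> 4
        count = int.from_bytes(buf[pos + 1:pos + 1 + len_sz], "little")
        if off_sz:  # signed offset, relative to the previous run's first LCN
            lcn += int.from_bytes(buf[pos + 1 + len_sz:pos + 1 + len_sz + off_sz],
                                  "little", signed=True)
            runs.append((lcn, count))  # off_sz == 0 would be a sparse run
        pos += 1 + len_sz + off_sz
    return runs

def assess(record, bitmap):
    """Read-only check of one MFT record against a copy of $Bitmap."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    pos, flags = struct.unpack_from("<HH", record, 0x14)
    runs = []
    while pos + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, pos)
        if atype == 0xFFFFFFFF or alen == 0:
            break
        # unnamed, non-resident $DATA: run list offset is stored at +0x20
        if atype == 0x80 and record[pos + 8] == 1 and record[pos + 9] == 0:
            run_off = struct.unpack_from("<H", record, pos + 0x20)[0]
            runs = decode_runs(record[pos + run_off:pos + alen])
        pos += alen
    clusters = [c for lcn, n in runs for c in range(lcn, lcn + n)]
    # a set bit means the cluster is allocated, i.e. another file may own it now
    taken = [c for c in clusters if bitmap[c // 8] >> (c % 8) & 1]
    return {"in_use": bool(flags & 0x0001), "runs": runs, "reallocated": taken}

def sample():
    """Constructed input: deleted record with extents at LCN 100 (4) and 90 (2)."""
    attr = struct.pack("<IIBBHHHQQH", 0x80, 0x48, 1, 0, 0x40, 0, 0, 0, 5, 0x40)
    attr = attr.ljust(0x40, b"\0") + bytes.fromhex("110464 1102f6 00").ljust(8, b"\0")
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 0x14, 0x38, 0x0000)  # flags 0 = not in use
    rec[0x38:0x38 + len(attr)] = attr
    struct.pack_into("<I", rec, 0x38 + len(attr), 0xFFFFFFFF)
    bitmap = bytearray(16)                 # 128 clusters, all free ...
    bitmap[101 // 8] |= 1 << (101 % 8)     # ... except 101, reused since deletion
    return bytes(rec), bytes(bitmap)

if __name__ == "__main__":
    print(assess(*sample()))
```

A non-empty `reallocated` list is the cross-chaining case: those clusters now belong to another file, so the record's contents can only be partially copied out and its flag must not be set back in place.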
Actually, in the old DOS days, undelete and unerase did exactly that, but Windows programs tend to copy files. I don’t think that I’ve seen any that literally un-delete files.
"I didn't write any byte to the drive after that incident, so my data is guaranteed to be there." Maybe, but that doesn’t mean that they are recoverable; any files that are fragmented will probably only let you get the first chunk of the file back. – Synetech – 2014-01-04T15:06:29.350
AFAIK, normally the entry for the folder / file is removed from MFT when you delete a file. It may not be as simple as turning a bit on or off. – Ganesh R. – 2014-01-04T15:20:49.093
@GaneshR. That's what I want to do, I want to re-add the entry in the MFT, isn't this possible? The data is already there in the hard drive, it only needs to be registered in the filesystem. – Elmo – 2014-01-04T15:22:29.840
Recuva shows me the file name and the folder in which the file was situated. – Elmo – 2014-01-04T15:24:40.867
@Don'tForgettoUpvote Just a recommendation, if you can recover the files using a file recovery tool, start doing that. Your approach is interesting but I would personally retrieve the files first and then experiment :) – Ganesh R. – 2014-01-04T15:25:26.987
@GaneshR. Actually, that was my backup drive and I don't have any extra free drives lying around. – Elmo – 2014-01-04T15:26:26.410
@Don'tForgettoUpvote See http://www.ntfs.com/recovery-toolkit.htm#diskscan – Ganesh R. – 2014-01-04T15:31:04.447
@GaneshR. Did you see this? "The most important information for us in this block is a file state: deleted or in-use. If Flags(in red color) field has bit 1 set, it means that file is in-use. In our example it is zero, i.e. file is deleted."
Does that mean that changing a bit can undelete any file? – Elmo – 2014-01-04T16:13:35.713
@Don'tForgettoUpvote Maybe. But are you going to do this for all files manually? Also direct NTFS metadata editing is risky. Hence I would suggest somehow back up the deleted data and then go experiment. Also I tried their metadata tool and I could not make any sense of it. Maybe it's too complicated for me – Ganesh R. – 2014-01-04T17:31:51.727
@GaneshR. I have a backup of the data, and obviously I won't do that manually, just wish there was a simple tool for this purpose. – Elmo – 2014-01-04T17:47:17.587
Data Recovery Tips & Solutions: Windows, Linux, and BSD: http://www.amazon.com/Data-Recovery-Tips-Solutions-Windows/dp/8183331971/ref=sr_1_5/190-4250863-2306501?s=books&ie=UTF8&qid=1388857995&sr=1-5 – STTR – 2014-01-04T17:54:01.353
You could try requesting the devs of some data-recovery tools add this option. Here’s the feedback forums for a couple of the most popular: Recuva, Photorec – Synetech – 2014-04-20T14:57:18.213
You could always try doing it manually if there’s only a few files, but I certainly wouldn’t recommend it. After several minutes of research and checking, I managed to mark a file as not-deleted in the $MFT, but the problem is that is not enough, you also have to mark the used clusters as in-use in the $BITMAP file which proved too difficult and too much work to find and do. – Synetech – 2014-04-20T23:26:22.023