nneonneo / ntfsrecover Goto Github PK

NTFS data-recovery program written in Python

Python 100.00%

ntfsrecover's Introduction

Introduction

Dead-simple (and somewhat stupid) NTFS data-recovery program. Works with Python 2.7 or Python 3.x, no dependencies. It can be used to recover deleted files or files off of damaged drives, although recovery quality will depend on how badly the file data has been damaged or overwritten.

Warning: to avoid data loss, please use this on a clean clone of the disk (e.g. by using ddrescue), rather than on the original disk. This program will read large swaths of the disk (specifically the entire Master File Table), which may stress an already damaged disk. Making a clean copy ensures that you can rerun the program as many times as you want without further data loss.

Motivation

A friend recently had an NTFS drive crash on him, and I happened to have learned about NTFS literally the day before (thanks MMA/TWCTF 2016!). So I put that to good use by writing this NTFS data recovery tool.

Disk paths

You may specify a path to a partition image file (previously created using e.g. ddrescue), or a raw disk path to read directly from the physical disk. Note that the latter should be used with extreme caution if the disk has failed, as it may stress an already-damaged disk to the point of failure.

Specifying disk paths is OS-specific:

Windows

On Windows disk paths should be specified using the device path:

\\.\Harddisk*Partition*

For example, \\.\Harddisk0Partition1 for the first partition on the first drive (note that Harddisk is 0-indexed while Partition is 1-indexed).

The program diskpart may be used to view the disk and partition numbers - use list disk, followed by select disk N, followed by list partition.

Linux

On Linux, disk paths should be specified using /dev paths, which depends on the device type. fdisk -l, parted -l or lsblk can show you which device path to use.

macOS

On macOS, disk paths should be specified using /dev/diskNsM paths. diskutil list will show you all partitions and their corresponding disk paths.

Usage

First, make a backup of your MFT:

python ntfsrecover.py /dev/diskX --save-mft mft

This will also print out the full paths to every single file on your disk. (This will be verbose as hell, but it's very useful!). Next, you can use --pattern in conjunction with --mft to selectively recover files. (--mft saves the program from having to read the MFT again; only file data will need to be read).

python ntfsrecover.py /dev/diskX --mft mft --pattern "*.jpg" --outdir recovered

You can specify --pattern multiple times to recover multiple different kinds of files in one run. It will match either the full path or the filename; thus, you can do things like --pattern "*/My Documents/*".

ntfsrecover's People

Contributors

Stargazers

Watchers

ntfsrecover's Issues

Deep Scan Bitlocker formatted

I did tested this tool but nothing found by this. My formatted hard is BitLocker and i just want to recover a file as VeraCrypt Type . I did saved the mft format and used that command for recovery , but nothing found and i think this script haven't Deep Scan. is there anyway other to do this?
thanks

Files are showing while running the save-mft(Verbose) command but not showing in the recovered folder when running the --pattern command.

PLEASE HELP

So what do I type for my partition?

python ntfsrecover.py /dev/diskX --save-mft mft

How do I know which disk it is? I'm hoping the disk doesn't mean physical disk because it's like the 10th partition on the second disk.

FAT32

Is there a way to recover fat32 data by modifying some of the code? Trying to make it run for fat32 but am not successful.

Can you please help?

A problem about file recovery

When I try to use '--save-mft' option to save a mft file, it will generate some weird file path such as '...path/qt.dll/a.png' and qt.dll is not a directory but a file. Then I tried to recover the odd file '...path/qt.dll/a.png' to figure out what is the problem, then it throws out an exception

PS C:\Users\hejun\Desktop\ntfsrecover-master\ntfsrecover-master> python.exe .\ntfsrecover.py \\.\Harddisk0Partition4 --mft mft --pattern "EVMVConvert/Qt5Gui.dll/home.png" --outdir D:\\ Reading MFT Parsing MFT: Done! Recovering EVMVConvert/Qt5Gui.dll/home.png defaultdict(<class 'dict'>, {'STANDARD_INFORMATION': {None: <function parse_attr.<locals>.<lambda> at 0x000001D2B20B9400>}, 'DATA': {None: <function parse_attr.<locals>.<lambda> at 0x000001D2B20B9510>}, 'FILE_NAME': {None: <function parse_attr.<locals>.<lambda> at 0x000001D2B20B9488>}}) failed!

I have an issue with the mac recovery, throws an error while running the --save-mft command that the disk is not an NTFS but the diskutil shows that the disk is NTFS!

Please HELP
Am using the same pendrive which i used in the windows laptop!

$MFT truncated saving MFT

OS: Windows 10
Disk: 0 Partition 1

python ntfsrecovery.py \\.\Harddisk0Partition1 --save-mft mft

Reading MFT
Loading MBR from cluster 46848
WARNING: Failed to load $MFT ($MFT truncated), proceeding with partial MFT.
Parsing MFT: Done!
$MFT
$MFTMirr
$LogFile
$Volume
$AttrDef

$Bitmap
$Boot
$BadClus
$Secure
$UpCase
$Extend
$Extend/$Quota
$Extend/$ObjId
$Extend/$Reparse
$Extend/$RmMetadata
$Extend/$RmMetadata/$Repair
$Extend/$Deleted
$Extend/$RmMetadata/$TxfLog
$Extend/$RmMetadata/$Txf
$Extend/$RmMetadata/$TxfLog/$Tops
$Extend/$RmMetadata/$TxfLog/$TxfLog.blf
$Extend/$RmMetadata/$TxfLog/$TxfLogContainer00000000000000000001
$Extend/$RmMetadata/$TxfLog/$TxfLogContainer00000000000000000002
Boot
Boot/bg-BG
Boot/bg-BG/bootmgr.exe.mui
Boot/BOOTSTAT.DAT
Boot/BCD
Boot/bootuwf.dll
Boot/bootvhd.dll
Boot/cs-CZ
Boot/cs-CZ/bootmgr.exe.mui
Boot/cs-CZ/memtest.exe.mui
Boot/da-DK
Boot/da-DK/bootmgr.exe.mui
Boot/da-DK/memtest.exe.mui
Boot/de-DE
Boot/de-DE/bootmgr.exe.mui
Boot/de-DE/memtest.exe.mui
Boot/el-GR
Boot/el-GR/bootmgr.exe.mui
Boot/el-GR/memtest.exe.mui
Boot/en-GB
Boot/en-GB/bootmgr.exe.mui
Boot/en-US
Boot/en-US/bootmgr.exe.mui
Boot/en-US/memtest.exe.mui
Boot/es-ES
Boot/es-ES/bootmgr.exe.mui
Boot/es-ES/memtest.exe.mui
Boot/es-MX
Boot/es-MX/bootmgr.exe.mui
Boot/et-EE
Boot/et-EE/bootmgr.exe.mui
Boot/fi-FI
Boot/fi-FI/bootmgr.exe.mui
Boot/fi-FI/memtest.exe.mui
Boot/fr-CA
Boot/fr-CA/bootmgr.exe.mui
Boot/fr-FR
Boot/fr-FR/bootmgr.exe.mui
Boot/fr-FR/memtest.exe.mui
Boot/hr-HR
Boot/hr-HR/bootmgr.exe.mui
Boot/hu-HU
Boot/hu-HU/bootmgr.exe.mui
Boot/hu-HU/memtest.exe.mui
Boot/it-IT
Boot/it-IT/bootmgr.exe.mui
Boot/it-IT/memtest.exe.mui
Boot/ja-JP
Boot/ja-JP/bootmgr.exe.mui
Boot/ja-JP/memtest.exe.mui
Boot/ko-KR
Boot/ko-KR/bootmgr.exe.mui
Boot/ko-KR/memtest.exe.mui
Boot/lt-LT
Boot/lt-LT/bootmgr.exe.mui
Boot/lv-LV
Boot/lv-LV/bootmgr.exe.mui
Boot/memtest.exe
Boot/nb-NO
Boot/nb-NO/bootmgr.exe.mui
Boot/nb-NO/memtest.exe.mui
Boot/nl-NL
Boot/nl-NL/bootmgr.exe.mui
Boot/nl-NL/memtest.exe.mui
Boot/pl-PL
Boot/pl-PL/bootmgr.exe.mui
Boot/pl-PL/memtest.exe.mui
Boot/pt-BR
Boot/pt-BR/bootmgr.exe.mui
Boot/pt-BR/memtest.exe.mui
Boot/pt-PT
Boot/pt-PT/bootmgr.exe.mui
Boot/pt-PT/memtest.exe.mui
Boot/qps-ploc
Boot/qps-ploc/bootmgr.exe.mui
Boot/qps-ploc/memtest.exe.mui
Boot/qps-plocm
Boot/qps-plocm/bootmgr.exe.mui
Boot/ro-RO
Boot/ro-RO/bootmgr.exe.mui
Boot/ru-RU
Boot/ru-RU/bootmgr.exe.mui
Boot/ru-RU/memtest.exe.mui
Boot/sk-SK
Boot/sk-SK/bootmgr.exe.mui
Boot/sl-SI
Boot/sl-SI/bootmgr.exe.mui
Boot/sr-Latn-RS
Boot/sr-Latn-RS/bootmgr.exe.mui
Boot/sv-SE
Boot/sv-SE/bootmgr.exe.mui
Boot/sv-SE/memtest.exe.mui
Boot/tr-TR
Boot/tr-TR/bootmgr.exe.mui
Boot/tr-TR/memtest.exe.mui
Boot/uk-UA
Boot/uk-UA/bootmgr.exe.mui
Boot/zh-CN
Boot/zh-CN/bootmgr.exe.mui
Boot/zh-CN/memtest.exe.mui
Boot/zh-TW
Boot/zh-TW/bootmgr.exe.mui
Boot/zh-TW/memtest.exe.mui
bootmgr
Boot/Fonts
Boot/Fonts/chs_boot.ttf
Boot/Fonts/cht_boot.ttf
Boot/Fonts/jpn_boot.ttf
Boot/Fonts/kor_boot.ttf
Boot/Fonts/malgunn_boot.ttf
Boot/Fonts/malgun_boot.ttf
Boot/Fonts/meiryon_boot.ttf
Boot/Fonts/meiryo_boot.ttf
Boot/Fonts/msjhn_boot.ttf
Boot/Fonts/msjh_boot.ttf
Boot/Fonts/msyhn_boot.ttf
Boot/Fonts/msyh_boot.ttf
Boot/Fonts/segmono_boot.ttf
Boot/Fonts/segoen_slboot.ttf
Boot/Fonts/segoe_slboot.ttf
Boot/Fonts/wgl4_boot.ttf
Boot/Resources
Boot/Resources/bootres.dll
Boot/Resources/en-US
Boot/Resources/en-US/bootres.dll.mui
BOOTNXT
Boot/BCD.LOG
Boot/BCD.LOG1
Boot/BCD.LOG2
BOOTSECT.BAK
System Volume Information
System Volume Information/tracking.log
Recovery
Recovery/Logs
Recovery/WindowsRE
Recovery/WindowsRE/Winre.wim
Recovery/WindowsRE/boot.sdi
Recovery/WindowsRE/ReAgent.xml
Boot/bootmgr
Boot/bootnxt

No files are got in the mft copy and obviously nothing is recovered.
This happens in ALL my PCs / Disks
Any idea?

not a iisue but a comment

Could you possibly write testcase for the script.