Problem :
I have a feeling the answer to this is right in front of me, but I am not seeing it. :/
I used dd to to create an image of a failing drive. Now, I would like to attempt to recover anything I can from an NTFS partition on the drive using ntfsundelete
The problem is that I don’t understand how to specify the NTFS partition(mounted or not) as input for ntfsundelete.
I have mounted the NTFS partition(specified the block offset) on a loopback, /mnt/myhdd
Any help would be appreciated.
Thanks.
Solution :
The manpage for ntfsundelete says it works on devices, not mounted filesystems. You would need unmount /mnt/myhdd and run ntfsundelete on /dev/loop0, or whichever loop device you set up.
Obviously you want -u. It might be that you need to specify -m as well in order to get anything to happen. E.g. -m <filename>. After running -s previously to look for available filenames. -m * to undelete all available files might be necessary if you have a lot, but that might be a bit painful.