A tool that can find deleted files on an NTFS disk and recover them for a user.
FileFinder simply requires Python 2.7+ to be installed. In order to read raw data from the disk, the user must have administrative access to the machine FileFinder will be run on.
Please note that FileFinder only runs on Windows. Although Linux can use NTFS formatted disks, FileFinder does not support it. Feel free to add Linux functionality with a pull request! =)
Open your favorite command line utility on Windows and navigate to the directory FileFinder is stored in. Then simply run it.
C:\User\myusername> python FileFinder.py
When prompted, enter the name of the file you wish to find (including the file extension) and wait. It should take less time to find your file than it would for you to rewrite your file (or, to put it simply, it should take a couple of seconds).
Also, it's important to note that if you're trying to recover the file and you've just downloaded FileFinder, there's a decent chance you just permanently lost your file, because anything newly written to the disk can overwrite the space the deleted file occupied. The cool thing about Python - among other things - is that it's an interpreted language. That means you can copy the code to your clipboard and paste it into your interpreter (provided you already have Python 2.7+ and an interpreter installed) and FileFinder won't be written to disk - just to RAM.
None, the code is perfect.
But in a much more real sense:
- If you're currently running any programs from the disk you lost the file on, it's likely your file is already gone. For example, when I delete a file and then try to find it while Google Chrome is running, I am unsuccessful in recovering the file. The issue appears to not occur when Chrome is closed. I have no such issues when I try to recover a file from an NTFS formatted USB flash drive.
- While it works with resident and non-resident $DATA sections, FileFinder DOES NOT WORK WITH FRAGMENTED FILES.
- Because most people delete files from the Recycle Bin and don't permanently delete them using Shift + Delete, adding support for finding files that were first moved to the Recycle Bin and then deleted would be a huge plus.
- Improve speed by checking to see if the file is marked for deletion before checking the $FILE_NAME section.
- Include a PowerShell script to download and install Python 2.7+ for the user.
- Get it to work with fragmented files.
- Test it with directories
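The speed-up item above (test the deletion mark before touching $FILE_NAME), sketched as an added example that is not FileFinder's own code. It is written for Python 3, the function names are hypothetical, and it assumes the standard NTFS MFT record layout, a record whose update-sequence fixups have already been applied, and that directories are skipped.

```python
import struct

IN_USE, IS_DIR = 0x0001, 0x0002      # MFT record header flags (offset 0x16)
FILE_NAME, END = 0x30, 0xFFFFFFFF    # attribute type codes

def deleted_file_name(record):
    """Return the $FILE_NAME of a deleted file record, else None."""
    if record[:4] != b"FILE":
        return None
    first_attr, flags = struct.unpack_from("<HH", record, 0x14)
    if flags & (IN_USE | IS_DIR):    # cheap test first: live record or directory
        return None
    off = first_attr
    while off + 8 <= len(record):    # only now walk the attribute list
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == END or alen == 0 or off + alen > len(record):
            break
        if atype == FILE_NAME and record[off + 8] == 0:   # resident attribute
            content = off + struct.unpack_from("<H", record, off + 0x14)[0]
            if content + 0x42 > off + alen:
                break                # malformed: name fields fall outside attribute
            nchars = record[content + 0x40]
            end = content + 0x42 + 2 * nchars
            if end > off + alen:
                break                # malformed: name runs past the attribute
            return record[content + 0x42:end].decode("utf-16-le")
        off += alen
    return None

def build_record(name, flags):
    """Constructed sample record: header plus one resident $FILE_NAME."""
    encoded = name.encode("utf-16-le")
    body = bytes(0x40) + bytes([len(encoded) // 2, 1]) + encoded  # namespace 1 = Win32
    body += bytes(-len(body) % 8)                                 # 8-byte alignment
    attr = struct.pack("<IIBBHHHIHBB", FILE_NAME, 0x18 + len(body),
                       0, 0, 0, 0, 0, len(body), 0x18, 1, 0) + body
    header = b"FILE" + bytes(0x10) + struct.pack("<HH", 0x38, flags) + bytes(0x20)
    return header + attr + struct.pack("<II", END, 0)

if __name__ == "__main__":
    print(deleted_file_name(build_record("notes.txt", 0)))        # deleted file
    print(deleted_file_name(build_record("notes.txt", IN_USE)))   # live file
```

A record with both a DOS short name and a Win32 long name carries two $FILE_NAME attributes; this sketch returns whichever comes first.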
HUGE shout-out to ntfs.com and this NTFS disk forensics site.
- Joncarlo Alvarado
- Thomas Daniels
- Ikaagarjot Singh