How does "rm" on an NTFS filesystem differ from Windows' own implementation?

Tags: filesystems, ntfs, trash

I have an external USB disk with an NTFS filesystem on it.

If I remove a file from Windows and I run one of the several "undelete" utilities (say, TestDisk) I can easily recover the file (because "it's still there but it's marked as deleted").

If I remove the file from Linux, no utility (unless I use a deep-search, signature-based one) can recover the file. Why? How is unlink implemented in Linux's NTFS filesystem code? It looks like it does not just "mark it as deleted" but wipes away some on-disk structure. Is this the case?

Best Answer

I had a look at the ntfs-3g source out of curiosity.

There seems to be a function ntfs_delete(...) defined in dir.c, which does the deleting.

It definitely removes all of the deleted file/directory's metadata from the filesystem structures.

Since the source code for Microsoft's own version is not available, I can only make an educated guess about how it performs deletion.

It seems that Microsoft only marks the MFT entry as unused, since the undelete utilities are able to recover the location and the name of the deleted file.
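To make the distinction in the answer concrete, here is an added example that is not from the original post, from ntfs-3g, or from Windows: a small parser for raw NTFS MFT FILE records that reports, per record, whether the in-use flag is set and which $FILE_NAME attributes are still present. The record and attribute layout follow the publicly documented NTFS on-disk format (update sequence fixups included), but the three 1024-byte records in `SAMPLE_IMAGE` are constructed synthetically: a live file, a record whose in-use flag was cleared with its attributes left intact (the "still there but marked as deleted" case), and a record whose attributes were stripped down to the end marker. The function names `build_record`, `parse_record`, `scan` and `recoverable_names` are mine. An undelete tool that walks the MFT can list a name only from the second kind of record; the third kind gives it nothing, which is why only signature-based carving would find such a file.

```python
# Added example: parse raw NTFS MFT FILE records and show which deleted
# records still carry a $FILE_NAME. Record layout per the public NTFS on-disk
# format; the sample image below is constructed, not taken from a real disk.
import struct
from typing import Optional

MFT_RECORD_SIZE = 1024
SECTOR_SIZE = 512
ATTR_FILE_NAME = 0x30
ATTR_END = 0xFFFFFFFF
FLAG_IN_USE = 0x0001      # MFT header flags at offset 0x16
FLAG_DIRECTORY = 0x0002


def apply_fixups(record: bytes) -> bytes:
    """Undo the update sequence array: the last two bytes of every sector hold
    the USN on disk and the original bytes live in the USA. A mismatch means a
    torn or bogus record, so refuse to parse it."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_off:usa_off + 2]
    buf = bytearray(record)
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        if buf[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}")
        buf[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def parse_record(record: bytes) -> dict:
    """Return the in-use/directory flags and every resident $FILE_NAME name."""
    if record[:4] != b"FILE":
        return {"valid": False, "in_use": False, "directory": False, "names": []}
    rec = apply_fixups(record)
    first_attr, flags, used = struct.unpack_from("<HHI", rec, 0x14)
    names = []
    off = first_attr
    while off + 8 <= used:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        non_resident = rec[off + 8]
        if atype == ATTR_FILE_NAME and not non_resident:
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            nlen = body[0x40]                      # name length in UTF-16 chars
            names.append(body[0x42:0x42 + 2 * nlen].decode("utf-16-le"))
        off += alen
    return {"valid": True, "in_use": bool(flags & FLAG_IN_USE),
            "directory": bool(flags & FLAG_DIRECTORY), "names": names}


def scan(image: bytes) -> list:
    """Parse every MFT_RECORD_SIZE-byte slot of a raw MFT image."""
    return [parse_record(image[o:o + MFT_RECORD_SIZE])
            for o in range(0, len(image), MFT_RECORD_SIZE)]


def recoverable_names(image: bytes) -> list:
    """What an MFT-walking undelete tool can list: names in records that are
    not in use but still have a $FILE_NAME attribute."""
    return [n for r in scan(image) if r["valid"] and not r["in_use"]
            for n in r["names"]]


def build_record(in_use: bool, name: Optional[str]) -> bytes:
    """Construct a synthetic MFT record (constructed sample data). name=None
    leaves only the end marker, i.e. the attributes have been removed."""
    attrs = b""
    if name is not None:
        encoded = name.encode("utf-16-le")
        body = bytearray(0x42 + len(encoded))     # timestamps/sizes left zero
        struct.pack_into("<Q", body, 0, 5)          # parent = root dir (MFT #5)
        body[0x40] = len(name)
        body[0x41] = 1                              # Win32 namespace
        body[0x42:] = encoded
        attr_len = (0x18 + len(body) + 7) & ~7      # 8-byte aligned
        hdr = struct.pack("<IIBBHHHIHBB", ATTR_FILE_NAME, attr_len, 0, 0, 0x18,
                          0, 0, len(body), 0x18, 1, 0)
        attrs += hdr + bytes(body) + b"\0" * (attr_len - 0x18 - len(body))
    attrs += struct.pack("<I", ATTR_END) + b"\0" * 4
    rec = bytearray(MFT_RECORD_SIZE)
    first_attr = 0x38
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)        # USA at 0x30: USN + 2 entries
    struct.pack_into("<HHHHII", rec, 0x10, 1, 1, first_attr,
                     FLAG_IN_USE if in_use else 0, first_attr + len(attrs),
                     MFT_RECORD_SIZE)
    rec[first_attr:first_attr + len(attrs)] = attrs
    usn = b"\x01\x00"                               # write fixups like the driver
    rec[0x30:0x32] = usn
    rec[0x32:0x34], rec[0x34:0x36] = rec[510:512], rec[1022:1024]
    rec[510:512], rec[1022:1024] = usn, usn
    return bytes(rec)


SAMPLE_IMAGE = (
    build_record(True, "keep.txt")       # live file
    + build_record(False, "deleted.txt") # flag cleared, $FILE_NAME intact
    + build_record(False, None)          # flag cleared, attributes removed
)

if __name__ == "__main__":
    for i, r in enumerate(scan(SAMPLE_IMAGE)):
        print(i, r)
    print("recoverable by MFT walk:", recoverable_names(SAMPLE_IMAGE))
```

Run against a real volume the same way you would point TestDisk at it: read the $MFT run (for example `dd` the device into a file and locate the `FILE` signatures) and feed the 1024-byte records to `scan`; records whose `in_use` is false but whose `names` list is non-empty are what a metadata-based undelete can show you, and a record with an empty `names` list is only reachable by content carving.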
