What does altering a file/directory mean


From man ntfsundelete

Look for deleted files altered in the last two days

ntfsundelete /dev/hda1 -t 2d

I wonder what altering files/directories means?

  1. Does deleting some files/directories count as altering them?

    For example,
    if I created a file more than two days ago, and didn't change it
    until yesterday when I deleted it, will the command be able to recover
    it?

  2. Does moving some files/directories from being under a directory to being under another directory
    count as altering them, even when the files/directories being moved
    have not been changed themselves?

I am hoping to find a way to specify and undelete the directories (with files inside) that I deleted at once last time.

Thanks!

Best Answer

I'll try to answer your questions in a different order. What does altering a file mean?

Altering means whenever you modify and update the content of the file (modify in Linux). If we look at the ntfsundelete source code we can clearly see what the authors have marked as altered:

ntfsundelete.h line 72:

time_t         date_a;    /*  altered */

ntfsundelete.c line 1002, 1045:

name->date_a     = ntfs2timespec(attr->last_data_change_time).tv_sec;

last_data_change_time is also explained in linux/fs/ntfs/inode.c line 674:

      /*
      * mtime is the last change of the data within the file. Not changed
      * when only metadata is changed, e.g. a rename doesn't affect mtime.
      */
      vi->i_mtime = ntfs2utc(si->last_data_change_time);

Question nr. 2:

List of actions that change a directory modification time:

Linux

Windows

Question nr.1:

No, deleting a file does not count as altering it. So if you created a file more than two days ago and didn't change it until yesterday when you deleted it the command won't be able to recover it.

Here is a test on my NTFS partition. I had three .jpg files with mtime as follows:

  • brr.jpg 2012-05-21
  • IMG_2001.JPG 2012-05-21
  • s640x480.jpg 2011-03-18

I modified IMG_2001.JPG with MSPaint and saved it so modification time changed to today: 2012-08-26. I then deleted (SHIFT+DELETE) all three files and rebooted in Linux.

Running ntfsundelete without --time switch (altered time not taken into account) prints out a long list of files starting with the above three files:

ntfsundelete /dev/sda1 -m '*.jpg'

Inode    Flags  %age  Date           Size  Filename
---------------------------------------------------------------
72801    FN..   100%  2012-05-21   1055334  brr.JPG
72822    FN..   100%  2012-08-26   1034072  IMG_2001.JPG
72826    FN..   100%  2011-03-18     52333  s640x480.jpg
.....    ....   ....  ..........   .......  ............

Files with potentially recoverable content: 1631

Running ntfsundelete with --time 1d switch (so for files altered in the last 1 day) prints out only one file, namely the one I have just modified before deleting all three of them:

ntfsundelete /dev/sda1 -m '*.jpg' -t 1d

Inode    Flags  %age  Date           Size  Filename
---------------------------------------------------------------
72822    FN..   100%  2012-08-26   1034072  IMG_2001.JPG

Files with potentially recoverable content: 1
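
The behaviour described in the answer above, as an added example (not part of the answer and not ntfsundelete's own code): it converts NTFS 100 ns timestamps to Unix seconds and applies an age cutoff to `last_data_change_time` only, so a recent metadata change does not make a file count as altered. The records, the `last_mft_change_time` values, the times of day, and the helper names are constructed for illustration from the dates in the answer's test.

```python
from datetime import datetime, timedelta, timezone

# Seconds between the NTFS epoch (1601-01-01 UTC) and the Unix epoch (1970-01-01 UTC).
NTFS_EPOCH_OFFSET = 11_644_473_600
TICKS_PER_SECOND = 10_000_000  # NTFS stores time as 100 ns ticks


def ntfs_to_unix(ticks):
    """Convert an NTFS timestamp to whole Unix seconds."""
    return ticks // TICKS_PER_SECOND - NTFS_EPOCH_OFFSET


def to_ntfs(year, month, day, hour=12):
    """Build an NTFS timestamp for a UTC date (helper for the sample data)."""
    dt = datetime(year, month, day, hour, tzinfo=timezone.utc)
    return (int(dt.timestamp()) + NTFS_EPOCH_OFFSET) * TICKS_PER_SECOND


# Constructed sample records. Every file has a recent metadata change
# (last_mft_change_time), but only IMG_2001.JPG has recent *data* change.
RECORDS = [
    {"name": "brr.JPG",
     "last_data_change_time": to_ntfs(2012, 5, 21),
     "last_mft_change_time": to_ntfs(2012, 8, 26)},
    {"name": "IMG_2001.JPG",
     "last_data_change_time": to_ntfs(2012, 8, 26),
     "last_mft_change_time": to_ntfs(2012, 8, 26)},
    {"name": "s640x480.jpg",
     "last_data_change_time": to_ntfs(2011, 3, 18),
     "last_mft_change_time": to_ntfs(2012, 8, 26)},
]

NOW = datetime(2012, 8, 26, 20, tzinfo=timezone.utc)  # constructed "current time"


def altered_since(records, now, max_age):
    """Names of records whose data changed within max_age of now.

    Only last_data_change_time is consulted, as the answer describes;
    last_mft_change_time is deliberately ignored.
    """
    cutoff = int((now - max_age).timestamp())
    return [r["name"] for r in records
            if ntfs_to_unix(r["last_data_change_time"]) > cutoff]


if __name__ == "__main__":
    print("1 day:   ", altered_since(RECORDS, NOW, timedelta(days=1)))
    print("100 days:", altered_since(RECORDS, NOW, timedelta(days=100)))
```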