0

An employee accidentally deleted a folder from our fileserver. Is there a way to restore this folder without having to restore our backup? (As this would undo a lot of work in other users' folders.) Shadow copies aren't enabled so that isn't a solution.

Also, what could we do to prevent this problem in the future? Can we enable some kind of recycle bin on the server to which files are (temporarily) moved when deleted?

Teebs
  • Why can't you just restore only the files you need? – Sven Oct 07 '15 at 08:36
  • To be completely honest, because I can't. Our IT manager is very reticent in giving us admin passwords. So all this kind of stuff goes through him. But since he's just responsible for IT, but it isn't his work area (he's actually in sales) he usually forwards this kind of work to our external IT guy, who comes by every three weeks. – Teebs Oct 07 '15 at 08:41
  • For the future make sure shadow copies/previous versions are enabled. This would allow you to simply right click the folder and revert the file/folder to an earlier point in time. I know you said it isn't at the moment but it is a very simple solution for this – Drifter104 Oct 07 '15 at 09:08
  • @Drifter104: How much space would that take? Is it a complete copy of all data and double the storage space taken? – Teebs Oct 07 '15 at 09:40
  • No it doesn't work that way, it would depend on changes made and reserved space. Think of the requirements for storage being more like incremental backups. That said the more space you reserve the more changes you can keep. – Drifter104 Oct 07 '15 at 16:29

1 Answer

0

NTFS does not immediately delete the contents of files, nor does it delete the file name. The MFT entries may still be there, just marked as deleted. Therefore it can be possible to restore files by removing the "deleted" flag.

However, please note that the more changes are made to the disk, the less likely the recovery will be. Also, there is no guarantee that the file contents have not been modified in the meantime. There may have been a different file temporarily, overwriting part of your data. Therefore it is highly recommended to perform an integrity check of the recovered data. In many cases, this is not possible (e.g. text files which have no sort of checksum).

In practice, I have successfully used AccessData Forensic ToolKit Lite which is available for free. Be careful with it, you may destroy your whole disk. You should know what you're doing - and if you didn't know above details about NTFS, maybe you should not use it.

Thomas Weller
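To illustrate the "marked as deleted" point in the answer above, here is an added example (not part of the original answer and not code from any tool it mentions): a read-only parser that reports whether an MFT record's in-use flag is cleared and what name it still carries. It assumes the standard NTFS 3.x FILE record layout; `parse_mft_record` and `build_sample_record` are hypothetical names, the "Projects" record is constructed, and update-sequence fixups are not applied.

```python
import struct

IN_USE, IS_DIR = 0x0001, 0x0002            # flag bits at offset 0x16 of a FILE record
ATTR_FILE_NAME, ATTR_END = 0x30, 0xFFFFFFFF

def parse_mft_record(rec: bytes) -> dict:
    """Read-only summary of one MFT record; update-sequence fixups are not applied."""
    if len(rec) < 0x38 or rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    seq, _links, off, flags = struct.unpack_from("<HHHH", rec, 0x10)
    name = None
    while off + 0x18 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen < 0x18 or off + alen > len(rec):
            break                           # end marker or corrupt length: stop walking
        if atype == ATTR_FILE_NAME and rec[off + 8] == 0:   # resident $FILE_NAME
            body = off + struct.unpack_from("<H", rec, off + 0x14)[0]
            if body + 0x42 <= off + alen:
                nchars = rec[body + 0x40]   # name length in UTF-16 code units
                name = rec[body + 0x42: body + 0x42 + 2 * nchars].decode("utf-16-le")
        off += alen
    return {"name": name, "sequence": seq,
            "deleted": not flags & IN_USE, "directory": bool(flags & IS_DIR)}

def build_sample_record(name: str, flags: int) -> bytes:
    """Constructed 1024-byte record holding one resident $FILE_NAME attribute."""
    raw = name.encode("utf-16-le")
    content = bytes(0x40) + bytes([len(raw) // 2, 1]) + raw  # parent ref, times, sizes zeroed
    padded = content + bytes(-len(content) % 8)
    attr = struct.pack("<IIBBHHHIHBB", ATTR_FILE_NAME, 0x18 + len(padded), 0, 0, 0x18,
                       0, 0, len(content), 0x18, 0, 0) + padded
    used = 0x38 + len(attr) + 8
    header = struct.pack("<4sHHQHHHHII", b"FILE", 0x30, 3, 0, 2, 1, 0x38, flags, used, 1024)
    rec = header.ljust(0x38, b"\0") + attr + struct.pack("<II", ATTR_END, 0)
    return rec.ljust(1024, b"\0")

if __name__ == "__main__":
    for flags in (IN_USE | IS_DIR, IS_DIR):   # live folder, then the same folder deleted
        print(parse_mft_record(build_sample_record("Projects", flags)))
```

The parser only reads bytes it is given, so it is meant to be run against an image or copy of the volume rather than the live disk.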