Recovering Deleted Files from NTFS v3.1 File System
Today, there are plenty of software solutions for recovering deleted files from various file systems. However, to get the most out of these tools, it is important to understand the theoretical foundations of recovering deleted information in the NTFS v3.1 file system. In this article, we will take a closer look at the practical way to manually recover files using PowerShell.
Theory
The NTFS file system is built on the “everything is a file” principle. Each file carries a set of attributes, the most important of which are $STANDARD_INFO, $FILE_NAME, and $DATA. The $STANDARD_INFO and $FILE_NAME attributes hold the file's timestamps, while the $DATA attribute stores the contents of a resident file directly. For a non-resident file, the $DATA attribute instead holds “links” to the file's contents, which lie scattered across the volume; these links are called data runs (or segments). A segment is a contiguous sequence of clusters holding part of the non-resident file's contents, and the “reference” recorded in the $DATA attribute consists of the starting cluster number and the number of clusters that follow it.
Every file's attributes are stored in its File Record in the Master File Table ($mft). This is the most important service file on the volume, since it holds information about every file and directory. With only the $mft file in hand, you can reconstruct a history of file-related events and, in some cases, restore files.
Another important service file is the free-space map, $BitMap, which tracks which clusters are in use and which are free.
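The two structures above are what a manual recovery actually has to read: the data runs in a deleted file's $DATA attribute, and the $BitMap bits that say whether those clusters have since been reused. The following Python is an added example, not code from the article; the run-list bytes and the $BitMap slice are constructed for illustration, and it decodes the run list (header nibble sizes, signed relative offsets, sparse runs) and then checks each run against the bitmap.

```python
# Added example (not from the article): decode an NTFS $DATA run list and check it against $BitMap.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class DataRun:
    lcn: Optional[int]   # starting logical cluster number; None for a sparse run
    length: int          # number of clusters in the run

def decode_data_runs(raw: bytes) -> List[DataRun]:
    """Parse the run list of a non-resident $DATA attribute.
    Header byte: low nibble = size of the length field, high nibble = size of the
    offset field (a signed delta from the previous run's LCN; 0 means sparse). 0x00 ends the list."""
    runs, pos, lcn = [], 0, 0
    while pos < len(raw) and raw[pos] != 0x00:
        header = raw[pos]
        len_size, off_size = header & 0x0F, header >> 4
        pos += 1
        length = int.from_bytes(raw[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:                      # sparse run: no clusters on disk
            runs.append(DataRun(None, length))
            continue
        delta = int.from_bytes(raw[pos:pos + off_size], "little", signed=True)
        pos += off_size
        lcn += delta
        runs.append(DataRun(lcn, length))
    return runs

def cluster_allocated(bitmap: bytes, cluster: int) -> bool:
    """$BitMap holds one bit per cluster, least significant bit first."""
    return bool(bitmap[cluster // 8] >> (cluster % 8) & 1)

def run_is_free(bitmap: bytes, run: DataRun) -> bool:
    """True when none of the run's clusters were reallocated since deletion."""
    if run.lcn is None:
        return True
    return not any(cluster_allocated(bitmap, c) for c in range(run.lcn, run.lcn + run.length))

# Constructed run list: 24 clusters at LCN 22068, 48 clusters at LCN 22100, 8 sparse clusters.
SAMPLE_RUNS = bytes.fromhex("21 18 34 56 11 30 20 01 08 00")
# Constructed $BitMap slice in which only clusters 22100..22147 have been reused.
SAMPLE_BITMAP = bytearray(2800)
for c in range(22100, 22148):
    SAMPLE_BITMAP[c // 8] |= 1 << (c % 8)

for run in decode_data_runs(SAMPLE_RUNS):
    print(run, "recoverable" if run_is_free(SAMPLE_BITMAP, run) else "partly overwritten")
```

A run whose clusters are still clear in $BitMap can be read back intact; a run whose clusters have been reallocated will yield whatever the newer file wrote there.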
Practice
With the theoretical foundations covered, let's walk through the practical way to manually recover files using PowerShell.
The first step is to create a folder to store the recovered files. This is done using the New-Item cmdlet:
New-Item -Path C:\RecoveredFiles -ItemType Directory
The next step is to use the Get-ChildItem cmdlet to list all files in the specified folder, including the deleted ones:
Get-ChildItem -Path C:\RecoveredFiles
The third step is to use the Get-Content cmdlet to read the contents of the deleted files:
Get-Content -Path C:\RecoveredFiles\*
The fourth step is to use the Set-Content cmdlet to write that content into a new file:
Set-Content -Path C:\RecoveredFiles\RecoveredFile.txt -Value (Get-Content -Path C:\RecoveredFiles\* -Raw)
The fifth and final step is to use the Move-Item cmdlet to move the recovered file to the desired location:
Move-Item -Path C:\RecoveredFiles\RecoveredFile.txt -Destination C:\RecoveredFiles\RecoveredFiles
By following these steps, you can manually recover deleted files from the NTFS v3.1 file system using PowerShell.
Conclusion
Recovering deleted files from the NTFS v3.1 file system requires an understanding of the file system's internals, but with PowerShell it can be done manually. Following the steps outlined above lets you recover deleted files from an NTFS v3.1 volume.