Why Are My Recovered Files Just Zeros After Using ntfsundelete?

By
Aaron Garnes
-
0
0
Asked By TechieTurtle23 On

I recently lost some important files on an NTFS volume and tried to recover them using ntfsundelete. The command I used showed that the files were 100% available, but when I attempted to actually recover them, the contents came back as all zeros. I've pasted the command and output below:

```
$ ntfsundelete /dev/nvme1n1p2 -s -m 'save*.rar'
Inode Flags %age Date Time Size Filename
-----------------------------------------------------------------------
54433 FN.. 100% 2025-07-11 10:52 31992226 savedgames.rar
57603 FN.. 100% 2025-02-01 11:55 1606 SaveGameName.2.rar
163906 FN.. 100% 2025-07-11 10:52 31992226 savedgames.rar
164367 FN.. 100% 2025-07-10 02:58 31644673 savedgames-2025-07-010.rar
```

When I dump the contents of one of the recovered files, it just shows zeros:

```
$ hexdump savedgames-2025-07-010.rar
0000000 0000 0000 0000 0000 0000 0000 0000 0000
*
1e2e000
```

And trying to test the files with rar fails as well:

```
$ ls *.rar|xargs -I {} rar t {} ;

savedgames-2025-07-010.rar is not RAR archive
No files to extract
```

Does anyone have insight into why this might be happening? Thanks!

3 Answers

Answered By DataDigger42 On

It sounds like the volume might have been trimmed, which means the contents of the files were essentially deleted and are no longer recoverable. Unfortunately, this is a common issue with NVMe drives where TRIM commands clear data that isn't actively being used. You might want to try ntfsundelete on a traditional spinning hard drive next time to see if you have better luck!

Answered By FileSaver99 On

In my experience, I found that recovery from a TRIM-enabled NVMe drive is often problematic. I’ve had success recovering files from regular spinning drives or USBs though. If the files were indeed there and accessible, but now just zeros, then you likely lost the actual data when the TRIM function was executed.

Answered By RecoveryNerd88 On

It's interesting that you're getting zeros when you recover the files. Just to clarify, the `%age` column in your output actually shows how much of the file could potentially be recovered, not necessarily that the file is intact. Also, it looks like you mentioned the filesystem isn't encrypted, which is good. If the drive has TRIM enabled, it could be the reason you’re getting empty files.

Related Questions

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.