NTFS undelete on Linux

To avoid damaging filesystem with files to be undeleted I created image of entire hard disk by booting live linux on source PC from USB and then making 1:1 copy of HDD with dd.

1. Figure out offset where partition of interest starts. Simply open image with fdisk and multiply start sector with 512 bytes.

2. Mount it with losetup. "losetup -o 105906176 /dev/loop0 diskimage.bin"

3. Scan for undeletable files. "ntfsundelete -s /dev/loop0"

4. Undelete files. "ntfsundelete -u -m '*.docx' -d /tmp/recovered /dev/loop0"

5. Done. "losetup -d /dev/loop0"