Active@ File Recovery and Cluster Chain Recovery

Cluster chain recovery for a deleted entry

After a cluster chain is defined, either automatically or manually, the only task left is to read and save the contents of the defined clusters to another place for verifying their contents.

Having a chain of clusters; each cluster offset from the beginning of the drive can be calculate using standard formulas.

After that, the next step is to copy the amount of data equal to the cluster size, starting from the calculated offset into a newly created file.

Not all clusters are copied but only from the file size minus the number of copied clusters multiplied by cluster size.

Formulas for calculating a cluster offset could vary depending on file system.

Here is the information required to calculate the cluster offset for a FAT volume:

NTFS volumes use space linearly so to calculate a cluster's offset simply as the multiply the cluster number by the cluster size.

Example of recovering cluster chains on FAT16

In continuing with a previous example, here is the deleted file MyFile.txt again.

By now, its been determined that a chain of clusters 3, 4, 5, 6 are ready for recovery. The cluster consists of 64 sectors, sector size of 512 bytes, so the cluster size is: 64*512 = 32,768 bytes = 32 Kb. The first data sector is 535 (there is 1 boot sector, plus 2 copies of FAT by 251 sectors each, plus a root folder of 32 sectors, the total 534 occupied by system data sectors).

Clusters 0 and 1 do not exist, so the first data cluster is 2. Cluster number 3 is next to cluster 2, i.e. is located 64 sectors behind the first data sector (535). i.e. 535 + 64 = 599 sector, equal offset of 306,668 bytes from the beginning of the drive (0x4AE00).

With the help of a low-level disk editor to view the disk, here is the data starting with offset 0x4AE00, or 3 cluster, or 599 sector:

Because the cluster chain is consecutive, all that needs to be done is to copy the 112,435 bytes of data starting from this point forward. If the cluster chain were not consecutive, the offset of each cluster found would be re-calculate. 3 times by 64*512 = 32768 bytes starting from each cluster offset, and then from the last cluster copy reminder: 14,131 bytes that is calculated as 112,435 bytes - (3 * 32768 bytes).

Example of recovery cluster chains on NTFS

In this example 110 clusters need to be copied starting from the cluster 312555.

The Cluster size is 512 byte, so the offset of the first cluster would be 512 * 312555 = 160028160 = 0x0989D600

Here is the data. What's left is just reading 110 clusters (56320 bytes) from this point and then copying them to another location. Data recovery is now complete.

Important

DO NOT TRY TO SAVE DATA THAT YOU FOUND AND ARE TRYING TO RECOVER ONTO THE SAME DRIVE!Saving recovered data onto the same drive where sensitive data is located can hinder the recovery process by overwriting FAT/MFT records for this and other deleted entries. It's best to save data onto another logical, removable, network or floppy drive.

Important

  1. DO NOT WRITE ANYTHING ONTO THE DRIVE CONTAINING YOUR IMPORTANT DATA THAT HAS JUST BEEN ACCIDENTALLY DELETED! Even the installation of data recovery software could spoil your sensitive data. If the data is really important to you and you do not have another logical drive to install the software to, take the whole hard drive out of the computer and plug it into another computer where data recovery software has already been installed or use recovery software that does not require installation. For example, recovery software which is capable of running from a bootable CD / USB media.
  2. DO NOT TRY TO SAVE DATA THAT YOU FOUND AND ARE TRYING TO RECOVER ONTO THE SAME DRIVE! Saving recovered data onto the same drive where sensitive data is located can hinder the recovery process by overwriting FAT/MFT records for this and other deleted entries. It's best to save data onto another logical, removable, network or floppy drive.