Active@ File Recovery and NTFS Clusters, FAT Clusters

Define cluster chains for a deleted entry

To define cluster chains, the drive needs to be scanned. File clusters (NTFS) or free clusters (FAT) that presumably belong to the file are scanned one by one until the total size of the selected clusters equals the file size.

If the file is fragmented, the cluster chain is composed of several cluster sets in the case of NTFS, or is built by bypassing occupied clusters in the case of FAT.

The location of these clusters can vary depending on the file system.

For example, a file deleted on a FAT volume has its first cluster in its Root entry; the other clusters can be found in the File Allocation Table.

On NTFS, each file has a _DATA_ attribute that describes "data runs". The data runs are disassembled into "extents" (lengths); a file's cluster chain is then composed by taking, for each extent, the start cluster offset and the number of clusters, and enumerating the extents together.
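The NTFS procedure described above, as an added example that is not part of the original page or of Active@ File Recovery. It decodes a raw run list using the standard NTFS data-run encoding and enumerates clusters until the file size is covered; the function names, the sample bytes (constructed) and the 4096-byte cluster size are assumptions.

```python
def decode_data_runs(raw: bytes):
    """Decode an NTFS run list into (start_cluster, cluster_count) extents.

    Each run starts with a header byte: low nibble = size in bytes of the
    length field, high nibble = size in bytes of the offset field. The offset
    is signed and relative to the previous run's start; 0x00 ends the list.
    """
    extents, pos, prev_start = [], 0, 0
    while pos < len(raw) and raw[pos] != 0x00:
        len_size, off_size = raw[pos] & 0x0F, raw[pos] >> 4
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(raw):
            raise ValueError("malformed or truncated data run")
        count = int.from_bytes(raw[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            extents.append((None, count))  # sparse run: no clusters on disk
            continue
        delta = int.from_bytes(raw[pos:pos + off_size], "little", signed=True)
        pos += off_size
        prev_start += delta
        if prev_start < 0:
            raise ValueError("run points before the start of the volume")
        extents.append((prev_start, count))
    return extents


def cluster_chain(extents, file_size: int, cluster_size: int):
    """Enumerate extents into a cluster list, stopping once file_size is covered."""
    needed = -(-file_size // cluster_size)  # ceiling division
    chain = []
    for start, count in extents:
        for i in range(count):
            if len(chain) == needed:
                return chain
            chain.append(None if start is None else start + i)
    if len(chain) < needed:
        raise ValueError("data runs are shorter than the recorded file size")
    return chain


# Constructed sample: 4 clusters at 10000, then 3 clusters 16 clusters earlier.
SAMPLE_RUNS = bytes.fromhex("21041027" "1103f0" "00")

if __name__ == "__main__":
    runs = decode_data_runs(SAMPLE_RUNS)
    print(runs, cluster_chain(runs, file_size=5 * 4096, cluster_size=4096))
```

The second run in the sample has a negative offset, which is how a fragment stored earlier on the volume than the previous one is encoded.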

You can try to define a cluster chain manually by using low-level disk editors; however, it's much simpler to use a data recovery tool, like Active@ File Recovery.

See also: Example of defining cluster chains on FAT16

Example of defining cluster chains on NTFS