File Recovery understanding

Understanding the File Recovery Process

The file recovery process can be briefly described as scanning a drive or folder to find deleted entries in a Root Folder (FAT) or a Master File Table (NTFS). It also consists of scanning for a particular deleted entry and defining the cluster chain to be recovered and copying the contents of these clusters to the newly created file.

Different file systems maintain their own specific logical data structures, however basically each file system:

After finding the proper file entry and assembling the set of clusters composing the file, it is possible to read and copy these clusters to another location.

Step by Step with examples:

However, not every deleted file can be recovered and there are certain considerations to keep in mind:

Important

General advice after data loss:

  1. 1. DO NOT WRITE ANYTHING ONTO THE DRIVE CONTAINING THE DATA THAT NEEDS TO BE RECOVERED! Even the installation of data recovery software could spoil your sensitive data. If the data is really important to you and you do not have another logical drive to install the software to, take the whole hard drive out of the computer and plug it into another computer where data recovery software has already been installed or use recovery software that does not require installation. For example, recovery software which is capable to run from bootable floppy.
  2. 2. DO NOT SAVE THE DATA ON THE SAME LOGICAL DRIVE YOU ARE RECOVERING FROM! Saving recovered data onto the same drive where sensitive data is located can hinder the recovery process by overwriting FAT/MFT records for this and other deleted entries. It's best to save data onto another logical, removable, network or floppy drive.