Understanding the File Recovery Process
The file recovery process can be briefly described as scanning a drive or folder to find deleted entries in a Root Folder (FAT) or a Master File Table (NTFS), then, for a particular deleted entry, defining the cluster chain to be recovered and copying the contents of these clusters to a newly created file.
Different file systems maintain their own specific logical data structures; however, basically each file system:
- Has a list or catalog of file entries, so we can iterate through this list and find entries marked as deleted
- For each entry, keeps a list of data clusters so we can try to find a set of clusters composing the file
After finding the proper file entry and assembling the set of clusters composing the file, it is possible to read and copy these clusters to another location.
However, not every deleted file can be recovered and there are certain considerations to keep in mind:
- Firstly, the file entry should still exist (not overwritten with other data). If a low number of files have been created on the drive where the deleted file resided, there is a better chance that the space for the deleted file entry has not been used by any other entries.
- Secondly, the file entry should point to the correct place where file clusters are located. In some cases (this has been noticed in Windows XP, on large FAT32 volumes) the operating system damages file entries right after deletion so that the first data cluster becomes invalid. If this happens, file recovery is not possible.
- Thirdly, the file data clusters should be safe (not overwritten with other data). Write operations should be kept to a minimum on the drive where deleted files resided. If the data clusters occupied by the deleted file have not been used for other data storage, this greatly improves the chances that the files can be recovered properly.
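The scan, cluster-chain and copy steps described above, as an added Python example for a FAT directory (not code from the original page or from any recovery product). The sample volume, the entry() helper and the offsets are constructed for illustration, and the deleted file's clusters are assumed to be contiguous; an entry whose first cluster is invalid is reported as unrecoverable.

```python
import struct

ENTRY_SIZE, DELETED, ATTR_LFN = 32, 0xE5, 0x0F  # FAT directory entry constants

def find_deleted_entries(dir_bytes):
    """Return (name, first_cluster, size) for each deleted file entry."""
    found = []
    for off in range(0, len(dir_bytes) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = dir_bytes[off:off + ENTRY_SIZE]
        if e[0] == 0x00:                      # end-of-directory marker
            break
        # skip live entries, long-name slots, directories and volume labels
        if e[0] != DELETED or e[11] == ATTR_LFN or e[11] & 0x18:
            continue
        (hi,) = struct.unpack_from("<H", e, 20)      # high word (FAT32 only)
        lo, size = struct.unpack_from("<HI", e, 26)  # low word, file size
        base = e[1:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        # the first name character was overwritten by the 0xE5 marker
        found.append(("?" + base + "." + ext, (hi << 16) | lo, size))
    return found

def recover(image, data_offset, cluster_size, first_cluster, size):
    """Copy a deleted file's data, assuming its clusters are contiguous."""
    if first_cluster < 2:                     # data clusters are numbered from 2
        raise ValueError("first cluster invalid; entry cannot be recovered")
    start = data_offset + (first_cluster - 2) * cluster_size
    count = -(-size // cluster_size)          # clusters needed, rounded up
    data = image[start:start + count * cluster_size]
    if len(data) < size:
        raise ValueError("cluster run extends past the end of the volume")
    return data[:size]

def entry(name11, first_cluster, size):
    """Build one constructed 32-byte directory entry (archive attribute)."""
    return name11 + b"\x20" + bytes(14) + struct.pack("<HI", first_cluster, size)

# Constructed sample volume: one 512-byte directory, then 512-byte clusters 2..4.
CLUSTER = 512
NOTE = b"secret note " * 50                    # 600 bytes, spans clusters 3 and 4
DIRECTORY = (entry(b"README  TXT", 2, 5)
             + entry(b"\xE5OTES   TXT", 3, len(NOTE))
             + entry(b"\xE5AD     DAT", 0, 100)).ljust(512, b"\x00")
IMAGE = DIRECTORY + b"hello".ljust(CLUSTER, b"\x00") + NOTE.ljust(2 * CLUSTER, b"\x00")

if __name__ == "__main__":
    for name, first, size in find_deleted_entries(DIRECTORY):
        try:
            print(name, len(recover(IMAGE, 512, CLUSTER, first, size)), "bytes")
        except ValueError as err:
            print(name, "not recoverable:", err)
```

The recovered bytes are returned to the caller rather than written anywhere, so the output can be saved to a different drive than the one being scanned.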
General advice after data loss:
- 1. DO NOT WRITE ANYTHING ONTO THE DRIVE CONTAINING THE DATA THAT NEEDS TO BE RECOVERED! Even the installation of data recovery software could spoil your sensitive data. If the data is really important to you and you do not have another logical drive to install the software to, take the whole hard drive out of the computer and plug it into another computer where data recovery software has already been installed, or use recovery software that does not require installation, for example recovery software that is capable of running from a bootable floppy.
- 2. DO NOT SAVE THE DATA ON THE SAME LOGICAL DRIVE YOU ARE RECOVERING FROM! Saving recovered data onto the same drive where sensitive data is located can hinder the recovery process by overwriting FAT/MFT records for this and other deleted entries. It's best to save data onto another logical, removable, network or floppy drive.