File Recovery Concepts
The file recovery process can be broken down into steps:
- Scanning the drive or folder to find deleted entries in the Root Folder (FAT)
or the Master File Table (NTFS)
- Defining the cluster chain to be recovered
- Copying contents of these clusters to the newly created file.
Different file systems maintain their own specific logical data structures.
However, because file systems share certain features, it is possible to scan
their contents with a single utility. Each file system has the following in
common:
- Holds a list or catalog of file entries, so we can iterate through this
list and find entries marked as deleted
- Keeps a list of data clusters for each entry, so we can try to piece
together a set of clusters composing the file
After locating the proper file entry and assembling the set of clusters that
compose the file, the clusters are read and copied to another location.
The links below illustrate the method step by step with examples:
- Disk Scan for Deleted Entries
- Defining the Chain of Clusters
- Recovering the Chain of Clusters
In some cases, not every deleted file can be recovered using a strict
process. Sometimes it is necessary to make some assumptions, or use fuzzy
logic, for example:
- To begin recovery when a clear file name is not present in the catalog,
we must assume that the file entry still exists (i.e. it has not been
overwritten with other data). The smaller the number of files that have been
created on the same drive where the deleted file used to be, the greater the
chances that the space used for the deleted file entry has not been overwritten
by other entries.
- We must assume that the file entry is intact enough to indicate the proper
location where the file clusters reside on the hard drive. In some cases
(specifically in Windows XP, on large FAT32 volumes) the operating system
damages file entries immediately after deletion so that the first data cluster
becomes invalid. In this case further entry restoration is not possible.
- We must assume that the file data clusters are intact (i.e. they have not
been overwritten with other data). The fewer write operations that have been
performed on the drive where the deleted file was, the greater the chances that
the space occupied by data clusters of the deleted file has not been used for
other data storage.
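The three steps and the assumptions above, shown for a FAT volume as an added example (not code from the original page): scan the directory for entries carrying the 0xE5 deleted marker, guess the cluster chain, and copy the clusters to a new buffer. Assumptions: the FAT has already been decoded into a list of integers, the chain is guessed as the next free clusters from the start cluster, and the sample directory, FAT and data area are constructed.

```python
import struct

CLUSTER = 512  # assumed cluster size of the constructed sample volume

def scan_deleted(directory):
    """Return (name, first_cluster, size) for FAT entries marked deleted (0xE5)."""
    found = []
    for off in range(0, len(directory) - 31, 32):
        e = directory[off:off + 32]
        if e[0] == 0x00:                   # end-of-directory marker
            break
        if e[0] != 0xE5 or e[11] == 0x0F:  # live entry, or long-file-name slot
            continue
        (hi,) = struct.unpack_from("<H", e, 20)      # high word (FAT32)
        lo, size = struct.unpack_from("<HI", e, 26)  # low word, file size
        name = "?" + e[1:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        found.append((name + ("." + ext if ext else ""), (hi << 16) | lo, size))
    return found

def guess_chain(first, size, fat):
    """Heuristic: the file used the next free clusters starting at `first`."""
    need = -(-size // CLUSTER)             # ceiling division
    if first < 2 or first >= len(fat) or fat[first] != 0:
        return None                        # start cluster invalid or reused
    chain = [c for c in range(first, len(fat)) if fat[c] == 0][:need]
    return chain if len(chain) == need else None

def recover(entry, fat, data):
    """Copy the guessed clusters to a new buffer (cluster 2 = data offset 0)."""
    _, first, size = entry
    chain = guess_chain(first, size, fat)
    if chain is None:
        return None
    raw = b"".join(data[(c - 2) * CLUSTER:(c - 1) * CLUSTER] for c in chain)
    return raw[:size]                      # drop slack after the last byte

def _entry(first_byte, name, ext, cluster, size):  # builds a constructed entry
    e = bytearray((name.ljust(8) + ext.ljust(3)).encode() + bytes(21))
    e[0], e[11] = first_byte, 0x20
    struct.pack_into("<H", e, 20, cluster >> 16)
    struct.pack_into("<HI", e, 26, cluster & 0xFFFF, size)
    return bytes(e)

# Constructed sample: one live file, two deleted entries (the second with its
# start cluster wiped), a decoded FAT, and a data area covering clusters 2..7.
SAMPLE_DIR = b"".join(_entry(*a) for a in [(ord("R"), "README", "TXT", 2, 100),
    (0xE5, "NOTES", "TXT", 3, 700), (0xE5, "LOST", "DOC", 0, 900)]) + bytes(32)
SAMPLE_FAT = [0xFF8, 0xFFF, 0xFFF, 0, 0xFFF, 0, 0, 0]
SAMPLE_DATA = b"".join(ch * CLUSTER for ch in (b"L", b"A", b"X", b"B", b"\0", b"\0"))
```

The recovered bytes are returned in memory; writing them out belongs on a different drive than the one being scanned.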
General Advice After Data Loss
1. DO NOT WRITE ANYTHING ONTO THE DRIVE CONTAINING THE
IMPORTANT DATA THAT YOU HAVE JUST DELETED ACCIDENTALLY! Even installing
data recovery software can spoil your sensitive data. If the data is really
important to you and you do not have another logical drive to install software
to, take the whole hard drive out of the computer and plug it into another
computer where data recovery software has already been installed, or use
recovery software that does not require installation, for example recovery
software that is capable of running from a bootable floppy.
2. DO NOT TRY TO WRITE DATA THAT YOU FOUND AND ARE
TRYING TO RECOVER BACK ONTO THE SAME DRIVE! When saving recovered data
onto the same drive where deleted data is located, you can interfere with the
process of recovering by overwriting FAT/MFT records for this and other deleted
entries. It's better to save data onto another logical, removable, network or
floppy drive.