Back2Life 2.9 Recovery

Technical information about data recovery

This article is designed to explain some technical details about file undelete and data recovery to help you to understand the process, as well as to satisfy your technical curiosity.

Delete and undelete files on FAT volumes
Delete and undelete files on NTFS volumes
Data recovery tips

Delete and undelete files on FAT volumes
FAT file system description

The FAT file system has the file allocation table located at the beginning of a logical volume. FAT was designed for small disks and simple folder structures. Two copies of the file allocation table are stored on the volume. In the event that one copy of the file allocation table is corrupted, the other file allocation table is used.

Back2Life supports the following FAT file systems:

  • FAT12 (used for floppies)
  • FAT16 (fairly small disks and partitions, mainly used under DOS and the first Windows 95 systems)
  • FAT32

The number 12, 16 or 32 is the number of bits used to store one FAT entry. All these file systems are supported by the Microsoft Windows 95-98-Me and NT-2000-XP operating systems.

The base unit for storing information on FAT disks is the cluster. Cluster sizes depend on the FAT version and disk configuration, and are usually equal to several kilobytes. If a file doesn't fit in a single cluster, the system reserves several clusters to store it. When a file's clusters are not sequential but are split into fragments at different locations, we call this a fragmented file.

FAT file systems store the file name, size and attributes in the Directory Table, while the file content is stored in the disk Data Area. The Directory Table record of the file also stores the number of the first cluster of the file content in the Data Area, while the remaining sequence of cluster numbers is stored in the FAT (File Allocation Table). The clusters in the FAT are specifically marked. The first file cluster (if the file takes more than one) holds the ordinal number of the following cluster, that cluster holds the ordinal number of the one after it, and so on. The last file cluster holds a special value that indicates the end of the file. By reading cluster marks and contents, the system assembles the entire file for future use (such as copying, editing etc.).

Data recovery on FAT disks

When you delete a file, it is not physically erased from the disk. To reduce the operation time, the system only deletes the first character of the file name in the Directory Table so other regular programs can no longer "see" it (which is why it is sometimes impossible to find out the first character of the file name, although files created under Windows usually have doubled records). This Directory Table record can be reused later for another file or folder. The system also clears all the clusters' marks, so they appear empty (unused). During the course of further disk use, these clusters can be reused to store other files. The Damage rates displayed by Back2Life indicate the ratio of reused clusters that had earlier been used by the now-erased file.

Because the cluster marks are lost, a data recovery attempt can only assume that the file was not fragmented and that all its clusters are sequential. Starting at the first file cluster (this value is not lost when the file is erased), the program reads the assumed file content from the corresponding number of sequential clusters. It is no wonder that this assumption is not always correct.

That's why sometimes, even with a Damage ratio of zero percent, the file appears corrupted after recovery. Usually in such cases the file's integrity has been broken - the recovered file begins correctly, but at its end it holds the content of another file... It is also possible that file clusters have been reused and erased again - they still look untouched but the content has been changed.

The following three conditions determine data recovery success on FAT disks:

  • if file record in Directory Table hasn't been reused (if it was, file will not even be found by Back2Life)
  • if file cluster sequence is assumed correctly
  • if file clusters were not reused after deletion
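
The recovery logic described above, as an added example (it is not Back2Life's code): it parses a deleted 32-byte FAT directory entry, reads the assumed sequential clusters and computes a damage ratio from the FAT marks. The tiny cluster size, the sample volume and the function names are constructed for illustration.

```python
import struct

CLUSTER = 4          # bytes per cluster: tiny constructed geometry, for readability
DELETED = 0xE5       # value the system writes over the first file name byte

def parse_deleted(raw):
    """Return name/first cluster/size of a deleted file entry, else None."""
    if len(raw) != 32 or raw[0] != DELETED or raw[11] & 0x18:
        return None                      # live entry, directory, label or long-name slot
    hi = struct.unpack_from("<H", raw, 20)[0]        # high word of first cluster (FAT32 only)
    lo, size = struct.unpack_from("<HI", raw, 26)    # low word of first cluster, file size
    name = "?" + raw[1:8].decode("ascii").rstrip()   # first character is lost
    ext = raw[8:11].decode("ascii").rstrip()
    return {"name": name + ("." + ext if ext else ""), "first": hi << 16 | lo, "size": size}

def undelete(entry, fat, data):
    """Read the assumed sequential run; return (content, damage_ratio)."""
    count = -(-entry["size"] // CLUSTER)             # ceiling division
    run = range(entry["first"], entry["first"] + count)
    # A non-zero FAT mark means the cluster has been allocated to something else.
    reused = sum(1 for c in run if c >= len(fat) or fat[c] != 0)
    content = b"".join(data.get(c, b"\0" * CLUSTER) for c in run)[:entry["size"]]
    return content, (reused / count if count else 0.0)

def make_entry(name83, first, size):
    """Build a constructed directory entry the way it looks after deletion."""
    raw = bytearray(32)
    raw[0:11] = name83
    raw[0] = DELETED
    struct.pack_into("<H", raw, 20, first >> 16)
    struct.pack_into("<HI", raw, 26, first & 0xFFFF, size)
    return bytes(raw)

# Constructed volume. The erased file AAAA BBBB CCCC was fragmented: clusters 5, 6 and 9.
DATA = {5: b"AAAA", 6: b"BBBB", 7: b"zzzz", 8: b"live", 9: b"CCCC"}
FAT_AFTER_DELETE = [0xFFF8, 0xFFFF, 0, 0, 0, 0, 0, 0, 0xFFFF, 0]       # only 8 in use
FAT_AFTER_REUSE = [0xFFF8, 0xFFFF, 0, 0, 0, 0, 0xFFFF, 0, 0xFFFF, 0]   # 6 taken by a new file

ENTRY = parse_deleted(make_entry(b"REPORT  TXT", 5, 12))

if __name__ == "__main__":
    print(ENTRY)
    print(undelete(ENTRY, FAT_AFTER_DELETE, DATA))   # zero damage, yet the tail is foreign data
    print(undelete(ENTRY, FAT_AFTER_REUSE, DATA))    # one of three clusters reused
```

The first call reports zero damage but returns cluster 7 instead of cluster 9, which is the fragmented-file case the text warns about.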

Please remember: FAT disks were not directly designed to support file undelete, so the very possibility of restoring at least something is a Grace in itself! However, in most cases the files can be recovered successfully.

Delete and undelete files on NTFS volumes

NTFS provides performance, reliability, and functionality not found in FAT:

  • Multiple Data Streams
  • Reparse Points
  • Change Journal
  • Encryption
  • Compression
  • Sparse File Support
  • Disk Quotas
  • Distributed Link-Tracking
  • Recoverability

Like FAT, NTFS uses clusters as the fundamental unit of disk allocation.

NTFS creates a file record for each file and a directory record for each directory created on an NTFS volume. These file and directory records are stored in the MFT (Master File Table). The name, size and other attributes of the file are written to the allocated space in the MFT. Besides file attributes, each file record contains information about the position of the file record in the MFT Index and allocation of the file content on disk (cluster chain). File content is stored in disk Data Area outside of MFT. Information about used and free disk clusters is stored in the disk Bitmap.

Data recovery on NTFS disks

When you delete a file, it is not physically erased from the disk. To reduce the operation time, the system only marks the file's MFT record as not-in-use, so other regular programs can no longer "see" it. Later NTFS can reuse this MFT record to store information about another file or folder. NTFS also clears all the clusters' marks in the disk Bitmap, so they appear empty (unused). During the course of further disk use, these clusters can also be reused to store the content of other files or folders. The Damage ratio displayed by Back2Life indicates the ratio of reused clusters that had earlier been used by the now-erased file.

Unlike FAT file systems, NTFS holds information about the file cluster chain in the MFT record even after file is erased. This increases data recovery success because we don't have to guess where these clusters are located, as we have to do with FAT.

But it is still possible that an NTFS file, even with a Damage ratio of zero percent, might not be successfully recovered. This is because file clusters may have been reused and erased again - they still look untouched but the content has been changed.

Two things determine the recovery success for NTFS disks:

  • if file record in MFT hasn't been reused (if it was, file will not even be found by Back2Life)
  • if file clusters were not reused after its deletion
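
The NTFS side of the comparison, as an added example (not Back2Life's code): it checks the in-use flag of an MFT file record, decodes the cluster chain the record still holds and compares it with the volume Bitmap. The record header, run list and bitmap bytes are constructed, and the run list is passed in directly instead of being located by parsing the record's attributes.

```python
import struct

def is_deleted_record(record):
    """True for a FILE record whose in-use flag (0x0001 at offset 0x16) is clear."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT file record")
    return (struct.unpack_from("<H", record, 0x16)[0] & 0x0001) == 0

def decode_runs(runlist):
    """Decode an NTFS data-run list into (first_cluster, cluster_count) pairs."""
    runs, pos, lcn = [], 0, 0
    while pos < len(runlist) and runlist[pos] != 0:      # a 0x00 header ends the list
        len_sz, off_sz = runlist[pos] & 0x0F, runlist[pos] >> 4
        pos += 1
        count = int.from_bytes(runlist[pos:pos + len_sz], "little")
        pos += len_sz
        if off_sz:   # offset is signed and relative to the previous run's start
            lcn += int.from_bytes(runlist[pos:pos + off_sz], "little", signed=True)
            runs.append((lcn, count))
        pos += off_sz   # off_sz == 0 is a sparse run with no clusters on disk
    return runs

def damage_ratio(runs, bitmap):
    """Share of the file's clusters that the Bitmap shows as allocated again."""
    clusters = [c for start, n in runs for c in range(start, start + n)]
    reused = sum(1 for c in clusters if (bitmap[c // 8] >> (c % 8)) & 1)
    return reused / len(clusters) if clusters else 0.0

# Constructed record header of an erased file: "FILE" signature, flags word 0x0000.
RECORD = bytearray(48)
RECORD[:4] = b"FILE"
struct.pack_into("<H", RECORD, 0x16, 0x0000)

# Constructed run list: 3 clusters at 16, then 2 clusters at 16 - 8 = 8 (fragmented file).
RUNLIST = bytes([0x21, 0x03, 0x10, 0x00, 0x11, 0x02, 0xF8, 0x00])

# Constructed Bitmap for clusters 0..23: 0-3 in use, and cluster 9 allocated again.
BITMAP = bytes([0x0F, 0x02, 0x00])

if __name__ == "__main__":
    print(is_deleted_record(RECORD), decode_runs(RUNLIST), damage_ratio(decode_runs(RUNLIST), BITMAP))
```

Both fragments are located exactly, with no guess about sequential clusters, and one of the five clusters is reported as reused.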

Even though NTFS disks are much better suited to undeleting than FAT disks, they were not directly designed for it. So even here, the very possibility of restoring at least something is a Grace in itself!

Data recovery tips

As soon as you discover that vital files have been erased or otherwise lost, the most important thing is to prevent the erased files from being overwritten. To do so, avoid any use of the disk where the file was erased until after the files are recovered. Also remember that Back2Life shouldn't be installed on this disk - install it on a floppy if no other disk is available.

The following three things are important for data recovery considerations:
(1) The less time since the disk has been defragmented, (2) the sooner you make a data recovery attempt, and (3) the smaller the size of the file to recover - the better the chances of success.

When Back2Life saves a recovered file, it reads its content and writes it to a new file with the same name. It is recommended that you save recovered files on another disk because of the risk of overwriting other erased files with the new saved one.