Technical information about data recovery
This article is designed to explain some technical details about file undelete and data recovery to help you to understand the process, as well as to satisfy your technical curiosity.
Delete and undelete files on FAT volumes
Delete and undelete files on NTFS volumes
Data recovery tips
Delete and undelete files on FAT volumes
FAT file system description
The FAT file system has the file allocation
table located at the beginning of a logical volume. FAT was designed for
small disks and simple folder structures. Two copies of the file allocation
table are stored on the volume. In the event that one copy of the file
allocation table is corrupted, the other file allocation table is used.
Back2Life supports the following FAT file systems:
- FAT12 (used for floppies),
- FAT16 (fairly small disks and partitions, mainly used under DOS and first Windows 95 systems)
- FAT32
The number 12, 16 or 32 determines amount of bits used to store one FAT entry. All these file systems are supported by
operating systems Microsoft Windows 95-98-Me and NT-2000-XP.
The base unit for storing information on FAT disks is the cluster. Cluster
sizes depend on FAT version and disk configurations, and are usually equal
to several kilobytes. If a file doesn't fit to a single cluster, system
reserves several clusters to store it. When file clusters are not sequential
but are separated in fragments at different locations, we call this a
fragmented file.
FAT file systems store file name, size and attributes in the Directory
Table, while file content is stored in disk Data Area. The Directory Table
record of the file also stores the number of the first cluster file content
in Data Area, while the remaining sequence of cluster numbers is stored in
FAT (File Allocation Table). The clusters in FAT are specifically marked.
The first file cluster (if file takes more than one) holds the ordinal
number of the following cluster, the following cluster holds the ordinal
numbers of its following cluster and so on. The last file cluster holds
special value that indicates that it is the end of file. By reading cluster
marks and contents, the system aggregates the entire file for future use
(such as copying, editing etc.).
Data recovery on FAT disks
When you delete a file it is not physically erased from the disk. To reduce
the operation time, the system only deletes the first character of the file
name in Directory Table so other regular programs can no longer "see" it
(that's why sometimes it is impossible to find out the first filename
character. But, files created under Windows usually have doubled records).
This Directory Table record can be reused later for another file or folder.
Also the system clears all the clusters' marks, so they appear empty
(unused). During the course of further disk use, these clusters can be
reused to store other files. The Damage rates displayed by Back2Life
indicate the ratio of reused clusters which had been earlier used by
now-erased file.
Because of the loss of cluster marks, at data recovery ATTEMPT we may only
assume that file was not fragmented and all its clusters are sequential.
Starting at the first file cluster (this value is not lost when file is
erased), the program reads the ASSUMED file content from the corresponding
number of sequential clusters. It is no wonder that this assumption is not
always correct.
That's why sometimes, even with a Damage ratio of zero percent, the file
appears corrupted after recovery. Usually in such cases the file's integrity
has been broken - the recovered file begins correctly, but at its end it
holds the content of another file... It is also possible that file clusters
have been reused and erased again - they still look untouched but the
content has been changed.
Three following conditions determine data recovery success on FAT disks:
- if file record in Directory Table hasn't been reused (if it was, file will not even be found by Back2Life)
- if file cluster sequence is assumed correctly
- if file clusters were not reused after deletion
Please remember: FAT
disks were not directly designed to support file undelete so the possibility
to even try to restore at least something is the Grace by itself!
However, in most cases the files can be recovered successfully.
Delete and undelete files on NTFS volumes
NTFS provides performance, reliability, and functionality not found in FAT:
- Multiple Data Streams
- Reparse Points
- Change Journal
- Encryption
- Compression
- Sparse File Support
- Disk Quotas
- Distributed Link-Tracking
- Recoverability
Like FAT, NTFS uses clusters as the
fundamental unit of disk allocation.
NTFS creates a file record for each file and a directory record for each
directory created on an NTFS volume. These file and directory records are
stored in the MFT (Master File Table). The name, size and other attributes
of the file are written to the allocated space in the MFT. Besides file
attributes, each file record contains information about the position of the
file record in the MFT Index and allocation of the file content on disk
(cluster chain). File content is stored in disk Data Area outside of MFT.
Information about used and free disk clusters is stored in the disk Bitmap.
Data recovery on NTFS disks
When you delete a file it is not physically
erased from the disk. To reduce the operation time, the system only marks
file MFT record as not-in-use, so other regular programs can no longer "see"
it. Later NTFS can reuse this MFT record to store information about other
file or folder. Also NTFS clears all the clusters' marks in disk Bitmap, so
they appear empty (unused). During the course of further disk use, these
clusters can be also reused to store content of other files or folders. The
Damage ratio displayed by Back2Life indicate the ratio of reused clusters
which had been earlier used by now-erased file.
Unlike FAT file systems, NTFS holds information about the file cluster chain
in the MFT record even after file is erased. This increases data recovery
success because we don't have to guess where these clusters are located, as
we have to do with FAT.
But it still possible that a NTFS file even with a Damage ratio of zero
percent might not be successfully recovered. This is because file clusters
may have been reused and erased again - they still look untouched but the
content has been changed.
Two things determine the recovery success for NTFS disks:
- if file record in MFT hasn't been reused (if it was, file will not even be found by Back2Life)
- if file clusters were not reused after it's deletion
Even though NTFS disks
are much better fit for undeleting purposes than FAT disks, they were not
directly designed for it. So still even the possibility to restore at least
something, is Grace by itself!
Data recovery tips
As soon as you discover that vital files have
been erased or otherwise lost, the most important thing is to prevent erased
files from being rewritten. To do so, avoid any use of
the disk where the file was erased until after the files are
recovered. Also remember that Back2Life shouldn't be installed to this disk
- install it to floppy if no other disk is available.
The following three things are important for data recovery considerations:
(1) The less time since the disk has been defragmented, (2) the sooner you
make a data recovery attempt, and (3) the smaller the size of the file to
recover - the more chances for success we have.
When Back2Life saves a recovered file, it reads its content and writes it to
a new file with the same name. It is recommended that you save recovered
files on another disk because of the risk of overwriting other erased files
with the new saved one.