Recovering Deleted Files: What Impacts Recoverability?

Recently, I’ve received several questions related to the recovery of deleted files.  What happens when a file is deleted on a Windows-based system, and what causes those files to be lost and therefore unrecoverable?  Further, what could I have done to prevent their loss?  To answer those questions, we first need to answer another very important question.

How does Windows save file data on a NTFS volume?

When you create a new file, like a picture from your vacation (vacation.jpg), and save it to your hard drive (formatted with the NTFS file system), Windows does a couple things.  It finds an open file record in the metadata area of the disk (called the Master File Table or MFT) and writes some information about the file, such as the file name and date.  If there are no open file records, Windows will expand the MFT and create a new file record.

Windows then finds some free data blocks on the volume to write the actual file data to.  Once the data blocks are identified, Windows links the new file record to the data blocks and writes the actual data to the disk.  The picture below illustrates the vacation.jpg file as written to the disk.

So what happens when a file is deleted (assuming it is not going into the Recycle Bin)? Two very important things happen (from a data recovery perspective): 1. The file record is marked as deleted and available for reuse. 2. The data area is marked as free space and available for reuse.

The image above shows the areas of the disk that hold the data for the vacation.jpg file have now been marked as free space and are available for use for new files or to expand existing files. The file record has also been marked as deleted and is available for reuse by the file system. To recover deleted data, your data recovery company or software needs to be able to find deleted file records that have not been overwritten and the data blocks that relate to those files. The DR company or software should also scan the unallocated space on the disk for data blocks that were in use, but whose file records have been overwritten. An example of such a process is as follows:

1.  Limit access to the disk (write blocker)
2.  Scan volume metadata for file records marked as deleted
3. Recover deleted file records and their related data blocks into new files
4. Scan volume for raw data that is currently in unallocated or free areas of the drive
5. Recover raw data blocks into new files

What are some of the reasons deleted data cannot be recovered?

• File record is overwritten and:
  • No signature for the file data
  • Data is fragmented
• Data is completely overwritten
• Data is partially overwritten

The figure below illustrates a file that has been deleted, its file record overwritten by a new file, and the data is fragmented on the drive.

Our example file (vacation.jpg) has been deleted and the file record overwritten with a new file (birthday.jpg). The only recovery possible for the vacation.jpg file is to find and assemble the raw data blocks (assuming there isn’t another copy of the FR somewhere else on the volume). The success rate for this type of recovery is very high as the data blocks (Blocks 1-4) in our example have not been overwritten by new data.

If the new file (birthday.jpg) had overwritten some of the data blocks like in the example below, then the file would only be partially recoverable (blocks 2 and 3 overwritten).

If all of the data blocks had been overwritten like the example below then the file would not be recoverable (blocks 1-4 overwritten).

So what can you do to make sure this doesn’t happen to you?

1. Backup/replicate your data. I know it sounds cliché, but a simple backup/replication can save a ton of heartache.
2. If you accidentally delete a file, and don’t have a backup, stop using the system as soon as possible. Browsing the Internet or continuing to work writes additional data to the disk and can cause the data blocks to be overwritten.
3. Restore a backup to a different drive to make sure that the backup contains the data you need and that the files are in working order.
4. If you want to attempt the recovery yourself, make a copy of the drive if possible and work on the copy. If it is not possible to make a copy, make sure the drive is slaved as a secondary disk to the system. Do not install recovery software on the drive you want to recover from.
5. Seek professional assistance. Good data recovery companies offer a free consultation, so you can discuss your specific needs with a data loss expert.