There are two main Windows file systems used on modern PCs – NTFS and FAT.
Both Windows file systems keep tables listing which files are located on a disk drive or device, along with their particulars such as size and file times, but the two do this in different ways. That difference affects how well deleted file recovery techniques work in each case.
These Windows file systems divide the disk drive into pieces known as “Clusters” which hold the data belonging to the files on that disk. If a file is larger than one of these clusters it is split up and spread across however many clusters are needed to store it. Files are broken up this way so that areas of empty space are not wasted. For example, if every file on the disk had to be written in one unbroken piece, then every time a small file was deleted, unless the parts of the disk immediately before or after it were also free, only a file of the same size or smaller could be written into that gap. If you then tried to put a large file onto the disk you might find it wouldn’t fit, even though there was technically enough free space, because that space was not in one piece large enough to hold it.
FAT File Systems and Deleted File Recovery
Disk drives using the Windows FAT file system maintain two main tables of information – the File Allocation Tables and the Directory Entry Tables. The Directory Entry Tables contain details about each file on the disk, including its name, size, attributes, creation/modification times and the first cluster it uses on the disk. The File Allocation Table records how all the pieces of data on the disk are linked together. If you know a file begins at a particular cluster, you can look up that cluster in the File Allocation Table to find the next cluster the file uses, and so on until you have located every part of the file.
When a file is deleted from a FAT file system, its directory details are left in place until they are overwritten by a new file that needs the slot in the Directory Entry Tables. Once that happens, successful deleted file recovery is often very hard unless you know which parts of the disk held the file data. If the Directory Entry has not been overwritten you still know the name of the deleted file and where it starts on the disk. However, on deletion the File Allocation Tables are updated: the list of clusters used by the file is no longer stored, and those clusters are marked as “Free space”. Because they are marked as free, the deleted file’s data can be overwritten by new files written to the disk. This is why it is important not to carry on using a disk containing deleted files until you have been able to use a deleted file recovery product or technique.
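The FAT mechanics described above, as an added example that is not part of the original article: a tiny constructed FAT16-style image (8-byte clusters, a fragmented file HELLO.TXT), the chain walk a live read performs, what a delete leaves behind (0xE5 in the directory entry, zeroed FAT entries), and why a recovery tool that has lost the chain and guesses contiguity gets the pieces in the wrong order. The cluster size, FAT contents and file data are all constructed for the example.

```python
import struct

FAT16_EOC = 0xFFF8   # entries 0xFFF8..0xFFFF mark end of chain; 0xFFF7 marks a bad cluster
CLUSTER = 8          # constructed: 8-byte clusters so the whole sample image fits inline

def follow_chain(fat, start):
    """Walk FAT links from `start` to end-of-chain; a free, bad or looping link raises."""
    chain, cur = [], start
    while True:
        if cur in chain:
            raise ValueError(f"FAT chain loops at cluster {cur}")
        chain.append(cur)
        nxt = fat[cur]
        if nxt >= FAT16_EOC:
            return chain
        if nxt < 2 or nxt == 0xFFF7 or nxt >= len(fat):
            raise ValueError(f"chain broken at cluster {cur} (entry {nxt:#06x})")
        cur = nxt

def parse_dirent(entry):
    """Decode the recovery-relevant fields of a 32-byte FAT directory entry."""
    name, ext = entry[0:8], entry[8:11]
    deleted = name[0] == 0xE5                       # delete overwrites only this byte
    first = struct.unpack_from("<H", entry, 26)[0]  # first cluster (low word)
    size = struct.unpack_from("<I", entry, 28)[0]
    shown = (b"?" + name[1:] if deleted else name).rstrip().decode()
    return {"name": f"{shown}.{ext.decode().rstrip()}", "deleted": deleted, "first": first, "size": size}

def read_file(fat, clusters, entry):
    """Live file: follow the FAT chain and trim to the size in the directory entry."""
    d = parse_dirent(entry)
    return b"".join(clusters[c] for c in follow_chain(fat, d["first"]))[:d["size"]]

def carve_contiguous(clusters, entry):
    """Deleted file: the chain is gone, so guess that its clusters were contiguous."""
    d = parse_dirent(entry)
    n = -(-d["size"] // CLUSTER)                    # ceil(size / CLUSTER)
    return b"".join(clusters[d["first"] + i] for i in range(n))[:d["size"]]

def simulate_delete(fat, entry):
    """Mimic a FAT delete: mark the entry 0xE5 and zero (free) every cluster in its chain."""
    fat = list(fat)
    for c in follow_chain(fat, parse_dirent(entry)["first"]):
        fat[c] = 0
    return fat, b"\xE5" + entry[1:]

# Constructed image: HELLO.TXT (19 bytes) occupies clusters 2 -> 5 -> 3, i.e. it is fragmented.
FAT = [0xFFF8, 0xFFFF, 5, 0xFFFF, 0, 3, 0, 0]
CLUSTERS = {2: b"This is ", 3: b"le!\0\0\0\0\0", 4: b"old junk", 5: b"a FAT fi"}
LIVE = b"HELLO   TXT" + bytes(15) + struct.pack("<HI", 2, 19)
```

After simulate_delete the name and start cluster are still readable from the entry, but follow_chain fails on the zeroed FAT and the contiguous guess returns the fragments out of order.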
NTFS File Systems and Deleted File Recovery
Windows NTFS file systems work in a slightly different way. They use a Master File Table (MFT) whose records are similar to a FAT Directory Entry but also contain the file’s allocation data. This makes deleted file recovery much easier than on a FAT file system, as the allocation data isn’t lost when the file is deleted. However, the file data can still be overwritten in the same way as on a FAT file system, because the clusters the file occupied are marked as free once it is deleted. The MFT records are also susceptible to being overwritten, just as Directory Entries are on FAT systems.
To recover deleted files, a deleted file recovery program needs to gather all the available pieces of information about them and fill in the gaps in its knowledge using mathematical and logical routines. Once the program has worked out all the information it requires, it can often recover the data with minimal corruption, except where the file data itself has been overwritten by another file. In that case deleted file recovery is next to impossible.
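The allocation data that an NTFS MFT record keeps (and that the section says survives deletion) is stored as a run list in the file’s $DATA attribute. As an added example, not code from the article, here is a decoder for that run list together with a constructed sample; the sample bytes and the two-run-plus-sparse layout are made up for illustration.

```python
def decode_runlist(runs):
    """Decode an NTFS $DATA run list into (first_cluster, length) pairs.
    Each run starts with a header byte: low nibble = size of the length field, high nibble =
    size of the offset field. The offset is signed and relative to the previous run's start;
    an offset size of 0 marks a sparse run that owns no clusters on disk."""
    out, pos, lcn = [], 0, 0
    while pos < len(runs) and runs[pos] != 0:   # a 0x00 header byte ends the list
        hdr = runs[pos]
        len_sz, off_sz = hdr & 0x0F, hdr >> 4
        pos += 1
        if len_sz == 0 or pos + len_sz + off_sz > len(runs):
            raise ValueError(f"malformed run header {hdr:#04x} at byte {pos - 1}")
        length = int.from_bytes(runs[pos:pos + len_sz], "little")
        pos += len_sz
        if off_sz == 0:
            out.append((None, length))           # sparse: nothing to recover here
        else:
            lcn += int.from_bytes(runs[pos:pos + off_sz], "little", signed=True)
            pos += off_sz
            out.append((lcn, length))
    return out

def runs_to_clusters(runlist):
    """Expand decoded runs into the ordered clusters a recovery tool would read back."""
    clusters = []
    for lcn, length in runlist:
        clusters.extend([None] * length if lcn is None else range(lcn, lcn + length))
    return clusters

# Constructed run list: 4 clusters at LCN 0x100, then 2 clusters 8 before that (signed
# offset 0xF8 = -8), then a 3-cluster sparse run, then the 0x00 terminator.
RUNS = b"\x21\x04\x00\x01\x11\x02\xF8\x01\x03\x00"
```

Knowing the cluster list is what lets an NTFS recovery skip the guesswork a FAT recovery needs; it does not protect the clusters themselves from being reused.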
Reformatted Drives and Deleted File Recovery
What happens when a drive is reformatted depends on the computer’s operating system and how the drive is formatted. Most of the time under Windows file systems a quick format is performed, which simply erases the file tables from the disk and makes room for new, clean tables with no files in them. This means the files those tables described cannot always be recovered easily. Sometimes the new file tables are placed in a different part of the disk from the old ones, so the existing file data is still available to deleted file recovery software. If the new tables land in the same spot and the old file tables are destroyed, the data can only be recovered by looking for specific data that can be associated with particular files.
Most common file types have a “signature” at the start or end of the file which identifies which type of file they are. For example a common JPEG file usually begins with the letters “JFIF”. If this signature is found on a part of the disk that could have contained a JPEG file, the deleted file recovery software can go about piecing this file back together. Some file types store information about the file’s size along with its signature, which gives them a greater chance of deleted file recovery. Where this information isn’t available, the deleted file recovery program needs to use its knowledge of the file’s format to determine which clusters are actually parts of that file. When files are reconstructed from their signatures there is a higher chance that the recovered file will be corrupted. There is little hope of the original file name being preserved, so these files are usually given a generic name such as “LOSTFILE1.JPG”.
If a full format is performed on a drive there is very little chance that any deleted file recovery technique will work at all. This is because every cluster on the drive is overwritten with “blank” data, which is done not only to remove the previous file system but also to verify that the disk is functioning correctly and that data can be written to every part of it.
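Signature-based carving as the paragraph above describes it, as an added example that is not part of the original article: one rule carves from a header to a footer (JFIF JPEG, where the bytes FF D8 FF E0 are followed by a length and the text “JFIF”, and FF D9 ends the image), the other reads a size field stored next to the signature (BMP, “BM” then a little-endian file size). The rule table, the LOSTFILEn naming and the unallocated-space bytes are constructed for the example.

```python
import re

# Carving rules constructed for this example. A rule either names a footer to stop at,
# or the offset of a size field inside the header (the page's "size stored with signature").
RULES = {
    # JFIF JPEG: SOI FF D8, APP0 marker FF E0, 2-byte length, then the text "JFIF\0";
    # no size field, so carve through to the EOI marker FF D9.
    "JPG": {"header": re.compile(rb"\xFF\xD8\xFF\xE0..JFIF\x00", re.DOTALL), "footer": b"\xFF\xD9"},
    # BMP: "BM" followed by the total file size as a little-endian u32 at offset 2.
    "BMP": {"header": re.compile(rb"BM"), "size_at": 2},
}
MAX_CARVE = 4096  # cap for a header whose footer never appears (constructed for the example)

def carve(image, rules=RULES, max_carve=MAX_CARVE):
    """Scan raw (unallocated) bytes for signatures; return (generic name, data, note) tuples.
    Names are generic because no directory entry or MFT record survives to supply one."""
    hits = []
    for ext, rule in rules.items():
        for m in rule["header"].finditer(image):
            start = m.start()
            if "size_at" in rule:
                off = start + rule["size_at"]
                size = int.from_bytes(image[off:off + 4], "little")
                if not 14 < size <= max_carve or start + size > len(image):
                    continue  # implausible size: "BM" in ordinary text, not a real header
                hits.append((start, image[start:start + size], ext, "size field"))
            else:
                end = image.find(rule["footer"], m.end(), start + max_carve)
                if end == -1:
                    hits.append((start, image[start:start + max_carve], ext, "footer missing, truncated"))
                else:
                    hits.append((start, image[start:end + 2], ext, "header to footer"))
    hits.sort(key=lambda h: h[0])
    return [(f"LOSTFILE{i}.{ext}", data, note) for i, (_, data, ext, note) in enumerate(hits, 1)]

def build_image():
    """Constructed stand-in for unallocated space: padding, an intact JFIF, a false 'BM'
    in text, a BMP, and a JFIF header whose tail was overwritten (no FF D9 follows)."""
    jpeg = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x01\x01" + b"J" * 30 + b"\xFF\xD9"
    body = b"B" * 40
    bmp = b"BM" + (14 + len(body)).to_bytes(4, "little") + bytes(8) + body
    torn = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00tail"
    return bytes(100) + jpeg + b"xx BM in text xx" + bmp + bytes(50) + torn
```

A real JPEG may embed a thumbnail with its own FF D8/FF D9 pair, so a footer search can stop early; that is one reason signature carves come back corrupted more often than table-driven recoveries.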