PC-3000 DE. Deleted files recovering

recycle

Deleted files recover is a very popular task. So, how to work with hard drive and recover deleted files. Let’s discuss about it in this article.

After files deleting drive modified a metadata of File System but not affect on files body directly. These files still are located on the drive but (!) FS think that these blocks are empty for writing and FS can overwrite these blocks by new users data.

The faster client bring the drive to DR lab the more likely to recover the deleted files.

1st way. Searching and analysis of File System metadata.

This solution is based on available File System metadata of deleted files and as result we can find these values.

Take a look on this images with NTFS file system partition. Here we have a few folders, then we have deleted one of them.

Before deleting:

NTFS-cr1

 

After deleting:

NTFS-after-delete-cr

As you know, each file in NTFS have “MFT record“. It contain name of file, creation data, modification data, etc. These value are using for file identification by File system. All such records have the same size (basically 1024 bytes) and keeps in special region of drive – in the MFT table (Master File Table). This region is allocated with reserve and as result inside this region can be a not used sectors.

So, after deleting “Pics” folder we have following:

  • Link to “Pics” folder has been deleted;
  • record for “Pics” folder and records for each files inside this folder are marked like free in MFT table;
  • Space which has been used for these files are maked like a free and can be used for new users data.

(This is not a full list of changes but it’s enough for this article)

NTFSfilesscheme

So, files and their MFT records are still on the drive but the space of these files and their MFT records are marked like free for new files.

If we open the partition as is we can’t to see this folder and deleted files, but if we scan MFT records we can return back this folder with files inide back to the original Partition.

Such process can be performed in Data Extractor by “Scan MFT” option. Don’t forget to mark “Show deleted files” option.

ScanMFTshowDELETED

«Scan MFT» option — is not the only one logical scan for NTFS file system:

  • «Scan MFT» and «Scan MFT+INDX» methods — read a very little part of drive, and as result this process take a little bit a time. But both are bring a good result if FS is not a very damaged.
  • «Partition analysis» and «Search NTFS structures» methods — are effective for complex cases (then damaged the whole partition). They are read a whole partition and take a lot of time for this scan, but bring a most quality and complete results.

In our example each of these option bring the same good result and files will be recovered.

2nd way. When deleted files metadata are not found.

Data Extractor have logical scan options for each File System. For example for XFS can be used «Partition data analysis» option. But in our example it’s not bring a result because XFS file system clear a metadata records after files deleting.

The same situation can be on NTFS partition if after deleting user proceed to work. Records of deleted files can be rewrote by new data. For such situation can be used RAW recovery method, but we can try to speed up the process by following method:

Create a map of unused space then launch a RAW recovery process on this map.

RAW recovery

This process allow to save a lot of time and also get a good result of scan.

There are cases which is required to apply both these ways for recovery and our TS department is ready to help you.

1 Star2 Stars3 Stars4 Stars5 Stars (5 votes, average: 5.00 out of 5)
Loading...

This entry was posted in Articles, Data Extractor. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *