Recovering Compressed NTFS Files

To learn more about recovering protected and encrypted files, please read our article called Recovering Protected and Encrypted NTFS Files. Later on, we will consider the possibilities of recovering files compressed using the standard means of the NTFS file system.

Compressed NTFS Files

NTFS File Compression

On-the-fly compression was new to NTFS, allowing users to trade off some extra disk space for a little performance without sacrificing convenience. The fully transparent compression shrinks files, folders or entire disks, allowing to use disk space more effectively. Doing it is extremely easy – just select a file, the “My Documents” folder, your desktop or a disk, and set a corresponding flag in the extended attributes dialog.

Unfortunately, data recovery tools unaware of the specific compression algorithms used in NTFS encryption will lose much of their functionality when accessing the disk in low-level mode. Low-level access will return compressed binary stream instead of the content of actual files, effectively rendering signature-search algorithms completely useless. Data recovery tools unaware of NTFS compression will fail to recover compressed files in a case the file system is broken.

File attributes

Recovering NTFS Compressed Files

The issue of recovering NTFS-compressed files is complicated enough to make it worthy of a scientific research. Korean researchers Byeongyeong Yoo, Jungheum Park, Sungsu Lim, Jewan Bang and Sangjin Lee published several whitepapers such as “A study on multimedia file carving method” exploring this very issue. While their research mostly refers to forensic investigations, they developed a file carving algorithm using a variation of signature-search method widely employed in data recovery. According to the researchers, their “…file carving(algorithm) recovers files using the inherent header and footer in files or the entire file size determined in the file header”.

Re-creating the very complex algorithms implemented by Microsoft in the NTFS in order to gain binary, raw-mode access to compressed files is extremely complicated. For this reason, whatever support there is for compressed NTFS files is currently only available in certain high-end and very expensive digital forensic tools.

Tools and Limitations

Does it mean that compressed NTFS files cannot be recovered? Absolutely not! The better NTFS recovery tools will correctly process the compressed files. However, the recovery of NTFS-compressed files carries a number of restrictions and limitations, making the ability of a given tool to recover a given file under given circumstances a case-by-case issue.

NTFS recovery tools such as Hetman NTFS Recovery will be able to access and recover compressed files under certain conditions. Hetman NTFS Recovery will use Windows API to access the compressed files (as opposed to direct disk access when reading the disk in raw mode). Thus the recovery of compressed files will depend on whether or not the disk API is still able to read the file. For example, undeleting compressed files located on a healthy disk is no different to undeleting any other type of file. Recovering NTFS-compressed files from formatted NTFS disks is generally not a problem. However, if the file system is badly damaged, the chances of correctly recovering NTFS-compressed files are lower than those for non-compressed ones. It’s always worth a try to see if your files in your situation are actually recoverable.

Author: Michael Miroshnichenko

