Lost and Found: Demystifying the Recovery of Deleted Files!
Have you ever wondered why deleted files can sometimes resurface? In this article, we unravel the mystery behind deleted files, explaining why they can be recovered and how this process works. Whether you’re a curious tech enthusiast or someone concerned about data privacy, understanding the resilience of deleted files is essential in today’s digital age. Uncover the truth behind deleted file recovery!
- How Windows Deletes Files
- How Tools Undelete Files
- Solid-State Drives: The Exception
- Questions and answers
- Comments
How Windows Deletes Files
Files are stored as blocks of data on the sectors of a hard drive. Sectors can be placed sequentially or be scattered randomly across the drive’s surface. Sector placement depends on how free blocks were arranged at the time a particular file was being saved. If the system couldn’t find an uninterrupted block of sectors big enough for saving the file as a continuous sequence, it would fragment the file and write its parts into unoccupied blocks.
Windows stores files on your hard disk, and indexes them in the file system. The file system keeps records of file names, sizes, attributes, and, most importantly, the exact location of actual data on the disk. When you delete a file (assuming the Recycle Bin is off), Windows does not actually erase, zero or otherwise alter the actual data. Instead, it just quickly changes the corresponding record in the file system to mark the file as “deleted”. Neither the actual file system record nor original file data are erased at this point.
As you can see, files aren’t really erased when you delete them. Windows makes a change to the file’s record in the file system, advertising the space occupied by the file as available. While the actual data is still there, the disk space it occupies is now marked as available for use. Eventually, when the system needs space to write another file, it may claim that space and store a different file in it. This is the point at which the actual data is lost. Until then, the data still exists on your disk and can be recovered. This very behavior allows various data recovery tools to exist and do their job.
How Tools Undelete Files
If you run a data recovery tool in a timeframe when the file has been deleted but its disk space not yet used by another file, you will be able to get that file back. Of course, many things depend on what kind of a tool you’ll be using.
The simplest data recovery tools will look through the file system for all records marked as deleted. They will then analyze these records in an attempt to determine physical disk sectors containing the data belonging to the file. After a cross-check to make sure the disk space has not been used by another (non-deleted) file, the tool will go ahead and retrieve the content from the disk, saving the data to a new file.
Sometimes, however, this very simple approach will not work. Windows reuses file system records, making the reference to the deleted file no longer available. In this case, you won’t be able to undelete the file with a simple tool. Fortunately, there are tools that employ content-aware signature search analysis techniques to analyze the entire disk surface in order to detect the exact location of a file even if there is no record in the file system.
The algorithms essentially searches for a combination of specific bytes on a drive that mark the beginning or end of files. For instance, *.avi, *.docx, *.pdf, *.ppt, *.pst, *.zip files start with “52 49 46 46”, “50 4B 03 04”, “25 50 44 46”, “D0 CF 11 E0”, “21 42 44 4E”, and “50 4B 03 04”, correspondingly. Read the article about signature search for more information about this technique.
Step | Description |
---|---|
1. Initial scanning | The program performs low-level disk scanning, analyzing each sector to detect potential file signatures. |
2. Signature search | The scanner searches for unique byte sequences (signatures) that identify specific file types (e.g., PDF, JPEG, MP3). |
3. File type identification | Based on the detected signatures, the program identifies the file type and evaluates its size and structure. |
4. File reconstruction | The program reconstructs files by combining the detected data into a single file matching the identified signature. |
5. Integrity check | Files are checked for integrity to ensure they are not corrupted and can be opened. |
6. Saving recovered data | Recovered files are saved to a user-specified location, typically on a different storage device to prevent overwriting. |
Solid-State Drives: The Exception
Things don’t look that rosy with SSD drives. When a file is deleted from an SSD drive, Windows will work the same way, leaving the content well alone and only marking the file system record. However, an extra step will be made: Windows will issue the TRIM command, telling the drive that disk space previously occupied by the file became available. The disk then will perform a physical erase of that space, effectively destroying the content of the file forever. Why does it need to do that? The reasons have to do with the way SSD drives store information. Detailed information is available in a separate article.