Why Deleted Files Can Be Recovered?

Get to know how files are stored on your hard disk and how Windows works when you delete files. With so many inexpensively priced data recovery and undelete tools on the market, one may wonder what magic they do to get deleted files back. Is it really a very complex and time-consuming process, or can anyone do it at home? To answer the question, we should first look at what Windows does when you delete a file.

Why Deleted Files Can Be Recovered?

How Windows Deletes Files

Files are stored as blocks of data on the sectors of a hard drive. Sectors can be placed sequentially or be scattered randomly across the drive’s surface. Sector placement depends on how free blocks were arranged at the time a particular file was being saved. If the system couldn’t find an uninterrupted block of sectors big enough for saving the file as a continuous sequence, it would fragment the file and write its parts into unoccupied blocks.

Go to view
How to Recover Files Deleted From Windows Recycle Bin or With Shift + Del 📁🔥⚕️

How to Recover Files Deleted From Windows Recycle Bin or With Shift + Del 📁🔥⚕️

Windows stores files on your hard disk, and indexes them in the file system. The file system keeps records of file names, sizes, attributes, and, most importantly, the exact location of actual data on the disk. When you delete a file (assuming the Recycle Bin is off), Windows does not actually erase, zero or otherwise alter the actual data. Instead, it just quickly changes the corresponding record in the file system to mark the file as “deleted”. Neither the actual file system record nor original file data are erased at this point.

As you can see, files aren’t really erased when you delete them. Windows makes a change to the file’s record in the file system, advertising the space occupied by the file as available. While the actual data is still there, the disk space it occupies is now marked as available for use. Eventually, when the system needs space to write another file, it may claim that space and store a different file in it. This is the point at which the actual data is lost. Until then, the data still exists on your disk and can be recovered. This very behavior allows various data recovery tools to exist and do their job.

How Tools Undelete Files

If you run a data recovery tool in a timeframe when the file has been deleted but its disk space not yet used by another file, you will be able to get that file back. Of course, many things depend on what kind of a tool you’ll be using.

Go to view
Restoring a Deleted Folder from Recycle Bin, Archive or with Specialized Software 📁⚕️👨‍💻

Restoring a Deleted Folder from Recycle Bin, Archive or with Specialized Software 📁⚕️👨‍💻

The simplest data recovery tools will look through the file system for all records marked as deleted. They will then analyze these records in an attempt to determine physical disk sectors containing the data belonging to the file. After a cross-check to make sure the disk space has not been used by another (non-deleted) file, the tool will go ahead and retrieve the content from the disk, saving the data to a new file.

Sometimes, however, this very simple approach will not work. Windows reuses file system records, making the reference to the deleted file no longer available. In this case, you won’t be able to undelete the file with a simple tool. Fortunately, there are tools that employ content-aware signature search analysis techniques to analyze the entire disk surface in order to detect the exact location of a file even if there is no record in the file system.

The algorithms essentially searches for a combination of specific bytes on a drive that mark the beginning or end of files. For instance, *.avi, *.docx, *.pdf, *.ppt, *.pst, *.zip files start with “52 49 46 46”, “50 4B 03 04”, “25 50 44 46”, “D0 CF 11 E0”, “21 42 44 4E”, and “50 4B 03 04”, correspondingly. Read the article about signature search for more information about this technique.

Solid-State Drives: The Exception

Things don’t look that rosy with SSD drives. When a file is deleted from an SSD drive, Windows will work the same way, leaving the content well alone and only marking the file system record. However, an extra step will be made: Windows will issue the TRIM command, telling the drive that disk space previously occupied by the file became available. The disk then will perform a physical erase of that space, effectively destroying the content of the file forever. Why does it need to do that? The reasons have to do with the way SSD drives store information. Detailed information is available in a separate article.

Go to view
Recovering Data from SSD After File Deletion or Disk Formatting ⚕️📁💥

Recovering Data from SSD After File Deletion or Disk Formatting ⚕️📁💥

Oleg Afonin

Author: , Technical Writer

Oleg Afonin is an expert in mobile forensics, data recovery and computer systems. He often attends large data security conferences, and writes several blogs for such resources as xaker.ru, Elcomsoft and Habr. In addition to his online activities, Oleg’s articles are also published in professional magazines. Also, Oleg Afonin is the co-author of a well-known book, Mobile Forensics - Advanced Investigative Strategies.

Vladimir Artiukh

Editor: , Technical Writer

Vladimir Artiukh is a technical writer for Hetman Software, as well as the voice and face of their English-speaking YouTube channel, Hetman Software: Data Recovery for Windows. He handles tutorials, how-tos, and detailed reviews on how the company’s tools work with all kinds of data storage devices.

  • Updated:
  • Evaluations:
  • 14
  • /
  • :

Share

Questions and answers

  • What are deleted files and how are they removed from a computer's storage device?

    Deleted files are files that have been removed from a computer's storage device. When a file is deleted, it is not immediately erased from the storage device; instead, the space it occupied is marked as available for use by the operating system. This means that the file's contents remain on the storage device until it is overwritten by new data. In order to permanently remove a file from a storage device, it must be securely erased using specialized software or hardware tools.

  • Can deleted files be recovered, and if so, how?

    In some cases, deleted files can be recovered. Depending on the type of file, the method of recovery may vary. For example, if the file was stored on a hard drive, recovery can often be done using data recovery software. If the file was stored on an external device, such as a USB drive or memory card, it may be possible to use specialized hardware and software to recover the file. In some cases, deleted files may also be recovered from cloud storage services.

  • What is the difference between a file being deleted and a file being overwritten?

    When a file is deleted, it is removed from the computer's directory and is no longer accessible. The file's data is still stored on the hard drive, but it can only be recovered with special data recovery software. When a file is overwritten, it is replaced with new data, and the original file is completely erased and cannot be recovered.

  • Is it possible to recover files that were deleted a long time ago?

    Yes, it is possible to recover files that were deleted a long time ago. However, the chances of successful recovery decrease the longer the file has been deleted. Depending on the type of storage device, there are various tools and techniques available to attempt to recover deleted files.

  • What factors affect the ability to recover deleted files?
    • The type of storage device used: Different storage devices have different levels of data recovery capabilities. For example, hard drives are more likely to allow for successful data recovery than flash drives.
    • The time since the deletion: The longer the time since the file was deleted, the less likely it is that the file can be recovered. As time passes, the space on the storage device where the file was located is overwritten with new data, making it difficult to retrieve the deleted file.
    • The type of deletion: Depending on how the file was deleted, it may be easier or harder to recover. For example, if the file was permanently deleted (i.e. bypassing the Recycle Bin), it may be more difficult to recover than if it was simply moved to the Recycle Bin.
    • File system used: Different file systems can affect the ability to recover deleted files. For example, some file systems are more resilient to data loss than others, making it easier to recover deleted files.

Comments (12)

  • Moon Cat
    Moon Cat 17.06.2016 15:04 #
    I've known for a long time that if one wants to delete certain files for sure, it is necessary to use certain programs which write new data on the disk space where those files were stored, thus deleting them forever. However, not long ago I stumbled upon a description of a certain technique which is claimed to be able to recover files from the spaces where new data have been written not even once, but several times! Frankly speaking, it was described in a scientific thriller, so maybe it is just the author's invention. But I wondered if perhaps similar technique exists in real life?
    Reply
  • Wilbur Bason
    Wilbur Bason 14.09.2012 00:29 #
    What precautions can individuals take to prevent the recovery of their deleted files by unauthorized users?
    Reply
    • Hetman Software
      Hetman Software 14.09.2012 00:58 #
      • Use strong passwords and two-factor authentication when possible.
      • Regularly back up your data to an external hard drive or cloud storage service.
      • Encrypt your data with a trusted encryption program.
      • Use disk-wiping software to securely erase files before deleting them.
      • Use a secure file-shredding program to delete files beyond recovery.
      • Be aware of the data recovery capabilities of the operating system you are using.
      • Disable system restore points and hibernation features on your computer.
      • Regularly scan your computer for malicious software and viruses.
      • Disable automatic mounting of external drives on your computer.
      • Avoid using public computers or networks to store sensitive data.
      Reply
  • Ezekiel Braithwaite
    Ezekiel Braithwaite 13.09.2012 22:34 #
    Can deleted files be recovered from a damaged or corrupted storage device?
    Reply
    • Hetman Software
      Hetman Software 13.09.2012 22:51 #
      In some cases, it is possible to recover deleted files from a damaged or corrupted storage device. However, this depends on the extent of the damage and corruption, and the type of storage device. If the data is still intact on the device, then a data recovery specialist may be able to recover the deleted files. If the damage is severe, however, then it may not be possible to recover the deleted files.
      Reply
  • Garth Short
    Garth Short 13.09.2012 19:26 #
    How does data recovery software work to recover deleted files?
    Reply
    • Hetman Software
      Hetman Software 13.09.2012 19:55 #
      Data recovery software works by scanning a storage device for the deleted files and folders. It looks for traces of the deleted files and attempts to restore them. The software can also scan for lost partitions and lost data due to formatting or corruption. In some cases, the software can even recover data that has been overwritten by other data.
      Reply
  • Dickon Pigott
    Dickon Pigott 13.09.2012 15:31 #
    What are some common methods used to recover deleted files?
    Reply
    • Hetman Software
      Hetman Software 13.09.2012 15:48 #
      • Restore from a Backup: This is the most reliable way to recover deleted files as it involves restoring a previously saved version of the file.
      • Use File Recovery Software: There are many file recovery programs available that can scan your hard drive and recover deleted files.
      • Use Data Recovery Services: Professional data recovery services can be expensive, but they are often able to recover deleted files that other methods cannot.
      • Use Undelete Commands: Depending on the operating system you are using, there may be an undelete command that can be used to recover deleted files.
      • Check the Recycle Bin: If you have recently deleted a file, it may still be in the Recycle Bin.
      Reply
  • Randy Manly
    Randy Manly 13.09.2012 13:35 #
    Are there any situations in which deleted files cannot be recovered?
    Reply
    • Hetman Software
      Hetman Software 13.09.2012 14:02 #
      Yes, there are situations in which deleted files cannot be recovered. For example, if the file was overwritten with new data, the original file will no longer exist and cannot be recovered. Additionally, if the data was stored on a hard drive that has been physically damaged, the file may be unrecoverable.
      Reply
  • Hetman Software: Data Recovery
    Hetman Software: Data Recovery 27.04.2018 10:22 #
    Read why deleted files can be recovered. If you do have any questions, don't hesitate to contact our technical support service - we will be happy to help you.
    Reply
Post comment
User
Leave a reply
Your email address will not be published. Required fields are marked *

Recommended For You
This website uses cookies to improve your experience. Description
Hello! This is AI-based Hetman Software virtual assistant, and it will answer any of your questions right away.
Start Chat