Why Deleted Files Can Be Recovered?
Get to know how files are stored on your hard disk and how Windows works when you delete files. With so many inexpensively priced data recovery and undelete tools on the market, one may wonder what magic they do to get deleted files back. Is it really a very complex and time-consuming process, or can anyone do it at home? To answer the question, we should first look at what Windows does when you delete a file.
- How Windows Deletes Files
- How Tools Undelete Files
- Solid-State Drives: The Exception
- Questions and answers
- Comments
How Windows Deletes Files
Files are stored as blocks of data on the sectors of a hard drive. Sectors can be placed sequentially or be scattered randomly across the drive’s surface. Sector placement depends on how free blocks were arranged at the time a particular file was being saved. If the system couldn’t find an uninterrupted block of sectors big enough for saving the file as a continuous sequence, it would fragment the file and write its parts into unoccupied blocks.
How to Recover Files Deleted From Windows Recycle Bin or With Shift + Del 📁🔥⚕️
Windows stores files on your hard disk, and indexes them in the file system. The file system keeps records of file names, sizes, attributes, and, most importantly, the exact location of actual data on the disk. When you delete a file (assuming the Recycle Bin is off), Windows does not actually erase, zero or otherwise alter the actual data. Instead, it just quickly changes the corresponding record in the file system to mark the file as “deleted”. Neither the actual file system record nor original file data are erased at this point.
As you can see, files aren’t really erased when you delete them. Windows makes a change to the file’s record in the file system, advertising the space occupied by the file as available. While the actual data is still there, the disk space it occupies is now marked as available for use. Eventually, when the system needs space to write another file, it may claim that space and store a different file in it. This is the point at which the actual data is lost. Until then, the data still exists on your disk and can be recovered. This very behavior allows various data recovery tools to exist and do their job.
How Tools Undelete Files
If you run a data recovery tool in a timeframe when the file has been deleted but its disk space not yet used by another file, you will be able to get that file back. Of course, many things depend on what kind of a tool you’ll be using.
Restoring a Deleted Folder from Recycle Bin, Archive or with Specialized Software 📁⚕️👨💻
The simplest data recovery tools will look through the file system for all records marked as deleted. They will then analyze these records in an attempt to determine physical disk sectors containing the data belonging to the file. After a cross-check to make sure the disk space has not been used by another (non-deleted) file, the tool will go ahead and retrieve the content from the disk, saving the data to a new file.
Sometimes, however, this very simple approach will not work. Windows reuses file system records, making the reference to the deleted file no longer available. In this case, you won’t be able to undelete the file with a simple tool. Fortunately, there are tools that employ content-aware signature search analysis techniques to analyze the entire disk surface in order to detect the exact location of a file even if there is no record in the file system.
The algorithms essentially searches for a combination of specific bytes on a drive that mark the beginning or end of files. For instance, *.avi, *.docx, *.pdf, *.ppt, *.pst, *.zip files start with “52 49 46 46”, “50 4B 03 04”, “25 50 44 46”, “D0 CF 11 E0”, “21 42 44 4E”, and “50 4B 03 04”, correspondingly. Read the article about signature search for more information about this technique.
Solid-State Drives: The Exception
Things don’t look that rosy with SSD drives. When a file is deleted from an SSD drive, Windows will work the same way, leaving the content well alone and only marking the file system record. However, an extra step will be made: Windows will issue the TRIM command, telling the drive that disk space previously occupied by the file became available. The disk then will perform a physical erase of that space, effectively destroying the content of the file forever. Why does it need to do that? The reasons have to do with the way SSD drives store information. Detailed information is available in a separate article.
Recovering Data from SSD After File Deletion or Disk Formatting ⚕️📁💥
I've known for a long time that if one wants to delete certain files for sure, it is necessary to use certain programs which write new data on the disk space where those files were stored, thus deleting them forever. However, not long ago I stumbled upon a description of a certain technique which is claimed to be able to recover files from the spaces where new data have been written not even once, but several times! Frankly speaking, it was described in a scientific thriller, so maybe it is just the author's invention. But I wondered if perhaps similar technique exists in real life?
What precautions can individuals take to prevent the recovery of their deleted files by unauthorized users?
Can deleted files be recovered from a damaged or corrupted storage device?
In some cases, it is possible to recover deleted files from a damaged or corrupted storage device. However, this depends on the extent of the damage and corruption, and the type of storage device. If the data is still intact on the device, then a data recovery specialist may be able to recover the deleted files. If the damage is severe, however, then it may not be possible to recover the deleted files.
How does data recovery software work to recover deleted files?
Data recovery software works by scanning a storage device for the deleted files and folders. It looks for traces of the deleted files and attempts to restore them. The software can also scan for lost partitions and lost data due to formatting or corruption. In some cases, the software can even recover data that has been overwritten by other data.
What are some common methods used to recover deleted files?
Are there any situations in which deleted files cannot be recovered?
Yes, there are situations in which deleted files cannot be recovered. For example, if the file was overwritten with new data, the original file will no longer exist and cannot be recovered. Additionally, if the data was stored on a hard drive that has been physically damaged, the file may be unrecoverable.
Read why deleted files can be recovered. If you do have any questions, don't hesitate to contact our technical support service - we will be happy to help you.