Why Can't Deleted Files be Recovered?

There are a number of reasons why deleted files can't be recovered with Recuva, or other recovery software. Neither FAT nor NTFS file systems were designed to assist file recovery, so sometimes recovery faces insuperable difficulties. Whilst we may already know that whenever a file is deleted the space it used is immediately available for other file allocation, we may not realise that the operating system is also burning the recovery bridges. There's no substitute for backups. This page deals mainly with NTFS and FAT, and Piriform's Recuva.

General:

If Recuva isn't already downloaded and installed, download the portable version to another partition, or a flash drive. Opening Recuva allocates and then deletes a zero-byte file called SomeRandomTmpFile in Recuva's program folder. If that program folder is on the drive being recovered from, then at least one deleted file record in the MFT will have been overwritten and lost forever. Launching Recuva for the first time also writes a prefetch file (and whatever else Windows decides) overwriting both MFT entries and clusters, so Recuva by itself is to some extent destructive.

FAT:

FAT is a file system developed by Microsoft and commonly used in SD Cards and flash drives of any manufacture.

FAT holds the file's first cluster address in the directory entry. Further clusters are chained in the FAT tables. On file deletion the first character of the file name in the directory is modified and the FAT chains set to zero. Recuva will ignore the FAT tables, follow the first cluster address in the directory and read forward from that point until it reaches an end of file indication.

FAT32 is a tweaked FAT16. However, the cluster address in a FAT16 directory is only two bytes. To overcome this, FAT32 uses a separate two-byte field to hold the high-end address. On file deletion this FAT32 high-end address field is set to zero. When Recuva follows the directory address it will be using an invalid 'half' address. If Recuva thinks the address is below 65,536 then this is a clear sign that the address is corrupted.

Multiple file extents are chained in the FAT tables. As the chain is set to zero on file deletion only the first extent can be recovered. Some recovery software may 'guess' where secondary extents are, with varied results.

FAT32 tries to avoid extents by allocating files at the last used position in the FAT table, which is some help.
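
The effect of deletion on a FAT32 directory entry can be shown with a small parser. This is an added example, not code from Recuva or from the original page; the function names, the sample entry and the 300,000-cluster volume are constructed for illustration.

```python
import struct

DELETED_MARK = 0xE5  # first name byte of a deleted FAT directory entry

def build_entry(name, cluster, size):
    """Build a 32-byte FAT32 directory entry (constructed sample data)."""
    # attr, NT reserved, create tenths, create time, create date, access date,
    # cluster high word, write time, write date, cluster low word, file size
    tail = struct.pack("<BBBHHHHHHHI", 0x20, 0, 0, 0, 0, 0,
                       cluster >> 16, 0, 0, cluster & 0xFFFF, size)
    return name.ljust(11).encode("ascii") + tail

def delete_entry(raw):
    """Apply the two changes the article describes for a FAT32 deletion."""
    entry = bytearray(raw)
    entry[0] = DELETED_MARK                 # first character of the name modified
    struct.pack_into("<H", entry, 20, 0)    # high-end address field zeroed
    return bytes(entry)

def parse_entry(raw):
    """Decode start cluster and size, flagging addresses that cannot be trusted."""
    high, = struct.unpack_from("<H", raw, 20)
    low, size = struct.unpack_from("<HI", raw, 26)
    deleted = raw[0] == DELETED_MARK
    return {"deleted": deleted, "cluster": (high << 16) | low, "size": size,
            "suspect": deleted and high == 0}

def candidate_clusters(low, total_clusters):
    """Every start cluster on the volume that shares the surviving low word."""
    last = total_clusters + 1               # data clusters are numbered from 2
    return [c for c in range(low, last + 1, 0x10000) if c >= 2]

if __name__ == "__main__":
    live = build_entry("REPORT  DOC", 0x31234, 5000)
    gone = parse_entry(delete_entry(live))
    print(parse_entry(live)["cluster"], gone["cluster"], gone["suspect"])
    print(candidate_clusters(gone["cluster"], 300000))
```

The file that started at cluster 201,268 is reported at cluster 4,660 once deleted, and only the list of candidates sharing the low word hints at where the data might really begin.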

NTFS:

NTFS is a file system developed by Microsoft and commonly used in desktop PCs running Windows.

NTFS holds all file names, directories, cluster addresses, etc. in 1 KB records in the Master File Table (MFT). On file deletion the MFT record for the file is flagged as unused and the cluster bitmap updated. Larger and fragmented files can use many MFT records.

If a file is greater than 4 GB then the cluster addresses in the MFT record are zeroed on file deletion. The file name remains but the file's clusters can't be found.

If a file has many fragments then an extension MFT record is used. Cluster addresses in extension records are overwritten on file deletion. The file can't be recovered.

MFT records are reused in lowest number first sequence (although probably any available record in memory is used first). This means that recently allocated and deleted files are more likely to have their MFT record overwritten.
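
The "unused" flag and the link from an extension record to its base record both live in the fixed header of each MFT record. The following added example (not Recuva's code and not from the original page) reads those header fields from a constructed four-record MFT fragment; the helper names and sample records are hypothetical, and fixup handling and attribute parsing are left out.

```python
import struct

RECORD_SIZE = 1024                 # MFT record size given in the article
IN_USE, IS_DIR = 0x0001, 0x0002    # header flag bits

def build_record(flags, base_record=0):
    """Constructed sample record: a valid header, zero padded."""
    # signature, fixup offset, fixup count, log sequence number, sequence no.,
    # link count, first attribute offset, flags, used size, allocated size,
    # base record reference (non-zero only in extension records)
    header = struct.pack("<4sHHQHHHHIIQ", b"FILE", 48, 3, 0, 1, 1, 56,
                         flags, 56, RECORD_SIZE, base_record)
    return header.ljust(RECORD_SIZE, b"\x00")

def scan_mft(mft):
    """Return (record number, state, kind, base record) for each FILE record."""
    rows = []
    for number in range(len(mft) // RECORD_SIZE):
        record = mft[number * RECORD_SIZE:(number + 1) * RECORD_SIZE]
        if record[:4] != b"FILE":
            continue                                   # never used or damaged
        flags, = struct.unpack_from("<H", record, 22)
        base_ref, = struct.unpack_from("<Q", record, 32)
        state = "in use" if flags & IN_USE else "deleted"
        kind = "directory" if flags & IS_DIR else "file"
        base = base_ref & 0xFFFFFFFFFFFF               # low 48 bits: record number
        rows.append((number, state, kind, base if base_ref else None))
    return rows

def deleted_files(mft):
    """Deleted base file records: entries whose names an MFT scan can list."""
    return [n for n, state, kind, base in scan_mft(mft)
            if state == "deleted" and kind == "file" and base is None]

# Constructed four-record MFT fragment.
SAMPLE_MFT = b"".join([
    build_record(IN_USE | IS_DIR),     # 0: live directory
    build_record(0),                   # 1: deleted file
    build_record(0, base_record=1),    # 2: deleted extension of record 1
    build_record(IN_USE),              # 3: live file
])

if __name__ == "__main__":
    for row in scan_mft(SAMPLE_MFT):
        print(row)
```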

SSDs:

With TRIM, deleted clusters on an SSD are immediately mapped to a default zeroed cluster. The deleted data cannot be recovered by any means. Recuva will find the deleted file names and cluster addresses in the MFT, but the data has gone forever.

Recycler:

Files sent to the recycler are renamed in XP to D + the drive letter + a sequential index number + the original file extension. From Vista onwards they are renamed to $R + a set of random characters + the original file extension. When scanning for deleted files these names may be relevant.

Recuva Normal Scan:

Recuva reads the MFT and lists all files found in deleted records. This includes files with any extension or no extension. The cluster addresses are used to recover the file data. Recuva will copy whatever is at the cluster addresses, irrespective of the contents.

Recuva Deep Scan:

Recuva runs a normal scan first, then runs a scan of all unused clusters, checking each cluster for a specific subset of file signatures. If a match is found, the cluster and following clusters are recovered.

Deep Scan does not recover file or directory names, as they are held in the MFT.

Deep Scan can only recover the first extent of any file, as there is no link to subsequent extents in the file's data.

Deep Scan will not find files whose extension is not in the extension subset.

Deep Scan cannot recover text or bat files, etc. as they have no file signature, nor does it recover files with no extension.

Deep Scan will find nothing on an SSD.

All files found with a Deep Scan will be in an Excellent state, which can be misleading.
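
The Deep Scan limits listed above follow directly from how signature scanning works. This added sketch is not Recuva's implementation and is not from the original page: the cluster size, the two-entry signature table, the sample volume and the fixed carve length are all assumptions chosen to keep the example small.

```python
CLUSTER = 512                                            # assumed cluster size
SIGNATURES = {b"\xff\xd8\xff": "jpg", b"%PDF-": "pdf"}   # assumed signature subset

def cluster(data):
    """Pad sample data out to one full cluster."""
    return data.ljust(CLUSTER, b"\x00")

# Constructed six-cluster volume; clusters 0 and 2 belong to live files.
VOLUME = b"".join([
    cluster(b"live system file"),               # 0: in use
    cluster(b"\xff\xd8\xff\xe0 jpeg part 1"),   # 1: deleted jpg, first extent
    cluster(b"live document"),                  # 2: in use, splits the jpg
    cluster(b"jpeg part 2 \xff\xd9"),           # 3: deleted jpg, second extent
    cluster(b"@echo off\r\ncopy a b\r\n"),      # 4: deleted .bat, no signature
    cluster(b"%PDF-1.4 sample"),                # 5: deleted pdf
])
IN_USE = {0, 2}

def deep_scan(volume, in_use):
    """Check the start of every unused cluster against the signature subset."""
    hits = []
    for number in range(len(volume) // CLUSTER):
        if number in in_use:
            continue
        head = volume[number * CLUSTER:number * CLUSTER + 8]
        for magic, kind in SIGNATURES.items():
            if head.startswith(magic):
                hits.append((number, kind))     # a type is known, never a name
    return hits

def carve(volume, start, count):
    """Copy clusters forward from a hit; no extent map exists to follow."""
    return volume[start * CLUSTER:(start + count) * CLUSTER]

if __name__ == "__main__":
    print(deep_scan(VOLUME, IN_USE))            # the .bat in cluster 4 is missed
    recovered = carve(VOLUME, 1, 2)
    print(b"live document" in recovered, b"jpeg part 2" in recovered)
```

The carved "jpg" contains its first extent followed by a live file's cluster, not its own second extent, yet none of the clusters involved are counted as overwritten, which is why an Excellent state can mislead.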

Recuva State:

Excellent means no clusters are overwritten by a live file, Poor that some clusters are overwritten, Very Poor that most clusters are overwritten, and Unrecoverable that all clusters are overwritten. Unfortunately Excellent does not mean that recovered data is valid, or is what the user is looking for.

Directories:

Recuva does not recover directories per se, but the directory structure for recovered files can be recreated. If the directory path ends with a /? then that directory record in the MFT is no longer available and the path can't be completed.

The contents of this website are copyright © Webmaster. 2006 2007