General:
This is not a treatise or instruction manual on file recovery. It's a list of factors which can, and will, prevent successful deleted file recovery, offered to aid comprehension and appreciation of the difficulties ahead. Oh yes, this is Windows only.
There are a number of reasons why deleted files can't be recovered with Recuva, or other recovery software. Neither FAT nor NTFS file systems were designed to assist in deleted file recovery, nor do they have any obligation to keep deleted files' metadata intact (that's why there is the recycler). Sometimes deleted file recovery can face insuperable difficulties, and quite often it's impossible. There's no substitute for backups.
Recuva:
This page was originally written to assist users of Piriform's Recuva, but most of what is here will apply to any recovery software. If Recuva isn't already downloaded and installed, download the portable version to another partition, or a flash drive, to avoid overwriting deleted data. Opening Recuva allocates and then deletes a zero-byte file called SomeRandomTmpFile in Recuva's program folder. If that program folder is on the drive being recovered from, then at least one deleted file record in the MFT will have been overwritten and lost forever. Launching Recuva for the first time also writes a prefetch file (and whatever else Windows decides) overwriting both MFT entries and clusters, so Recuva by itself is to some extent destructive.
FAT:
FAT is a file system developed by Microsoft and commonly used in SD Cards and flash drives of any manufacture.
FAT holds the file's first cluster address in the directory entry. Further clusters are chained in the FAT tables. On file deletion the first byte of the file name in the directory entry is overwritten with 0xE5 and the file's chain entries in the FAT are set to zero; the data clusters themselves are not touched. Recuva will ignore the FAT tables, follow the first cluster address in the directory entry and read forward contiguously from that point for the length recorded in the entry.
FAT32 is a tweaked FAT16. However the cluster address field in a FAT16 directory entry is only two bytes and cannot hold a 32-bit address. To overcome this FAT32 uses a separate two-byte field in the entry to hold the high half of the address. On file deletion Windows sets this additional field to zero. When Recuva follows the directory address it is therefore using only the low half of the address, which always reads as a value below 65,536. A deleted file whose first cluster was at or above 65,536 will point at the wrong place on the volume, and nothing in the entry reveals whether the address was ever larger.
Multiple file extents are chained in the FAT tables. As the chain is set to zero on file deletion only the first extent of a file can be recovered. Some recovery software may 'guess' where secondary extents are, with varied results.
Windows' FAT32 driver tends to allocate new files starting from the position of the last allocation (FAT32 keeps a next-free-cluster hint in the FSInfo sector for this purpose) rather than from the start of the table, which keeps new files more contiguous and so may be some help.
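The following Python is an added illustration of the FAT behaviour described above; it is not code from the original page and not Recuva's own code. It models a tiny FAT32 volume (the cluster size of 4 bytes, the cluster numbers and the file contents are all constructed for the example) and shows the 0xE5 deletion mark, the zeroed chain, the zeroed high word of the first-cluster field, and why a contiguous read from the first cluster recovers only the first extent. The directory-entry field offsets used (name at byte 0, high cluster word at 20, low word at 26, size at 28) are the real FAT layout; the function names are the example's own.

```python
import struct

CLUSTER_SIZE = 4       # toy value so the output stays readable; real FAT clusters are 512 B to 64 KB
DELETED_MARK = 0xE5    # value the driver writes over the first name byte of a deleted entry
EOC = 0x0FFFFFFF       # FAT32 end-of-chain marker (any entry >= 0x0FFFFFF8 ends a chain)


def make_dir_entry(name11, first_cluster, size):
    """Build a 32-byte FAT directory entry with the fields this example uses."""
    e = bytearray(32)
    e[0:11] = name11.ljust(11).encode("ascii")             # 8.3 name, space padded
    e[11] = 0x20                                           # ATTR_ARCHIVE
    struct.pack_into("<H", e, 20, first_cluster >> 16)     # DIR_FstClusHI (FAT32 only)
    struct.pack_into("<H", e, 26, first_cluster & 0xFFFF)  # DIR_FstClusLO
    struct.pack_into("<I", e, 28, size)                    # DIR_FileSize
    return bytes(e)


def parse_dir_entry(entry):
    """Decode the deleted flag, first cluster and size from a 32-byte entry."""
    hi = struct.unpack_from("<H", entry, 20)[0]
    lo = struct.unpack_from("<H", entry, 26)[0]
    return {"deleted": entry[0] == DELETED_MARK,
            "first_cluster": (hi << 16) | lo,
            "size": struct.unpack_from("<I", entry, 28)[0]}


def walk_chain(fat, first):
    """Follow a live file's chain through the FAT; fat maps cluster -> next cluster."""
    chain, c = [], first
    while 0 < c < 0x0FFFFFF8 and c not in chain:          # membership test guards against loops
        chain.append(c)
        c = fat.get(c, 0)
    return chain


def delete_file(fat, entry, fat32=True):
    """Mimic the Windows driver on delete: free the chain, mark the name and, on FAT32,
    zero the high word of the first-cluster field. The data clusters are left untouched."""
    for c in walk_chain(fat, parse_dir_entry(entry)["first_cluster"]):
        fat[c] = 0
    e = bytearray(entry)
    e[0] = DELETED_MARK
    if fat32:
        struct.pack_into("<H", e, 20, 0)
    return bytes(e)


def recover_deleted(disk, entry):
    """Recovery as the text describes it: ignore the (zeroed) FAT, start at the first
    cluster named in the entry and read forward contiguously for the recorded size."""
    info = parse_dir_entry(entry)
    n = -(-info["size"] // CLUSTER_SIZE)                   # clusters needed, rounded up
    data = b"".join(disk.get(info["first_cluster"] + i, b"\x00" * CLUSTER_SIZE) for i in range(n))
    return data[:info["size"]]


def demo():
    """Constructed volume: file A has two extents (100-102 and 200-201); file B occupies 103-104,
    right after A's first extent, which is exactly where a contiguous read will wander into."""
    disk, fat = {}, {}
    for label, clusters in (("A", [100, 101, 102, 200, 201]), ("B", [103, 104])):
        for i, c in enumerate(clusters):
            disk[c] = b"%s%03d" % (label.encode(), i)
            fat[c] = clusters[i + 1] if i + 1 < len(clusters) else EOC
    a_entry = make_dir_entry("A       TXT", 100, 5 * CLUSTER_SIZE)
    live = b"".join(disk[c] for c in walk_chain(fat, 100))
    recovered = recover_deleted(disk, delete_file(fat, a_entry))
    # A file that started beyond cluster 65,535 loses the high word of its address on FAT32.
    far = delete_file(fat, make_dir_entry("FAR     BIN", 0x10005, CLUSTER_SIZE))
    return {"live": live,
            "recovered": recovered,
            "far_cluster_after_delete": parse_dir_entry(far)["first_cluster"]}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running demo() shows the live read returning A000 to A004, the post-deletion read returning A000 A001 A002 followed by B000 B001 (the second extent is gone and file B's clusters are copied in its place, with no error), and the far file's first cluster reading as 5 instead of 0x10005.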
NTFS:
NTFS is a file system developed by Microsoft and commonly used in desktop PCs and laptops running Windows.
NTFS holds all file names, directories, cluster addresses etc. in fixed-size records (normally 1 KB each) in the Master File Table (MFT). On file deletion the MFT record for the file is flagged as unused and the cluster bitmap ($Bitmap) is updated to show the file's clusters as free; as with FAT, the data clusters themselves are not touched. Larger and fragmented files can use many MFT records.
Unused MFT records are reused lowest number first (although any free record already cached in memory is probably reused before that). This means that recently allocated and deleted files are more likely to have their MFT records overwritten.
If a file is greater than 4 GB then the cluster addresses in the MFT record are zeroed on file deletion. The file name remains but the file's clusters can't be found.
If a file has many fragments then an extension MFT record is used. Cluster addresses in extension records are overwritten on file deletion. The file can't be recovered.
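As an added example (not from the original page and not Recuva's code), the Python below decodes the NTFS data-run list that holds a file's cluster addresses in its MFT record, then copies the named clusters the way a normal scan does. The run-list encoding (header nibbles, little-endian length, signed relative offset, 0x00 terminator) is the real NTFS format; the 12-byte sample run list checked in the test is the well-known one from the public NTFS documentation. The disk contents and the tiny cluster size are constructed, and the all-zero run list in the demo stands in for the over-4 GB and extension-record cases the page describes: it mimics the effect (addresses zeroed, name still known) rather than reproducing how the driver gets there.

```python
CLUSTER_SIZE = 4   # toy value; real NTFS clusters are usually 4 KB


def decode_runlist(runs):
    """Decode an NTFS data-run list into [(lcn, length), ...].
    Each run begins with a header byte: low nibble = byte count of the length field, high
    nibble = byte count of the LCN offset field. The offset is signed and relative to the
    previous run's LCN, so runs can move backwards. A header of 0x00 ends the list."""
    out, pos, lcn = [], 0, 0
    while pos < len(runs) and runs[pos] != 0:
        header = runs[pos]
        len_size, off_size = header & 0x0F, header >> 4
        pos += 1
        length = int.from_bytes(runs[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:                       # sparse run: no clusters on disk for this range
            out.append((None, length))
            continue
        lcn += int.from_bytes(runs[pos:pos + off_size], "little", signed=True)
        pos += off_size
        out.append((lcn, length))
    return out


def recover_from_runs(disk, runs, file_size):
    """Copy whatever lies at the clusters the run list names, as a normal scan does, with no
    check that the contents still belong to the file. disk maps LCN -> cluster bytes."""
    decoded = decode_runlist(runs)
    if not decoded:
        return None                             # zeroed run list: name survives, data cannot be located
    blank = b"\x00" * CLUSTER_SIZE
    out = bytearray()
    for lcn, length in decoded:
        for i in range(length):
            out += blank if lcn is None else disk.get(lcn + i, blank)
    return bytes(out[:file_size])


def demo():
    """Constructed disk and a three-extent file whose last extent lies before the second."""
    disk = {10: b"F000", 11: b"F001", 12: b"F002", 40: b"F003", 41: b"F004", 30: b"F005"}
    runs = bytes([0x11, 0x03, 0x0A,      # 3 clusters at LCN 10
                  0x11, 0x02, 0x1E,      # 2 clusters at 10 + 30 = 40
                  0x11, 0x01, 0xF6,      # 1 cluster at 40 - 10 = 30 (0xF6 is -10 as a signed byte)
                  0x00])
    overwritten = {**disk, 40: b"NEW!"}  # a live file has since reused cluster 40
    return {"runs": decode_runlist(runs),
            "data": recover_from_runs(disk, runs, 6 * CLUSTER_SIZE),
            "after_overwrite": recover_from_runs(overwritten, runs, 6 * CLUSTER_SIZE),
            "zeroed": recover_from_runs(disk, bytes(len(runs)), 6 * CLUSTER_SIZE)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The "after_overwrite" result shows why a recovered file can be the right size and still be junk: the run list still points at cluster 40, and whatever the live file wrote there is copied out without complaint. The "zeroed" result is the situation the two paragraphs above describe, where the name is found but there is nothing to follow.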
SSDs:
With TRIM enabled, Windows tells the SSD which clusters a deleted file occupied as soon as the file is deleted. The controller marks the corresponding flash pages as free and from then on returns zeroes when those addresses are read (on most drives immediately, whether or not the pages have physically been erased yet). The deleted data cannot be recovered by Recuva or any other software. Recuva will find the deleted file names and cluster addresses in the MFT, but the data has gone forever.
SD cards and flash drives are commonly formatted as FAT and normally receive no TRIM commands, so recovery from them may be possible.
Recycler:
Files sent to the recycler are renamed in XP to D + the drive letter + a sequential index number + the original file extension. From Vista onwards they are renamed to $R + a set of random characters + the original file extension, with a companion $I file of the same naming convention that holds the original path, size and deletion time rather than any file data. When scanning for deleted files these names may be relevant.
Recuva Normal Scan:
Recuva reads the MFT and returns information from all file records flagged as deleted. Files with any extension or no extension are listed. The cluster addresses held in the MFT record are used to recover the file data. Recuva will copy whatever is at the cluster addresses, irrespective of the contents.
Recuva Deep Scan:
Recuva runs a normal scan first, then runs a scan of all unused clusters, checking each cluster for a specific subset of file signatures. If a match is found using Deep Scan, the cluster and following clusters in ascending sequence are recovered.
Deep Scan does not recover file or directory names, as they are held in the MFT.
Deep Scan can only recover the first extent of any file, as there is no link to subsequent extents in the file's data.
Deep Scan will not find files whose type is not in Recuva's signature subset, whatever extension they had.
Deep Scan cannot recover text or bat files, etc., as they have no file signature to match on; and since a file's extension lived only in the MFT, Deep Scan has no way to recover the original extension of anything it finds.
Deep Scan will find nothing on an SSD.
All files found with a Deep Scan will be in an Excellent state, which can be misleading: the state only reports whether any of the file's clusters are in use, and Deep Scan looks only at unused clusters, so Excellent says nothing about whether the carved data is complete or even all from the same file.
Recuva State:
Excellent means no clusters are overwritten by a live file, Poor that some clusters are overwritten, Very Poor that most clusters are overwritten, and Unrecoverable that all clusters are overwritten. Unfortunately Excellent does not mean that recovered data is valid, or is what the user is looking for.
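The Python below is an added example serving both the Deep Scan section and the Recuva State section; it is not from the original page and not Recuva's code. It carves unused clusters of a constructed 8-cluster volume by file signature and classifies files against a $Bitmap-style cluster bitmap. The bitmap bit order (one bit per cluster, least-significant bit first) is the real NTFS convention and the signatures are real magic bytes, but the signature subset, the carving stop rules, the 16-byte cluster size and the Poor/Very Poor cut-off (the page only says "some" and "most") are assumptions of the example.

```python
CLUSTER_SIZE = 16  # toy value; real clusters are 4 KB and a signature check is done per cluster

# Illustrative subset of the signatures a carver looks for at the start of an unused cluster.
SIGNATURES = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "pdf": b"%PDF-", "zip": b"PK\x03\x04"}
# Trailers that mark the true end of a file; a type without one has to be cut off by guesswork.
TRAILERS = {"jpg": b"\xff\xd9", "png": b"IEND\xaeB`\x82", "pdf": b"%%EOF"}


def cluster_in_use(bitmap, lcn):
    """$Bitmap keeps one bit per cluster, least-significant bit first within each byte."""
    return bool((bitmap[lcn >> 3] >> (lcn & 7)) & 1)


def recuva_state(clusters, bitmap):
    """Classify a file from its cluster list and the bitmap. The boundary between Poor and
    Very Poor (half the clusters) is an assumption of this example."""
    used = sum(cluster_in_use(bitmap, c) for c in clusters)
    if used == 0:
        return "Excellent"
    if used == len(clusters):
        return "Unrecoverable"
    return "Very Poor" if 2 * used >= len(clusters) else "Poor"


def signature_kind(cluster):
    return next((k for k, sig in SIGNATURES.items() if cluster.startswith(sig)), None)


def carve_from(disk, bitmap, lcn, kind):
    """Carve forward from lcn in ascending cluster order, stopping at the type's trailer, at an
    in-use cluster, at the start of another signature, or at the end of the disk."""
    clusters, data = [], bytearray()
    while lcn < len(disk) and not cluster_in_use(bitmap, lcn):
        if clusters and signature_kind(disk[lcn]):
            break                                            # another deleted file starts here
        clusters.append(lcn)
        data += disk[lcn]
        trailer = TRAILERS.get(kind)
        end = data.find(trailer) if trailer else -1
        if end >= 0:
            del data[end + len(trailer):]
            break
        lcn += 1
    return clusters, bytes(data)


def deep_scan(disk, bitmap):
    """Scan every UNUSED cluster for a signature; in-use clusters are never examined, which is
    why everything found here is, by construction, in the Excellent state."""
    found, lcn = [], 0
    while lcn < len(disk):
        kind = None if cluster_in_use(bitmap, lcn) else signature_kind(disk[lcn])
        if kind is None:
            lcn += 1
            continue
        clusters, data = carve_from(disk, bitmap, lcn, kind)
        found.append({"type": kind, "clusters": clusters, "data": data,
                      "state": recuva_state(clusters, bitmap)})
        lcn = clusters[-1] + 1
    return found


def demo():
    """Constructed 8-cluster volume. Clusters 0, 1 and 6 are in use (bitmap 0x43 = 0b01000011)."""
    disk = [c.ljust(CLUSTER_SIZE, b".")[:CLUSTER_SIZE] for c in (
        b"LIVE-FILE-PART-1",                  # 0: live file
        b"LIVE-FILE-PART-2",                  # 1: live file
        b"\xff\xd8\xff\xe0JPEG-HEADER",       # 2: deleted JPEG, start
        b"JPEG-TAIL\xff\xd9",                 # 3: deleted JPEG, end (trailer inside the cluster)
        b"plain text file.",                  # 4: deleted .txt: nothing to recognise
        b"%PDF-1.7 extent1",                  # 5: deleted PDF, first extent
        b"LIVE-OVERWRITE!!",                  # 6: cluster reused by a live file
        b"pdf extent2%%EOF",                  # 7: the PDF's second extent, now unreachable
    )]
    bitmap = bytes([0x43])
    return {"deep_scan": deep_scan(disk, bitmap),
            "mft_states": {                    # what a normal scan would report from MFT cluster lists
                "live_file": recuva_state([0, 1], bitmap),
                "jpg": recuva_state([2, 3], bitmap),
                "pdf": recuva_state([5, 6, 7], bitmap),
                "mostly_reused": recuva_state([1, 6, 7], bitmap)}}


if __name__ == "__main__":
    for f in demo()["deep_scan"]:
        print(f["type"], f["clusters"], f["state"], f["data"])
    print(demo()["mft_states"])
```

The scan finds the JPEG whole (its trailer sits in cluster 3) and the PDF as its first extent only, stopping at cluster 6; the text file in cluster 4 is never reported, and both carved files come back Excellent even though the PDF is half a file. The same PDF, seen through its MFT cluster list in a normal scan, is Poor, because cluster 6 is now in use.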
Directories:
Recuva does not recover directories per se, but the directory structure for recovered files can be recreated. If the directory path ends with a /? then that directory record in the MFT is no longer available and the path back to the root can't be completed.
Anything Else:
Added to this list are anything I don't know about and anything I've forgotten.