Saturday, September 12, 2015

Basic Data Recovery 2

Now that you have read through Basic Data Recovery, and have some quick and easy tools to run to recover deleted files, let's take a more detailed look at how and why these tools work.

The most important thing to remember is that just because you deleted the file does not mean it is gone. A deleted file does not simply cease to be, wiped from existence. Many times it is in the exact same spot where it was; you just can't see it now.

Well, how could this be?

Meet "The Master File Table"

The Master File Table is a complex mechanism built into Microsoft Windows that essentially is meant to keep a record (or index of records) of all files, folders, permissions, etc. on your hard drives.
Every file has an entry in this table and has various flags or attributes assigned to it. These change in one way or another every time the file is used or changed. So, as you may have guessed by now, a deleted file is merely marked as deleted in the MFT. It goes nowhere, and the data is not destroyed. When you hit delete, you tell Windows that you don't need that file anymore, it marks it as such, and you think it is gone.

So what happens now?
Now that you have decided that this file is not needed, the space it takes up can be used for new files. This is why it is important to recover deleted files as soon as possible. As soon as you mark it deleted, Windows can start overwriting that space with new files. Windows does not write data in a straight line; it uses a complex algorithm to determine what space to use and when. So as you continue to use your computer, that deleted file space will begin to get used up. Just because the deleted file was at the end of the drive space does not mean it won't be the first to get used up. The good news is that in most cases the space occupied by that file won't be overwritten in one pass; just small chunks of it will be used up as needed. This helps recovery attempts because you may be able to recover a "corrupt" file long after deletion. The file will be missing a few bytes here and there but can often be repaired.


So how do these programs work?

The main way the simple data recovery programs work is to merely read the MFT, detect files marked for deletion, and give you the option to restore them to a non-deleted state. As the MFT is quite detailed, these programs can pull additional information, including how much of the space has been overwritten, thus calculating your chances of a successful recovery.
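To make the "marked as deleted" idea concrete, here is an added example (not code from this blog or from any of the recovery tools mentioned) that walks NTFS MFT records and lists the files whose in-use flag is clear. It assumes 1024-byte records, skips the update-sequence fixup a real parser must apply, and runs on constructed sample records rather than a real disk.

```python
import struct

IN_USE, IS_DIR = 0x0001, 0x0002          # record header flags at offset 0x16
ATTR_FILE_NAME, ATTR_END = 0x30, 0xFFFFFFFF

def parse_record(rec):
    """Return (name, in_use, is_dir) for one MFT record, or None if invalid."""
    if len(rec) < 0x18 or rec[:4] != b"FILE":
        return None
    off, flags = struct.unpack_from("<HH", rec, 0x14)  # first attribute, flags
    name = None
    while off + 0x18 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if atype == ATTR_FILE_NAME:  # resident: content length and offset
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if len(body) > 0x42:     # name length at 0x40, name at 0x42
                name = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le", "replace")
        off += alen
    return name, bool(flags & IN_USE), bool(flags & IS_DIR)

def make_record(name, flags):
    """Build a constructed sample record (hypothetical helper, not real disk data)."""
    body = bytes(0x40) + bytes([len(name), 1]) + name.encode("utf-16-le")
    pad = -len(body) % 8             # attributes are 8-byte aligned
    attr = struct.pack("<IIBBHHHIHBB", ATTR_FILE_NAME, 0x18 + len(body) + pad,
                       0, 0, 0, 0, 0, len(body), 0x18, 0, 0) + body + bytes(pad)
    hdr = bytearray(0x38)
    hdr[:4] = b"FILE"
    struct.pack_into("<HH", hdr, 0x14, 0x38, flags)
    return (bytes(hdr) + attr + struct.pack("<II", ATTR_END, 0)).ljust(1024, b"\0")

def deleted_files(mft, record_size=1024):
    """Names of file (not directory) records whose in-use flag is clear."""
    out = []
    for i in range(0, len(mft), record_size):
        parsed = parse_record(mft[i:i + record_size])
        if parsed and parsed[0] and not parsed[1] and not parsed[2]:
            out.append(parsed[0])
    return out

# Constructed sample: two live entries and two entries marked deleted.
SAMPLE_MFT = (make_record("report.docx", IN_USE) + make_record("budget.xlsx", 0)
              + make_record("Photos", IN_USE | IS_DIR) + make_record("notes.txt", 0))

if __name__ == "__main__":
    print(deleted_files(SAMPLE_MFT))
```

The deleted records still carry their file names, which is exactly why a recovery tool can list them after the delete.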

It is that simple. If you can recover it, great! If not, it's time to dig deeper.

Just because this method may not be able to recover your files does not mean there are not a great many other methods to do so.





Sunday, September 6, 2015

Basic Data Recovery

Let's start simple.


Let's start by looking at a common situation where you may need data recovered.

The most common, and one you have certainly experienced, is simply deleting a file you should not have. We have all done it, and we will all do it again. On Windows this is an easy one: just restore it from the Recycle Bin. Similarly, on Mac OSX you can restore it from the Trash. It's something of a safeguard against the all too common accidents.

What if you have already emptied the trash? This is where you start to get into some real, but basic, Data Recovery. There are many software solutions for this crisis, some free, most not. You simply run the software and hopefully retrieve the file from the results. It is worth noting that the more the hard drive gets used from the point the file is deleted, the less likely a successful data recovery is. So, don't wait.

Some software worthy of note:
Piriform Recuva - Windows -  Free and simple. Just download, run, and hope for the best. Very few settings to tweak, but it is meant for the casual user, not a Data Recovery Professional.
https://www.piriform.com/recuva

Recover My Files - Windows - Just as easy to use, but also has many settings to really pinpoint what you are looking for. Available as a free version, but only to view the files. In order to recover them you will have to pay for a software license.
http://www.recovermyfiles.com


Prosoft Data Rescue - Mac OSX - This one is great for Apple data recovery, but does not fare so well on Windows hard drives. It has a simple and an advanced mode. The simple mode is very simple, and the advanced mode can get very, very advanced. This one is most certainly not free, but if you know what you are doing, pick up a copy. Nothing else compares for Apple Data Recovery.


Now for one most people overlook, that can be more effective than any of the above listed.

System Restore. It is built into Windows and runs before any major updates, software installs, and even just regularly on a schedule. Now, System Restore on its own is not great for data recovery. It merely attempts to restore the entire system to an earlier date. This is often not what you want when all you need is one or 2 files. It is also known to fail in its restoration and leave the operating system in an unusable state.

So why am I talking about this? Because of an excellent piece of software that leverages System Restore in a way never intended.

System Restore Explorer - Windows - This free software allows you to mount any restore point from any date and simply browse through the files. This way you can pick out only the files you need and restore those. It is quite easy to use, and generally very effective. It may not be the first choice for restoring a deleted file, because there is a lot of manual searching involved, but it can be the best choice in the end.
http://nicbedford.co.uk/software/systemrestoreexplorer/


Now, keep in mind, this is possibly the simplest form of data recovery, and certainly not where you have to stop when trying to recover files. 
Check back for several more articles going deeper and deeper into Data Recovery Techniques in the ongoing series.