Basic Data Recovery 2

Basic Data Recovery 2

Now that you have read through Basic Data Recovery, and have some quick and easy tools to run to recovery deleted files, lets take a more detailed look at how and why these tools work.

The most important thing to remember is that just because you deleted the file, does not mean it is gone. When deleted, it does not simply cease to be and is wiped from existence. It is many times in the exact same spot where it was, you just can't see it now.

Well, how could this be?

Meet "The Master File Table"

The Master File Table is a complex mechanism built into Microsoft Windows that essentially is meant to keep a record (or index of records) of all files, folders, permissions, etc on your hard drives.

Every file has an entry in this table and has various flags or attributes assigned to it. These change in one way or another every time the file is used or changed. So, as you may have guessed by now, a deleted file is merely marked as deleted in the MFT. It goes nowhere, the data is not destroyed. When you hit delete, you tell Windows that you don't need that file anymore, it marks it as such, and you think it is gone.

So what happens now?

Now that you have decided that this file is not needed, the space it takes up can now be used for new files. This is why it is important to recover deleted files as soon as possible. As soon as you mark it deleted Windows can start overwriting that space with new files. Windows does not write data in straight line, it uses a complex algorithm to determine what space to use and when.  So as you continue to use your computer that deleted file space will begin to get used up, just because the deleted file was at the end of the drive space does not mean it wont be the first to get used up. Now the good news is, that in most cases the space occupied by that file wont be overwritten in one pass, just small chunks of it will be used up as needed. This helps recovery attempts because you may be able to recovery a "corrupt" file long after deletion. The file will be missing a few bytes here and there but can often be repaired.

So how do these programs work?

The main way the simple data recovery programs work is to merely read the MFT and detect files marked for deletion and give you the option to restore them to a non-deleted state. As the MFT is quite detailed, these programs can pull additional information, including how much of the space has been over written, thus calculating your chances of a successful recovery.

It is that simple.  If you can recover it, great! If not it's time to dig deeper.

Just because this method may not be able to recover your files does not mean there is not a great many other methods to do so.