Chapter 4. UNDERSTANDING ADVANCED UNDELETE PROCESS
This chapter describes various processes of the application.
4.1. Overview
The process of undeleting a file consists of scanning a drive or
folder to discover deleted entries, as listed in the Root Folder (File
Allocation Table) or Master File Table (NT File System). Once a
deleted entry has been found, a chain of file clusters is defined for
recovery, and then the contents of these clusters are written to a
newly created file.
Different file systems maintain their own specific logical data
structures; however, each file system basically follows these rules:
- A list or catalog of file entries, including deleted files, is
kept. This list can be scanned for entries marked as deleted.
- For each catalog entry, a list of data cluster addresses is
kept. From the deleted file entry, the set of clusters composing the
file can be located.
After finding the deleted file entry and assembling the associated
set of clusters, the data from them can be read and copied to another
location.
It is important to note, however, that not every deleted file can be
recovered. To be successful, it is important to try every method
available, and to do so it is sometimes necessary to push ahead on
assumed information, such as:
- To begin, assume that the file entry still exists (that is, it
has not been overwritten with other data). The sooner a recovery
or undelete attempt is made, the better: this reduces the chance
that new files have been written on top of the deleted data and
improves the chance that the file can be recovered.
- The second assumption is that the file entry in the Table is
reliable enough to point to the location of the file clusters. In
some cases (specifically in Windows XP, and on larger FAT32 volumes)
the operating system damages the Table file entries immediately
after a file is deleted. The important first data cluster becomes
invalid, and further restoration might not be possible.
- The third assumption is that the file data clusters are intact
(they have not been overwritten with other data). The fewer write
operations that have been performed on the drive where the deleted
file used to reside, the better the chances that the space occupied
by the data clusters of the deleted file has not been used for other
data storage.
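As an added illustration of the three steps (scan the Root Folder, define the chain of clusters, recover the clusters) and of the assumptions listed above, here is a small Python model of a FAT16-style volume. It is not code from the application; the cluster size, file names, sizes and volume layout are constructed for the example, and the contiguous-chain fallback is the assumed-information step described in this chapter.

```python
import struct
CLUSTER_SIZE, DELETED_MARK, FAT_EOC = 512, 0xE5, 0xFFF8  # constructed cluster size; FAT delete mark; FAT16 end-of-chain
ENTRY_FMT, ENTRY_SIZE = "<8s3sB10sHHHI", 32   # FAT directory entry: name, ext, attr, reserved, time, date, 1st cluster, size

def scan_deleted_entries(root_dir: bytes):
    """Step 1: scan the Root Folder and yield (name, first_cluster, size) for entries marked deleted."""
    for off in range(0, len(root_dir), ENTRY_SIZE):
        name, ext, attr, *_, first, size = struct.unpack_from(ENTRY_FMT, root_dir, off)
        if name[0] == 0x00:                          # 0x00 means no entry is used from here on
            break
        if name[0] != DELETED_MARK or attr & 0x08:   # skip live entries and volume labels
            continue
        stem = (b"?" + name[1:]).rstrip().decode("ascii")   # the delete mark overwrote the first letter
        yield stem + "." + ext.rstrip().decode("ascii"), first, size

def define_cluster_chain(fat: bytes, first: int, size: int):
    """Step 2: follow FAT16 links; a freed link (0, zeroed by the OS on delete) assumes the file is contiguous."""
    total = len(fat) // 2
    if first < 2 or first >= total:
        raise ValueError("first data cluster is invalid; the table entry was damaged")
    needed = max(1, -(-size // CLUSTER_SIZE))        # ceil(size / CLUSTER_SIZE)
    chain, cur = [first], first
    while len(chain) < needed:
        link = struct.unpack_from("<H", fat, cur * 2)[0]
        cur = cur + 1 if link == 0 or link >= FAT_EOC else link
        if cur >= total:
            raise ValueError("cluster chain runs past the end of the volume")
        chain.append(cur)
    return chain

def recover_chain(data: bytes, chain, size: int) -> bytes:
    """Step 3: read the clusters and return the bytes to write to a new file on ANOTHER drive."""
    out = b"".join(data[(c - 2) * CLUSTER_SIZE:(c - 1) * CLUSTER_SIZE] for c in chain)
    return out[:size]

def undelete_all(fat: bytes, root_dir: bytes, data: bytes) -> dict:
    """All three steps for every deleted entry found in the root folder."""
    return {name: recover_chain(data, define_cluster_chain(fat, first, size), size)
            for name, first, size in scan_deleted_entries(root_dir)}

def build_sample_volume():
    """Constructed FAT16-style volume: live file at cluster 2; deleted 1100-byte file at clusters 3-5 with zeroed links."""
    fat = bytearray(2 * 16)                                   # 16 cluster slots, all free (0)
    struct.pack_into("<H", fat, 2 * 2, FAT_EOC)               # live file: cluster 2 -> end of chain
    payload = (b"quarterly report line\n" * 60)[:1100]
    data = bytearray(CLUSTER_SIZE * 14)                       # data region holds clusters 2..15
    data[CLUSTER_SIZE:CLUSTER_SIZE + 1100] = payload          # cluster 3 starts at (3 - 2) * 512
    entry = lambda n, e, c, s: struct.pack(ENTRY_FMT, n, e, 0x20, b"\0" * 10, 0, 0, c, s)
    root = entry(b"LIVE    ", b"TXT", 2, 10) + entry(b"\xe5EPORT  ", b"TXT", 3, 1100) + b"\0" * ENTRY_SIZE
    return bytes(fat), root, bytes(data)
```

The deleted file is recovered only because the fallback assumes contiguous clusters once the delete has zeroed its links; an invalid first-cluster value (the second assumption failing) is rejected rather than followed.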
In general, here's what to do immediately after data loss:
- PROTECT THE DRIVE LOCATION WHERE YOU HAVE ACCIDENTALLY DELETED
FILES. Any program that writes data to the disk, even the installation
of data recovery software, can spoil your sensitive data.
- DO NOT SAVE DATA ONTO THE SAME DRIVE WHERE YOU FOUND THE ERASED DATA
YOU ARE TRYING TO RECOVER! Saving recovered data onto the same drive
where the sensitive data was located can spoil the recovery process by
overwriting table records for this and other deleted entries. It is
better to save data onto another logical, removable, network or floppy
drive.
The rest of this chapter contains step-by-step examples on these
topics:
- Disk Scanning
- Defining the Chain of Clusters
- Recovering the Chain of Clusters