Data Recovery Basics
File Storage: Sectors and Clusters: File Recovery
When you purchase a new hard drive and before it has any data on it, it is has usually already undergone a ’low level format’. The purpose of a low level format is to divide all the magnetic space on the hard drive into small storage areas. These storage areas are known as ’sectors’, however for efficiency purposes the Operating System (e.g. Windows XP) groups sectors together into ’clusters’.
A cluster is the smallest unit of storage space with which the Operating System (e.g. Windows XP) will deal. If you save a very small file to your computer it will all fit within 1 storage cluster on the hard drive. If you save a very large file it may fill up many clusters, that is, as many clusters as it takes to hold all the content of the file.
File Allocation Table (FAT) or Master File Table (MFT): NTFS recovery and FAT recovery
On older Operating Systems such as Windows 98 there is a storage area known as the ’Root Directory’. This is the place which stores the name of a file, the location of its starting cluster, and the size of the file. In order to find a file the Operating System uses this information to get to the first storage cluster of a file. It then uses a special table at the start of the disk know as the File Allocation Table or FAT to identify the remaining clusters that are used to store the file. It is important to realize that this information is stored completely separate from your file data and is why FAT data recovery is possible.
In newer Operating Systems the FAT and Directory Entry method has been merged and replaced by a single table known as the Master File Table or MFT. Whilst an MFT is more complex, the principal of locating the start of a file and its subsequent storage clusters is essentially the same.
What happens when I delete a file?
Lets look to see what happens when you intentionally delete a file and why it may be possible to bring that file back. When you select a file and press the delete key on a Windows computer the file is sent to the Recycle Bin. You may think of the Windows Recycle Bin as just another fancy storage folder on your hard drive. The ’real’ deletion (at least as far as this article is concerned) is what happens when the Recycle Bin is emptied or the deletion bypasses the Windows Recycle Bin altogether.
When a file is deleted the Operating System marks the file name in the MFT with a special character that signifies to the computer that the file has been deleted. The computer now looks at the clusters occupied by that file as being empty and therefore available space to store a new file. What the Windows Operating System does NOT do is go out to the clusters on the hard disk where the files data is actually stored and wipe the contents of these clusters. The deleted file data is still there, but the Computer Operating System no longer knows it exists.
This in fact is the underlying principal of data recovery. It is about finding data that still exists on the hard drive but which currently can’t be located by the Operating System. If the clusters containing the data have are, corrupted or physically damaged, then recovering the data they once contained is impossible.
Ok, so my data is still there, but for how long? The answer to this question is completely up to you. The only way that your deleted MFT record or your file data itself will permanently be destroyed is if it is overwritten by other data. This means that any computer activity after the deletion has the potential to permanently erase otherwise recoverable files.
If you are attempting data recovery from your hard drive, if possible connect it to another computer as the slave drive so that the operating system wont be doing a merry dance over you deleted files when you attempt the recovery process. If you use data recovery software, don’t install it on the drive on which the files were lost. Better yet, use a floppy disk or CD version if available. If you send your hard drive to a professional data recovery service they should not be working on the original hard drive. They should take a sector copy (an exact copy including all deleted information) of your hard drive and work on this. You may consider doing this yourself. There are a number of programs that will do this, the most common being Norton GHOST. But remember, you must make a complete sector copy of your hard drive to make sure the image includes all the deleted areas of the drive.
Data Recovery by Searching for Deleted MFT Records
Most data recovery programs search for deleted MFT entries to undelete files or unformat drives. These programs usually give a give a probability or hard drive data recovery rating of ’good’, ’medium’ or ’poor’. What they are actually doing is locating the MFT record for a deleted file and then checking the rest of the MFT records to determine if the clusters that the deleted file occupied are being used by any other file stored on the computer. As only one file can occupy any one cluster on a hard drive, if other files are using your deleted files storage space then it is likely that the original data has been overwritten and permanently destroyed. This recovery technique is usually relatively fast, as all the recovery program has to do is find the deleted file entries in the MFT and then go directly to that location of the hard disk to perform the data recovery. You will see an MFT search when you execute a "Fast Search" using Recover My Files Data Recovery Software.
However, if your MFT is corrupt, defective or has itself been overwritten, this method isn’t going to help you get data back even though the file data still remains out on the disk waiting to be found. What you need to do is search unallocated clusters.
Things get a bit more complicated by the fact that a single file does not have to reside within contiguous clusters. It may be that the Operating System stores a single file in clusters on different parts of the hard disk. This is called a ’fragmented’ file. The problem with a fragmented files is that it can slow your computer down as it needs to spend time and resources sending the actuator arm to different parts of the hard disk to read the complete file. This is why many people regularly use a defragmentation program. The amount of fragmentation in a file can also reduce your ability to recover deleted files as we will explain later in this article.
So we can now think of our hard drive as being broken down into many clusters which hold the contents of our files. A cluster that is being used to store a file is called an ’allocated cluster’, and if it is not being used to store a file an ’unallocated cluster’.
The next question is, ’how does the computer know where to look when it wants to find a specific file?’. Well, if you wanted to find a specific chapter in a book the best thing to do would be to go and look up the Table of Contents. A computer does much the same thing, which is also important if you want to recover data, recover a file, or undelete.
Data recovery software
Most data recovery program search for deleted MFT entries to undelete files. These programs usually give a give a probability of recovery rating of ’good’, ’medium’ or ’poor’. What they are actually doing is locating the MFT record for a deleted file and then checking the rest of the MFT records to determine if the clusters that the deleted file occupied are being used by any other file stored on the computer. As only one file can occupy any one cluster on a hard drive, if other files are using your deleted files storage space then it is likely that the original data has been overwritten and permanently destroyed.
This recovery technique is usually relatively fast way to get data back, as all the recovery program has to do is find the deleted file entries in the MFT and then go directly to that location of the hard disk to perform the data recovery. You will see an MFT search when you execute a "Fast Search" using Recover My Files Data Recovery Software.
However, if your MFT is corrupt, defective or has itself been overwritten, this method isn’t going to help you even though the file data still remains out on the disk waiting to be found. What you need to do is search unallocated clusters.
Searching Unallocated Clusters for Deleted Files
A good data recovery program will have the option to ignore the MFT (or lack there of) and to search all the unallocated clusters to try and find and recover files. This means we need to know what a deleted file looks like. Luckily most file types have a unique file header and footer. This means that if you look inside a Microsoft Word document for example, the first characters and the last characters of the file are always the same. So therefore a data recover program can search the entire hard drive and identify files by their unique header and footers. You will see this technique used in Recover My Files Data Recovery Software when you select a ’Complete Search’. Recover My Files recognizes more than 160 different file types using this technique.
Why are Some Files Partially Corrupt after a software File Recovery?
Remember that a computer will only use as many clusters as it needs to store a complete file. This means that your original data may only have been partially overwritten. You may still be able to retrieve some of the clusters containing the file. Unfortunately, in most cases that won’t be helpful, as most programs need a file to be complete before they will process it. Rebuilding partially damaged files is a another area of data recovery. It requires specialized knowledge about the particular file types one is dealing with. Some links to software for repairing specific file types are provided above.
Data Recovery from a Formatted Hard Drive
When you run the format command you are simply erasing the Root Directory Entries and FAT, or MFT. It is possible to run the format command and wipe the entire hard drive but format must be executed with special options. There are a number of tricks that data recovery programs use to recover from format commands. This includes searching for deleted Directory Entries which are in fact stored as files on the computer. If a directory entry is located, then we now know the name, starting cluster location, and size of the files. Of course you can also search the data area of a formatted drive for file header and footers and locate individual file types by this method.
What is the problem with File Fragmentation?
The problem of file fragmentation is that most of the data recovery techniques available must work on the assumption that all files are contiguous, that is, that they are stored in consecutive sectors one after the other from the beginning to the end of the file. The information to track fragmentation of a file is overwritten when the FAT or the MFT records are destroyed.
Source: http://www.recovermyfiles.com/data-recovery-software.php