When you delete a file or folder in the system, the command essentially just marks it as “deleted” in the Directory Entry and related information in the File Allocation Table – FAT (for FAT/FAT32 formatted partitions) or marks it as “deleted” in the Master File Table – MFT Entry (for NTFS formatted partitions). At this point, the clusters containing the file’s data are considered empty and are counted as unused disk space, even though the data still exists.
When new data is written, the old data is actually deleted and overwritten by the new data. Both we (and the operating system) cannot “see” the deleted data, but data recovery software can still detect it when scanning the disk surface. This is why we need these software tools for data recovery.
There are many software options available to help you with this task, ranging from free to paid options like Ontrack Easy Recovery, Winternals Disk Commander, Active Uneraser, PC Inspector File Recovery, and Drive Rescue. Each software has its own strengths and weaknesses, but generally speaking, the likelihood of “rescue” largely depends on the data structure on the hard drive and the actions that affect the data regions.
DATA STRUCTURE ON HARD DRIVES
Firstly, let’s take a look at how the information of a file is stored on the hard drive. For FAT partitions, data is stored in three places on the hard drive, including: the Directory Entry that contains information about the file such as name, size, creation time, and the cluster number where the file data begins; FAT that contains the cluster numbers used for the file and the clusters that hold the file’s data (Allocation area). For NTFS partitions, data is stored in the MFT (Master File Table) Entry and the Allocation area (as illustrated).
Any data recovery software attempts to retrieve information from these three locations to fully restore the content of a file. If any of this information is missing (or lost), the data may be incomplete or irretrievable (see the table).
Thus, considering the above scenarios, the likelihood of data recovery is generally quite low. In cases where the Allocation clusters are damaged or overwritten, you will almost certainly be unable to recover the data, as it has been deleted and overwritten by new data. Theoretically, you could recover old data using Magnetic Force Microscope (MFM) techniques; however, this technique is not widely applied in practice due to its time-consuming nature and high costs.
| Allocation | Directory Entry | FAT | |||||||||
| ok | ok | ok | File fully restored | ||||||||
| ok | ok | – | File restored but content may be incomplete or unreadable. | ||||||||
| ok | – | ok | File may be recoverable but lacks full information | ||||||||
| ok | – | ||||||||||
| – | ok | ok | Cannot be recovered but the file name is still visible. | ||||||||
| – | ok | – | |||||||||
| – | – | – |
Allocation DATA RECOVERY CAPABILITIES – Deleted files: As mentioned earlier, deleting a file marks it as deleted in the Directory Entry and associated information in the File Allocation Table (FAT) or Master File Table (MFT) Entry. In theory, the chances of fully recovering this file are high. However, actual results can sometimes fall short due to several reasons: after deletion, users may attempt various actions to recover data, and the operating system (OS) may overwrite new data onto the clusters marked as deleted… – Deleted (or recreated) partitions that have not been formatted: Most data can be recovered in this case, as the FAT and MFT remain unaffected when users delete and recreate a partition. – Formatted partitions: For FAT partitions, formatting will erase the FAT table, Boot Record, and Root Directory, but the Partition Table and data in Allocation remain. Files smaller than the size of a cluster (32KB, the default for FAT32 or as per your formatting options) can be completely recovered since they do not require information from the FAT table. For larger files that span multiple clusters, they may become fragmented over time due to content changes. Finding and reassembling related clusters is a challenging task, especially for large and frequently changing files. Some data recovery software can recover files without needing information from the FAT table; however, the content of these files may be incomplete or unreadable. Therefore, you will need software capable of extracting readable content from these files (we will discuss this issue in another article when conditions permit). For NTFS partitions, formatting creates a new MFT, and recovery results are typically better than for FAT partitions since NTFS does not use the FAT table to determine which clusters contain data for a given file. – Formatted partitions with a new OS installation or using Ghost: This scenario presents significant challenges as the Directory Entry (FAT) or MFT (NTFS) has been deleted. Suppose you have 10GB of data stored on a 20GB partition, and this partition is formatted and overwritten with 5GB of new data. In this case, you cannot recover the data that has been overwritten; you can only recover data from the 5GB onwards. IMPORTANT NOTES You can use any data recovery software within your reach, but we would like to point out a few important considerations. – Some software offers trial versions and only requires users to enter a registration number (license key) when backing up the data to be recovered. Therefore, take advantage of this to try out different software to find the one best suited for the type of data you need to recover. – Some software allows the creation of a boot disk and operates in MS-DOS mode. However, you may find it more challenging to select the data you wish to recover. If possible, install the data recovery software on a different system and connect the drive that needs recovery once you are ready. You will find it easier to work with files in a tree structure, allowing you to preview the contents of recoverable files before purchasing a license key. Note: Don’t worry if the OS does not recognize the hard drive that needs recovery; the recovery software will perform better if the BIOS Setup still recognizes this hard drive. – Avoid writing data to the hard drive that needs recovery. After deletion, the locations of the file’s clusters are not protected, ready for new data to be written over. Even if users do not create new files, the activities of the OS can affect deleted data by generating log files that record system activity. Additionally, accessing the internet can download many temporary files that are also written to the hard drive. It is best to stop using this hard drive immediately and only connect it to another system once you are prepared for data recovery. – Do not delay in recovering data. Act quickly when you realize your mistake; you will have a better chance of recovering deleted data. Additionally, the recovery capability depends on the type of data. If it involves image files, you can often recover 9 out of 10 images. However, if it involves databases or spreadsheets, even if you recover 90%, they may still be useless due to the interlinked structure of databases. – A “dead” hard drive is one that the BIOS or disk management utility cannot recognize. Dead hard drives often exhibit strange phenomena, such as not hearing the motor spin or making clicking noises during operation. These are signs of physical malfunctions in the controller board, read/write head, motor, or magnetic disks. Try to create a disk image of the hard drive using Norton Ghost, Drive Image, or similar features from data recovery software. When the hard drive fails, you can recover data from the disk image. – If the data is truly critical, you should take the hard drive to a reputable data recovery service for inspection. Do not operate on the hard drive yourself, as this may affect the ability to recover data or worsen the situation. And of course, the cost for this service will not be cheap. However, do not expect too much from data recovery when a hard drive is dead, as success is rare. Đông Quân Leave a Reply |
