NTFS File Recovery Concepts

The file recovery process can be briefly described as: scanning a drive or folder to find deleted entries in the Master File Table (MFT); then, for a particular deleted entry, determining the chain of clusters to be recovered; and finally copying the contents of those clusters to a newly created file.

Different file systems maintain their own specific logical data structures; however, each file system basically:

  • Has a list or catalog of file entries, so we can iterate through this list and find entries marked as deleted
  • Keeps for each entry a list of data clusters, so we can try to find the set of clusters that compose the file

After finding the proper file entry and assembling the set of clusters that compose the file, read those clusters and copy them to another location.

Step by step, with examples:

  1. Scan the disk for deleted entries
  2. Define the cluster chain for the deleted entry
  3. Recover the cluster chain
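The three steps above, worked through in code. This is an added example, not code from the original article or from any recovery product: it runs against a constructed, in-memory miniature (two 1 KB MFT records and a 16-cluster image with 512-byte clusters, so that the whole thing fits in a few kilobytes). The byte offsets come from the standard NTFS FILE-record and attribute layouts; the record contents, the sample payload, the 0xAA filler and all function names are assumptions made for this illustration. Step 1 is `find_deleted_entries` (a FILE record whose in-use flag is clear is a deleted entry), step 2 is `locate_data` plus `decode_runlist` (the cluster chain), and step 3 is `recover_record` (copy the clusters out and trim the slack). The update-sequence check in `apply_fixups` is where a torn or overwritten entry, the situation the second assumption below is about, is caught instead of silently producing garbage.

```python
import struct

MFT_RECORD_SIZE, SECTOR, CLUSTER_SIZE = 1024, 512, 512   # sample volume: 1-sector clusters
ATTR_DATA, ATTR_END = 0x80, 0xFFFFFFFF
FLAG_IN_USE, FLAG_DIRECTORY = 0x0001, 0x0002

def apply_fixups(rec):
    """Undo NTFS update-sequence protection: the last two bytes of each sector hold the
    USN; the bytes they replaced sit in the update sequence array. Mismatch = torn record."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    buf = bytearray(rec)
    for i in range(1, usa_count):
        end = i * SECTOR
        if buf[end - 2:end] != usn:
            raise ValueError("update sequence mismatch in MFT record")
        buf[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def decode_runlist(runs):
    """Data runs -> (lcn, cluster_count); offset is signed, relative to the previous run's LCN."""
    out, pos, lcn = [], 0, 0
    while pos < len(runs) and runs[pos] != 0:              # 0x00 header terminates the list
        len_sz, off_sz, pos = runs[pos] & 0x0F, runs[pos] >> 4, pos + 1
        length = int.from_bytes(runs[pos:pos + len_sz], "little")
        pos += len_sz
        if off_sz:                                          # off_sz == 0 marks a sparse run
            lcn += int.from_bytes(runs[pos:pos + off_sz], "little", signed=True)
            pos += off_sz
        out.append((lcn if off_sz else None, length))
    return out

def locate_data(rec):
    """Return (real_size, runs, resident_bytes) for the unnamed $DATA attribute."""
    pos = struct.unpack_from("<H", rec, 0x14)[0]            # offset of first attribute
    while pos + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == ATTR_END or alen == 0:
            break
        non_resident, name_len = rec[pos + 8], rec[pos + 9]
        if atype == ATTR_DATA and name_len == 0:
            if not non_resident:                            # small file: data lives in the record
                vlen, voff = struct.unpack_from("<IH", rec, pos + 0x10)
                return vlen, None, rec[pos + voff:pos + voff + vlen]
            runs_off = struct.unpack_from("<H", rec, pos + 0x20)[0]
            real_size = struct.unpack_from("<Q", rec, pos + 0x30)[0]
            return real_size, decode_runlist(rec[pos + runs_off:pos + alen]), None
        pos += alen
    raise ValueError("no unnamed $DATA attribute")

def find_deleted_entries(mft):
    """Step 1: yield (record_no, record) for FILE records whose in-use flag is clear."""
    for n in range(len(mft) // MFT_RECORD_SIZE):
        raw = mft[n * MFT_RECORD_SIZE:(n + 1) * MFT_RECORD_SIZE]
        if raw[:4] != b"FILE":
            continue                                        # never used, or signature destroyed
        rec = apply_fixups(raw)
        flags = struct.unpack_from("<H", rec, 0x16)[0]
        if not flags & FLAG_IN_USE and not flags & FLAG_DIRECTORY:
            yield n, rec

def recover_record(volume, cluster_size, rec):
    """Steps 2 and 3: assemble the cluster chain, copy it out, trim the slack space."""
    size, runs, resident = locate_data(rec)
    if resident is not None:
        return resident
    out = bytearray()
    for lcn, count in runs:                                 # sparse run (lcn None) reads as zeros
        out += (b"\0" * (count * cluster_size) if lcn is None
                else volume[lcn * cluster_size:(lcn + count) * cluster_size])
    return bytes(out[:size])

# Constructed sample (not a real volume): two MFT records and a 16-cluster image.
def _record(recno, flags, attr):
    rec = bytearray(MFT_RECORD_SIZE)
    first = 0x38                        # 0x30-byte header + 6-byte update sequence array, 8-aligned
    struct.pack_into("<4sHHQHHHHII", rec, 0, b"FILE", 0x30, 3, 0, 1, 1,
                     first, flags, first + len(attr) + 8, MFT_RECORD_SIZE)
    struct.pack_into("<QHHI", rec, 0x20, 0, 2, 0, recno)
    rec[first:first + len(attr) + 4] = attr + struct.pack("<I", ATTR_END)
    struct.pack_into("<HHH", rec, 0x30, 1, 0, 0)            # USN 1; protected bytes were zero
    rec[SECTOR - 2:SECTOR] = rec[2 * SECTOR - 2:2 * SECTOR] = b"\x01\x00"
    return bytes(rec)
_live = b"live file, still in use!"                         # 24 bytes keeps the attribute 8-aligned
_resident = struct.pack("<IIBBHHHIHBB", ATTR_DATA, 24 + len(_live), 0, 0, 0x18, 0, 1,
                        len(_live), 0x18, 0, 0) + _live
SAMPLE_CONTENT = (bytes(range(256)) * 5)[:1100]
# Fragmented file: 2 clusters at LCN 7, then 1 cluster at LCN 3 (delta -4, encoded 0xFC).
_runs = (b"\x11\x02\x07" + b"\x11\x01\xfc" + b"\x00").ljust(8, b"\0")
_nonres = struct.pack("<IIBBHHHQQHHIQQQ", ATTR_DATA, 64 + len(_runs), 1, 0, 0x40, 0, 1,
                      0, 2, 0x40, 0, 0, 3 * CLUSTER_SIZE, len(SAMPLE_CONTENT),
                      len(SAMPLE_CONTENT)) + _runs
SAMPLE_MFT = _record(0, FLAG_IN_USE, _resident) + _record(1, 0, _nonres)
SAMPLE_VOLUME = bytearray(b"\xaa" * (16 * CLUSTER_SIZE))    # unrelated clusters hold 0xAA
SAMPLE_VOLUME[7 * CLUSTER_SIZE:9 * CLUSTER_SIZE] = SAMPLE_CONTENT[:1024]
SAMPLE_VOLUME[3 * CLUSTER_SIZE:3 * CLUSTER_SIZE + 76] = SAMPLE_CONTENT[1024:]
```

Iterating `find_deleted_entries(SAMPLE_MFT)` yields only record 1 (record 0 is flagged in use), and `recover_record(SAMPLE_VOLUME, CLUSTER_SIZE, rec)` on that record returns the 1100-byte payload: 1024 bytes from clusters 7 and 8 followed by 76 bytes from cluster 3, with the 0xAA slack in the last cluster trimmed by the attribute's real size. On a real volume the MFT is itself a file inside the volume (located via the boot sector), clusters are typically 4 KB, and a large or heavily fragmented file may keep its runs in several records linked by an $ATTRIBUTE_LIST; none of that is handled here.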

However, not every deleted file can be recovered; successful recovery rests on several assumptions:

  • First, we assume that the file entry still exists (not overwritten with other data). The fewer files have been created on the drive where the deleted file resided, the greater the chance that the space for the deleted file entry has not been used for other entries.
  • Second, we assume that the file entry is more or less intact and points to the proper place where file clusters are located. In some cases (observed in Windows XP on large FAT32 volumes) the operating system damages file entries right after deletion so that the first data cluster becomes invalid and further entry restoration is not possible.
  • Third, we assume that the file data clusters are safe (not overwritten with other data). The fewer write operations have been performed on the drive where the deleted file resided, the greater the chance that the space occupied by data clusters of the deleted file has not been used for other data storage.

As general advice after data loss:

DO NOT WRITE ANYTHING ONTO THE DRIVE CONTAINING YOUR IMPORTANT DATA THAT YOU HAVE JUST DELETED ACCIDENTALLY!

Even installing file recovery software could spoil your sensitive data. If the data is really important to you and you do not have another logical drive to install software to, take the whole hard drive out of the computer and plug it into another computer where data recovery software has already been installed, or use recovery software that does not require installation, for example recovery software that is capable of running from a bootable floppy.

DO NOT TRY TO SAVE DATA THAT YOU HAVE FOUND AND ARE TRYING TO RECOVER ONTO THE SAME DRIVE!

When saving recovered data onto the same drive where sensitive data is located, you can interfere with the recovery process by overwriting FAT/MFT records for this and other deleted entries. It's better to save data onto another logical, removable, or network drive.