What happens physically when files are deleted or recovered?

Dennis Marks

I know the following.

The directory keeps track of filenames and pointers to where all the
segments of a file are located.

When a file is deleted from the recycle bin the directory entry is
either deleted or flagged to indicate that the file is deleted. The
physical data remains where it was and can be overwritten at any time.

This is my question.

When you run a recovery program does it:

A: go back to the directory and find entries flagged as deleted and
follow the entry to try to find recoverable segments.

or B: Somehow do the recovery without any directory entry to start with.

If A, then when would a flagged entry be finally removed from the directory?

Or if B: how does it know file names and which pieces to put back together?

I know that this is a lot and would like to be pointed to a web site
that explains it without actually referring to using recovery software.
I don't want to know what to do. I want to know how it does it.

--
Dennis M. Marks

Disclaimer: The above is my opinion. I do not guarantee it. Be sure to
back up any files involved and use at your own risk. Batteries not
included. Not for internal use. Don't run with knives.

Ken Blake, MVP

Dennis said:
| I know the following.
|
| The directory keeps track of filenames and pointers to where all the
| segments of a file are located.
|
| When a file is deleted from the recycle bin the directory entry is
| either deleted or flagged to indicate that the file is deleted.

The directory slot is changed to indicate that the space is available for
use. The first character of the file's name is overwritten with the Greek
sigma character (at least that's the way it used to be; it's possible that
the details may have changed--particularly with NTFS--but the idea is still
the same).

Then the FAT is changed to deallocate each cluster that the file used (I
don't know the exact procedure with NTFS, but again, the idea must be very
similar).

| The physical data remains where it was and can be overwritten at any time.
|
| This is my question.
|
| When you run a recovery program does it:
|
| A: go back to the directory and find entries flagged as deleted and
| follow the entry to try to find recoverable segments.
|
| or B: Somehow do the recovery without any directory entry to start
| with.

A.

| If A then when would a flagged entry be finally removed from the
| directory.

When the clusters for the file are reused for another file. The flagged
entries aren't really removed; they are overwritten with the info for the
new file occupying the space.
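Ken's description of a FAT delete (first name byte overwritten, cluster chain freed, data left in place) and the case-A undelete, as an added toy model in Python that is not from the original thread. The cluster size, in-memory layout and file names are constructed; the recovery deliberately assumes the file was contiguous, which is exactly why a fragmented or partly reused file comes back wrong or incomplete.

```python
import struct

CLUSTER_SIZE = 512   # bytes per cluster in this toy image (an assumption; real volumes vary)
DIR_ENTRY = 32       # size of one FAT short-name directory entry
DELETED = 0xE5       # byte written over the first name character of a freed entry (sigma in code page 437)
EOC = 0xFFFF         # FAT16 end-of-chain marker

def make_entry(name, start, size):
    """Minimal 8.3 entry: 11-byte name, attribute byte, 14 unused bytes, start cluster, size."""
    return name.ljust(11, b" ") + b"\x20" + bytes(14) + struct.pack("<HI", start, size)

class ToyFat16:
    """Just enough FAT16 to show which structures delete and undelete touch (constructed)."""
    def __init__(self, clusters=16):
        self.fat = [0] * clusters                     # 0 = free, else next cluster or EOC
        self.data = [bytes(CLUSTER_SIZE)] * clusters  # cluster contents
        self.root = bytearray()                       # root directory entries

    def write_file(self, name, content, chain):
        for i, c in enumerate(chain):
            self.data[c] = content[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE].ljust(CLUSTER_SIZE, b"\0")
            self.fat[c] = chain[i + 1] if i + 1 < len(chain) else EOC
        self.root += make_entry(name, chain[0], len(content))

    def delete(self, name):
        """What the OS does: free the chain in the FAT and tag the entry; cluster contents stay."""
        for off in range(0, len(self.root), DIR_ENTRY):
            if self.root[off:off + 11] == name.ljust(11, b" "):
                c = struct.unpack_from("<H", self.root, off + 26)[0]
                while c not in (0, EOC):
                    nxt, self.fat[c] = self.fat[c], 0
                    c = nxt
                self.root[off] = DELETED
                return
        raise FileNotFoundError(name)

    def undelete(self):
        """Case A: find tagged entries and follow them. The chain is gone, so assume the file was
        contiguous from its start cluster and blank out clusters reallocated since. name -> (data, lost)."""
        found = {}
        for off in range(0, len(self.root), DIR_ENTRY):
            if self.root[off] != DELETED:
                continue
            name = b"?" + bytes(self.root[off + 1:off + 11])   # first character is unrecoverable
            start, size = struct.unpack_from("<HI", self.root, off + 26)
            clusters = range(start, start + -(-size // CLUSTER_SIZE))
            lost = sum(1 for c in clusters if self.fat[c] != 0)
            data = b"".join(self.data[c] if self.fat[c] == 0 else bytes(CLUSTER_SIZE) for c in clusters)
            found[name] = (data[:size], lost)
        return found
```

A file written to non-adjacent clusters is recovered with zero reported losses but wrong contents, which is the silent failure a real tool has to detect with content carving or chain heuristics.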

Phil Weldon

'Dennis Marks' wrote, in part:
| I know the following.
|
| The directory keeps track of filenames and pointers to where all the
| segments of a file are located.
|
| When a file is deleted from the recycle bin the directory entry is
| either deleted or flagged to indicate that the file is deleted. The
| physical data remains where it was and can be overwritten at any time.
|
| This is my question.
|
| When you run a recovery program does it:
_____

'Ken Blake' gave you a good, short answer for the FAT file system.
The details for NTFS are different, and there are many more things to
consider.
There is an important follow-up question to your initial post; are you
asking from a recovery standpoint, or a security standpoint?

NTFS is a much more rugged file system; files are less likely to be damaged
by application, OS, or hard drive problems.
NTFS detects bad clusters during operations and remaps good cluster
replacements (FAT does this only during formatting).
NTFS creates extra information (data streams) as part of files (one of the
purposes is to help in recovery operations, but these data streams also
contain information that is persistent through multiple file content
changes).
NTFS has a Master File Table (MFT) that contains one record for each folder
and for each file (more records are required for very large and fragmented
files to hold all the pointers for a large number of fragments). Small
files (< 900 bytes) can be ENTIRELY in the MFT record for that file.
NTFS marks a file as deleted by setting a flag in the MFT file record for
the file, marking the record as free for reuse. The free cluster map is also
modified to show the clusters used by the file (if any) as available.
NTFS keeps logs of committed and pending file transactions: "During recovery
operations, NTFS redoes each committed transaction found in the log file.
Then NTFS locates in the log file the transactions that were not committed
at the time of the system failure and undoes each metadata operation ..."
-- Windows XP Professional Resource Kit, 3rd Edition, Microsoft Press

These differences between NTFS and the FAT file system have ordinary recovery
and security implications. With NTFS, recovery is less likely to be needed,
and easier when needed. This also means that files deleted or modified in
the ordinary fashion leave more traces.

Depending on the recovery methods, your A. AND your B. are possible. As to
'how does it know?' for case B, the answer is lots of human intervention,
time, and perhaps money B^)

Phil Weldon

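Phil's two NTFS points (a deleted file is an MFT record with its in-use flag cleared, and a small file's content can sit entirely inside that record) as an added Python example, not part of the original post. The MFT records are constructed in memory by a hypothetical build_record helper; the fixup check that precedes any field read is the step a real parser must perform before trusting a record.

```python
import struct

RECORD = 1024          # MFT record size (assumption; 1024 bytes is the usual value)
SECTOR = 512
FLAG_IN_USE = 0x0001   # cleared when a file is deleted: the record is free for reuse
ATTR_DATA, ATTR_END = 0x80, 0xFFFFFFFF

def build_record(rec_no, in_use, data, usn=0x1234):
    """Construct a FILE record holding one resident $DATA attribute (sample, not a real disk)."""
    attr_len = (0x18 + len(data) + 7) & ~7
    attr = struct.pack("<IIBBHHHIHBB", ATTR_DATA, attr_len, 0, 0, 0x18, 0, 0, len(data), 0x18, 0, 0)
    attr += data.ljust(attr_len - 0x18, b"\0") + struct.pack("<I", ATTR_END)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38,
                      FLAG_IN_USE if in_use else 0, 0x38 + len(attr), RECORD, 0, 2, 0, rec_no)
    rec = bytearray(hdr.ljust(0x38, b"\0") + attr).ljust(RECORD, b"\0")
    # fixups: each sector's last two bytes are swapped for the update sequence number, originals go to 0x30
    struct.pack_into("<H", rec, 0x30, usn)
    for i in range(1, 3):
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[SECTOR * i - 2:SECTOR * i]
        struct.pack_into("<H", rec, SECTOR * i - 2, usn)
    return bytes(rec)

def parse_record(raw):
    """Undo the fixups, then read the in-use flag and any resident $DATA content."""
    if raw[:4] != b"FILE":
        return None
    rec = bytearray(raw)
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_cnt):
        if rec[SECTOR * i - 2:SECTOR * i] != usn:
            raise ValueError("fixup mismatch: the record was torn by an interrupted write")
        rec[SECTOR * i - 2:SECTOR * i] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    attr_off, flags = struct.unpack_from("<HH", rec, 0x14)
    rec_no = struct.unpack_from("<I", rec, 0x2C)[0]
    data, off = None, attr_off
    while off + 8 <= RECORD:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if atype == ATTR_DATA and rec[off + 8] == 0:   # non-resident flag clear: value is inline
            vlen, voff = struct.unpack_from("<IH", rec, off + 0x10)
            data = bytes(rec[off + voff:off + voff + vlen])
        off += alen
    return {"record": rec_no, "in_use": bool(flags & FLAG_IN_USE), "resident_data": data}

def deleted_records(mft):
    """Walk an MFT image and return the freed records a recovery tool would examine first."""
    recs = (parse_record(mft[o:o + RECORD]) for o in range(0, len(mft), RECORD))
    return [r for r in recs if r and not r["in_use"]]
```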

Dennis Marks

The reason I ask this question is because I try to answer people's
questions on Yahoo Answers. People regularly ask if they can recover
deleted files. In simple words, would the following be true?

When you delete a file all records in the directory pointing to the file
are flagged to indicate it has been deleted.

A recovery program goes back and reverses the flags.

As fragment areas of a file are overwritten the directory entry for that
fragment is removed.

At this point recovery is still possible but parts may be missing.

--
Dennis M. Marks

Disclaimer: The above is my opinion. I do not guarantee it. Be sure to
back up any files involved and use at your own risk. Batteries not
included. Not for internal use. Don't run with knives.