Data Carving: Signature-Based Data Recovery

March, 2015

The data recovery industry has come a long way since the first undelete tool was introduced by Microsoft back in 1991. Back in the 1990s, all a data recovery tool would do was flip the “deleted” flag back into the “undeleted” state, with no safety checks and iffy results at best.

Today, the market offers a number of highly advanced tools with numerous safety checks and automation routines, allowing you to recover files even if you managed to get rid of your file system completely. But first let’s look at why and how a data recovery tool works to help you get your files back.

Deleting a File Doesn’t Mean Wiping Its Content

The very reason why data recovery tools can work is the fact that Windows does not automatically wipe the content of a file once you delete it from the disk. Instead, the system simply marks the file’s record in the file system to label it as “deleted”, thus releasing disk space previously occupied by that file for other files to use.

Note: if your computer uses an SSD drive instead of a traditional hard drive with spinning magnetic plates, that SSD drive will go ahead and wipe the content of a file you’ve just deleted in order to boost future writes and improve lifespan.

So what a data recovery tool actually does is analyze the file system, looking for those “deleted” labels, figure out where exactly on the disk the content of the deleted file is located, and save those chunks into a new file on another disk (flash drive, network location and so on).

Note: using a separate hard drive, a different drive letter, USB flash drive or memory card to store recovered files is essential. If you attempt to save the deleted file onto the same disk it’s been deleted from, you’ll risk overwriting the content of this and other deleted files instead of saving them.

Sounds simple? OK, so let’s make things a bit more complex. How about recovering files from a disk that has no file system, such as a freshly formatted memory card, a repartitioned hard drive, or simply a disk with a corrupted file system? Clearly, a different approach is required to recover information from such devices.

Carving: The New Approach to Recovering Data

Today’s data recovery tools don’t let the lack of a file system stop them. Instead of relying entirely on the file system, they can now scan the entire content of the device in order to automatically identify known types of files such as documents, emails, pictures and videos (as well as hundreds of other formats). They do that by literally carving the disk, reading its content one sector after another and trying to match information they read against a database of known file formats. That database contains characteristic signatures allowing the tool to tell that this sector contains the beginning of a JPEG file and that sector has a file header belonging to a PDF document.

Once a known file format is identified, the algorithm performs a number of slower secondary checks to make sure that the signature really represents a file header. If it does, the tool analyzes the header and tries calculating the file’s length (for many formats, this information is often stored at the beginning of a file). The rest is easy: by knowing where the file begins and calculating the file’s length, the tool can extract the needed number of sectors and recover the file.

Note: carving works best on contiguous, non-fragmented files. Fragmentation is your worst enemy when it comes to recovering deleted files. While it may be possible to determine the address of the first fragment, if the rest of the file is scattered around the disk, the data recovery tool will have no way to recover those fragments UNLESS there is still a file system in place.
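The scan described above, as an added example that is not code from the original article or from any product it names: sector-by-sector carving for BMP files, a format picked here because its header stores the file length. The disk image, the decoy sector and all function names are constructed for illustration, and the carver assumes contiguous files, as the note above explains.

```python
import struct

SECTOR = 512
DIB_SIZES = {12, 40, 108, 124}  # common BMP DIB header sizes

def parse_bmp_header(buf, off):
    """Return the declared file length if a plausible BMP header starts at off."""
    if buf[off:off + 2] != b"BM" or off + 18 > len(buf):
        return None
    size, res1, res2, data_off = struct.unpack_from("<IHHI", buf, off + 2)
    (dib_size,) = struct.unpack_from("<I", buf, off + 14)
    # Secondary checks: reject a stray "BM" that is not a real file header.
    if res1 or res2 or dib_size not in DIB_SIZES:
        return None
    if not (14 + dib_size <= data_off < size) or off + size > len(buf):
        return None
    return size

def carve(image):
    """Read sector by sector; return [(offset, file_bytes)] per carved BMP."""
    hits = []
    for off in range(0, len(image), SECTOR):
        size = parse_bmp_header(image, off)
        if size is not None:
            # Assumes the file is contiguous: take `size` bytes from the header.
            hits.append((off, image[off:off + size]))
    return hits

def make_bmp(width, height):
    """Build a minimal 24-bit BMP with black pixels (constructed sample)."""
    row = (width * 3 + 3) & ~3          # rows are padded to 4 bytes
    pixels = bytes(row * height)
    header = b"BM" + struct.pack("<IHHI", 54 + len(pixels), 0, 0, 54)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                      len(pixels), 2835, 2835, 0, 0)
    return header + dib + pixels

def build_image():
    """Constructed 8-sector 'disk' with no file system: one BMP, one decoy."""
    img = bytearray(SECTOR * 8)
    bmp = make_bmp(16, 16)
    img[SECTOR * 2:SECTOR * 2 + len(bmp)] = bmp
    img[SECTOR * 5:SECTOR * 5 + 4] = b"BM\xff\xff"  # signature, bogus header
    return bytes(img), bmp

if __name__ == "__main__":
    image, _ = build_image()
    for off, data in carve(image):
        print(f"BMP at sector {off // SECTOR}, {len(data)} bytes")
```

The decoy sector starts with the same two signature bytes but fails the secondary checks, so only the real file is carved.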

Carving is often called by different trade names. Signature Search, Deep Scan, Power Search, and Content-Aware Analysis are just a few names referring to the same technology. When choosing a data recovery tool, make sure to pick one that comes with full signature-search capabilities such as Starus Partition Recovery or Starus File Recovery.
