There is something magical about this: You delete files from a disk or USB stick, but they can still be recovered with data recovery tools and techniques. How can you recover deleted files? What makes it difficult and when is it no longer possible? Depending on what happened, you can try to fix it armed with the most suitable tools.
Need a new disk, SSD or USB stick? View data storage offer on bol.com
Data files are not lost when you delete them normally in your operating system, even when you empty the recycle bin or reformat the storage media. It may be a chance if you want to recover important data, but it may also be unintentional. For example, when you delegate a system to someone, assuming that all personal data such as financial documents, passwords, photos and videos are permanently deleted.
In this article, we will look at what elements can be effective in recovering long lost data and some data recovery tools and methods.
The file system determines the extent to which partially deleted files can be recovered. Here we limit ourselves to FAT/FAT32 (usually used for USB sticks) and NTFS (the most used file system under Windows).
If you delete a file on the FAT system, the first letter of the file name is replaced with a standard symbol. At the same time, all cluster numbers of that file in the file allocation table are removed, freeing those clusters to store new data. Only the number of the starting set in the file folder remains unchanged. If that file was stored in fragmented form (in non-contiguous sets), it would be more difficult to track datasets for that file.
You can try this yourself. Save a large text file to a USB stick that you reformatted with FAT32 so it’s stored in a contiguous cluster array. Then delete the file and check the result with a physical disk editor or a data recovery tool like Recuva. After shredding this file with Passmark Fragger, repeat this procedure and compare the result with data recovery.
File recovery is usually a little easier with NTFS. Windows also releases the datasets of the deleted file here, but retains certain file information, such as a list of all initially used filesets (run list).
Of course, you can also format a volume so that data is lost. This can be done, for example, from Explorer or via the Disk Management module (diskmgmt.msc). Either way, right click on the volume and select Format. What happens to the data in the datasets depends on whether you uncheck them. Quick format never mind or not. If you remove it, each disk sector (including all datasets) will have a pattern like 00h is overwritten, making data recovery nearly impossible (see Shredden box).
Removing the checkmark clears the file management structures such as the file allocation table and the root folder, but keeps the datasets and therefore the contents of the subfolders as they are in the data area.
With NTFS, only the first sixteen records of the MFT (Master File Table) are overwritten, but they only contain the metadata about the partition. Even though other records seem to be lost, the records remain intact as the length indicator of the MFT is reset and therefore can be recovered with smart data recovery tools.
Not only the file system and (re)formatting method, but also the storage media determine how difficult data recovery can be. For example, SSDs become tough customers, especially when the TRIM function is enabled. While new data can be written over the deleted data instantly in classical hard disks, with SSD this data must be deleted from the memory first.
The TRIM command ensures that unused memory blocks are pre-cleaned when the disk has time. This prevents a deletion when new data is saved, but allows accidentally deleted data to be overwritten.
For the TRIM status of an SSD, open Command Prompt as Administrator and run this command:
fsutil behavior query disableeletenotify
you get it as an answer (NTFS) DisableDeleteNotify = 0 back, TRIM is enabled. With this command you disable the function, even at the risk that your SSD will now perform slightly less well:
fsutil behavior set disabledeletenotify 1
There is a second reason why (professional) data recovery on an SSD is difficult, especially with a faulty SSD controller. Some SSD manufacturers encrypt all data on memory chips and the encryption key is baked (or baked) in this controller.
After (quick) formatting and deletion, datasets remain intact for a while. If the inability to recover lost data is exactly your intention, then there is little choice but to ‘smash’ these clusters, in other words, overwrite them with pseudo-random data. By the way, an alternative is to completely physically damage the storage medium, but even this is not always successful. Unless you’re afraid of analysis by super-equipped labs (as in some government agencies), a one-time overwrite of modern disks is usually sufficient to hinder successful data recovery. This is possible, for example, with the free SDelete tool. Run this command:
Or you can start with the Eraser tool. You can also shred the entire disk (partition) with it. Interesting option here unused disk space Bee Target Typein the same tab you also have the option Delete cluster hints can mark. This option also overwrites data between the file edge and the cluster edge, as privacy sensitive information can also be found here.
Now that you know how it works, you can try to recover deleted files with the appropriate software. In another article, we’ll take a closer look at the various recovery tools available.
Source: Computer Totaal