Windows ‘File Recovery’ series
Part 1: Recover Deleted Files with Recuva
DISCLAIMER: These examples use techniques that I actually employ in the real world to deal with real problems. They might be wrong or dangerous. They might be inefficient. If you try them yourself, it might cause damage or irreparable loss. I take no responsibility for anything you do based on my examples or the information that I provide here.
Data recovery from hard drives has not changed much in decades. However, the effectiveness and ease of use of free tools have increased greatly. Also, the fact that CDs, DVDs, flash drives, SD cards and USB keys are made to behave like hard drives makes them candidates for recovery using the same tools. SSDs provide some new challenges due to techniques they use to extend their life expectancy, but for the most part they are recoverable in the same manner as platter-based drives.
In this series we’ll look at some real world examples of disastrous situations salvaged and made better again.
We will be looking at Windows (FAT and NTFS) filesystems.
How files are deleted
Deleted files are not removed from the hard drive until the space that they occupy is needed by a new file.
When a file is deleted, the list of disk clusters occupied by the file is erased, marking those clusters as available for use by other files created or modified thereafter. If the file wasn’t fragmented and the clusters haven’t been reused, you should have a great chance of getting it back.
Recovery is often done by looking at the raw data on the disk for unreferenced data, then determining the file types and directory structure, rebuilding them and saving them elsewhere.
Simple Recovery with Recuva
We’ll do this in Windows XP Professional Service Pack 3
Here are the files in the Important Files folder
Delete the files in the Important Files folder
Empty the Recycle Bin
Download and install Recuva, then run it
Choose Other to recover all types of problems.
Choose a location to scan for deleted files (the Important Files folder in our example)
Enable Deep Scan
Wait for it to work its magic
Now you see a list of the files that it found and whether or not they are recoverable. Click the button to Switch to Advanced Mode and click Options, go to the Actions tab and make sure that Restore Folder Structure is checked so you recover the files in their folders instead of all in one place.
Click Recover to recover the files to the Recovery folder.
And now the files have all been recovered.
What Happens When You Overwrite Some of the Deleted Data?
This time we have our files in the Important Files2 folder
We Shift-Delete the files in the Important Files2 folder
Now before attempting to recover the files that we deleted, we put a bunch of images into the Important Files2 folder
Now the Globe image is unrecoverable because some of its data was overwritten by one of the pictures that we added after deleting.
This illustrates why it is important to attempt recovery before anything else is written to the disk and potentially overwrites the data that you need to recover.
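An added example (not part of the original post, and not Recuva's own code): a minimal Python signature carver run over a constructed in-memory volume. It shows both cases described in this post: a deleted, unfragmented file whose clusters are untouched is carved back intact, and the same file fails its hash check once one of its clusters has been reused. The 4096-byte cluster size, the fake JPEG contents and all function names are assumptions made for the illustration.

```python
import hashlib

CLUSTER = 4096                 # assumed cluster size for the constructed volume
JPEG_SOI = b"\xff\xd8\xff"     # JPEG start-of-image signature
JPEG_EOI = b"\xff\xd9"         # JPEG end-of-image marker

def fake_jpeg(size: int) -> bytes:
    """Constructed stand-in for a photo: real markers, filler body without 0xFF."""
    body = bytes((i * 7) % 251 for i in range(size - len(JPEG_SOI) - len(JPEG_EOI)))
    return JPEG_SOI + body + JPEG_EOI

def write_at(image: bytearray, cluster_no: int, data: bytes) -> None:
    """Place data contiguously, starting at the given cluster."""
    start = cluster_no * CLUSTER
    image[start:start + len(data)] = data

def carve_jpegs(image: bytes) -> list[tuple[int, bytes]]:
    """Scan cluster boundaries for a JPEG header and cut through the next footer."""
    hits = []
    for off in range(0, len(image), CLUSTER):
        if image[off:off + len(JPEG_SOI)] != JPEG_SOI:
            continue
        end = image.find(JPEG_EOI, off + len(JPEG_SOI))
        if end != -1:
            hits.append((off // CLUSTER, bytes(image[off:end + len(JPEG_EOI)])))
    return hits

def demo() -> dict[str, bool]:
    original = fake_jpeg(10_000)                  # spans clusters 3, 4 and 5
    known_good = hashlib.sha256(original).digest()
    disk = bytearray(16 * CLUSTER)                # constructed 64 KiB volume
    write_at(disk, 3, original)
    # "Deleting" only drops the cluster list, which this model does not store;
    # the data clusters are left exactly as they were.
    before = carve_jpegs(disk)
    write_at(disk, 4, b"\x11" * CLUSTER)          # a new file reuses cluster 4
    after = carve_jpegs(disk)
    return {
        "found_before": len(before) == 1 and before[0][0] == 3,
        "intact_before": hashlib.sha256(before[0][1]).digest() == known_good,
        "found_after": len(after) == 1,
        "intact_after": hashlib.sha256(after[0][1]).digest() == known_good,
    }

if __name__ == "__main__":
    print(demo())
```

Real JPEGs can contain an embedded thumbnail with its own end marker, so practical carvers validate the file structure rather than stopping at the first footer.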