Windows ‘File Recovery’ series
Part 5 Manually Recover a Deleted File From an NTFS File System
DISCLAIMER: These examples use techniques that I actually employ in the real world to deal with real problems. They might be wrong or dangerous. They might be inefficient. If you try them yourself, it might cause damage or irreparable loss. I take no responsibility for anything you do based on my examples or the information that I provide here.
In this series we’ll look at some real world examples of disastrous situations salvaged and made better again.
For this post we will be looking at Windows NTFS filesystems.
How files are deleted
Deleted files are not removed from the hard drive until the space that they occupy is needed by a new file.
When a file is deleted, the list of disk clusters occupied by the file is erased, marking those clusters as available for use by files created or modified thereafter. If the file wasn’t fragmented and the clusters haven’t been reused, you should have a great chance of getting it back.
Recovery is often done by looking at the raw data on the disk for data in areas that are marked as available for use, then determining the file type and directory structure, copying the files out and saving them elsewhere.
NTFS and the MFT
In an NTFS file system deleted data is found by looking at the hidden $BitMap file for areas of the disk marked as available for use. The $BitMap file is a special file within the NTFS file system. This file keeps track of all of the used and unused clusters on an NTFS volume. If data is found in an area of the disk that is marked as ‘unused’ in the $BitMap file then it is probably deleted data.
Next, the location of the data can be used to check for an existing entry in the MFT. Each file and folder on an NTFS volume is represented by a record in a special file called the master file table (MFT). That record contains the location of the clusters on the disk that hold the file’s data. The MFT record for the deleted file will stay there until something else is written to that location of the disk and overwrites the deleted file’s data (making it unrecoverable).
Enough talk, let’s look at a real example.
Delete and recover a file
Our OS is Windows XP Pro SP3
We have a hard drive with two NTFS partitions that Windows sees as a C: drive and an E: drive.
On our E: drive we have an image stored in a file named globe.jpg
Let’s look at the MFT record for this file. To do that, we’ll download and run the free program NTFSWalker…
Here is the MFT record for globe.jpg
Some of the important things for us to note about the MFT record for globe.jpg
It is MFT record #132
‘Data runs’ 300130:31 tells us that it starts in disk cluster 300130 and occupies 31 clusters.
Let’s take a look at that first cluster. We’ll use another free program called Disk Investigator…
Here is the data for our file…
Note that our starting sector is 1200520. That means there are 4 sectors per cluster (1200520 sectors / 300130 clusters).
We’ll shift-delete it
Now when we look at its MFT record we see a red ‘X’ next to it. That is because the area it occupies on the disk is now marked as available for use in the $BitMap file.
If we look at the raw disk data, it is still there…
The NTFSWalker program allows us to recover it, but let’s do this by grabbing the raw data and seeing what happens. First let’s look at the end of the file. Notice that it does not use all of the last cluster and ends in sector 1200640.
Now let’s boot into Linux using a PartedMagic boot CD so we can grab the raw data using the disk dump command (dd).
We open a terminal window and type this command…
dd if=/dev/sda2 of=/media/sda1/recoverglobe bs=512 skip=1200520 count=120
dd (our disk dump command)
if=/dev/sda2 (read from the partition that Windows calls the E: drive)
of=/media/sda1/recoverglobe (save what we read to a file on the C: partition, which Windows will see as C:\recoverglobe)
bs=512 (read in blocks of 512 bytes which is the size of one sector)
skip=1200520 (skip the first 1200520 sectors)
count=120 (read 120 sectors)
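The arithmetic behind the numbers above (an MFT data run such as 300130:31, the $BitMap check, 4 sectors per cluster, and the skip/count arguments to dd) can be worked through in code. The following is an added example, not code from the original post or from NTFSWalker: it decodes the raw data-run bytes of a non-resident $DATA attribute, checks the $BitMap bit for the run’s first cluster, converts the run into sector offsets, builds the dd command (generalised to fragmented files with more than one run, using dd’s seek= and conv=notrunc), and carves the file out of a raw image with the same slicing dd performs. The run bytes 31 1F 62 94 04 00 are reconstructed here from the post’s ‘300130:31’ (header 0x31 = 3 offset bytes and 1 length byte); the 64-sector image, bitmap and JPEG-like payload in recover_demo are constructed for the demo.

```python
"""Added example: NTFS data runs -> $BitMap check -> sector offsets -> dd/carve.
The globe.jpg run bytes are reconstructed from the post's '300130:31';
the image, bitmap and payload used by recover_demo() are constructed."""

SECTOR_SIZE = 512


def decode_data_runs(raw: bytes):
    """Decode a non-resident attribute's data-run list.

    Each run starts with a header byte: low nibble = number of length bytes,
    high nibble = number of LCN-offset bytes. The length is unsigned
    little-endian; the offset is signed little-endian and relative to the
    previous run's start cluster. A 0x00 header ends the list. Returns a
    list of (start_lcn, cluster_count); sparse runs have start_lcn None.
    """
    runs, pos, lcn = [], 0, 0
    while pos < len(raw) and raw[pos] != 0:
        header = raw[pos]
        len_size, off_size = header & 0x0F, header >> 4
        pos += 1
        length = int.from_bytes(raw[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((None, length))  # sparse run: no clusters on disk
            continue
        lcn += int.from_bytes(raw[pos:pos + off_size], "little", signed=True)
        pos += off_size
        runs.append((lcn, length))
    return runs


def cluster_in_use(bitmap: bytes, lcn: int) -> bool:
    """$BitMap holds one bit per cluster, cluster 0 at bit 0 of byte 0."""
    return bool(bitmap[lcn // 8] >> (lcn % 8) & 1)


def run_to_sectors(start_lcn, cluster_count, sectors_per_cluster):
    """Cluster run -> (skip, count) in sectors, i.e. the dd arguments."""
    return start_lcn * sectors_per_cluster, cluster_count * sectors_per_cluster


def dd_commands(runs, sectors_per_cluster, device, out_path):
    """One dd command per run; runs after the first are written at the right
    offset of the output with seek= and conv=notrunc so a fragmented file
    reassembles into a single output file."""
    cmds, out_sector = [], 0
    for start_lcn, cluster_count in runs:
        skip, count = run_to_sectors(start_lcn, cluster_count, sectors_per_cluster)
        cmd = f"dd if={device} of={out_path} bs={SECTOR_SIZE} skip={skip} count={count}"
        if out_sector:
            cmd += f" seek={out_sector} conv=notrunc"
        cmds.append(cmd)
        out_sector += count
    return cmds


def carve(image: bytes, skip: int, count: int) -> bytes:
    """What dd does with bs=512 skip= count=: a byte slice of the image."""
    return image[skip * SECTOR_SIZE:(skip + count) * SECTOR_SIZE]


def trim_jpeg(data: bytes) -> bytes:
    """Drop the slack after the last JPEG end-of-image marker (FF D9).
    Assumption: a simple JPEG with a single trailing EOI, as in the post."""
    end = data.rfind(b"\xff\xd9")
    return data if end < 0 else data[:end + 2]


def recover_demo():
    """Constructed 64-sector image, 4 sectors per cluster: a JPEG-like payload
    sits at cluster 5 for 2 clusters, and the constructed $BitMap marks those
    clusters free (the file has been deleted). Returns (carved, original)."""
    spc = 4
    payload = b"\xff\xd8\xff\xe0" + b"constructed jpeg body " * 40 + b"\xff\xd9"
    image = bytearray(64 * SECTOR_SIZE)
    start = 5 * spc * SECTOR_SIZE
    image[start:start + len(payload)] = payload
    bitmap = bytes([0b00011111, 0x00])  # clusters 0-4 in use, 5-15 free
    runs = decode_data_runs(bytes.fromhex("11020500"))  # constructed run: LCN 5, 2 clusters
    (lcn, clusters), = runs
    assert not cluster_in_use(bitmap, lcn)  # marked free, as after shift-delete
    skip, count = run_to_sectors(lcn, clusters, spc)
    return trim_jpeg(carve(bytes(image), skip, count)), payload


if __name__ == "__main__":
    runs = decode_data_runs(bytes.fromhex("311F62940400"))  # globe.jpg's run
    print(runs)  # [(300130, 31)]
    print(dd_commands(runs, 4, "/dev/sda2", "/media/sda1/recoverglobe")[0])
    carved, original = recover_demo()
    print("demo recovered intact:", carved == original)
```

For globe.jpg the full run is 31 clusters of 4 sectors, so the generated command reads count=124 sectors rather than the 120 the post used after looking at where the data actually ends; reading the whole run and then trimming the slack after the FF D9 marker gives the same file without having to eyeball the last sector. The data-run decoder also handles the case the post warns about: a fragmented file has several runs, and each must be carved from its own place on the disk and written to its own offset in the output.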
When we look at our new recoverglobe file it is indeed our picture.
And when we boot back into Windows our recoverglobe picture is there in the root of our C: drive.
A deleted file’s data is overwritten
Now let’s copy a bunch of random files to our E: drive and see what happens. Note that record #132 in the MFT has now been replaced by a new file that occupies some of the space our deleted file was in. The deleted file is now unrecoverable.