Recovering Deleted Files: How Is It Possible?


There’s something magical about it: you delete files from a disk or USB stick, but they can still be retrieved with data recovery tools and techniques. How can you recover deleted files? What makes it difficult, and when is it no longer possible? Depending on what happened, you can try to fix it – armed with the right tools.


Data files don’t just disappear when you delete them in your operating system in the normal way, not even when you empty the recycle bin or reformat the storage medium. That can be a stroke of luck if you want to recover important data, but it can also be unwelcome, for example when you pass a system on to someone on the assumption that all personal data, such as financial documents, passwords, photos and videos, has been permanently deleted.

In this article, we look at which elements can have an impact on the recovery of long-lost data, and at some data recovery tools and methods.

File system

The file system partly determines to what extent deleted files can still be recovered. We limit ourselves here to FAT/FAT32 (which is often used for USB sticks) and NTFS (the most used file system under Windows).

If you delete a file on a FAT system, the first letter of the file name is replaced by a standard symbol. At the same time, all cluster numbers of that file in the file allocation table are removed, freeing those clusters to store new data. Only the number of the starting cluster in the file's directory entry remains intact. If the file was stored fragmented (in non-contiguous clusters), it is more difficult to track down its data clusters.

You can experiment with this yourself. Save a large text file to a USB stick that you’ve reformatted with FAT32, so that it’s stored in a contiguous cluster sequence. Then delete the file and check the result with a physical disk editor or a data recovery tool like Recuva. Repeat this procedure after fragmenting the file with PassMark Fragger and compare the data recovery results.
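The FAT behaviour described above, as an added example that is not part of the original article: it scans a directory for deleted short entries (first name byte 0xE5) and lists the clusters the file would occupy if it had been stored contiguously. The sample directory and the 4096-byte cluster size are constructed assumptions; the helper names are hypothetical.

```python
import struct

# 32-byte FAT short directory entry: name, attributes, 8 skipped bytes,
# first-cluster high word, write time, write date, first-cluster low word, size
ENTRY = struct.Struct("<11sB8xHHHHI")
DELETED, END, ATTR_LFN = 0xE5, 0x00, 0x0F

def make_entry(name83, first_cluster, size, deleted=False):
    """Build a constructed 32-byte entry (sample data, not from a real disk)."""
    raw = bytearray(ENTRY.pack(name83, 0x20, first_cluster >> 16, 0, 0,
                               first_cluster & 0xFFFF, size))
    if deleted:
        raw[0] = DELETED          # deletion overwrites only the first name byte
    return bytes(raw)

def find_deleted(directory, cluster_size):
    """Return deleted entries with the cluster run a contiguous file would occupy."""
    found = []
    for off in range(0, len(directory) - 31, 32):
        name, attr, hi, _time, _date, lo, size = ENTRY.unpack_from(directory, off)
        if name[0] == END:        # 0x00 marks the end of the directory
            break
        if name[0] != DELETED or attr == ATTR_LFN:
            continue              # live entry or long-file-name fragment
        start = (hi << 16) | lo
        count = -(-size // cluster_size)   # ceiling division
        base = name[1:8].decode("ascii", "replace").rstrip()
        ext = name[8:11].decode("ascii", "replace").rstrip()
        found.append({"name": "?" + base + ("." + ext if ext else ""),
                      "start_cluster": start, "size": size,
                      "clusters_if_contiguous": list(range(start, start + count))})
    return found

# Constructed sample directory: one live file, two deleted files, end marker.
SAMPLE_DIR = (make_entry(b"README  TXT", 5, 1200)
              + make_entry(b"BUDGET  XLS", 9, 9000, deleted=True)
              + make_entry(b"PHOTO   JPG", 70000, 4096, deleted=True)
              + bytes(32))

if __name__ == "__main__":
    for entry in find_deleted(SAMPLE_DIR, cluster_size=4096):
        print(entry)
```

The cluster list is only a guess: because the allocation table entries are cleared on deletion, a fragmented file will not match it, which is exactly what the Fragger experiment shows.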

File recovery with NTFS usually turns out to be a bit easier. Windows also releases the data clusters of the deleted file here, but initially retains certain file information, such as the list of all used file clusters (run list).

Nice as an experiment: with Fragger you can fragment files in a controlled manner.

Format

Of course, you can also make data disappear by formatting a volume. This can be done, for example, from Explorer or via the Disk Management module (diskmgmt.msc). In either case, right-click the volume and choose Format. What happens to the data in the data clusters depends on whether you leave the Quick format checkbox ticked or not. If you untick it, each disk sector (including all data clusters) is overwritten with a pattern such as 00h, making data recovery virtually impossible (see the Shred! box).

Leaving the checkmark in place clears the file management structures, such as the file allocation table and the root folder, but keeps the data clusters intact – and thus the contents of the subfolders, since they are in the data area.

With NTFS, only the first sixteen records of the MFT (Master File Table) are overwritten, but they contain only metadata about the partition. Although the other records seem to have disappeared, because the length indicator of the MFT has been reset, the records remain intact and can therefore be recovered with smart data recovery tools.

Untick? Data gone!

SSD

Not only the file system and the way of (re)formatting, but also the storage medium determines how difficult data recovery can be. For example, SSDs turn out to be difficult customers, especially if the TRIM function is enabled. On a classic hard disk, deleted data can be overwritten directly by new data; on an SSD it must first be erased from the memory.

The TRIM command ensures that unused memory blocks are pre-cleared when the disk has the time to do so. This avoids an erasure operation when new data is saved, but it also means that accidentally deleted data gets erased.

For the TRIM status of an SSD, open Command Prompt as an administrator and run this command:

fsutil behavior query disabledeletenotify

If you get (NTFS) DisableDeleteNotify = 0 back in response, TRIM is enabled. You can disable the function with this command, albeit with the risk that your SSD will perform slightly less well:

fsutil behavior set disabledeletenotify 1

There is a second reason why (professional) data recovery on an SSD can be difficult, especially with a faulty SSD controller. Some SSD manufacturers encrypt all data on the memory chips and the encryption key is (or was) baked into that controller.

The TRIM function provides slightly better SSD performance, but reduces the chance of successful data recovery.

Shred!

The data clusters remain intact for a while after (quick) formatting and a delete operation. If it is precisely your intention that disappeared data cannot be recovered, then there is little other option than to ‘shred’ those clusters, in other words to overwrite them with pseudo-random data. By the way, an alternative is to physically damage the storage medium thoroughly, but even that is not always successful. Unless you fear analysis by super-equipped labs (as with some government agencies), one overwrite on modern drives is usually enough to thwart successful data recovery. This is possible, for example, with the free tool SDelete. Run this command:

sdelete

Or you can use the tool Eraser. You can also shred an entire disk (partition) with it. An interesting option here is Unused disk space under Target Type, where on the same tab you can also tick the option Erase cluster tips. This option ensures that data between the end of the file and the end of the cluster is also overwritten, since privacy-sensitive information can be located there as well.

Eraser has a lot of interesting options for shredding.
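Why cluster tips matter, as an added example that is not part of the original article and not Eraser's own code: a simulated volume in which a short file reuses a cluster that earlier held a longer, since-deleted file. The 4096-byte cluster size, the function names and the sample contents are constructed assumptions.

```python
CLUSTER = 4096  # assumed cluster size in bytes

def write_file(volume, cluster_no, data):
    """Write data at the start of a cluster, as a plain save does:
    bytes after the end of the file are left untouched."""
    off = cluster_no * CLUSTER
    volume[off:off + len(data)] = data

def cluster_tip(volume, first_cluster, size):
    """Return (offset, bytes) of the area between end of file and end of its last cluster."""
    end = first_cluster * CLUSTER + size
    tip_end = -(-end // CLUSTER) * CLUSTER   # round up to the next cluster boundary
    return end, bytes(volume[end:tip_end])

def erase_cluster_tip(volume, first_cluster, size, fill=b"\x00"):
    """Overwrite the cluster tip and return the number of bytes wiped."""
    end, tip = cluster_tip(volume, first_cluster, size)
    volume[end:end + len(tip)] = fill * len(tip)
    return len(tip)

def demo():
    volume = bytearray(8 * CLUSTER)               # constructed 32 KiB "disk"
    old = b"IBAN NL00 CONSTRUCTED 0000 " * 100    # 2700 bytes, later deleted
    write_file(volume, 2, old)
    new = b"shopping list\n" * 10                 # 140 bytes, reuses cluster 2
    write_file(volume, 2, new)
    _, before = cluster_tip(volume, 2, len(new))
    wiped = erase_cluster_tip(volume, 2, len(new))
    _, after = cluster_tip(volume, 2, len(new))
    # (old data visible in the tip?, bytes wiped, tip now all zero?)
    return b"CONSTRUCTED" in before, wiped, after.count(0) == len(after)

if __name__ == "__main__":
    print(demo())
```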

Recovery Tools

Now that you know how it works, you can try to recover deleted files with the appropriate software. In another article, we’ll take a closer look at the various recovery tools out there.
