• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 311
  • Last Modified:

Just an information... how can a program restore a file...

I just want to know how some programs can restore deleted files or How can a program restore a file even the disk is formatted? I just seen a program that can do this... just want to know how does this program restore the files?

well all your suggestions are welcome...
please explain thanks...
0
JackOfPH
Asked:
JackOfPH
  • 3
  • 3
  • 2
  • +3
5 Solutions
 
Jay_Jay70Commented:
Hi JackOfPH,

the theory from what i understand is that there are still traces of information left on a disk, kind of like a screen when you leave a logo on there for a couple of days, for a little while after you get a kind of outline of that logo, same as data on a disk, its a faint imprint that doesnt get deleted, the programs enhance that image and recreate your data

i may be way off but thats always been my understanding of it
0
 
GuruGaryCommented:
The answer depends on which filesystem we are talking about.  For NTFS, here are some answers (in a simplified format):
The information for files are kept in a Master File Table (MFT).  This information includes the file name, location of the starting sector (starting extent) of the file, timestamp information, and for small files, the entire contents of the file can be stored in the MFT.  When a file is deleted, the OS will usually do this in the most efficient method possible, which is to simply mark the entry in the MFT as "unused" ... so no data is overwritten at this point.  Since that entry and associated space on the disk is now marked as unused, it can now be overwritten at any time.  But until something writes to that MFT entry, or the space where the file was residing on the disk, it remains in tact.

So in this case all that has to be done to un-delete that file is to go back to the MFT, and set that entry back to "in-use", and you have your file back.

In cases where the MFT entry was overwritten, there is still a chance that the data pointed to by the entry is still in tact ... so you can use a "data carving" program which can look for file header and footer information to restore a file.  In this case the file name is typically lost, but you can often still recover all, or part of the file.

In another case, an MFT may be completely erased (or a directory entry in FAT / FAT32) and if the signature of the MFT is found it can be restored along with the filenames and file data.

Or sometimes a hard drive may be totally formatted, in which case the MFT structures can be searched for and rebuilt.

Or of the drive is re-partitioned, or partitions removed, you can often simply rebuild the partition table (which is actually just 16 bytes of data) and the entire drive can be recovered.

This is a very basic explanation, but if you have more specific questions, just post them here, and we will be glad to answer for you.
0
 
JammyPakCommented:
Gary's right...the data on the drive is not actually overwritten by a delete or a regular format. Windows can't readily see it, but it's still there. To really clear the drive you need to do a secure format that overwrites the individual sectors on the drive, often multiple times. If you search for secure disk cleaning tools, you'll find different options for this.
0
Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.

 
JackOfPHAuthor Commented:
so the files really is not deleted right? but how come that the size of the disk reduces?
0
 
gidds99Commented:
Also some software may hold back up versions of files in another location.  Windows also does this with DLL's via the DLL cache. So if a DLL is removed or replaced with an inappropriate version the correct version will be restored from the cache.

But as has been discussed above software which can restore deleted files or recover files from a formatted disk works on the basis that files are basically simply flagged for deletion and as such the data is still present and can therefore be recovered.
0
 
kevinf40Commented:
JackOfPH

You are correct - when you delete a file it isn't actually deleted, what happens is the reference to that file in the partition index (e.g. FAT table or whatever - depends on file system in use) is removed.  Once this occur the O/S trates that part of the drive as writable and will store data there as and when it needs to.

Hence the drive space is available even theough there is still technically data stored there.  On a full / busy drive this means that the data could be over written quite quickly, other times the data may remain untouched for some time.

Simple tools such as recoverall can be used to recover previously deleted files (and parts of files) that have not yet been completely over written.

On a more advanced level hardware tools can be used to recover data unless it has been over written several times (usually 0's, then 1's, then random data for 7+ passes) - but this is expensive equipment.  If really worried use a tool such as eraser to wipe your drives 'free' space - there are several tools available for this purpose.

cheers

Kevin
0
 
JammyPakCommented:
how much actual data is on the disk is irrelevant, it 's a matter of how much space Windows thinks is in use...
just think, there's always something stored in every single sector on the drive, so technically the drive is always full!
0
 
JackOfPHAuthor Commented:
but why is the size of the disk chages? for example I have 40gb harddisk the used portion is 20gb when I delete the 20gb files in the disk it became 40 gb again... if this is not deleted why it return to 40 gb?
0
 
JammyPakCommented:
I'll say it again: how much actual data is on the disk is irrelevant, it 's a matter of how much space Windows thinks is in use...

The disk was always 40GB in size. First Windows had a FAT or MFT table which indicated that it was 20GB in use, but then it cleared out the FAT table or the MFT table to make it look like that extra 20 GB wasn't in use anymore.
0
 
GuruGaryCommented:
At that point (as soon as you delete 20GB of files) it is "deleted" but not yet "overwritten".  The data can usually be recovered after it is deleted, but before it is overwritten.

The files and data that are exist on the computer is that amount of space that is used up.  After a file is deleted, that space is no longer considered "in use" so that space is freed up by the filesystem.  So if you have a 40 GB disk that has 20 GB used, and you delete all 20 GB of files, then there is all 40 GB free space.  BUT you will likely be able to recover much of that 20 GB of files that you just deleted.

Think of your hard drive as a bunch of VCR tapes.  You can erase your tapes keep taping over them, like you can delete a file and keep using that space on your hard drive to keep saving information.  So you record a bunch of shows (like saving a bunch of files), and when you are done watching them, you decide what to do with them.  The tapes that you want to keep (save your files) get labeled and put in one section.  The tapes that you don't want to keep (files to be deleted) get put in the stack of tapes that you can record over.  Until you actually record over over the tape, you can still go back and watch what was on it.  If you originally had a 1 hour show on the tape, and then you recorded a 30 minute show on top of it, then you can recover part of the show (like recoveing part of a file).

Does that make sense?
0
 
kevinf40Commented:
JackOfPH -

in response to your query, I'd ask you to re-read my previous post - it is all down to what window thinks is there, not what is actually there.

If the the information pointing to the data is removed from the 'index' then windows treats that portion of the drive as empty and will overwrite it when it needs to, but the 0's and 1's are actiually still on the drive so undelete tools can often recover the data.

cheers

K
0
 
JackOfPHAuthor Commented:
okey! now I get it... thanks ofr the post guys...
0

Featured Post

Vote for the Most Valuable Expert

It’s time to recognize experts that go above and beyond with helpful solutions and engagement on site. Choose from the top experts in the Hall of Fame or on the right rail of your favorite topic page. Look for the blue “Nominate” button on their profile to vote.

  • 3
  • 3
  • 2
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now