DATA RECOVERY — A simple explanation
You may wonder how data can be recovered after you have deleted a file or reformatted a drive; after all, it’s gone, isn’t it?
In a word, no!
To understand this, we must first look at how data is stored on the media. This varies between file systems, but the underlying principles are the same.
To make the principles easier to follow, the data storage area of a media can be likened to a long roll of paper with lines across it dividing it into equal sections, the size of which varies depending upon the size of the media and the file system in use.
However small a file you create, the smallest amount of storage space that can be allocated to it is one of these sections (clusters). Even if it only actually needs the smallest part of this cluster, it is considered by the OS as occupying the whole of it. The vast majority of files would occupy a great many clusters.
When you create a file, a record must be created about it so that it can be accessed in the future. Most importantly, this record holds the filename, the size, and the location (cluster number) where the start of the file resides on the media. For example, under the FAT file system used on digital cameras, the filename, file size and the cluster where the file begins (along with other attributes) are stored in the directory entry.
The locations of the other clusters where the file resides are recorded in the file allocation table.
When you access a file, its start location is looked up in the directory and that cluster is read. The location of the next cluster is then looked up in the file allocation table and that cluster is read. This process is repeated until the data for the whole file has been read, at which stage all the relevant data has been gathered and the file is opened.
What happens when I delete a file?
The process which occurs when a file is deleted and the recycle bin emptied varies depending on the operating system in use, but in general terms the operating system is told that the area upon which the file resided may be used. In the example given, using the FAT file system, the file allocation table entries for that file would also be removed. The OS now considers the area of the media where the deleted file resides as ‘free space’; as such it is available for use when another file is created.
The data of the file itself still exists on the media in its original state until and unless it is overwritten.
What happens when I reformat a drive/media?
The process again varies depending on the file system and OS in use. In general, when a drive or media is reformatted, the data held in the root directory will be removed, as will the records in the file allocation table (using the FAT example). This is a 'normal' or non-destructive format. A new file allocation table and root directory are then written to the drive. The actual data area of the media remains unchanged. A destructive format is one where the entire media is overwritten, making normal recovery impossible. A few digital cameras use the 'destructive format' method (all Fuji cameras appear to use this method), making recovery of pictures from these cameras impossible.
Unless a 'destructive format' has been used the data of the file itself still exists on the media in its original state until and unless it is overwritten.
There are a number of implications that arise from this, some of which are outlined below.
1.) If you wish to have data recovered from a media, avoid saving anything else on that media. If you do save any more files you risk overwriting part or all of the area of the media that contained the data you wish to have recovered (now marked as free space by the OS), making recovery more difficult or even impossible.
2.) Fragmented files (fragmentation is where information, rather than being stored in consecutive clusters, is located in non-consecutive locations on the media) can make the task of recovery much more difficult and time consuming, to the point of being virtually impossible in some cases.
If you consider that a 32MB camera card using the FAT16 system would contain in the region of 8,000 clusters, it is easily understood that if the references to the clusters contained in the file allocation table have been removed and the media is in a fragmented state, the task is difficult to say the least. In order to lessen the chances of this occurring to your camera card, avoid deleting the odd photo as much as possible. It is better to delete all the photos once you have downloaded them to your PC and checked they are OK.
The same principles also apply to the hard drive on your PC.
It is recommended that regular defragmentation of your hard drives is carried out. This will also have the benefit of speeding up processes carried out on your computer, as the hard drive will be able to access data more quickly because it will not have to 'search' for data that is stored in non-contiguous clusters.
If you have already suffered a data loss DO NOT defragment your drive or the data that you wish to have recovered may be overwritten during the process!
3.) Another consideration is that files that you thought had been removed from your media may still be resident there!
In what is termed ‘free space’ (areas of the drive which are available for the storage of data), sensitive information, personal details and files which have previously been on your media could be accessed by third parties, e.g. after selling a PC.
This is the case even if the drive has been reformatted and a different operating system installed.
Secure wiping of the media can make these files irrecoverable, thus ensuring that sensitive information cannot be accessed at a later date by third parties.
4.) Slack space (the area of space between the end of a file and the next cluster boundary): Going back to the analogy with the sections of paper, imagine that a file containing sensitive material has been deleted (remember that the actual data contained in that file still resides on the media). A new file has been created which ends on the area of the media where the deleted file resides. Even if there is only one byte of data from the new file which will not fit into the preceding cluster, another complete cluster must be allocated to store it. The resultant cluster would then contain only one byte of the new file; the rest of its area would contain data from the file which previously existed in that space. In that way the previously existing data could be inadvertently passed on to third parties. In certain cases this could have devastating results. The way to ensure this cannot occur is through secure wiping of the media.
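The deletion and slack space behaviour described above can be seen in a small model. This is an added example, not part of the original article: ToyFat, its 16-byte clusters and the sample strings are constructed for illustration, and it assumes the directory record of a deleted file (start cluster and size) is still readable.

```python
CLUSTER = 16                      # bytes per cluster (tiny, so the effect is visible)
FREE, EOC = None, -1              # allocation-table markers: unused / end of chain

class ToyFat:                     # constructed model, not the real on-disk FAT layout
    def __init__(self, clusters=8):
        self.data = bytearray(clusters * CLUSTER)   # data area
        self.fat = [FREE] * clusters                # file allocation table
        self.dir, self.deleted = {}, {}             # name -> (start cluster, size)

    def _chain(self, c):                            # follow the table from the start cluster
        while c != EOC:
            yield c
            c = self.fat[c]

    def write(self, name, payload):
        need = max(1, -(-len(payload) // CLUSTER))  # whole clusters only
        free = [i for i, v in enumerate(self.fat) if v is FREE][:need]
        if len(free) < need:
            raise OSError("volume full")
        for i, c in enumerate(free):
            self.fat[c] = free[i + 1] if i + 1 < need else EOC
            part = payload[i * CLUSTER:(i + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(part)] = part  # tail of cluster untouched
        self.dir[name] = (free[0], len(payload))

    def delete(self, name):                         # only the bookkeeping is removed
        start, size = self.dir.pop(name)
        for c in list(self._chain(start)):
            self.fat[c] = FREE                      # clusters become 'free space'
        self.deleted[name] = (start, size)          # assumption: stale record remains

    def recover(self, name):                        # only correct for unfragmented files
        start, size = self.deleted[name]
        return bytes(self.data[start * CLUSTER:start * CLUSTER + size])

    def slack(self, name):                          # bytes from end of file to cluster boundary
        start, size = self.dir[name]
        chain = list(self._chain(start))
        used = size - (len(chain) - 1) * CLUSTER
        return bytes(self.data[chain[-1] * CLUSTER + used:(chain[-1] + 1) * CLUSTER])

def demo():
    vol = ToyFat()
    secret = b"Password hint:  blue-heron"          # constructed sample, 26 bytes = 2 clusters
    vol.write("secret.txt", secret)
    vol.delete("secret.txt")
    recovered = vol.recover("secret.txt")           # intact: nothing has overwritten it yet
    vol.write("note.txt", b"x" * 17)                # reuses freed clusters, 1 byte in the 2nd
    return recovered, vol.slack("note.txt")
```

Calling demo() returns the deleted file's full contents, followed by the slack of note.txt, which still holds the tail of the deleted file. Overwriting every cluster, as secure wiping does, is what removes both.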