Deleted Files                 


 

How files are Stored, Deleted and Recovered (FAT file systems) 

When a file is created three things occur: 

1. An entry is made into the File Allocation Table (FAT) to indicate where the actual data is stored in the Data Area. (A File Allocation Table is the means by which the operating system keeps track of where the pieces of a file are stored on a hard disk.)

2. A Directory entry is made to indicate file name, size, the link to the FAT and other information. 

3. The data is written to the Data Area. 

When a file is deleted only two things occur: 

1. The File Allocation Table entry for that particular file is zeroed out and shown as available for use by a new file. (A File Allocation Table is the means by which the operating system keeps track of where the pieces of a file are stored on a hard disk.)

2. The first character of the Directory Entry file name is changed to a special character (E5 hex).

3. Nothing is done to the Data Area.  The data is untouched. 

Recovery of a FAT file system file can be accomplished in 2 ways.  

1. The File Allocation Table entry for that particular file is linked to the particular location in the data area where the file data is stored.

2. The first character of the Directory Entry file name is changed to a legal character. 

3. Nothing is done to the Data Area. 
 
OR

1. The data can be "carved" from unallocated space using a specialized extraction utility.
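
The FAT deletion and recovery steps above, as an added example that is not part of the original page: it scans a directory region for entries whose first name byte is E5 hex and reads the untouched data back from the Data Area. The helper names and the sample directory and data bytes are constructed for illustration, and recovery assumes the file occupied contiguous clusters, since the FAT chain has been zeroed.

```python
import struct

ENTRY_SIZE = 32     # every FAT directory entry is 32 bytes
DELETED = 0xE5      # first name byte of a deleted entry
END_OF_DIR = 0x00   # first name byte of a never-used entry
ATTR_LFN = 0x0F     # long-file-name entries are skipped here

def make_entry(name83: bytes, first_cluster: int, size: int, deleted=False) -> bytes:
    """Build a constructed directory entry (demo helper, not a real tool)."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:11] = name83.ljust(11)                             # 8.3 name, space padded
    raw[11] = 0x20                                           # archive attribute
    struct.pack_into("<H", raw, 20, first_cluster >> 16)     # high word (FAT32 only)
    struct.pack_into("<H", raw, 26, first_cluster & 0xFFFF)  # low word
    struct.pack_into("<I", raw, 28, size)                    # file size in bytes
    if deleted:
        raw[0] = DELETED    # deletion only overwrites the first name character
    return bytes(raw)

def deleted_entries(directory: bytes):
    """Return (name, first_cluster, size) for every entry marked E5 hex."""
    found = []
    for off in range(0, len(directory) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = directory[off:off + ENTRY_SIZE]
        if e[0] == END_OF_DIR:
            break                       # nothing beyond this point was ever used
        if e[0] != DELETED or e[11] == ATTR_LFN:
            continue
        hi, lo = struct.unpack_from("<H", e, 20)[0], struct.unpack_from("<H", e, 26)[0]
        size, = struct.unpack_from("<I", e, 28)
        # The original first character is lost; show it as "?".
        name = "?" + e[1:8].decode("ascii").rstrip() + "." + e[8:11].decode("ascii").rstrip()
        found.append((name, (hi << 16) | lo, size))
    return found

def recover(data_area: bytes, first_cluster: int, size: int, cluster_size: int) -> bytes:
    """Read size bytes from first_cluster onward; data clusters are numbered from 2."""
    start = (first_cluster - 2) * cluster_size
    return data_area[start:start + size]

# Constructed sample: 512-byte clusters, live file in cluster 2, deleted file in cluster 3.
CLUSTER = 512
DIRECTORY = (make_entry(b"README  TXT", 2, 5)
             + make_entry(b"SECRET  DOC", 3, 18, deleted=True) + bytes(ENTRY_SIZE))
DATA_AREA = b"hello".ljust(CLUSTER, b"\0") + b"quarterly figures\n".ljust(CLUSTER, b"\0")

if __name__ == "__main__":
    for name, cluster, size in deleted_entries(DIRECTORY):
        print(name, cluster, size, recover(DATA_AREA, cluster, size, CLUSTER))
```

The size and starting cluster survive deletion in the directory entry, which is why only the first character of the name has to be guessed when the entry is restored.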
 


 
How files are Stored, Deleted and Recovered (NTFS file systems) 

When a file is created three things occur: 

1. An entry is made into the Bitmap to indicate where the actual data is stored in the Data Area. (A Bitmap is the means by which the operating system keeps track of where the pieces of a file are stored on a hard disk.)

2. A Master File Table (MFT) entry is made to indicate file name, size and a lot of other information. 

3. The data is written to the Data Area. 

When a file is deleted only two things occur: 

1. The Bitmap entries for that particular file are cleared (zeroed out) and shown as available for use by a new file. (A Bitmap is the means by which the operating system keeps track of where the pieces of a file are stored on a hard disk.)

2. A Bit is cleared in the MFT entry. 

3. Nothing is done to the Data Area.  The data is untouched. 

Recovery of an NTFS file system file is normally accomplished in 1 way because the MFT is quickly cleared of deleted MFT entries.

1. The data can be "carved" from unallocated space using a specialized extraction utility.

 

Whether the file system is FAT or NTFS, deleted files can be recovered as long as the actual data in the Data Area is not overwritten by a new file.

When a Hard Disk Drive or Diskette is formatted, the Data Area is also left untouched.  The FAT and Directory Entry are zeroed out and more steps are required to recover this data. Normally most of the original data can be recovered from formatted media.
 
