One of the most common issues we help our clients with is deleted files. Whether deleted by accident or maliciously, realizing that you no longer see your precious data is often petrifying.
Luckily, with a few minor caveats, deleted files are almost always recoverable. In today’s blog, we will provide our readers with a quick outline of what happens when files get deleted, what you can try on your own to recover them, what steps to avoid, and when it’s better to let a data recovery company handle it.
As a preamble, we’ll start with a data recovery story from a few years back. One of the services we are offering is an emergency after-hours diagnostics and recovery. The service comes with a rather high price tag and tailored to offer emergency assistance to big IT companies and data centres with failed servers. One night, around 11 pm, our call centre received an urgent call, asking to dispatch a data recovery specialist to meet a client at our lab. The description sounded very urgent, something about crucial data that has to be recovered by tomorrow morning.
As our specialist arrived at the scene, he encountered a man and his young son, holding a laptop. The man asked our specialist to recover a Word file, containing only 4 lines—part of the homework the son had to submit to his school teacher on the next day.
The best way to explain what happens when a file gets deleted, without going into a great amount of technical jargon, is by comparing the hard drive to a large car parking lot, and the files to cars. Imagine that you have just created a new document in your favourite word editor tool. After working hard and typing a bunch of important words, you click on the Save button. As a result, a new file is being saved onto your hard drive, or if we look at our imaginary parking lot —a new car drives in, and parks in any of the available spots.
Next, imagine that the parking lot hired an attendant, whose job is to sit by the entrance, meet and greet all the vehicles coming in, and instruct them where to park, based on which spot is available. He will send one car to spot A1 because he knows that it’s empty, the car afterwards to A2, and so on. In hard drives, this role is fulfilled by the MFT (Main File Table – In NTFS file systems that is).
Now let’s see what happens when we delete a file. In our imaginary parking lot, it would be equivalent to simply telling our parking attendant that a certain car is no longer parked at the lot. As the lot is rather big, he cannot see it completely, so as of this moment, he thinks that no one is parked at spot A1 (for example).
That is the only change that happened. The car didn’t move an inch, and it is still there. If we look for it by walking around the parking lot, we will find it in the same spot.
Same goes for files—whenever they get deleted, only the MFT entry is changed from “busy” to “occupied” so to speak. The file is still there, for now, and is still recoverable. If one acts fast, they can salvage 100% of the deleted data.
To complete that analogy, the only time when a file deleted will no longer be recoverable, is when a new data will be written on top of it—this is what we call “overwriting the deleted data.”
This is why it is extremely important, once you realized that your files are missing, to make sure they are not getting overwritten. New data constantly flows into our Internet-connected devices, most of the time in the form of updates downloaded by our operating systems or applications.
So step number one is: once you realize you deleted your files, turn your computer off. That way, you will prevent the deleted files from being overwritten.
This is usually the step where many users make the first, and often a fatal mistake. Instead of turning the computer off, they start researching online as per available data recovery tools, afterwards download a random tool to the same drive the data was deleted from, and then try to recover the deleted files, again onto the same drive the files were deleted from. All of that creates a huge mess, deleted files get overwritten, and often for good.
In scenarios like this, the best advice we can give you is: do not copy or install anything onto the drive where the deletion occurred. Instead, please remove it from your desktop/laptop, plug it into an external USB enclosure like this one, and connect it to another computer. Then you can experiment with different online data recovery tools, but please keep in mind that anything you would like to recover needs to be saved on another drive.
It’s not optimal because the original drive remains unprotected, but at least we know it’s not downloading any major updates and the chances to overwrite the data are minimal.
Another thing worth mentioning: very often, when files are deleted, their metadata (data about the file, such as dates, names, geolocation, etc.) is deleted as well. That, along with the fact that the MFT has no record of the previous location of the file, often causes the file to be recovered without its original attributes.
It means that if you had a nicely organized pictures library, after deleting and recovering it, you might get one huge folder with files labelled image001, image002, and so on. It’s a pain to reorganize everything back, but hey, it is much better than losing those files for good.
In the end, if you decide not to take your chances with DIY solutions, and send the drive to a data recovery lab, the process there should be the following:
- The drive will be cloned using a write blocking device, to minimize the chances that even a single bit gets overwritten.
- All further work will be done on the clone.
- Data recovery companies use professional-grade or proprietary data recovery software that allows us to maximize the results and to extract the maximum.
- In cases necessary, we often “carve” the drive for remnants of data—meaning that we have tools that examine the drive sector by sector or even bit by bit, and extract anything that looks like the user data, even if it’s a partial result.
To sum up this post, DIY data recovery is possible if followed by the guidelines mentioned above, as long as you make sure you do not overwrite your deleted files.
Comments? Send us an email