Re: What happens physically when files are deleted or recovered?
- From: "Phil Weldon" <notdiscosed@xxxxxxxxxxx>
- Date: Tue, 03 Apr 2007 01:46:07 GMT
'Dennis Marks' wrote, in part:
| I know the following.
|
| The directory keeps track of filenames and pointers to where all the
| segments of a file are located.
|
| When a file is deleted from the recycle bin the directory entry is
| either deleted or flagged to indicate that the file is deleted. The
| physical data remains where it was and can be overwritten at any time.
|
| This is my question.
|
| When you run a recovery program does it:
_____
'Ken Blake' gave you a good, short answer for the FAT file system.
The details for NTFS are different, and there are many more things to
consider.
There is an important follow-up question to your initial post; are you
asking from a recovery standpoint, or a security standpoint?
NTFS is a much more rugged file system; files are less likely to be damaged
by application, OS, or hard drive problems.
NTFS detects bad clusters during operations and remaps good cluster
replacements (FAT does this only during formatting.)
NTFS creates extra information (data streams) as part of files (one of the
purposes is to help in recovery operations, but these data streams also
contain information that is persistent through multiple file content
changes).
NTFS has a Master File Table (MFT) that contains one record for each folder
and for each file (more records are required for very large and fragmented
files to hold all the pointers for a large number of fragments). Small
files ( < 900 bytes) can be ENTIRELY in the MFT record for that file.
NTFS marks a file as deleted by setting a flag in the MFT file record for
the file marking the record as free for reuse. The free cluster map is also
modified to show the clusters used by the file (if any) as available.
NTFS keeps logs of committed and pending file transactions; "During recovery
operations, NTFS redoes each committed transaction found in the log file.
Then NTFS locates in the log file the transactions that were not committed
at the time of the system failure and undoes each metadata operation ..."
"Windows XP Professional Resource Kit, 3rd Edition," Microsoft Press
These differences between NTFS and the FAT file system have ordinary recovery
and security implications. With NTFS, recovery is less likely to be needed,
and easier when needed. This also means that files deleted or modified in
the ordinary fashion leave more traces.
Depending on the recovery methods, your A. AND your B. are possible. As to
'how does it know?' for case B, the answer is lots of human intervention,
time, and perhaps money B^)
Phil Weldon
"Dennis Marks" <denmarks@xxxxxxxxx> wrote in message
news:OBPi35VdHHA.1000@xxxxxxxxxxxxxxxxxxxxxxx
| I know the following.
|
| The directory keeps track of filenames and pointers to where all the
| segments of a file are located.
|
| When a file is deleted from the recycle bin the directory entry is
| either deleted or flagged to indicate that the file is deleted. The
| physical data remains where it was and can be overwritten at any time.
|
| This is my question.
|
| When you run a recovery program does it:
|
| A: go back to the directory and find entries flagged as deleted and
| follow the entry to try to find recoverable segments.
|
| or B: Somehow do the recovery without any directory entry to start with.
|
| If A then when would a flagged entry be finally removed from the
| directory.
|
| or If B: how does it know file names and which pieces to put back
| together.
|
| I know that this is a lot and would like to be pointed to a web site
| that explains it without actually referring to using recovery software.
| I don't want to know what to do. I want to know how it does it.
|
| --
| Dennis M. Marks
|
| Disclaimer: The above is my opinion. I do not guarantee it. Be sure to
| back up any files involved and use at your own risk. Batteries not
| included. Not for internal use. Don't run with knives.
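
The two MFT points in the reply above (a deleted file is a record whose in-use flag has been cleared, and a small file can live entirely inside its record) can be seen in a short parser. This is an added example, not part of the original post: the function names and the sample records are constructed for illustration, the field offsets are those of the standard NTFS FILE record layout, and update-sequence fixups are skipped for brevity.

```python
import struct

IN_USE, IS_DIR = 0x0001, 0x0002        # flags word at offset 0x16 of a FILE record
ATTR_DATA, ATTR_END = 0x80, 0xFFFFFFFF  # $DATA attribute type, end-of-attributes marker

def parse_file_record(rec: bytes) -> dict:
    """Summarise one MFT FILE record: deleted or not, and any resident $DATA."""
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"deleted": not flags & IN_USE, "directory": bool(flags & IS_DIR),
            "resident_data": None}
    off = first_attr
    while off + 8 <= len(rec):                      # walk the attribute list
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0 or off + alen > len(rec):
            break
        non_resident = rec[off + 8]
        if atype == ATTR_DATA and not non_resident:
            # Resident attribute: content length at +0x10, content offset at +0x14.
            size, coff = struct.unpack_from("<IH", rec, off + 0x10)
            info["resident_data"] = rec[off + coff: off + coff + size]
        off += alen
    return info

def build_record(flags: int, content: bytes) -> bytes:
    """Constructed sample: a 1024-byte record holding one resident $DATA attribute."""
    hdr = bytearray(0x38)
    hdr[:4] = b"FILE"
    struct.pack_into("<HH", hdr, 0x14, 0x38, flags)  # first attribute offset, flags
    alen = (0x18 + len(content) + 7) & ~7            # attributes are 8-byte aligned
    attr = bytearray(alen)
    struct.pack_into("<IIBBHHH", attr, 0, ATTR_DATA, alen, 0, 0, 0x18, 0, 0)
    struct.pack_into("<IH", attr, 0x10, len(content), 0x18)
    attr[0x18:0x18 + len(content)] = content
    rec = bytes(hdr) + bytes(attr) + struct.pack("<I", ATTR_END)
    return rec.ljust(1024, b"\x00")

# Constructed inputs: identical records except for the in-use flag.
live = build_record(IN_USE, b"small file kept inside the MFT")
deleted = build_record(0, b"small file kept inside the MFT")

if __name__ == "__main__":
    for name, rec in (("live", live), ("deleted", deleted)):
        print(name, parse_file_record(rec))
```

The deleted record still yields its content: clearing the flag frees the record for reuse but leaves the resident bytes in place until the record is reallocated.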