Undeletion

Undeletion is a feature for restoring computer files which have been removed from a file system by file deletion. Deleted data can be recovered on many file systems, but not all file systems provide an undeletion feature. Recovering data without an undeletion facility is usually called data recovery, rather than undeletion. Undeletion can help prevent users from accidentally losing data, but it can also pose a computer security risk, since users may not be aware that deleted files remain accessible.

Support

Not all file systems or operating systems support undeletion. Undeletion is possible on all FAT file systems, with undeletion utilities provided since MS-DOS 5.0 [1] [2] and DR DOS 6.0 in 1991. It is not supported by most modern UNIX file systems, though AdvFS is a notable exception. The ext2 file system has an add-on program called e2undel [3] which allows file undeletion. The similar ext3 file system does not officially support undeletion, but utilities like ext4magic, [4] extundelete, [5] PhotoRec and ext3grep [6] were written to automate the undeletion on ext3 volumes. [7] Undelete was proposed in ext4, but is yet to be implemented. [8] However, a trash bin feature was posted as a patch on December 4, 2006. [9] The Trash bin feature uses undelete attributes in ext2/3/4 and Reiser file systems. [10]

Command-line tools

Norton Utilities

Norton UNERASE was an important component in Norton Utilities version 1.0 in 1982.

MS-DOS

Microsoft included a similar UNDELETE program in versions 5.0 to 6.22 of MS-DOS, but applied the Recycle Bin approach instead in later operating systems using FAT.

DR DOS

DR DOS 6.0 and higher support UNDELETE as well, but optionally offer additional protection utilizing the FAT snapshot utility DISKMAP and the resident DELWATCH deletion tracking component, which actively maintains deleted files' date and time stamps and keeps the contents of deleted files from being overwritten unless running out of disk space. DELWATCH also supports undeletion of remote files on file servers. Since Novell DOS 7 the kernel will store the first letter of deleted files in the directory entries in order to further assist undeletion tools in recovering the original name.

PTS-DOS

PTS-DOS offers the same feature, configurable by a SAVENAME CONFIG.SYS directive.

FreeDOS

The FreeDOS version of UNDELETE was developed by Eric Auer and is licensed under the GPL. [11]

Graphical programs

Graphical user environments often take a different approach to undeletion, instead using a "holding area" for files to be deleted. Undesired files are moved to this holding area, and all of the files in the holding area are deleted periodically or when a user requests it. This approach is used by the Trash can in Macintosh operating systems and by the recycle bin in Microsoft Windows. This is a natural continuation of the approach taken by earlier systems, such as the limbo group used by LocoScript. [12] This approach is not subject to the risk that other files being written to the filesystem will disrupt a deleted file very quickly; permanent deletion will happen on a predictable schedule or with manual intervention only.

Another approach is offered by programs such as Norton GoBack (formerly Roxio GoBack): a portion of the hard disk space is set aside for file modification operations to be recorded in such a way that they may later be undone. This process is usually much safer in aiding recovery of deleted files than the undeletion operation as described below.

Similarly, file systems that support "snapshots" (like ZFS or btrfs) can be used to make snapshots of the whole file system at regular intervals (e.g. every hour), thus allowing recovery of files from an earlier snapshot.

Limitations

Undeletion is not fail-safe. In general, the sooner undeletion is attempted, the more likely it will be successful. This is because the more a system is used, the more data is written to the drive and potentially allocated to that deleted space. Fragmentation of the deleted file may also reduce the probability of recovery, depending on the type of file system (see below). A fragmented file is scattered across different parts of the disk, instead of being in a contiguous area.

Mechanics

The workings of undeletion depend on the file system on which the deleted file was stored. Some file systems, such as HFS, cannot provide an undeletion feature because no information about the deleted file is retained (except by additional software, which is not usually present). Some file systems, however, do not erase all traces of a deleted file, including FAT file systems:

FAT file systems

When a file is "deleted" using a FAT file system, the directory entry remains almost unchanged except for the first character of the file name, preserving most of the "deleted" file's name, along with its time stamp, file length and — most importantly — its physical location on the disk. The list of disk clusters occupied by the file will, however, be erased from the File Allocation Table, marking those sectors available for use by other files created or modified thereafter. On FAT32, the directory entry field holding the upper 16 bits of the file's start cluster value is additionally erased.

When an undeletion operation is attempted, the following conditions must be met for a successful recovery of the file:

The chances of recovering deleted files are often higher on FAT12 and FAT16 than on FAT32 volumes, due to the typically larger cluster sizes used by the former systems and due to the loss of the upper 16 bits of the logical cluster address on FAT32.

If the undeletion program cannot detect clear signs of the above requirements not being met, it will restore the directory entry as being in use and mark all consecutive clusters, beginning with the one as recorded in the old directory entry, as used in the File Allocation Table. It is then up to the user to open the recovered file and to verify that it contains the complete data of the formerly deleted file.

Recovery of fragmented files (after the first fragment) is therefore not normally possible by automatic processes, only by manual examination of each (unused) block of the disk. This requires detailed knowledge of the file system, as well as the binary format of the file type being recovered, and is therefore only done by recovery specialists or forensics professionals.
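The FAT behaviour described above, as an added example that is not part of the original article or of any undelete utility: it parses a deleted short (8.3) directory entry, checks whether the consecutive clusters starting at the recorded start cluster are still free, and lists the start clusters that remain possible on FAT32 once the upper 16 bits are gone. The 0xE5 deletion marker, the entry layout and the free-cluster value 0 follow the standard FAT on-disk format; the sample entry, the decoded FAT lists and all function names are constructed for illustration.

```python
import struct

DELETED = 0xE5      # first name byte FAT writes into a deleted directory entry
ATTR_LFN = 0x0F     # long-file-name slot, not a file entry
FREE = 0            # FAT value of an unallocated cluster
ENTRY = struct.Struct("<11sB8xHHHHI")   # 32-byte short (8.3) directory entry

def parse_deleted(raw):
    """Return metadata kept in a deleted 8.3 entry, or None for live/LFN entries."""
    name, attr, clus_hi, _wtime, _wdate, clus_lo, size = ENTRY.unpack(raw)
    if name[0] != DELETED or attr == ATTR_LFN:
        return None
    base = name[1:8].decode("ascii", "replace").rstrip()
    ext = name[8:11].decode("ascii", "replace").rstrip()
    # The first character of the name is lost on deletion; "?" marks it.
    return {"name": "?" + base + ("." + ext if ext else ""),
            "size": size, "start": clus_lo, "start_hi": clus_hi}

def undelete_plan(meta, fat, cluster_size):
    """Consecutive clusters a tool would re-mark as used; None if any is taken."""
    need = -(-meta["size"] // cluster_size)          # ceiling division
    if need == 0:
        return []                                    # empty file owns no clusters
    run = list(range(meta["start"], meta["start"] + need))
    if run[0] < 2 or run[-1] >= len(fat) or any(fat[c] != FREE for c in run):
        return None                                  # overwritten or out of range
    return run

def fat32_candidates(meta, total_clusters):
    """Start clusters still possible on FAT32 after the upper 16 bits were erased."""
    cands = ((hi << 16) | meta["start"] for hi in range((total_clusters >> 16) + 1))
    return [c for c in cands if 2 <= c < total_clusters + 2]

# Constructed sample: "REPORT.TXT" (3000 bytes, start cluster 5) after deletion.
SAMPLE_ENTRY = ENTRY.pack(b"\xE5EPORT  TXT", 0x20, 0, 0, 0, 5, 3000)
# Constructed FAT16 tables as decoded integers; clusters 2-4 belong to another file.
FAT_INTACT = [0xFFF8, 0xFFFF, 3, 4, 0xFFFF, FREE, FREE, FREE]
FAT_REUSED = [0xFFF8, 0xFFFF, 3, 4, 0xFFFF, FREE, 0xFFFF, FREE]

if __name__ == "__main__":
    meta = parse_deleted(SAMPLE_ENTRY)
    print(meta["name"], meta["size"])
    print(undelete_plan(meta, FAT_INTACT, 2048))
    print(undelete_plan(meta, FAT_REUSED, 2048))
    print(fat32_candidates(meta, 200000))
```

A non-empty plan only means no clear sign of overwriting was found: clusters that are free now may have been reused and freed again, and a fragmented file will not lie in the consecutive run, so the recovered content still has to be verified.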

NTFS file systems

NTFS stores file information as a set of fixed-size records (typically, 1KB) within the so-called Master File Table (MFT). File name and file allocation information are encapsulated into these records, providing complete information about each specific file. When the system deletes a file, the entry in the Master File Table is released to be either unlinked or reused, but it still remains on disk. Until the MFT entry is reused or overwritten, the file can be easily recovered: data recovery software can find the "lost" MFT entry and derive full information about the lost file from it.

Note, however, that when the SSD TRIM function is enabled, file content may be destroyed shortly after deletion to reuse SSD memory cells. This makes file content recovery impossible (only name, date and file size information will remain on the disk).

Prevention

Data erasure is a term that refers to software-based methods of preventing file undeletion.

Related Research Articles

New Technology File System (NTFS) is a proprietary journaling file system developed by Microsoft. Starting with Windows NT 3.1, it is the default file system of the Windows NT family. It superseded File Allocation Table (FAT) as the preferred filesystem on Windows and is supported in Linux and BSD as well. NTFS reading and writing support is provided using a free and open-source kernel implementation known as NTFS3 in Linux and the NTFS-3G driver in BSD. By using the convert command, Windows can convert FAT32/16/12 into NTFS without the need to rewrite all files. NTFS uses several files typically hidden from the user to store metadata about other files stored on the drive which can help improve speed and performance when reading data. Unlike FAT and High Performance File System (HPFS), NTFS supports access control lists (ACLs), filesystem encryption, transparent compression, sparse files and file system journaling. NTFS also supports shadow copy to allow backups of a system while it is running, but the functionality of the shadow copies varies between different versions of Windows.

ext3, or third extended filesystem, is a journaled file system that is commonly used by the Linux kernel. It used to be the default file system for many popular Linux distributions. Stephen Tweedie first revealed that he was working on extending ext2 in Journaling the Linux ext2fs Filesystem in a 1998 paper, and later in a February 1999 kernel mailing list posting. The filesystem was merged with the mainline Linux kernel in November 2001 from 2.4.15 onward. Its main advantage over ext2 is journaling, which improves reliability and eliminates the need to check the file system after an unclean shutdown. Its successor is ext4.

File Allocation Table (FAT) is a file system developed for personal computers and was the default filesystem for MS-DOS and Windows 9x operating systems. Originally developed in 1977 for use on floppy disks, it was adapted for use on hard disks and other devices. The increase in disk drive capacity required three major variants: FAT12, FAT16 and FAT32. FAT was replaced with NTFS as the default file system on Microsoft operating systems starting with Windows XP. Nevertheless, FAT continues to be used on flash and other solid-state memory cards and modules, and on many portable and embedded devices, because of its compatibility and ease of implementation.

Disk partitioning: Creation of separate accessible storage areas on a secondary computer storage device

Disk partitioning or disk slicing is the creation of one or more regions on secondary storage, so that each region can be managed separately. These regions are called partitions. It is typically the first step of preparing a newly installed disk, before any file system is created. The disk stores the information about the partitions' locations and sizes in an area known as the partition table that the operating system reads before any other part of the disk. Each partition then appears to the operating system as a distinct "logical" disk that uses part of the actual disk. System administrators use a program called a partition editor to create, resize, delete, and manipulate the partitions. Partitioning allows the use of different filesystems to be installed for different kinds of files. Separating user data from system data can prevent the system partition from becoming full and rendering the system unusable. Partitioning can also make backing up easier. A disadvantage is that it can be difficult to properly size partitions, resulting in having one partition with too much free space and another nearly totally allocated.

Defragmentation: Rearrangement of sectors on a hard disk into contiguous units

In the maintenance of file systems, defragmentation is a process that reduces the degree of fragmentation. It does this by physically organizing the contents of the mass storage device used to store files into the smallest number of contiguous regions. It also attempts to create larger regions of free space using compaction to impede the return of fragmentation. Some defragmentation utilities try to keep smaller files within a single directory together, as they are often accessed in sequence.

File system: Computer filing system

In computing, a file system or filesystem governs file organization and access. A local file system is a capability of an operating system that services the applications running on the same computer. A distributed file system is a protocol that provides file access between networked computers.

Norton Utilities: Computer utility software

Norton Utilities is a utility software suite designed to help analyze, configure, optimize and maintain a computer. The latest version of the original series, Norton Utilities 16 for Windows XP/Vista/7/8, was released 26 October 2012.

File deletion is the removal of a file from a computer's file system.

In computing, data recovery is a process of retrieving deleted, inaccessible, lost, corrupted, damaged, or formatted data from secondary storage, removable media or files, when the data stored in them cannot be accessed in a usual way. The data is most often salvaged from storage media such as internal or external hard disk drives (HDDs), solid-state drives (SSDs), USB flash drives, magnetic tapes, CDs, DVDs, RAID subsystems, and other electronic devices. Recovery may be required due to physical damage to the storage devices or logical damage to the file system that prevents it from being mounted by the host operating system (OS).

TestDisk: Data recovery utility

TestDisk is a free and open-source data recovery utility that helps users recover lost partitions or repair corrupted filesystems. TestDisk can collect detailed information about a corrupted drive, which can then be sent to a technician for further analysis. TestDisk supports DOS, Microsoft Windows, Linux, FreeBSD, NetBSD, OpenBSD, SunOS, and MacOS. TestDisk handles non-partitioned and partitioned media. In particular, it recognizes the GUID Partition Table (GPT), Apple partition map, PC/Intel BIOS partition tables, Sun Solaris slice and Xbox fixed partitioning scheme. TestDisk uses a command line user interface. TestDisk can recover deleted files with 97% accuracy.

PhotoRec: Open source data recovery software

PhotoRec is a free and open-source data recovery utility with a text-based user interface. It uses data carving techniques and is designed to recover lost files from various digital camera memory, hard disk and CD-ROM. It can recover files with more than 480 file extensions. It is also possible to add custom file signatures to detect less-known file types.

The following tables compare general and technical information for a number of file systems.

ext4 is a journaling file system for Linux, developed as the successor to ext3.

Trash (computing): Temporary storage for deleted files

In computing, the trash, also known by other names such as dustbin, wastebasket, and others, is a graphical user interface desktop metaphor for temporary storage for files set aside by the user for deletion, but not yet permanently erased. The concept and name are part of Mac operating systems; a similar implementation is called the Recycle Bin in Microsoft Windows, and other operating systems use other names.

Recuva: Undeletion program for Windows

Recuva is an undeletion program for Windows, developed by Piriform Software. It is able to undelete files that have been marked as deleted; the operating system marks the areas of the disk in which they were stored as free space. Recuva can recover files deleted from internal and external hard disk drives, USB flash drives, memory cards, portable media players or all random-access storage mediums with a supported file system. Preview thumbnails of intact photos can be displayed in grid view mode and in the side bar.

FreeUndelete: Data recovery software utility

FreeUndelete is a freeware data recovery software utility, running under Microsoft Windows 7, Vista, XP, 2003 and 2000. FreeUndelete supports NTFS and FAT file systems.

Partition-Saving: Disk imaging utility

Partition-Saving is a disk imaging utility for Linux, Windows and DOS environments that can save disk partitions in one of the several supported disk image formats.

The FAT file system is a file system used on MS-DOS and Windows 9x family of operating systems. It continues to be used on mobile devices and embedded systems, and thus is a well suited file system for data exchange between computers and devices of almost any type and age from 1981 through the present.

Mac Data Recovery Guru is a data recovery application, for macOS. It was designed to recover deleted files from hard disk drives, USB flash drives, memory cards of cameras and portable devices, MP3 players, PlayStations, X-Boxes, Wii's, palm devices and optical media.

DMDE is a data recovery and disk editing tool for hard drives and other storage media. It can work with physical devices, logical disks, disk images, as well as RAID-arrays and recovers files that have been accidentally deleted or lost due to other incidents.

References

  1. "When Not to Use MS-DOS 5.0 CHKDSK and UNDELETE Commands". Support.microsoft.com. 2006-11-16. Archived from the original on 2012-02-02. Retrieved 2012-01-09.
  2. "Using a Common UNDELETE.INI File with Undelete". Support.microsoft.com. 1999-11-16. Archived from the original on 2009-08-26. Retrieved 2012-01-09.
  3. "the e2undel home page". e2undel.sourceforge.net. Retrieved 2020-07-02.
  4. "Ext4magic". ext4magic.sourceforge.net. Retrieved 2020-07-02.
  5. "extundelete: An ext3 and ext4 file undeletion utility". extundelete.sourceforge.net. Retrieved 2020-07-02.
  6. "Google Code Archive - Long-term storage for Google Code Project Hosting". code.google.com. Retrieved 2020-07-02.
  7. Carlo Wood (2008-02-07). "HOWTO recover deleted files on an ext3 file system". Xs4all.nl. Archived from the original on 2010-09-19. Retrieved 2012-01-09.
  8. "New ext4 features". Archived from the original on 2008-12-18.
  9. "Secure Deletion and Trash-Bin Support for Ext4". Article.gmane.org. Archived from the original on 2008-07-09. Retrieved 2012-01-09.
  10. "Gmane Loom". Thread.gmane.org. Archived from the original on 2016-01-11. Retrieved 2012-01-09.
  11. "FreeDOS 1.2 Updates Package - Undelete (FreeDOS Base)". Ibiblio.org. 2009-04-05. Retrieved 2022-09-04.
  12. "Langford in PCW TODAY column #6". Ansible.co.uk. Archived from the original on 2012-02-14. Retrieved 2012-01-09.