Saturday, July 18, 2009

FAT file system

When a file is deleted on a FAT file system, its directory entry remains stored on the disk, slightly renamed in a way that marks the entry in FAT table as available for use by newly created files thereafter. Most of its name, and its time stamp, file length and — most importantly — location on the disk, remain unchanged in the directory entry. The list of disk clusters occupied by the file will be erased from the File Allocation Table, however, marking those sectors available for use by other files created or modified thereafter.

When undeletion operation is attempted, the following conditions must be met for a successful recovery of the file:

  • The entry of the deleted file must still exist in the directory, meaning that it must not yet be overwritten by a new file (or folder) that has been created in the same directory. Whether this is the case can fairly easily be detected by checking whether the remaining name of the file to be undeleted is still present in the directory.
  • The sectors formerly used by the deleted file must not be overwritten yet by other files. This can fairly well be verified by checking that the sectors are not marked as used in the File Allocation Table. However, if, in the meantime, a new file had been written to, using those sectors, and then deleted again, freeing those sectors again, this cannot be detected automatically by the undeletion program. In this case an undeletion operation, even if appearing successful, might fail because the recovered file contains different data.
  • The file must not have been fragmented, meaning that the sectors its data occupied on the disk must have all been in one uninterrupted sequence. Whether this was the case may or may not be detectable by the undeletion program, depending on the arrangement of other files on the disk.

Chances of recovering deleted files is higher in FAT16 as compared to FAT32 drives; fragmentation of files is usually less in FAT16 due to large cluster size support (1024 Bytes, 2KB, 4KB, 8KB, 16KB, 32KB and 64KB which is supported only in Windows NT) as compared to FAT32 (4KB, 8KB, 16KB only).

If the undeletion program can not detect clear signs of the above requirements not being met, it will restore the directory entry as being in use and mark all consecutive sectors (clusters), beginning with the one as recorded in the old directory entry, as used in the File Allocation Table. It is then up to the user to open the recovered file and to verify that it contains the complete data of the formerly deleted file.

If the data of the recovered file is not correct, parts of the file may still be stored in other sectors of the disk. Recovery of those is not possible by automatic processes but only by manual examination of each (unused) block of the disk. This usually must be done by specialists that have very good knowledge of both the disk structure and the data being sought.

Norton UNERASE was an important component in Norton Utilities version 1.0 in 1981. Microsoft included a similar UNDELETE program in the final version of MS-DOS, but applied the Recycle Bin approach instead in later operating systems using FAT.

No comments:

Post a Comment