Undeletion

Undeletion is a feature for restoring computer files which have been removed from a file system by file deletion. Deleted data can be recovered on many file systems, but not all file systems provide an undeletion feature. Recovering data without an undeletion facility is usually called data recovery, rather than undeletion. Although undeletion can help prevent users from accidentally losing data, it can also pose a computer security risk, since users may not be aware that deleted files remain accessible.

Support

Not all file systems or operating systems support undeletion. Undeletion is supported by DOS, but is not supported by most modern UNIX file systems, though AdvFS is a notable exception. The ext2 file system has an addon program called e2undel [http://e2undel.sourceforge.net/] which allows file undeletion, although the similar ext3 file system does not support undeletion.

Graphical user environments often take a different approach to undeletion by introducing a "holding area" for files to be deleted. Undesired files are moved to this holding area, and all of the files in the holding area are periodically deleted. This approach is used by the "Trash can" in Macintosh operating systems and by the recycle bin in Microsoft Windows. This is a natural continuation of the approach taken by earlier systems, such as the limbo group used by CP/M [http://www.ansible.co.uk/ai/pcwplus/pcwtdy06.html].

Another approach is offered by programs such as "Norton GoBack" (formerly "Roxio GoBack"): a portion of the hard disk space is set aside for file modification operations to be recorded in such a way that they may later be undone. This process is usually much safer in aiding recovery of deleted files than the undeletion operation as described below.

Limitations

Undeletion is not fail-safe. In general, the sooner undeletion is attempted, the more likely it will be successful. Fragmentation of the deleted file may also reduce the probability of recovery, depending on the type of file system (see below). A fragmented file is scattered across different parts of the disk, instead of being in a contiguous area.

Mechanics

The workings of undeletion depend on the file system on which the deleted file was stored. Some file systems, such as HFS, cannot provide an undeletion feature because no information about the deleted file is retained (except by additional software, which is not usually present). Other file systems, including the "FAT" file system, do not erase all traces of a deleted file:

FAT file system

When a file is deleted on a FAT file system, its directory entry remains stored on the disk, slightly renamed in a way that marks the entry as available for use by newly created files thereafter. Most of its name, its time stamp, its file length and, most importantly, its location on the disk remain unchanged in the directory entry (root directory which is represented using . or .. in FAT16 or FAT32). The list of disk clusters occupied by the file is, however, erased from the File Allocation Table, marking those sectors as available for use by other files created or modified thereafter.

When an undeletion operation is attempted, the following conditions must be met for a successful recovery of the file:
* The entry of the deleted file must still exist in the directory, meaning that it must not yet be overwritten by a new file (or folder) that has been created in the same directory. Whether this is the case can fairly easily be detected by checking whether the remaining name of the file to be undeleted is still present in the directory.
* The sectors formerly used by the deleted file must not yet have been overwritten by other files. This can be verified fairly well by checking that the sectors are not marked as used in the "File Allocation Table". However, if a new file was written to those sectors in the meantime and then deleted again, freeing them once more, this cannot be detected automatically by the undeletion program. This means that an undeletion operation, even if it appears successful, might fail because the recovered file contains different data.
* The file must not have been fragmented, meaning that the sectors its data occupied on the disk must have all been in one uninterrupted sequence. Whether this was the case may or may not be detectable by the undeletion program, depending on the arrangement of other files on the disk.

The chances of recovering deleted files are higher on FAT16 than on FAT32 drives, because files tend to be somewhat less fragmented on FAT16 owing to its support for large cluster sizes (1024 bytes, 2 KB, 4 KB, 8 KB, 16 KB, 32 KB and 64 KB, the last of which is supported only in Windows NT) as compared to FAT32 (4 KB, 8 KB, 16 KB only).

If the undeletion program cannot detect clear signs that the above requirements are not met, it will restore the directory entry as being in use and mark all consecutive sectors (clusters), beginning with the one recorded in the old directory entry, as used in the "File Allocation Table". It is then up to the user to open the recovered file and to verify that it contains the complete data of the formerly deleted file.
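The checks above, as an added Python example that is not part of the original article: it parses a 32-byte FAT16 directory entry, treats a first name byte of 0xE5 as the deletion mark, and tests whether the consecutive clusters starting at the recorded one are still free in the FAT. The sample FAT, the file names and the helper names `make_entry` and `assess_undelete` are assumptions constructed for illustration.

```python
import struct

DELETED = 0xE5   # first name byte of a deleted FAT directory entry
FREE = 0x0000    # FAT16 value for an unallocated cluster

def make_entry(name83, first_cluster, size, deleted=False):
    """Build a constructed 32-byte FAT16 directory entry (sample data only)."""
    raw = bytearray(32)
    raw[0:11] = name83.ljust(11)
    raw[11] = 0x20                                  # archive attribute
    struct.pack_into("<H", raw, 26, first_cluster)  # starting cluster
    struct.pack_into("<I", raw, 28, size)           # file length in bytes
    if deleted:
        raw[0] = DELETED                            # the "slight rename"
    return bytes(raw)

def assess_undelete(entry, fat, cluster_size):
    """Apply the article's recovery checks to one 32-byte directory entry."""
    if entry[0] != DELETED:
        return {"deleted": False}
    base = entry[1:8].decode("ascii").rstrip()
    ext = entry[8:11].decode("ascii").rstrip()
    first, = struct.unpack_from("<H", entry, 26)
    size, = struct.unpack_from("<I", entry, 28)
    needed = -(-size // cluster_size)               # ceiling division
    # The chain was erased from the FAT, so assume one contiguous run.
    run = list(range(first, first + needed))
    reused = [c for c in run if c >= len(fat) or fat[c] != FREE]
    return {"deleted": True, "name": "?" + base + "." + ext,
            "clusters": run, "reused": reused, "candidate": not reused}

# Constructed 16-entry FAT16 table: cluster 10 now belongs to another
# file and cluster 12 holds the live README.
SAMPLE_FAT = [0xFFF8, 0xFFFF] + [FREE] * 14
SAMPLE_FAT[10] = 0xFFFF
SAMPLE_FAT[12] = 0xFFFF
CLUSTER_SIZE = 2048
REPORT = make_entry(b"REPORT  TXT", 5, 5000, deleted=True)
NOTES = make_entry(b"NOTES   TXT", 9, 3000, deleted=True)
LIVE = make_entry(b"README  TXT", 12, 100)

if __name__ == "__main__":
    for e in (REPORT, NOTES, LIVE):
        print(assess_undelete(e, SAMPLE_FAT, CLUSTER_SIZE))
```

A `candidate` result of `True` only means no conflict is visible in the FAT; it cannot rule out the case where the clusters were reused by another file that was itself deleted, nor confirm that the original file was contiguous.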

If the data of the recovered file is not correct, parts of the file may still be stored in other sectors of the disk, but these cannot be recovered by automatic processes, only by manual examination of each (unused) block of the disk. This is usually unfeasible and can only be performed by specialists who have very good knowledge of both the disk structure and the data being searched.

Prevention

There are several ways to prevent file undeletion. In UNIX environments with the GNU Core Utilities, the shred command will delete a file and then repeatedly overwrite the sectors to make recovery difficult for even very expensive hardware probing techniques. In Windows, defragmenting (on FAT file systems, at least) after deletion may overwrite the original position of the file, making recovery more difficult, but it is not a recommended way to ensure secure data deletion.

See also

* PhotoRec features a carving approach for many operating systems
* FilesLost.com [http://www.fileslost.com] features a filesystem approach for Windows systems
* Foremost [http://foremost.sourceforge.net/] - open-source Linux program to recover files based on headers and footers (data carving)


Wikimedia Foundation. 2010.
