CID Security logo NorwegianEnglish
 
Besøk vår nedlastingsside
Besøk vår nettbutikk
 

What is file undelete/recovery?
Undeletion
Undeletion is a feature for restoring computer files which have been removed from a file system by file deletion. Deleted data can be recovered on many file systems, but not all file systems provide an undeletion feature. Recovering data without an undeletion facility is usually called data recovery, rather than undeletion. Although undeletion can help prevent users from accidentally losing data, it can also provide a computer security risk, since users may not be aware that deleted files remain accessible.
 
When a file is deleted on a FAT or NTFS file system, its directory entry remains stored on the disk in a way that marks the entry in the file table as available for use by newly created files thereafter. Most of its name, time stamp, file length and location on the disk, remain unchanged in the directory entry.

When undeletion operation is attempted, the following conditions must be met for a successful recovery of the file:

  • The entry of the deleted file must still exist in the directory, meaning that it must not yet be overwritten by a new file (or folder) that has been created in the same directory.
     
  • The sectors formerly used by the deleted file must not be overwritten yet by other files. However, if, in the meantime, a new file had been written to, using those sectors, and then deleted again, freeing those sectors again, this cannot be detected automatically by the undeletion program. This means that an undeletion operation, even if appearing successful, might fail because the recovered file contains different data.
     
  • The file must not have been fragmented, meaning that the sectors its data occupied on the disk must have all been in one uninterrupted sequence. Whether this was the case may or may not be detectable by the undeletion program, depending on the arrangement of other files on the disk.

If the undeletion program can not detect clear signs of the above requirements not being met, it will restore the directory entry as being in use and mark all consecutive sectors (clusters), beginning with the one as recorded in the old directory entry, as used in the file table. It is then up to the user to open the recovered file and to verify that it contains the complete data of the formerly deleted file.

If the data of the recovered file is not correct, parts of the file may still be stored in other sectors of the disk, but recovery of those is not possible by automatic processes but only by manual examination of each (unused) block of the disk. This is usually unfeasible and can only be performed by specialists that have very good knowledge of both the disk structure and the data being searched.

Limitations
Undeletion is not fail-safe. In general, the sooner undeletion is attempted, the more likely it will be successful. Fragmentation of the deleted file may also reduce the probability of recovery, depending on the type of file system.
A fragmented file is scattered across different parts of the disk, instead of being in a contiguous area.

Source: Wikipedia - the free encyclopedia.

   Tilbake til artikler ...  

Copyright © CID Security, 2008. All Rights Reserved
 Privacy Policy