Undelete

For undeletion on World Heritage Encyclopedia, see World Heritage Encyclopedia:Undeletion.

Undeletion is a feature for restoring computer files which have been removed from a file system by file deletion. Deleted data can be recovered on many file systems, but not all file systems provide an undeletion feature. Recovering data without an undeletion facility is usually called data recovery, rather than undeletion. Although undeletion can help prevent users from accidentally losing data, it can also pose a computer security risk, since users may not be aware that deleted files remain accessible.

Support

Not all file systems or operating systems support undeletion. Undeletion is possible on The Trash bin feature uses undelete attributes in ext2/3/4 and Reiser file systems.[6]

Graphical user environments often take a different approach to undeletion, instead using a "holding area" for files to be deleted. Undesired files are moved to this holding area, and all of the files in the holding area are deleted periodically or when a user requests it. This approach is used by the Trash can in Macintosh operating systems and by the recycle bin in Microsoft Windows. This is a natural continuation of the approach taken by earlier systems, such as the limbo group used by LocoScript.[7] This approach is not subject to the risk that other files being written to the filesystem will disrupt a deleted file very quickly; permanent deletion will happen on a predictable schedule or with manual intervention only.

Another approach is offered by programs such as Norton GoBack (formerly Roxio GoBack): a portion of the hard disk space is set aside for file modification operations to be recorded in such a way that they may later be undone. This process is usually much safer in aiding recovery of deleted files than the undeletion operation as described below.

Similarly, file systems that support "snapshots" (like ZFS or btrfs), can be used to make snapshots of the whole file system at regular intervals (e.g. every hour), thus allowing recovery of files from an earlier snapshot.

Limitations

Undeletion is not fail-safe. In general, the sooner undeletion is attempted, the more likely it will be successful. Fragmentation of the deleted file may also reduce the probability of recovery, depending on the type of file system (see below). A fragmented file is scattered across different parts of the disk, instead of being in a contiguous area.

Mechanics

The workings of undeletion depend on the file system on which the deleted file was stored. Some file systems, such as HFS, cannot provide an undeletion feature because no information about the deleted file is retained (except by additional software, which is not usually present). Some file systems, however, do not erase all traces of a deleted file, including the FAT file system:

FAT file system

When a file is "deleted" using a FAT file system, the directory entry remains unchanged, preserving most of the "deleted" file's name, along with its time stamp, file length and — most importantly — its physical location on the disk. The list of disk clusters occupied by the file will, however, be erased from the File Allocation Table, marking those sectors available for use by other files created or modified thereafter.

When undeletion operation is attempted, the following conditions must be met for a successful recovery of the file:

  • The entry of the deleted file must still exist in the directory, meaning that it must not yet be overwritten by a new file (or folder) that has been created in the same directory. Whether this is the case can fairly easily be detected by checking whether the remaining name of the file to be undeleted is still present in the directory.
  • The sectors formerly used by the deleted file must not be overwritten yet by other files. This can fairly well be verified by checking that the sectors are not marked as used in the File Allocation Table. However, if, in the meantime, a new file had been written to the disk, using those sectors, and then deleted again, freeing those sectors again, this cannot be detected automatically by the undeletion program. In this case an undeletion operation, even if appearing successful, might fail because the recovered file contains different data.

Chances of recovering deleted files is higher in FAT16 as compared to FAT32 drives; fragmentation of files is usually less in FAT16 due to large cluster size support (1024 Bytes, 2KB, 4KB, 8KB, 16KB, 32KB and 64KB which is supported only in Windows NT) as compared to FAT32 (4KB, 8KB, 16KB only).

If the undeletion program cannot detect clear signs of the above requirements not being met, it will restore the directory entry as being in use and mark all consecutive sectors (clusters), beginning with the one as recorded in the old directory entry, as used in the File Allocation Table. It is then up to the user to open the recovered file and to verify that it contains the complete data of the formerly deleted file.

Recovery of fragmented files (after the first fragment) is therefore not possible by automatic processes, but only by manual examination of each (unused) block of the disk. This requires detailed knowledge of the file system, as well as the binary format of the file type being recovered, and is therefore only done by recovery specialists or forensics professionals.

Norton UNERASE was an important component in Norton Utilities version 1.0 in 1982. Microsoft included a similar UNDELETE program in versions 5.0 to 6.22 of MS-DOS, but applied the Recycle Bin approach instead in later operating systems using FAT.

Prevention

Data erasure is term that refers to software-based methods of preventing file undeletion.

See also

References

External links

  • FreeUndelete
  • Media Investigator
  • win.tue.nl
This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply. World Heritage Encyclopedia content is assembled from numerous content providers, Open Access Publishing, and in compliance with The Fair Access to Science and Technology Research Act (FASTR), Wikimedia Foundation, Inc., Public Library of Science, The Encyclopedia of Life, Open Book Publishers (OBP), PubMed, U.S. National Library of Medicine, National Center for Biotechnology Information, U.S. National Library of Medicine, National Institutes of Health (NIH), U.S. Department of Health & Human Services, and USA.gov, which sources content from all federal, state, local, tribal, and territorial government publication portals (.gov, .mil, .edu). Funding for USA.gov and content contributors is made possible from the U.S. Congress, E-Government Act of 2002.
 
Crowd sourced content that is contributed to World Heritage Encyclopedia is peer reviewed and edited by our editorial staff to ensure quality scholarly research articles.
 
By using this site, you agree to the Terms of Use and Privacy Policy. World Heritage Encyclopedia™ is a registered trademark of the World Public Library Association, a non-profit organization.