Undeletion is a feature to recover computer files that have been deleted from file system by file deletion. Deleted data can be recovered on many file systems, but not all file systems provide a cancellation feature. Recovering data without a destruction facility is usually called data recovery, not a cancellation. Although undeletion can help prevent users from accidentally losing data, it can also pose a computer security risk, as users may not be aware that deleted files are still accessible.
Video Undeletion
Support
Not all file systems or operating systems support undeletion. Cancellation of deletion is possible on all FAT file systems, with the undeletion utility provided since MS-DOS 5.0 and DR DOS 6.0 in 1991. This is not supported by most modern UNIX file systems, although AdvFS is an important exception. Ext2 system files have an additional program called e2undel that allows file deletion. A similar ext3 file system does not officially support cancellation, but ext3grep is written to automate the removal of ext3 volumes. Undelete proposed on ext4, but not yet implemented. However, the trash can feature was posted as an attachment on December 4, 2006. The Trash Can feature uses the undelete attribute on ext2/3/4 and the Reiser file system.
A graphical user environment often takes a different approach to undelete, instead of using "storage area" for files to delete. Unwanted files are moved to this storage area, and all files in the storage area are deleted periodically or when the user requests them. This approach is used by Trash can in the Macintosh operating system and by the recycle bin in Microsoft Windows. This is a natural continuation of the approach taken by the previous system, such as the limbo group used by LocoScript. This approach is not subject to the risk that other files written to the filesystem will interrupt deleted files very quickly; permanent deletion will occur on a predictable schedule or with manual intervention only.
Other approaches are offered by programs like Norton GoBack (formerly Roxio GoBack): some of the hard disk space is set aside for file modification operations to be recorded in the way they can later be undone. This process is usually much safer in helping to recover deleted files than cancellation operations as described below.
Similarly, file systems that support "snapshots" (such as ZFS or btrfs) can be used to periodically create a snapshot of the entire file system (such as every hour), allowing file recovery from previous snapshots.
Maps Undeletion
Limitations
Unauthorized removal. In general, the sooner undeletion is attempted, the more likely it will be to succeed. This is because the more systems used, the more data is written to the drive and potentially allocated to the deleted space. Fragmented deleted files can also reduce the possibility of recovery, depending on the file system type (see below). Fragmented files are scattered across different parts of the disk, rather than being in adjacent areas.
Mechanics
How the undeletion works depends on the file system where deleted files are stored. Some file systems, such as HFS, can not provide destructive features because no information about deleted files is retained (except by additional software, which usually does not exist). However, some file systems do not delete all traces of deleted files, including the FAT file system:
FAT file system
When a file is "deleted" using the FAT file system, directory entries remain almost unchanged except for the first character of the file name, preserving most of the "deleted" file names, along with the time. cap, file length and - most importantly - its physical location on disk. The list of disk clusters occupied by the file will, however, be erased from the File Allocation Table , marking the sectors available for use by other files created or modified thereafter.
When the operating removal operation is attempted, the following conditions must be met for successful file recovery:
- The deleted files entry must remain in the directory, which means that it has not yet to be overwritten by a new file (or folder) that has been created in the same directory. Is this the case can be easily detected by checking if the filename left to be deleted still exists in the directory.
- Clusters previously used by deleted files should not be overwritten by other files. This can be verified fairly well by checking that the cluster is not marked as used in File Allocation Table . However, if, meanwhile, new files have been written to disk, using those sectors, and then deleted again, freeing those sectors again, this can not be detected automatically by its removal program. In this case the cancellation operation, even if it appears successful, may fail because the recovered file contains different data.
- For FAT32 devices, 16 bits lower than physical addresses are usually stored in directory entries, but the high address bits are zeroed down. Many recovery programs ignore this fact and fail to recover data correctly.
The possibility of recovering deleted files is often higher in FAT12 and FAT16 than with FAT32 volumes because of the usually larger cluster size used by previous systems.
If the undeletion program can not detect clear signs of the above requirements unfulfilled, it will restore the directory entries as being in use and mark all consecutive groups, starting with those as recorded in old directory entries, as used in > File Allocation Table . It then gets to the user to open the restored file and to verify that it contains the complete data from the previously deleted file.
Recovery of fragmented files (after the first fragment) is therefore not normally possible by automated processes, only by manual inspection of each (unused) block from the disk. This requires detailed knowledge of the file system, as well as the binary format of the recovered file types, and therefore only by recovery specialists or forensic experts.
Norton UNERASE was an important component in Norton Utilities version 1.0 in 1982. Microsoft incorporated a similar UNDELETE program in versions 5.0 to 6.22 from MS-DOS, but applied the Recycle Bin approach instead of the next operating system using FAT. DR DOS 6.0 and higher UNDELETE support as well, but optionally offer additional protection using the FAT DISKMAP snapshot utility and the DELWATCH removal component of the population, which actively maintains deleted date and time stamps of files and stores deleted file contents so as not to be overwritten unless running out of disk space. DELWATCH also supports remote file deletion on the file server. Since Novell DOS 7 kernel will store the first letter of the deleted file in the directory entry to help the removal tool further in recovering the original name. PTS-DOS offers the same features, can be configured by SAVENAME CONFIG.SYS directives.
Prevention
Data deletion is a term that refers to software-based methods to prevent cancellation of files.
See also
- Back up
- List of data recovery software â ⬠<â â¬
- Paper shredder
- Rollback (data management)
- Undo
References
External links
- FreeUndelete
- Media Searcher
- win.tue.nl
- FAT32 cluster pointer bit high problem
Source of the article : Wikipedia