Undeletion

From Wikipedia, the free encyclopedia

You have new messages (last change).
This article or section does not cite its references or sources.
Please help improve this article by introducing appropriate citations. (help, get involved!) This article has been tagged since August 2006.
For undeletion on Wikipedia see Wikipedia:Undeletion.

Undeletion is a feature for restoring computer files which have been removed from a file system by file deletion. Deleted data can be recovered on many file systems, but not all file systems provide an undeletion feature. Recovering data without an undeletion facility is usually called data recovery, rather than undeletion.

Not all file systems or operating systems support undeletion. Undeletion was supported by MS-DOS, but is not supported by most modern UNIX file systems. The ext2 file system has an addon program called e2undel which allows file undeletion.

Undeletion can help prevent users from accidentally deleting files on their machines, but can also provide a computer security risk, since the user may not be aware that "deleted" files are still easily accessible.

It should be noted that undeletion is often not fail-safe. The general rule is: The sooner the undeletion attempt is performed after a file deletion operation, the more likely the recovery works. Another factor is the amount of fragmentation of the file that's to be undeleted: If it was fragmented, the chances of recovery may be lower (but this also depends on the type of file system, see below).

Graphical user environments often take a different approach to undeletion by introducing a "holding area" for files to be deleted. Undesired files are moved to this holding area, and all of the files in the holding area are periodically deleted. This approach is used by the Trash can in Macintosh operating systems and by the Recycle Bin in Microsoft Windows.

Another approach is offered by programs such as Norton GoBack (formerly Roxio GoBack): A certain amount of the hard disk space is set aside in which modification operations to files are recorded in such a way that they may later be undone. This process is usually much safer in aiding recovery of deleted files than the undeletion operation as described below.

[edit] How undeletion works

The workings of undeletion depends on the file system the deleted file was stored on. Some file systems, such as HFS, can not provide an undeletion feature because no information about the deleted file is retained (unless additional software takes care of this as an extra task, but which is not usually the case). Some file systems, however, do not erase all traces of a deleted file, one of them being the FAT file system:

[edit] FAT file system

When a file is deleted on a FAT file system, its directory entry remains stored on the disk, slightly renamed in a way that marks the entry as available for use by newly created files thereafter. Most of its name, its time stamp, file length and — most importantly - starting location on the disk, remains unchanged in the directory entry. The list of disk sectors (clusters, to be more specific) occupied by the file will be erased from the File Allocation Table, however, marking those sectors available for use by other files created or modified thereafter.

When an undeletion attempt is made, the following conditions must be met for a successful recovery of the file:

  • The entry of the deleted file must still exist in the directory, meaning that it must not yet be overwritten by a new file (or folder) that has been created in the same directory. Whether this is the case can fairly easily be detected by checking whether the remaining name of the file to be undeleted is still present in the directory.
  • The sectors formerly used by the deleted file must not be overwritten yet by other files. This can fairly well be verified by checking that the sectors are not marked as used in the File Allocation Table. However, if, in the meantime, a new file had been written to, using those sectors, and then deleted again, freeing those sectors again, this can not be detected automatically by the undeletion program. This means that an undeletion operation, even if appearing successful, might fail because the recovered file contains different data.
  • The file must not have been fragmented, meaning that the sectors its data occupied on the disk must have all been in one uninterrupted sequence. Whether this was the case or not may or may not be detectable by the undeletion program (it depends on the arrangement of other files on the disk).

If the undeletion program can not detect clear signs of the above requirements not being met, it will restore the directory entry as being in use and mark all consecutive sectors (clusters), beginning with the one as recorded in the old directory entry, as used in the File Allocation Table. It is then up to the user to open the recovered file and to verify that it really still contains the complete data of the formerly deleted file.

If the data of the recovered file is not correct, parts of the file may still be stored in other sectors of the disk, but recovery of those is not possible by automatic processes but only by manual examination of each (unused) block of the disk. This is, however, usually hardly feasible and can only be performed by specialists that have very good knowledge of both the disk structure and the data being searched.

Retrieved from "http://en.wikipedia.org../../../u/n/d/Undeletion.html"