Tips for Recovering Mistakenly Deleted Files on Windows (Windows Server)

Source: Internet
Author: User
Tags: knowledge base

If you only have the tools Windows itself provides, it is natural to assume that once the Recycle Bin has been emptied a deleted file is gone for good. That is not the case: with dedicated hardware and software, almost all files can be recovered even when the data has been overwritten, the drive reformatted, the boot sector destroyed, or the disk drive itself no longer works.

1. How a disk stores data

To understand how deleted data can be recovered, you first need to know how a disk holds it. A hard drive contains a stack of platters; data is stored on tracks, which are laid out as concentric circles on each platter surface. The read/write head moves across the surface to reach any part of the platter, so a file can be scattered over many locations on the disk, and the parts of one file are not necessarily stored in order.

Disk space is allocated in clusters, and the cluster size depends on the operating system and the size of the logical volume. If a disk uses 4 K clusters, a 1 K file still occupies 4 K of disk space. A large file may occupy thousands or tens of thousands of clusters spread across the disk; the operating system's file subsystem is responsible for organizing and keeping track of all of them.

Windows currently supports three types of hard disk file system. The first is FAT, the File Allocation Table, the oldest of the three, which has been in use since the early days of DOS. Windows 95 introduced the second, FAT32, and Windows NT 4.0 introduced the third, NTFS. All three share the same basic principle: files are organized in a directory-like structure, the directory entry holds a pointer to the file's first cluster, the FAT entry for that cluster points to the next cluster, and so on until the end-of-file marker is reached.

2. Windows cannot really erase files

In Windows, deleting a file in the normal way does not actually purge the file itself. For example, when you delete a file in Windows Explorer, Windows moves it to the Recycle Bin, and even when you empty the Recycle Bin (or have the Recycle Bin disabled), the operating system still does not erase the file's data.

What Windows calls deletion simply replaces the first character of the file name with a special marker and flags the file's clusters as free; the data the file contained is still on the disk. The next time a new file is written, those clusters may be reused and the original data overwritten. So as long as nothing new has been written over them, the deleted file's data is still intact on disk.

This means tool software can bypass the operating system, operate on the disk directly and restore deleted files. There are many such tools; EasyRecovery is one of the best known.

If you have accidentally deleted an important file and want to recover it, do not let it be overwritten. Stop using the computer immediately and do not save anything to the disk, which includes not installing the recovery tool on the drive that held the deleted file, because anything written to the disk may land on the clusters the deleted file released. If you must install a recovery tool, install it on another partition or a floppy disk, or simply move the hard drive to another machine and recover from there.
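As an added illustration that is not from the original article, the following Python model shows what "delete" does on a FAT volume and how an undelete tool gets the file back from what is left: the directory entry keeps its size and first-cluster fields, so reading that many bytes from the first cluster recovers the data as long as the clusters have not been reused. The volume layout, file names and contents are constructed for the example; the 0xE5 marker is the value FAT really uses.

```python
import struct

DELETED_MARK = 0xE5  # FAT replaces the first byte of a deleted entry's name with 0xE5
CLUSTER = 4096       # 4 K clusters, as in the article's example

def make_dir_entry(name83: bytes, first_cluster: int, size: int) -> bytes:
    """Build a minimal 32-byte FAT directory entry (constructed; time/date fields left zero)."""
    entry = bytearray(32)
    entry[0:11] = name83                              # 8.3 name, space padded
    entry[11] = 0x20                                  # ATTR_ARCHIVE
    struct.pack_into("<H", entry, 26, first_cluster)  # first cluster (low 16 bits)
    struct.pack_into("<I", entry, 28, size)           # file size in bytes
    return bytes(entry)

def fat_delete(directory: bytearray, fat: list, index: int) -> None:
    """What 'delete' does on FAT: mark the entry and free its cluster chain; data clusters untouched."""
    off = index * 32
    cluster = struct.unpack_from("<H", directory, off + 26)[0]
    directory[off] = DELETED_MARK
    while cluster not in (0, 0xFFFF):                 # walk the chain, freeing each cluster
        nxt = fat[cluster]
        fat[cluster] = 0
        cluster = nxt

def undelete(directory: bytes, data_region: bytes, first_data_cluster: int = 2) -> dict:
    """Recover deleted entries by reading `size` bytes from the first cluster (the chain is gone,
    so contiguity is assumed, the same heuristic undelete tools rely on)."""
    recovered = {}
    for off in range(0, len(directory), 32):
        e = directory[off:off + 32]
        if e[0] == 0x00:                              # 0x00 marks the end of the directory
            break
        if e[0] != DELETED_MARK:
            continue
        name = b"?" + e[1:8].rstrip(b" ") + b"." + e[8:11].rstrip(b" ")  # first char is lost
        first = struct.unpack_from("<H", e, 26)[0]
        size = struct.unpack_from("<I", e, 28)[0]
        start = (first - first_data_cluster) * CLUSTER
        recovered[name.decode("ascii")] = data_region[start:start + size]
    return recovered

# Constructed sample volume: REPORT.TXT occupies cluster 2, NOTES.TXT occupies cluster 3.
REPORT = b"Quarterly numbers: revenue 12.3M\n" * 30  # 990 bytes, fits in one cluster
data_region = REPORT.ljust(CLUSTER, b"\x00") + b"N" * CLUSTER
directory = bytearray(make_dir_entry(b"REPORT  TXT", 2, len(REPORT))
                      + make_dir_entry(b"NOTES   TXT", 3, CLUSTER) + bytes(32))
fat = [0xFFF8, 0xFFFF, 0xFFFF, 0xFFFF]  # entries 0 and 1 reserved; clusters 2 and 3 end their chains

fat_delete(directory, fat, 0)           # "delete" REPORT.TXT the way the file system does
recovered = undelete(bytes(directory), data_region)
```

After the delete, the data region is unchanged and only the directory byte and FAT entry differ, which is exactly why the file comes back.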

3. Overwriting seven times to erase the traces

If the data has been overwritten, the usual recovery tools can do nothing, but that does not mean the lost data can never be salvaged. There are generally two ways to read overwritten data from a hard disk.

When the read/write head writes to the disk, it drives the magnetization of each data bit to a suitable strength, but stronger is not better: the signal must stay below a certain limit so that it does not disturb adjacent bits. Because the write is not strong enough to saturate the medium, the signal actually recorded is influenced by the signal previously stored at the same position. For example, if the bit originally recorded was a 0 and it is now overwritten with a 1, the signal strength actually recorded on the medium is weaker than it would be had the original bit also been a 1.

A dedicated hardware device can measure the actual signal strength precisely; subtracting the standard strength of the current bit from that value yields a copy of the overwritten data. In theory this process can be pushed back seven generations, so anyone who wants a file completely erased must overwrite it more than seven times, each time with randomly generated data.

The second recovery technique relies on the fact that the head cannot be positioned at exactly the same spot on every read or write, so newly written data does not land precisely on top of the old data. Traces of the original data always remain, and a dedicated device can analyze them to produce a copy of the original data, the so-called shadow data. Of course, the more times the overwrite is repeated, the fainter these traces become.

Shadow data: the overwritten data always sits right beside the newly written data, just as a person's shadow is always close to the person, which is why overwritten data is called shadow data. Readers comfortable with English can refer to this monograph: http://www.forensics-intl.com/art15.html.

In general, being able to recover deleted or overwritten data is a good thing, except in those situations where data must be erased completely. The best-known standard here is the disk sanitization specification of the U.S. Department of Defense, which requires data to be overwritten three times: first with an 8-bit character, then with the complement of that character (0s and 1s swapped), and finally with a random character. This method, however, is not considered sufficient for media holding highly classified information; such media must be degaussed or physically destroyed. For most situations, though, simple overwriting is enough.

4. The forgotten corners

Deleting and overwriting a file still does not erase all the sensitive data on the hard drive, because data may be hiding in unexpected places, so every sector the file occupied must be cleared completely. A sector is a 512-byte block of data, and each cluster contains several sectors.

When a file is written to disk, its tail usually does not fill the last sector exactly, and the operating system fills the remainder with whatever happens to be in memory. This data taken from memory is called RAM slack (memory dross) and may be anything that was created, accessed or modified since the computer was started. In addition, the sectors of the last cluster that the file does not use are left untouched, still holding their previous contents; this is called drive slack (disk dross). The problem is that many tools that claim to delete files securely do not properly clear RAM slack and drive slack, and these slack areas may hold a great deal of sensitive information.
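The following added Python example, not part of the original article, ties together the Department of Defense three-pass overwrite described in section 3 and the slack problem described just above: it computes how much RAM slack and drive slack a 1000-byte file leaves in a 4 K cluster, and contrasts a wipe that only touches the file's own bytes with a three-pass wipe (a byte, its complement, random data) over the file's whole allocated span. The file contents and the leftover bytes sitting in the slack are constructed for the example.

```python
import os

SECTOR = 512
CLUSTER = 4096  # eight 512-byte sectors, the 4 K cluster size used in the article

def allocated_span(size: int) -> int:
    """Bytes reserved for a file on disk: always whole clusters."""
    return max(1, -(-size // CLUSTER)) * CLUSTER      # ceiling division, at least one cluster

def slack_breakdown(size: int) -> tuple:
    """Split the unused tail of the allocation into RAM slack and drive slack."""
    ram_slack = (-size) % SECTOR                      # rest of the last sector the file touches
    drive_slack = allocated_span(size) - size - ram_slack   # whole sectors the file never reached
    return ram_slack, drive_slack

def naive_wipe(region: bytearray, start: int, size: int) -> bytearray:
    """A tool that overwrites only the file's own bytes: both kinds of slack survive."""
    region[start:start + size] = b"\x00" * size
    return region

def three_pass_wipe(region: bytearray, start: int, size: int, pattern: int = 0x55,
                    rng=os.urandom) -> bytearray:
    """DoD-style three passes (a byte, its complement, random bytes) over the file's WHOLE
    allocated span, so RAM slack and drive slack are cleared together with the file."""
    span = allocated_span(size)
    for fill in (bytes([pattern]) * span, bytes([pattern ^ 0xFF]) * span, rng(span)):
        region[start:start + span] = fill
    return region

# Constructed sample: cluster 0 first held a 4096-byte file (OLD), then a 1000-byte file (NEW)
# was written over its start, leaving OLD's bytes in the slack; cluster 1 belongs to another file.
OLD = b"OLD-SECRET-" * 372 + b"O" * 4                # 4096 bytes
NEW = b"new contents\n" * 76 + b"x" * 12             # 1000 bytes
region = bytearray(OLD + b"N" * CLUSTER)
region[0:len(NEW)] = NEW

after_naive = naive_wipe(bytearray(region), 0, len(NEW))
after_three = three_pass_wipe(bytearray(region), 0, len(NEW))
```

The `rng` parameter exists so the random pass can be replaced with a fixed byte when checking the result; in use it should stay `os.urandom`.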

In the NTFS file system, each file consists of more than one stream: one holds information such as access permissions, another holds the actual file data. NTFS also allows additional streams, called alternate data streams (ADS), which can hold any information; the most common use is storing thumbnail images of graphics files. Because many secure-deletion tools cannot clear ADS, the thumbnail can still leak a secret even after the stream holding the file's actual data has been wiped. Microsoft Knowledge Base article 319300 (http://support.microsoft.com) describes how to stop the system from creating the stream the thumbnail uses, namely by deleting the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ContentIndex\FilterTrackers.

ADS: this abbreviation often stands for Active Directory Services, but in this article ADS means alternate data stream, a secondary storage area outside a file's main data. Think of a briefcase: the main compartment is where things are officially stored, but there are one or two small pockets on the outside for quick access, and those pockets correspond to ADS.

ADS are already well known as a place to hide data and viruses, and are frequently exploited by computer criminals. There are other areas on a hard disk where data can be hidden as well.

Sectors are created during low-level formatting, which is normally done by the hard drive manufacturer. The low-level formatting tool marks damaged sectors so that the disk controller will not write data there. Clusters, each made up of several sectors, are created by a high-level formatting tool such as the Windows or DOS Format command. If bad sectors are found during high-level formatting, the whole cluster is marked bad, yet a bad cluster still contains good sectors, and some people use those sectors to hide data.

On older disks, data can also be hidden in the so-called sector gaps. Older disks have the same number of sectors on every track, but an outer track is clearly longer than an inner one, and some people use the gaps between sectors on the outer tracks to store data. Newer disks avoid this waste with a technique called zoned recording, which adjusts the number of sectors per track according to the track's position.

To reach such hidden areas of the disk, you need a tool that bypasses the operating system's disk access functions. A search of the web shows that the proper professional tools are very expensive: EnCase Forensic Edition (www.guidancesoftware.com) costs more than 2000 dollars; Directory Snoop is perhaps the cheapest at 29 dollars, but it does not support NTFS.

To sum up, recovering data is actually easier than wiping it out completely. If you accidentally delete an important file (and who hasn't), a recovery tool is a lifesaver. Conversely, if you are about to sell a second-hand phone or hard disk, consider whether you need to clean the drive thoroughly first.

That is the whole of this article; I hope you found it useful.
