As a person specializing in computer work, some of my relatives and friends often call me to ask some questions about data loss. They encounter a variety of problems, sometimes the data is accidentally deleted, sometimes the data is infected by the virus and lost, sometimes the hard disk itself is a problem. No matter what the cause of the loss of data, these people who are experiencing problems have the same problem, that is, they are not IT professionals, and never back up their data.
The author has done a lot of data recovery work recently, so I decided to write some articles about data recovery. I intend to discuss some of the conventional techniques I use in these articles. In this article, I will talk about how to deal with data loss, under what circumstances can data recovery, in what situation data recovery is not able to, and the principle of data recovery and so on several aspects.
Although data recovery is a very complex process, it is based on a very simple principle. Data recovery can be possible because the file and the information associated with the file are two distinct things, and are stored in two different places respectively. The Windows operating system uses the file allocation table (Files allocation table) to determine which files reside on the hard disk and where the files are stored specifically.
If we need to make an analogy between how the file system works on a hard drive, it would be most appropriate to liken it to a book. A file allocation table is like a directory section of a book. The files stored on the real hard drive are like every page in the body of the book.
To get a clearer picture of how the data recovery process works, we need to do some more in-depth analogies. For example, if you want to install a new pool in the kitchen, you buy a book about home improvement. You opened the book and found a specific section on the installation method of the pool in the catalogue is on page 40th of the book. If you tore the catalogue part of the book and tore it to pieces, did you lose information about how to install the pool? Of course not, the way to install the pool is still in this book, just because you have no directory, so it will be difficult to find this method.
Data recovery works in much the same way as the above. Typically, when some data needs to be recovered, it is due to confusion in its file allocation table. Files that need to be recovered are still stored in your hard drive and are well preserved. If the file is still smashed and is not corrupted or encrypted, then the file is recoverable. What you need to do is find this file.
On the other side, if the file itself is corrupted or lost or encrypted, then using a generic method may not work. This is not to say that data recovery is not possible, but rather that data recovery needs to be done in unconventional ways. Because you have no way to change something that doesn't exist like a magician.
If the file is physically corrupted and you do not have a backup of the file, your only hope is to refactor the file (reconstruct). Many applications, such as Microsoft Office, write a uniform header (uniform header) at the beginning of the file to specify that the file belongs to a file that the application can invoke. Some tool software can be used to refactor the title of a file manually, so we can at least use it to recover parts of the file.
In most cases, data loss is not due to problems with the data itself, but to the file allocation table. An example of this is what you do when you delete a file. When you delete a file, the file is usually moved to the Recycle Bin. When you delete the file from the Recycle Bin, or you never use the Recycle Bin instead of deleting the file, the files are still not deleted.
In fact, the operating system simply modifies the first letter of the file's filename in the file allocation table to the "sigma" tag (a question mark used in the previous file system). The operating system also writes "0" to the cluster chain entrance in the file allocation table so that the previously used disk space of the file can be displayed as still available. When the file is deleted in this way, the file itself still exists, unless another file overwrites the area on the hard drive, which is exactly the area where the deleted file was previously stored.
I've explained how the deletion process actually happened, but we can still use similar concepts to understand the problem when the hard drive is formatted or the file allocation table is corrupted. In most cases, files are still present, and they are only removed from the file allocation table (or changed to some filenames that Windows defaults to not showing).