Undeletion
Encyclopedia
Undeletion is a feature for restoring computer file
s which have been removed from a file system
by file deletion
. Deleted data can be recovered on many file systems, but not all file systems provide an undeletion feature. Recovering data without an undeletion facility is usually called data recovery
, rather than undeletion. Although undeletion can help prevent users from accidentally losing data, it can also pose a computer security
risk, since users may not be aware that deleted files remain accessible.
file systems, though AdvFS
is a notable exception. The ext2
file system has an addon program called e2undel which allows file undeletion. The similar ext3
file system does not officially support undeletion, but ext3grep was written to automate the undeletion of ext3 volumes. Undelete was proposed in ext4
, but is yet to be implemented. However, trash bin feature was posted as a patch back in 2006-12-04. The Trash bin feature uses undelete
attributes in ext2/3/4 and reiser file systems.
Graphical user environments often take a different approach to undeletion, instead using a "holding area" for files to be deleted. Undesired files are moved to this holding area, and all of the files in the holding area are deleted periodically or when a user requests it. This approach is used by the Trash can in Macintosh
operating systems and by the recycle bin in Microsoft Windows
. This is a natural continuation of the approach taken by earlier systems, such as the limbo group used by CP/M
. This approach is not subject to the risk that other files being written to the filesystem will disrupt a deleted file very quickly; permanent deletion will happen on a predictable schedule or with manual intervention only.
Another approach is offered by programs such as Norton GoBack (formerly Roxio GoBack): a portion of the hard disk space is set aside for file modification operations to be recorded in such a way that they may later be undone. This process is usually much safer in aiding recovery of deleted files than the undeletion operation as described below.
Similarly, file systems that support "snapshots" (like ZFS
or btrfs
), can be used to make snapshots of the whole file system at regular intervals (e.g. every hour), thus allowing recovery of files from an earlier snapshot.
, cannot provide an undeletion feature because no information about the deleted file is retained (except by additional software, which is not usually present). Some file systems, however, do not erase all traces of a deleted file, including the FAT file system:
file system, the directory entry
remains unchanged, preserving most of the "deleted" file's name, along with its time stamp, file length and — most importantly — its physical location on the disk. The list of disk clusters occupied by the file will, however, be erased from the File Allocation Table, marking those sectors available for use by other files created or modified thereafter.
When undeletion operation is attempted, the following conditions must be met for a successful recovery of the file:
Chances of recovering deleted files is higher in FAT16 as compared to FAT32 drives; fragmentation of files is usually less in FAT16 due to large cluster size support (1024 Bytes, 2KB, 4KB, 8KB, 16KB, 32KB and 64KB which is supported only in Windows NT) as compared to FAT32 (4KB, 8KB, 16KB only).
If the undeletion program cannot detect clear signs of the above requirements not being met, it will restore the directory entry as being in use and mark all consecutive sectors (clusters), beginning with the one as recorded in the old directory entry, as used in the File Allocation Table. It is then up to the user to open the recovered file and to verify that it contains the complete data of the formerly deleted file.
Recovery of fragmented files (after the first fragment) is therefore not possible by automatic processes, but only by manual examination of each (unused) block of the disk. This requires detailed knowledge of the file system, as well as the binary format of the file type being recovered, and is therefore only done by recovery specialists or forensics professionals.
Norton UNERASE was an important component in Norton Utilities
version 1.0 in 1982. Microsoft included a similar UNDELETE program in versions 5.0 to 6.22 of MS-DOS
, but applied the Recycle Bin approach instead in later operating systems using FAT.
Computer file
A computer file is a block of arbitrary information, or resource for storing information, which is available to a computer program and is usually based on some kind of durable storage. A file is durable in the sense that it remains available for programs to use after the current program has finished...
s which have been removed from a file system
File system
A file system is a means to organize data expected to be retained after a program terminates by providing procedures to store, retrieve and update data, as well as manage the available space on the device which contain it. A file system organizes data in an efficient manner and is tuned to the...
by file deletion
File deletion
File deletion is a way of removing a file from a computer's file system.The reasons for deleting files are#Freeing the disk space#Removing duplicate or unnecessary data to avoid confusion#Making sensitive information unavailable to others...
. Deleted data can be recovered on many file systems, but not all file systems provide an undeletion feature. Recovering data without an undeletion facility is usually called data recovery
Data recovery
Data recovery is the process of salvaging data from damaged, failed, corrupted, or inaccessible secondary storage media when it cannot be accessed normally. Often the data are being salvaged from storage media such as internal or external hard disk drives, solid-state drives , USB flash drive,...
, rather than undeletion. Although undeletion can help prevent users from accidentally losing data, it can also pose a computer security
Computer security
Computer security is a branch of computer technology known as information security as applied to computers and networks. The objective of computer security includes protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to...
risk, since users may not be aware that deleted files remain accessible.
Support
Not all file systems or operating systems support undeletion. Undeletion is possible on FAT16 file systems, with Microsoft providing undeletion utilities for both MS-DOS 5-6.22 and 16-bit Windows operating systems. It is not supported by most modern UNIXUnix
Unix is a multitasking, multi-user computer operating system originally developed in 1969 by a group of AT&T employees at Bell Labs, including Ken Thompson, Dennis Ritchie, Brian Kernighan, Douglas McIlroy, and Joe Ossanna...
file systems, though AdvFS
AdvFS
AdvFS, also known as Tru64 UNIX Advanced File System, is a file system developed in the late 1980s to mid 1990s by Digital Equipment Corporation for their OSF/1 version of the Unix operating system...
is a notable exception. The ext2
Ext2
The ext2 or second extended filesystem is a file system for the Linux kernel. It was initially designed by Rémy Card as a replacement for the extended file system ....
file system has an addon program called e2undel which allows file undeletion. The similar ext3
Ext3
The ext3 or third extended filesystem is a journaled file system that is commonly used by the Linux kernel. It is the default file system for many popular Linux distributions, including Debian...
file system does not officially support undeletion, but ext3grep was written to automate the undeletion of ext3 volumes. Undelete was proposed in ext4
Ext4
The ext4 or fourth extended filesystem is a journaling file system for Linux, developed as the successor to ext3.It was born as a series of backward compatible extensions to ext3, many of them originally developed by Cluster File Systems for the Lustre file system between 2003 and 2006, meant to...
, but is yet to be implemented. However, trash bin feature was posted as a patch back in 2006-12-04. The Trash bin feature uses undelete
attributes in ext2/3/4 and reiser file systems.
Graphical user environments often take a different approach to undeletion, instead using a "holding area" for files to be deleted. Undesired files are moved to this holding area, and all of the files in the holding area are deleted periodically or when a user requests it. This approach is used by the Trash can in Macintosh
Macintosh
The Macintosh , or Mac, is a series of several lines of personal computers designed, developed, and marketed by Apple Inc. The first Macintosh was introduced by Apple's then-chairman Steve Jobs on January 24, 1984; it was the first commercially successful personal computer to feature a mouse and a...
operating systems and by the recycle bin in Microsoft Windows
Microsoft Windows
Microsoft Windows is a series of operating systems produced by Microsoft.Microsoft introduced an operating environment named Windows on November 20, 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces . Microsoft Windows came to dominate the world's personal...
. This is a natural continuation of the approach taken by earlier systems, such as the limbo group used by CP/M
CP/M
CP/M was a mass-market operating system created for Intel 8080/85 based microcomputers by Gary Kildall of Digital Research, Inc...
. This approach is not subject to the risk that other files being written to the filesystem will disrupt a deleted file very quickly; permanent deletion will happen on a predictable schedule or with manual intervention only.
Another approach is offered by programs such as Norton GoBack (formerly Roxio GoBack): a portion of the hard disk space is set aside for file modification operations to be recorded in such a way that they may later be undone. This process is usually much safer in aiding recovery of deleted files than the undeletion operation as described below.
Similarly, file systems that support "snapshots" (like ZFS
ZFS
In computing, ZFS is a combined file system and logical volume manager designed by Sun Microsystems. The features of ZFS include data integrity verification against data corruption modes , support for high storage capacities, integration of the concepts of filesystem and volume management,...
or btrfs
Btrfs
Btrfs is a GPL-licensed copy-on-write file system for Linux.Development began at Oracle Corporation in 2007....
), can be used to make snapshots of the whole file system at regular intervals (e.g. every hour), thus allowing recovery of files from an earlier snapshot.
Limitations
Undeletion is not fail-safe. In general, the sooner undeletion is attempted, the more likely it will be successful. Fragmentation of the deleted file may also reduce the probability of recovery, depending on the type of file system (see below). A fragmented file is scattered across different parts of the disk, instead of being in a contiguous area.Mechanics
The workings of undeletion depend on the file system on which the deleted file was stored. Some file systems, such as HFSHierarchical File System
Hierarchical File System is a file system developed by Apple Inc. for use in computer systems running Mac OS. Originally designed for use on floppy and hard disks, it can also be found on read-only media such as CD-ROMs...
, cannot provide an undeletion feature because no information about the deleted file is retained (except by additional software, which is not usually present). Some file systems, however, do not erase all traces of a deleted file, including the FAT file system:
FAT file system
When a file is "deleted" using a FATFile Allocation Table
File Allocation Table is a computer file system architecture now widely used on many computer systems and most memory cards, such as those used with digital cameras. FAT file systems are commonly found on floppy disks, flash memory cards, digital cameras, and many other portable devices because of...
file system, the directory entry
Directory (file systems)
In computing, a folder, directory, catalog, or drawer, is a virtual container originally derived from an earlier Object-oriented programming concept by the same name within a digital file system, in which groups of computer files and other folders can be kept and organized.A typical file system may...
remains unchanged, preserving most of the "deleted" file's name, along with its time stamp, file length and — most importantly — its physical location on the disk. The list of disk clusters occupied by the file will, however, be erased from the File Allocation Table, marking those sectors available for use by other files created or modified thereafter.
When undeletion operation is attempted, the following conditions must be met for a successful recovery of the file:
- The entry of the deleted file must still exist in the directory, meaning that it must not yet be overwritten by a new file (or folder) that has been created in the same directory. Whether this is the case can fairly easily be detected by checking whether the remaining name of the file to be undeleted is still present in the directory.
- The sectors formerly used by the deleted file must not be overwritten yet by other files. This can fairly well be verified by checking that the sectors are not marked as used in the File Allocation Table. However, if, in the meantime, a new file had been written to the disk, using those sectors, and then deleted again, freeing those sectors again, this cannot be detected automatically by the undeletion program. In this case an undeletion operation, even if appearing successful, might fail because the recovered file contains different data.
Chances of recovering deleted files is higher in FAT16 as compared to FAT32 drives; fragmentation of files is usually less in FAT16 due to large cluster size support (1024 Bytes, 2KB, 4KB, 8KB, 16KB, 32KB and 64KB which is supported only in Windows NT) as compared to FAT32 (4KB, 8KB, 16KB only).
If the undeletion program cannot detect clear signs of the above requirements not being met, it will restore the directory entry as being in use and mark all consecutive sectors (clusters), beginning with the one as recorded in the old directory entry, as used in the File Allocation Table. It is then up to the user to open the recovered file and to verify that it contains the complete data of the formerly deleted file.
Recovery of fragmented files (after the first fragment) is therefore not possible by automatic processes, but only by manual examination of each (unused) block of the disk. This requires detailed knowledge of the file system, as well as the binary format of the file type being recovered, and is therefore only done by recovery specialists or forensics professionals.
Norton UNERASE was an important component in Norton Utilities
Norton Utilities
Norton Utilities is a utility software suite designed to help analyze, configure, optimize and maintain the computer. The current version 15 of Norton Utilities Premier Edition for Windows XP/Vista/7 was released December 27, 2010....
version 1.0 in 1982. Microsoft included a similar UNDELETE program in versions 5.0 to 6.22 of MS-DOS
MS-DOS
MS-DOS is an operating system for x86-based personal computers. It was the most commonly used member of the DOS family of operating systems, and was the main operating system for IBM PC compatible personal computers during the 1980s to the mid 1990s, until it was gradually superseded by operating...
, but applied the Recycle Bin approach instead in later operating systems using FAT.
Prevention
Data erasure is term that refers to software-based methods of preventing file undeletion.See also
- List of data recovery software
- Rollback (data management)Rollback (data management)In database technologies, a rollback is an operation which returns the database to some previous state. Rollbacks are important for database integrity, because they mean that the database can be restored to a clean copy even after erroneous operations are performed...
- UndoUndoUndo is a command in many computer programs. It erases the last change done to the document reverting it to an older state. In some more advanced programs such as graphic processing, undo will negate the last command done to the file being edited....
- BackupBackupIn information technology, a backup or the process of backing up is making copies of data which may be used to restore the original after a data loss event. The verb form is back up in two words, whereas the noun is backup....
- Paper shredder#Unshredding