Data recovery chances: The filesystems of Windows

The success of data recovery depends greatly on the type of filesystem used on a storage device. Provided that the files you seek haven't been destroyed by new information written over them and the medium itself is functional, it is easy to estimate the likelihood of getting them back just by looking at certain specifics of the employed format. This way, you can set realistic expectations of what is achievable even before starting a data recovery tool.

If you have a computer running Windows, its internal drive is most likely formatted with NTFS. Portable devices, like thumb drives and memory cards, normally use FAT/FAT32 or exFAT. Proficient users sometimes choose ReFS, but this new-generation filesystem from Microsoft is more common on servers, so it won't be covered in this article.

NTFS

NTFS keeps the information about files in a special database called the Master File Table (MFT). Every file has at least one entry in the MFT, which records everything about it, including its name, size and location on the storage device. Some very small files are also stored completely in the MFT, while larger ones are placed outside it, and the MFT entry then points to the location of the file's actual content.

A directory in NTFS is also a particular kind of file that, instead of data, contains the list of names for files that belong to this directory.

Another special file called the Bitmap tracks which of the blocks are occupied, and which of them are free and can be reused.

Deletion

Procedure: When a file is deleted, NTFS marks the MFT entry that describes it as free. The data blocks are also marked as free in the Bitmap. The name of the file is removed from the directory.

Recovery: Until NTFS decides to reuse this MFT entry, the file's name, size and location stay there. This information is more than enough to "undelete" the file in its original form. The success rate in this case is fairly high. When the MFT entry doesn't exist anymore, but the data blocks haven't been overwritten, the possibility of recovery still remains. But since the filesystem can no longer give a hint where the file's content is, a data recovery tool has to bypass it and analyze the entire storage at a lower level, identifying and reconstructing files based on the known specifics of different file formats. This method is also referred to as RAW data recovery. Its main drawback is that files will lose their initial names and will probably be put into some automatically created directories.
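The check an undelete tool performs on each MFT entry, as an added example that is not part of the original article: a record whose in-use flag is cleared but whose $FILE_NAME attribute is still readable is a candidate for recovery with its original name. The record layout offsets follow the commonly documented NTFS on-disk format; the sample records are constructed, the helper names are hypothetical, and the update sequence (fixup) array is not applied.

```python
import struct

RECORD_SIZE = 1024                  # common MFT record size, assumed for the sample
FLAG_IN_USE, FLAG_DIR = 0x0001, 0x0002
ATTR_FILE_NAME, ATTR_END = 0x30, 0xFFFFFFFF

def parse_record(rec):
    """Return (in_use, is_dir, name) for one MFT record, or None if it is not one."""
    if rec[:4] != b"FILE":
        return None
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    name, off = None, first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if atype == ATTR_FILE_NAME and rec[off + 8] == 0:    # resident attribute
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            name = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        off += alen
    return bool(flags & FLAG_IN_USE), bool(flags & FLAG_DIR), name

def recoverable_names(mft):
    """Names of files whose MFT entry is marked free but still holds metadata."""
    names = []
    for i in range(0, len(mft), RECORD_SIZE):
        parsed = parse_record(mft[i:i + RECORD_SIZE])
        if parsed and not parsed[0] and not parsed[1] and parsed[2]:
            names.append(parsed[2])
    return names

def make_record(name, flags):
    """Build a minimal constructed MFT record (sample data, no fixup array)."""
    body = bytearray(0x42) + name.encode("utf-16-le")
    body[0x40] = len(name)
    alen = (0x18 + len(body) + 7) & ~7
    attr = struct.pack("<IIBBHHHIHH", ATTR_FILE_NAME, alen, 0, 0, 0, 0, 0,
                       len(body), 0x18, 0) + body
    rec = bytearray(b"FILE".ljust(0x38, b"\0"))
    struct.pack_into("<HH", rec, 0x14, 0x38, flags)
    rec += attr.ljust(alen, b"\0") + struct.pack("<I", ATTR_END)
    return bytes(rec).ljust(RECORD_SIZE, b"\0")

# Constructed sample: deleted file, live file, deleted directory, unused slot.
SAMPLE_MFT = (make_record("report.docx", 0) + make_record("notes.txt", FLAG_IN_USE)
              + make_record("old_dir", FLAG_DIR) + b"\0" * RECORD_SIZE)

print(recoverable_names(SAMPLE_MFT))
```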

Formatting

Procedure: The formatting procedure creates a new MFT table, which overwrites the first entries of the current MFT table. Yet, the rest of the entries continue to exist until they are reused for new files.

Recovery: The information about the first 256 files is not available in the MFT table. They can be retrieved only by means of RAW data recovery. The remaining files can be restored successfully with their original names and directories.
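RAW data recovery as described above, sketched as an added example that is not part of the original article: the scanner ignores the filesystem, looks for known format signatures in the raw bytes and assigns generated names in per-type directories. It assumes each file is stored contiguously and ends with a fixed footer; the sample "disk" is constructed and the function name is hypothetical.

```python
# Header/footer pairs for a few formats that end with a fixed marker.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

def carve(image, max_size=1 << 20):
    """Return {generated_path: content} for each header/footer pair in image."""
    found, counters = {}, {}
    for ext, (head, foot) in SIGNATURES.items():
        pos = image.find(head)
        while pos != -1:
            end = image.find(foot, pos + len(head), pos + max_size)
            if end == -1:                       # header without footer: skip it
                pos = image.find(head, pos + 1)
                continue
            end += len(foot)
            counters[ext] = counters.get(ext, 0) + 1
            # Original names live in the filesystem metadata, which is gone,
            # so the carved file gets a generated name in a per-type directory.
            found[f"{ext}/file{counters[ext]:05d}.{ext}"] = image[pos:end]
            pos = image.find(head, end)
    return found

# Constructed sample "disk": zeroed sectors, a PNG-like blob, noise, a JPEG-like blob.
PNG_BLOB = b"\x89PNG\r\n\x1a\n" + b"<constructed chunks>" + b"IEND\xaeB`\x82"
JPG_BLOB = b"\xff\xd8\xff\xe0" + b"<constructed scan data>" + b"\xff\xd9"
SAMPLE_IMAGE = b"\0" * 512 + PNG_BLOB + b"\x11" * 100 + JPG_BLOB + b"\0" * 64

for path, content in carve(SAMPLE_IMAGE).items():
    print(path, len(content))
```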

FAT/FAT32

FAT/FAT32 allocates the content of files in chunks that are called clusters. It is not always possible to use clusters found close to each other, which results in fragmentation. The locations of the clusters that compose a given file, and their sequence, are recorded in the File Allocation Table (FAT). This table also indicates when a cluster is not taken at the moment and can be written to.

Each file in FAT/FAT32 belongs to some directory, where it has its individual entry. Such an entry stores its name, size and starting cluster. If the name is long, an additional directory entry may be created for it, besides the main one.

Directories themselves are special files. The principal one is called the root directory, and it is usually found somewhere at the start of a partition.

Deletion

Procedure: FAT/FAT32 wipes from the FAT table the information about which clusters make up the file. The directory entry that has its name, size and starting cluster is marked as deleted. The first character in the name gets replaced.

Recovery: Provided that the directory entry still exists, it is possible to find the first cluster and size of the file. However, the sequence of clusters is lost. If they are adjacent to each other, the file will be successfully restored. Yet, in case of extensive fragmentation, data recovery will be incomplete, since it is hard to predict the locations of the following clusters.
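What a recovery tool can and cannot do with a deleted FAT/FAT32 directory entry, as an added example that is not part of the original article: the entry still yields the starting cluster and size, so a contiguous file comes back intact while a fragmented one does not. The entry offsets follow the standard 32-byte FAT directory entry layout; the data region, entries and helper names are constructed for the illustration.

```python
import struct

CLUSTER = 16      # tiny cluster size for the constructed sample (real ones are KiB)

def parse_deleted(entry):
    """Return (name, start_cluster, size) if a 32-byte entry is marked deleted."""
    if entry[0] != 0xE5 or entry[11] == 0x0F:      # live entry or long-name slot
        return None
    hi, = struct.unpack_from("<H", entry, 20)
    lo, size = struct.unpack_from("<HI", entry, 26)
    base = entry[1:8].decode("ascii").rstrip()     # first character is lost
    ext = entry[8:11].decode("ascii").rstrip()
    return "_" + base + ("." + ext if ext else ""), (hi << 16) | lo, size

def recover_contiguous(data, start, size):
    """Guess the content by assuming the clusters follow each other on disk."""
    off = (start - 2) * CLUSTER                    # data clusters are numbered from 2
    return data[off:off + size]

def make_entry(name83, start, size):
    """Build a constructed deleted directory entry (sample data)."""
    e = bytearray(32)
    e[0:11] = name83
    e[0], e[11] = 0xE5, 0x20
    struct.pack_into("<H", e, 20, start >> 16)
    struct.pack_into("<HI", e, 26, start & 0xFFFF, size)
    return bytes(e)

# Constructed data region: REPORT.TXT in clusters 2-3, PHOTO.JPG in 4 and 6,
# with cluster 5 owned by another file. The FAT chain is gone after deletion.
FILE_A, FILE_B = b"A" * 30, b"B" * 30
DATA = (FILE_A.ljust(32, b"\0") + FILE_B[:16] + b"x" * 16
        + FILE_B[16:].ljust(16, b"\0"))
ORIGINALS = {"_EPORT.TXT": FILE_A, "_HOTO.JPG": FILE_B}
ENTRIES = [make_entry(b"REPORT  TXT", 2, 30), make_entry(b"PHOTO   JPG", 4, 30)]

def demo():
    """Map each recovered name to True if the guess matches the original."""
    result = {}
    for entry in ENTRIES:
        name, start, size = parse_deleted(entry)
        result[name] = recover_contiguous(DATA, start, size) == ORIGINALS[name]
    return result

print(demo())
```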

Formatting

Procedure: The information contained in the FAT table is destroyed. The root directory is deleted. The content of files remains untouched, though.

Recovery: Likewise, files stored in consecutive clusters can be recovered with high probability. However, fragmented ones do not stand much chance of being reconstructed.

exFAT

exFAT is a successor to FAT/FAT32 tailored to overcome some of its limitations. It organizes data in much the same way, yet with a few important differences. Instead of all clusters, the File Allocation Table describes only those that belong to fragmented files. Meanwhile, a separate structure called the Allocation Bitmap indicates the state of each cluster - whether it is occupied or can be used for new files. This practice allows placing the content of files in a more contiguous manner, thus reducing fragmentation.

Deletion

Procedure: exFAT marks the corresponding clusters as released in the Allocation Bitmap. The directory entry is also marked as inactive. In case of a fragmented file, the sequence of its clusters remains in the FAT table.

Recovery: A non-fragmented file can be easily recovered using the information about its starting cluster and size that is left in the directory entry. A fragmented file can be reconstructed using the sequence of clusters available in the FAT table. Therefore, the recovery of deleted files, including fragmented ones, becomes much more accurate in comparison to FAT/FAT32.
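The two recovery paths described above, as an added example that is not part of the original article: a deleted contiguous file is rebuilt from its starting cluster and size alone, a deleted fragmented file from the chain still present in the FAT. Field offsets follow the published exFAT Stream Extension entry layout; the volume, entries and helper names are constructed, and passing a zeroed FAT shows the incomplete result expected after formatting.

```python
import struct

CLUSTER = 8                  # tiny cluster size for the constructed sample
NO_FAT_CHAIN = 0x02          # GeneralSecondaryFlags bit: data is contiguous

def cluster_list(stream_entry, fat):
    """Return (clusters, length) for a deleted Stream Extension entry, else None."""
    etype, flags = stream_entry[0], stream_entry[1]
    if etype != 0x40:                              # 0xC0 with the in-use bit cleared
        return None
    first, length = struct.unpack_from("<IQ", stream_entry, 20)
    count = -(-length // CLUSTER)                  # clusters needed, rounded up
    if flags & NO_FAT_CHAIN:                       # contiguous: FAT is not consulted
        return list(range(first, first + count)), length
    chain, cur = [], first
    while 2 <= cur < len(fat) and len(chain) < count:   # fragmented: follow the FAT
        chain.append(cur)
        cur = fat[cur]
    return chain, length

def read_file(data, clusters, length):
    """Concatenate the listed clusters (numbered from 2) and trim to length."""
    raw = b"".join(data[(c - 2) * CLUSTER:(c - 1) * CLUSTER] for c in clusters)
    return raw[:length]

def make_stream(flags, first, length):
    """Build a constructed deleted Stream Extension entry (sample data)."""
    e = bytearray(32)
    e[0], e[1] = 0x40, flags
    struct.pack_into("<IQ", e, 20, first, length)
    return bytes(e)

# Constructed volume: FILE_C contiguous in clusters 2-3, FILE_F in 4, 6 and 7.
FILE_C, FILE_F = b"C" * 12, b"F" * 18
DATA = (FILE_C.ljust(16, b"\0") + FILE_F[:8] + b"other..." + FILE_F[8:16]
        + FILE_F[16:].ljust(8, b"\0"))
FAT = [0] * 8
FAT[4], FAT[6], FAT[7] = 6, 7, 0xFFFFFFFF          # chain 4 -> 6 -> 7 -> end
ENTRY_C = make_stream(0x01 | NO_FAT_CHAIN, 2, len(FILE_C))
ENTRY_F = make_stream(0x01, 4, len(FILE_F))

def recover(entry, fat):
    """Rebuild a deleted file from its stream entry and the given FAT."""
    return read_file(DATA, *cluster_list(entry, fat))
```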

Formatting

Procedure: exFAT wipes the information about the content of fragmented files stored in the FAT table. It also deletes the root directory.

Recovery: In view of a lower degree of fragmentation, most files can be restored in their entirety using the method of RAW data recovery. However, as the information about the fragments is missing, a certain portion of files may appear to be incomplete and thus corrupted.
