Recovery using metadata
When this technique is possible, it yields the most complete results. Metadata is structural information about the files and folders maintained by a file system, such as:
File recovery using metadata is the most basic and preferred technique. It can restore
both the file contents and folder structures. Basically File Scavenger™ scans a drive looking for file system metadata and uses the metadata to
reconstruct the files and folders.
- The file (or folder) name and the path of the parent folder.
- The date and time the file (or folder) was created.
- Who can access the file (or folder) and with what access rights (such as read, write and execute.)
- Most importantly the size and locations on disk of the contents. The contents of a file are user data. The contents of a folder are the metadata of
the files and sub-folders contained inside the folder.
This technique works well when metadata is still present, such as in the following scenarios:
This technique is not possible without metadata, such as in the following scenarios:
- Volume corruption due to transient hardware issues, power interruption, etc. causing the volume to become inaccessible.
- Volume deletion. The operating system usually removes the volume from a master table but otherwise leaves intact the metadata contained inside the volume.
- Some file systems such as NTFS preserve the metadata when a file is deleted
- Some file systems such as NTFS and XFS preserve most metadata when a volume is reformatted.
- The metadata has been overwritten due to various reasons.
- ext3, ext4, UFS1, UFS2, FAT and FAT32 zero out all or part of the metadata when a file is deleted.
- ext3, ext4, UFS1, UFS2, FAT and FAT32 zero out most metadata when a volume is reformatted.
When file system metadata is absent, File Scavenger™ resorts to raw recovery. This technique works for file types with a unique data patterns that
indicate where a file begins and ends. The beginning of a file can be detected by the presence of a unique "header". The header may also contain the length of the
file, therefore indicating where the file ends. For example, a bitmap (.BMP) file starts with a unique bitmap header that also contains the length of the bitmap file.
When the header does not contain the length, a unique end-of-file data pattern may exist, such as in the case of a PDF file. The following file types have a
unique header and are well suited for raw recovery: JPEG, bitmap, PDF, ZIP, etc.
Raw recovery restores a file without the original name and folder path. This limitation necessitates manually sorting out the recovered files.
For a large number of files this task may be practically impossible.
Raw recovery requires the contents of a file to be contiguous on disk. For a file with fragmented contents, it can
restore the first fragment but will miss the remaining fragments.
File contents are usually contiguous when the file is first created on or copied to a volume. The contents become fragmented when the file is modified.
The data storage scheme used by ext3, UFS1 and UFS2 causes all files larger than 12 blocks (a block
is usually 4KB) to have fragmented contents.
In many cases this technique can recover a file with fragmented contents when the file's metadata is either missing or incomplete. It is very complex and only
possible for certain file types with detectable data patterns. It consists of two steps:
File carving uses many complex algorithms specific to the file type and individual situation. It is too complex to be incorporated in a program. Instead it is available
only through our fee-based data recovery service, primarily for high-valued data due to the associated costs. For example we used this technique to recover
several VHD files on a reformatted ext3 volume. In principle a reformatted ext3 volume is unrecoverable because most metadata is zeroed out. However
using our knowledge of VHD file format, we were able to recover the VHD files.
- Detect the file fragments by looking for the file type's data patterns.
- Using knowledge of the file format, arrange the fragments in the correct order to form the original file.