How to Undelete Files from the System Disk

Windows, Mac OS X, and most popular distributions of Linux feature a “Recycle” or “Trash” bin that allows you to recover accidentally deleted files. But once the files are emptied from the trash, they can’t be retrieved quite as easily. The good news is that all or most of your deleted file may still be on your system disk. Using data recovery software, you can undelete files from your system disk with just a few clicks.

Before We Begin

If you are still using the computer where your deleted files resided, stop. Turn off your computer immediately and come back to this page on a secondary computer.
Why?
In its simplest terms, a file system consists of two parts. The first part is the data itself. The other part is information about how the data and files are organized.  When a file is deleted, the data remains intact, but the information about the data is removed from the file table or index. But the data won’t stay there forever. As soon as the system needs more disk space, it’ll overwrite that old data, rendering it completely irrecoverable.
System disks call for some special considerations compared to undeleting files from an SD card or any logical disk other than the one where your operating system is installed. Operating systems are constantly writing data to the disk, even when you’re not downloading files or saving work. Even when your computer appears to be idle, it may be writing data to the disk, such as browser history, system logs and temporary files, or running background processes that affect the disk.
For that reason, you should avoid using the disk altogether.
The solution: dismount the disk and analyze it with read-only access. We’ll explain how to do this in the steps below.

Step 1: Turn Off the Computer

Power down your computer immediately. Don’t save any work (unless it’s as crucial as your deleted file) and don’t go through the normal shut down or restart procedure. These processes cause even more read/write activity than idle use.
While pulling the plug on your machine isn’t a good habit for everyday use, when you want to control the damage by stopping all write activity, a hard shut down is the way to go.

Step 2: Mount the Drive without Booting It

Mount your drive without starting the operating system installed on it. How is that possible? There are a few ways:
  • Physically remove the disk and install it as a slave in another computer. When you boot the computer, be sure to tweak your BIOS setup so it boots the operating system on another disk, rather than the one you just installed. BIOS setups vary from system to system but are generally very similar. Check out this groovyPost article for instructions on setting your BIOS to boot from USB.
  • Physically remove the disk and connect it to another machine via a USB/FireWire enclosure or external drive bay. These run from $10 to $50—you can find them at Newegg.com, Best Buy and Amazon.com.
  • Boot the computer using a LiveCD or LiveUSB operating system or bootable data recovery program. This lets you start the computer while bypassing the main system disk (again, you may need to tweak the BIOS to boot from a USB device). For a complete operating system, try Ubuntu or Damn Small Linux (both free). For a dedicated file recovery program that boots from a USB device, try R-Studio (see this tutorial for detailed data recovery instructions for R-Studio Emergency). The benefit of this is that you don’t have to crack open the PC or laptop case.

Step 3: Run a File Recovery Scan

This is a basic undelete scan that searches a disk for recognizable files. This is the quickest option and, if the deletion was recent and the file had a common file type (such as JPG, AVI, MOV, DOCX, XLSX, and PST), a basic file search/undelete works very reliably on FAT, NTFS, exFAT and ext2/ext3/ext4 file systems. In these cases, a basic file undeletion utility can find remnants of the file’s metadata and quickly restore the file in its entirety. Most free programs will be limited to this feature.
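What those metadata remnants look like on FAT, as an added example (not from the original article or from any recovery product): deleting a file overwrites only the first byte of its 32-byte directory entry with 0xE5, so the rest of the name, the starting cluster and the size can still be read. The directory block and file names below are constructed sample data.

```python
import struct

ENTRY_SIZE = 32
DELETED = 0xE5     # first name byte of a deleted entry
END_OF_DIR = 0x00  # no further entries in this directory
ATTR_LFN = 0x0F    # long-file-name fragment, not a file record

def make_entry(name, ext, cluster, size, deleted=False):
    """Build one 32-byte FAT 8.3 directory entry (constructed sample data)."""
    raw = name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    if deleted:
        raw = bytes([DELETED]) + raw[1:]
    # attribute 0x20 (archive), 8 bytes skipped, cluster high word,
    # write time, write date, cluster low word, file size
    return raw + struct.pack("<B8xHHHHI", 0x20, cluster >> 16, 0, 0,
                             cluster & 0xFFFF, size)

def find_deleted(directory):
    """Return (name, first_cluster, size) for each deleted entry."""
    found = []
    for off in range(0, len(directory) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = directory[off:off + ENTRY_SIZE]
        if entry[0] == END_OF_DIR:
            break
        if entry[0] != DELETED or entry[11] == ATTR_LFN:
            continue
        stem = entry[1:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        hi, lo, size = struct.unpack_from("<H4xHI", entry, 20)
        # The original first character is gone; show it as "?"
        found.append((f"?{stem}.{ext}", (hi << 16) | lo, size))
    return found

# Constructed directory: one live file, two deleted files, end marker
SAMPLE_DIR = (make_entry("REPORT", "DOC", 5, 20480)
              + make_entry("PHOTO", "JPG", 12, 183000, deleted=True)
              + make_entry("NOTES", "TXT", 0x1002A, 512, deleted=True)
              + bytes(ENTRY_SIZE))

if __name__ == "__main__":
    for name, cluster, size in find_deleted(SAMPLE_DIR):
        print(f"{name:<12} first cluster {cluster:>6}  {size} bytes")
```

The entry only gives the first cluster; the allocation chain for a deleted file is normally cleared, so tools read the data as if it were contiguous, which is one reason recent deletions on lightly used disks restore most reliably.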

Step 4: Run a RAW File Search

If a basic file search doesn’t work, you’ll need to do a raw data analysis. This is a more detailed search that looks for a file’s digital signature. If found, the software can restore the file even if the metadata—such as file length, file type, and file location—is permanently deleted. In some file systems, such as HFS and HFS+ (used in Mac OS), a raw file search is the only way to undelete a file.
A raw file search will look for the digital file signatures of common file types. The success of the software depends on the breadth of its “known file types.” Advanced software will let you add custom digital file signatures, essentially “teaching” the software how to find the specific type of file you are looking for. R-Studio, mentioned above, has this feature.
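A minimal raw search, as an added example (not R-Studio's or any product's code): the "digital signatures" here are fixed header and footer byte patterns, and the scan needs no file system metadata at all. The JPEG and PNG patterns are the real ones; the `logx` format, its markers and the sample image are constructed for illustration and show how a custom signature extends the known file types.

```python
# type -> (header bytes, footer bytes)
SIGNATURES = {
    "jpg": (bytes.fromhex("ffd8ff"), bytes.fromhex("ffd9")),
    "png": (bytes.fromhex("89504e470d0a1a0a"),
            bytes.fromhex("49454e44ae426082")),
}

def carve(image, signatures=SIGNATURES, max_size=10 * 1024 * 1024):
    """Return sorted (offset, type, data) for each header/footer pair."""
    hits = []
    for ftype, (header, footer) in signatures.items():
        start = image.find(header)
        while start != -1:
            # Look for the footer within max_size bytes of the header
            end = image.find(footer, start + len(header), start + max_size)
            if end != -1:
                stop = end + len(footer)
                hits.append((start, ftype, image[start:stop]))
                start = image.find(header, stop)
            else:
                # Header without a footer: overwritten or fragmented data
                start = image.find(header, start + 1)
    return sorted(hits)

def sample_image():
    """Constructed stand-in for raw disk contents (not real file data)."""
    jpg = bytes.fromhex("ffd8ffe0") + b"JFIF-pixels" + bytes.fromhex("ffd9")
    png = (bytes.fromhex("89504e470d0a1a0a") + b"IHDR-pixels"
           + bytes.fromhex("49454e44ae426082"))
    custom = b"LOGX\x01" + b"entry one" + b"\x00EOL"
    return (b"\x00" * 64 + jpg + b"\xaa" * 30 + png
            + b"\x11" * 10 + custom + b"\x00" * 16)

if __name__ == "__main__":
    image = sample_image()
    # "Teach" the carver a hypothetical custom format
    custom = dict(SIGNATURES, logx=(b"LOGX\x01", b"\x00EOL"))
    for offset, ftype, data in carve(image, custom):
        print(f"offset {offset:>4}: {ftype} ({len(data)} bytes)")
```

Against a real disk, open the device or an image of it in read-only mode (`open(path, "rb")`) and scan in chunks; short patterns such as the JPEG footer also occur by chance, so carved files need validating before they are trusted.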

Conclusion

These steps are the best practices for file undeletion. Note that these steps vary a bit from file recovery from a damaged or corrupted disk. In that case, you would want to avoid both write and read activity on the disk by creating an image of the disk.
Also note that these steps are very conservative. If the file deletion was very recent, the file size was relatively small, and the disk is very large with an ample amount of free space, then you can likely skip Step 1 and Step 2. But if you want to maximize your chances for a successful file recovery, take the conservative route—especially if your system disk is nearing capacity.

