Peculiarities of data recovery depending on the OS

A file system can be defined as a method of organizing and retrieving data on a storage medium. It is the major instrument the operating system relies on to keep track of files. Different operating systems make use of different file systems, which not only determine the way information is managed on the disk, but also influence the chances for recovery of lost data, as each file system has its own series of steps it takes when performing file deletion or storage formatting.

Hint: To learn more about file systems and their types, please refer to the basics of file systems.

The information below will help you to assess the prospects for data recovery after accidental deletion of files and file system formatting, based on the file system applied on your storage.

Hint: The most typical cases of data loss referred to in this article are outlined in the principles of data recovery.


File systems of Windows

Major file systems of Windows include FAT (FAT32), exFAT and NTFS. Moreover, the next generation ReFS file system is used on some Windows-based servers. It is worth noting that successful data recovery from storages relying on these file system types may be hindered by file fragmentation and is only possible until files are overwritten.

File system: FAT/FAT32

  • File deletion: The directory record is marked "unused". Clusters are marked "free" which destroys the chain of clusters used by the file.

    • Recovery of non-fragmented files: The file name, size and on-disk position remain inside the directory record increasing the possibility of file restoration up to almost 100%.

    • Recovery of fragmented files: The chain of file clusters is destroyed leaving no information about the file fragments. Yet, the file name, file size and start position remain known. Heuristics (the trial-and-error method) make it possible to predict the locations of fragments, but without any guarantee of correctness.

  • Formatting: The file allocation table is destroyed. A new root folder is created.

    • Recovery of non-fragmented files: The file name, size and on-disk position remain inside the directory record increasing the possibility of file recovery up to almost 100%.

    • Recovery of fragmented files: The chain of file clusters is destroyed leaving no information about file fragments. Yet, the file name, file size and start position remain known. Heuristics (the trial-and-error method) make it possible to predict the locations of fragments, but without any guarantee of correctness.
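The following Python sketch is an added example (not code from this article or from any recovery product) showing what survives in a FAT32 directory record after deletion: the 0xE5 marker replaces the first name byte, while the size and start cluster stay readable. The sample directory is constructed, and the cluster range is only valid under the assumption that the file was not fragmented.

```python
import struct

DELETED = 0xE5     # first name byte of a directory record marked "unused"
ATTR_LFN = 0x0F    # long-file-name helper record, not a file of its own
ATTR_SKIP = 0x18   # volume label (0x08) or subdirectory (0x10)

def deleted_entries(dir_bytes, cluster_size):
    """List name, size and assumed cluster range of deleted file records."""
    found = []
    for off in range(0, len(dir_bytes) - 31, 32):
        rec = dir_bytes[off:off + 32]
        if rec[0] == 0x00:                 # no records follow this one
            break
        attr = rec[11]
        if rec[0] != DELETED or attr == ATTR_LFN or attr & ATTR_SKIP:
            continue
        (hi,) = struct.unpack_from("<H", rec, 20)      # FAT32 high word
        lo, size = struct.unpack_from("<HI", rec, 26)  # low word, byte size
        start = (hi << 16) | lo
        if start < 2 or size == 0:         # data clusters are numbered from 2
            continue
        # The first name character was overwritten by 0xE5 and is lost.
        base = "?" + rec[1:8].decode("ascii", "replace").rstrip()
        ext = rec[8:11].decode("ascii", "replace").rstrip()
        count = -(-size // cluster_size)   # clusters needed, rounded up
        found.append({
            "name": base + ("." + ext if ext else ""),
            "size": size,
            "start": start,
            # Assumption: the file was not fragmented, so it is one run.
            "clusters": list(range(start, start + count)),
        })
    return found

def _record(name11, attr, start, size):
    """Build one 32-byte record (constructed sample, not from a real disk)."""
    return struct.pack("<11sB8xH4xHI", name11, attr,
                       start >> 16, start & 0xFFFF, size)

SAMPLE_DIR = (
    _record(b"README  TXT", 0x20, 5, 100)                    # live file
    + _record(b"\xE5r\x00e\x00p\x00o\x00r\x00", 0x0F, 0, 0)  # deleted LFN part
    + _record(b"\xE5EPORT  DOC", 0x20, 70000, 10000)         # deleted file
    + bytes(32)                                              # end of directory
)

if __name__ == "__main__":
    for entry in deleted_entries(SAMPLE_DIR, cluster_size=4096):
        print(entry)
```

For a fragmented file only the first cluster in the returned range is trustworthy, because the chain that linked the remaining clusters lived in the file allocation table.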

File system: NTFS

  • File deletion: The Master File Table record is marked as "unused". The bitmap of used space is updated to clear the used clusters. The file entry is deleted from the directory record.

    • File recovery: The file name, size and on-disk position remain inside the Master File Table record increasing file recovery chances up to almost 100%.

  • Formatting: The Master File Table record is marked as “unused”. The bitmap of used space is updated to release the used clusters. The file entry is deleted from the directory record.

    • Recovery of non-fragmented files: The file name, size and on-disk position remain inside the Master File Table record increasing file recovery chances up to almost 100%.

    • Recovery of fragmented files: The information about the file name, size and fragments chain remains inside the Master File Table record increasing file recovery chances up to almost 100%. The possibility of recovery is lower for very fragmented files.
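The fragment chain mentioned above is kept in the MFT record as a compact "data run" list inside the file's non-resident data attribute. The Python sketch below is an added example (not code from this article) that decodes such a list into cluster runs and then into byte ranges to read; the sample bytes, the 4096-byte cluster size and the 100000-byte file size are constructed assumptions.

```python
def decode_runlist(raw):
    """Decode an NTFS data-run list into (start_lcn, cluster_count) pairs.

    start_lcn is None for a sparse run, which has no clusters on disk.
    """
    runs, pos, lcn = [], 0, 0
    while pos < len(raw) and raw[pos] != 0x00:     # 0x00 ends the list
        len_size = raw[pos] & 0x0F                 # bytes in the length field
        off_size = raw[pos] >> 4                   # bytes in the offset field
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(raw):
            raise ValueError("corrupt or truncated run list")
        count = int.from_bytes(raw[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((None, count))
        else:
            # The offset is signed and relative to the previous run's start.
            lcn += int.from_bytes(raw[pos:pos + off_size], "little", signed=True)
            if lcn < 0:
                raise ValueError("run points before the start of the volume")
            runs.append((lcn, count))
            pos += off_size
    return runs

def extents(runs, cluster_size, file_size):
    """Turn runs into (volume_byte_offset, length) reads, trimmed to file_size."""
    out, left = [], file_size
    for lcn, count in runs:
        if left <= 0:
            break
        length = min(count * cluster_size, left)
        out.append((None if lcn is None else lcn * cluster_size, length))
        left -= length
    return out

# Constructed sample: 24 clusters at LCN 22068, then 16 clusters 16 LCNs lower.
SAMPLE_RUNS = bytes.fromhex("21 18 34 56 11 10 f0 00")

if __name__ == "__main__":
    runs = decode_runlist(SAMPLE_RUNS)
    print(len(runs), "fragments:", runs)
    print(extents(runs, cluster_size=4096, file_size=100000))
```

Every additional run is one more range that must still be free of new data, which is why the chances fall for very fragmented files.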

File system: ReFS

  • File deletion: The structure of metadata is modified with the Copy-on-Write (COW) operation marking the area free for new entries.

    • File recovery: The system stores a huge amount of older backup copies making data recovery possible with a recovery result up to 100%.

Hint: Please rely on the instruction if you need to recover data from the file systems of Windows.

File systems of macOS

Apple's macOS used to apply HFS+ as the primary file system for Mac computers, iPods, etc., which was replaced by APFS introduced in macOS High Sierra.

It is worth emphasizing that data recovery from HFS+ and APFS is possible only until the moment when files get overwritten.

File system: HFS+

  • File deletion: The file system wipes data from B-Tree metadata records about the file and updates the map of free space.

    • File recovery: A file name, size and on-disk position are wiped; however, the file system journal may still contain this information, making it possible to recover good files. Using IntelliRAW™ increases the chances to recover lost information; however, the information about the file name can be lost.

File system: APFS

  • File deletion: The file system is optimized for Solid State Drive storage and applies the TRIM command to immediately wipe the blocks that hold the file deleted by the user, which helps it to accelerate subsequent writing.

    • File recovery: As has already been mentioned, the recovery of overwritten (wiped) data is impossible, therefore, the implementation of TRIM has a highly negative impact on the possibility of restoring files deleted from APFS. In general, the chances to get all of the files back are extremely low.

Hint: Please rely on the instruction if you need to recover data from the file systems of macOS.

File systems of Linux

Modern Linux distributions use Ext2, Ext3, Ext4, XFS, ReiserFS, JFS (JFS2) and Btrfs.

File system: XFS

  • File deletion: XFS clears a part of information about the file node and updates the tree of free blocks. Information about the file name is disconnected from the directory entry.

    • Recovery of non-fragmented files: Using heuristics, it is possible to find the file name and size and the position rounded to the block. The chances for recovery are close to 100%; whereas the chances to retrieve the real file name are almost 80%.

    • Recovery of fragmented files: The file name, its size and the fragment chain can be retrieved with the help of heuristics. If file data is not damaged, the possibility of file recovery is close to 100%. The chances to get the real file name are close to 80%.

  • Formatting: XFS destroys the map of used clusters and creates a new root directory. The file allocation groups are updated as well.

    • Recovery of non-fragmented files: The information about user files remains on the disk. The chances for recovery are close to 100%; whereas the chances to retrieve the initial file name are close to 95%.

    • Recovery of fragmented files: The prospects are the same as for non-fragmented files.

Hint: Please rely on the instruction if you need to recover data from the file systems of Linux.

File system: Ext2

  • File deletion: Ext2 marks the file node as “free” and updates the map of free blocks. The information about the file name is disconnected from the directory entry. The file name to node reference gets wiped.

    • Recovery of non-fragmented files: The information about the file start and size can remain on the disk. The analysis of nodes can help to recover intact files. At the same time, the information about the file name is lost.

    • Recovery of fragmented files: The chances are the same as for non-fragmented files.

  • Formatting: All allocation groups as well as file nodes get wiped.

    • Recovery of non-fragmented files: The complete recovery of files is possible with heuristics, however, without the original file names.

    • Recovery of fragmented files: The recovery of undamaged files is possible only with the help of heuristics. However, the initial file names will be lost.

File system: Ext3/Ext4

  • File deletion: The file system wipes the file node and updates the map of free blocks. The information about the file name is disconnected from the directory entry, yet, it references the right node.

    • Recovery of non-fragmented files: The information about the file start and size is destroyed permanently but may remain in the file system journal. The link between the file name and on-disk location is missing. Heuristics and journal analysis enable the recovery of files, preserving the original file names.

    • Recovery of fragmented files: Usually, the information about the first 12 blocks of the file is missing. There also remains no information about the file name and size. The chances for recovery of deleted files are quite poor, however, the information about most recently deleted files may remain in the file system journal increasing the chances to recover a file with the initial file name up to 100%.

  • Formatting: All allocation groups as well as file nodes are wiped. Depending on a driver, the file system journal may still contain information about some recently created files.

    • Recovery of non-fragmented files: The recovery of undamaged files is possible only by applying advanced heuristics and journal analysis; however, in most cases the initial file names cannot be retrieved.

    • Recovery of fragmented files: Only advanced heuristics and journal analysis allow recovering files completely, however, in most cases, the initial file names get lost.

File system: ReiserFS

  • File deletion: The system updates the S+-tree to exclude the file and renews the map of free space.

    • Recovery of non-fragmented files: The S+-tree node may remain on the disk (a copy in the file system journal and an old copy, created with copy-on-write). In this case, the chances for file recovery are up to 100%.

    • Recovery of fragmented files: The same as for non-fragmented files.

  • Formatting: The file system creates a new S+-tree over the existing one.

    • Recovery of non-fragmented files: The S+-tree node may remain on the disk (a copy in the file system journal and an old copy, created with copy-on-write). In this case, the possibility of file recovery is close to 100%.

    • Recovery of fragmented files: The chances are the same as for non-fragmented files.

File system: JFS (JFS2)

  • File deletion: JFS updates the counter of object use and clears the inode in the inode use map. The directory is rebuilt to reflect changes.

    • Recovery of non-fragmented files: The file inode remains on the disk increasing the chances for file recovery up to almost 100%. The file name is unlikely to be recovered though.

    • Recovery of fragmented files: The prospects are the same as for non-fragmented files.

File system: Btrfs

  • File deletion: As the file system is based on Copy-on-Write (COW), changes to the metadata extents (B-tree nodes) and the data extents (file contents) are made to copies created in new locations while the original ones remain in place, being marked as unused.

    • File recovery: Both the old data and the metadata pointing to it can be found on the disk, enabling a data recovery result up to 100%. Yet, heavy fragmentation may slow down the process.

File systems of BSD, Solaris, Unix

These operating systems commonly use UFS, UFS2 and ZFS.

File system: UFS/UFS2

  • File deletion: UFS clears the file node and updates the map of free blocks. The information about the file name is disconnected from the directory entry.

    • Recovery of non-fragmented files: The information about the file start and size is destroyed permanently. The link between the file name and on-disk location is missing. Heuristic methods make it possible to recover good files of a known type. At the same time, you will rarely come across non-fragmented files on UFS due to the specifics of its Soft Updates algorithm.

    • Recovery of fragmented files: The information about the first 12 blocks of the file is missing. There also remains no information about the file name and size. The chances to recover deleted files are quite poor, yet recovery is possible.

  • Formatting: All allocation groups as well as file nodes are wiped.

    • Recovery of non-fragmented files: The total recovery of files is possible with heuristics, though the initial file names get lost.

    • Recovery of fragmented files: The recovery of undamaged files is possible only with the help of heuristics. However, the results will lack initial file names.

File system: ZFS

  • File deletion: The file system manages all the modifications with the Copy-on-Write (COW) method: a copy of the original block is created and allocated to free storage space. After that, the data block links are updated and the uberblock is replaced with a new uberblock.

    • File recovery: Depending on the file system usage and how full the pool is, the older copies can remain for quite a long time, enabling the restoration of files with their initial names in up to 100% of cases. However, as the data is scattered in blocks of dynamic sizes across the disks in the ZFS pool, the recovery is not possible unless the pool metadata is intact and can be read out to assemble storage layout correctly.

Hint: Please rely on the instruction if you need to recover data from the file systems of Unix, Solaris or BSD.

Clustered file systems

SysDev Laboratories LLC offers data recovery from clustered file systems, such as Apple Xsan (CentraVision file system, StorNext file system), RedHat Linux Global File System (GFS), VMware ESX Server Virtual Machine File System (VMFS). If you need to recover data from any of the mentioned file systems, contact us and request a remote recovery service.

Last update: March 26, 2021
