Knowledge Base

These articles provide basic information and helpful recommendations concerning data access and recovery.

Download software

Peculiarities of data recovery depending on the OS

A file system can be defined a method of organization and retrieval of data on a storage medium. It is the major instrument the operating system relies on to keep track of files. Different operating systems make use of different file systems, which not only determine the way information is managed on the disk, but also influence the chances for recovery of lost data, as each file system has its own series of steps it takes when performing file deletion or storage formatting.

Further information will help you to assess data recovery perspectives after accidental deletion of files and file system formatting based on the file system applied on your storage.


File systems of Windows

Major file systems of Windows include FAT (FAT32), exFAT and NTFS. Moreover, the next generation ReFS file system is used on some Windows-based servers. It is worthy of note that successful data recovery from storages relying on these file system types may be hindered by file fragmentation and is only possible until files are overwritten.

File system: FAT/FAT32

  • File deletion:The directory record is marked "unused". Clusters are marked "free" which destroys the chain of clusters used by the file.

    • Recovery of non-fragmented files: The file name, size and on-disk position remain inside the directory record increasing the possibility of file restoration up to almost 100%.

    • Recovery of fragmented files: The chain of file clusters is destroyed leaving no information about the file fragments. Yet, the file name, file size and start position remain known. With heuristics (the trial-and-error method) predicting fragments locations is possible, however, without any guarantee of correctness.

  • Formatting:The file allocation table is destroyed. A new root folder is created.

    • Recovery of non-fragmented files: The file name, size and on-disk position remain inside the directory record increasing the possibility of file recovery up to almost 100%.

    • Recovery of fragmented files: The chain of file clusters is destroyed leaving no information about file fragments. Yet, the file name, file size and start position remain known. With heuristics (the trial-and-error method) predicting fragments locations is possible, however, without any guarantee of correctness.

File system: NTFS

  • File deletion:The Master File Table record is marked as "unused". The bitmap of used space is updated to clear the used clusters. The file entry is deleted from the directory record.

    • File recovery: The file name, size and on-disk position remain inside the Master File Table record increasing file recovery chances up to almost 100%.

  • Formatting:The Master File Table record is marked as “unused”. The bitmap of used space is updated to release the used clusters. The file entry is deleted from the directory record.

    • Recovery of non-fragmented files: The file name, size and on-disk position remain inside the Master File Table record increasing file recovery chances up to almost 100%.

    • Recovery of fragmented files: The information about the file name, size and fragments chain remains inside the Master File Table record increasing file recovery chances up to almost 100%. The possibility of recovery is lower for very fragmented files.

File system: ReFS

  • File deletion:The structure of metadata is modified with the CoW operation marking the area free for new entries.

    • File recovery: The system stores a huge amount of older backup copies making data recovery possible with a recovery result up to 100%.

File systems of macOS

Apple's macOS used to apply HFS+ as the primary file system for Mac computers, iPods, etc., which was replaced in macOS High Sierra by the recently introduced APFS.

It is worth emphasizing that data recovery from HFS+ and APFS is possible only until the moment when files get overwritten.

File system: HFS+

  • File deletion:The file system wipes data from B-Tree metadata records (a B-Tree is a tree data structure that keeps stored data and in which a node can have more than two children) about the file and updates the map of free space.

    • File recovery:A file name, size and on-disk position are wiped; however, the file system journal may still contain this information allowing to recover good files. Using IntelliRAW™ increases chances to recover lost information, however, file name information can be lost.

File system: APFS

  • File deletion:The file system is optimized for Solid State Drive storage and applies the TRIM command to immediately wipe the blocks that hold the file deleted by the user, which helps it to accelerate subsequent writing.
    • File recovery:As has already been mentioned, the recovery of overwritten (wiped) data is impossible, therefore, the implementation of TRIM has a highly negative impact on the possibility of restoring files deleted from APFS. In general, the chances to get all of the files back are extremely low.

File systems of Linux

Modern Linux distributions use Ext2, Ext3, Ext4, XFS, ReiserFS, JFS (JFS2).

File system: XFS

  • File deletion:XFS clears a part of information about the file node and updates the tree of free blocks. Information about the file name is disconnected from the directory entry.

    • Recovery of non-fragmented files:Using heuristics, it is possible to find the file name and size and the position rounded to the block. The chances for recovery are close to 100%; whereas the chances to retrieve the real file name are almost 80%.

    • Recovery of fragmented files:The file name, its size and the fragment chain can be retrieved with the help of heuristics. If file data is not damaged, the possibility of file recovery is close to 100%. The chances to get the real file name are close to 80%.

  • Formatting:XFS destroys the map of used clusters and creates a new root directory. The file allocation groups are updated as well.

    • Recovery of non-fragmented files:The information about user files remains on the disk. The chances for recovery are close to 100%; whereas the chances to retrieve the initial file name are close to 95%.

    • Recovery of fragmented files:The prospects are the same as for non-fragmented files.

File system: Ext2

  • File deletion:Ext2 marks the file node as “free” and updates the map of free blocks. The information about the file name is disconnected from the directory entry. The file name to node reference gets wiped.

    • Recovery of non-fragmented files:The information about the file start and size can remain on the disk. The analysis of nodes can help to recover intact files. At the same time, the information about the file name is lost.

    • Recovery of fragmented files:The chances are the same as for non-fragmented files.

  • Formatting:All allocation groups as well as file nodes get wiped.

    • Recovery of non-fragmented files:The complete recovery of files is possible with heuristics, however, without the original file names.

    • Recovery of fragmented files:The recovery of undamaged files is possible only with the help of heuristics. However, the initial file names will be lost.

File system: Ext3/Ext4

  • File deletion:The file system wipes the file node and updates the map of free blocks. The information about the file name is disconnected from the directory entry, yet, it references the right node.

    • Recovery of non-fragmented files:The information about the file start and size is destroyed permanently but may remain in the file system journal. The link between the file name and on-disk location is missing. Heuristics and journal analysis enable the recovery of files, preserving the original file names.

    • Recovery of fragmented files:Usually, the information about the first 12 blocks of the file is missing. There also remains no information about the file name and size. The chances for recovery of deleted files are quite poor, however, the information about most recently deleted files may remain in the file system journal increasing the chances to recover a file with the initial file name up to 100%.

  • Formatting:All allocation groups as well as file nodes are wiped. Depending on a driver, the file system journal may still contain information about some recently created files.

    • Recovery of non-fragmented files:The recovery of undamaged files is possible only by applying advanced heuristics and journal analysis; however, in most cases the initial file names cannot be retrieved.

    • Recovery of fragmented files:Only advanced heuristics and journal analysis allow recovering files completely, however, in most cases, the initial file names get lost.

File system: ReiserFS

  • File deletion:The system updates the S+-tree to exclude the file and renews the map of free space.

    • Recovery of non-fragmented files:The S+-tree node may remain on the disk (a copy in the file system journal and an old copy, created with copy-on-write). In this case, the chances for file recovery are up to 100%.

    • Recovery of fragmented files:The same as for non-fragmented files.

  • Formatting:The file system creates a new S+-tree over the existing one.

    • Recovery of non-fragmented files:The S+-tree node may remain on the disk (a copy in the file system journal and an old copy, created with copy-on-write). In this case, the possibility of file recovery is close to 100%.

    • Recovery of fragmented files:The chances are the same as for non-fragmented files.

File system: JFS (JFS2)

  • File deletion:JFS updates the counter of object use and clears the inode in the inode use map. The directory is rebuilt to reflect changes.

    • Recovery of non-fragmented files:The file inode remains on the disk increasing the chances for files recovery up to almost 100%. The file name is unlikely to be recovered though.

    • Recovery of fragmented files:The prospects are the same as for non-fragmented files.

File systems of BSD, Solaris, Unix

These file systems commonly use UFS and UFS2.

File system: UFS/UFS2

  • File deletion:UFS clears the file node and updates the map of free blocks. The information about the file name is disconnected from the directory entry.

    • Recovery of non-fragmented files:The information about the file start and size is destroyed permanently. The link between the file name and on-disk location is missing. Heuristic methods make it possible to recover good files the type of which is known. At the same time, you will rarely come across non-fragmented files on UFS due to the specifics of its Soft Updates algorithm.

    • Recovery of fragmented files:The information about the first 12 blocks of the file lacks. There also remains no information about the file name and size. The chances to recover deleted files are quite poor, yet, it is possible.

  • Formatting:All allocation groups as well as file nodes are wiped.

    • Recovery of non-fragmented files:The total recovery of files is possible with heuristics, though the initial file names get lost.

    • Recovery of fragmented files:The recovery of undamaged files is possible only with the help of heuristics. However, the results will lack initial file names.

Clustered file systems

SysDev Laboratories LLC offers data recovery from clustered file systems, such as Apple Xsan (CentraVision file system, StorNext file system), RedHat Linux Global File System (GFS), VMware ESX Server Virtual Machine File System (VMFS). If you need to recover data from any of the mentioned file systems, contact us and request a remote recovery service.

Last update: 20.06.2018