Data Recovery Algorithm From NTFS Partition

Read how data is recovered from an NTFS disk and what algorithm programs use to recover files. Here we come close to the topic of file recovery. Unlike FAT, NTFS is a very convenient file system for data recovery: it allows you to completely restore all sectors on the disk occupied by a deleted file. But it also has a drawback: under certain circumstances, the file name is lost. However, the contents of the file are much more important than its name, so this shortcoming, although unpleasant, is not critical.

Let’s consider the case where the file was deleted by the regular means of the system (i.e. the file system is fully present and undamaged). Restoring a deleted file on NTFS is easier than on most file systems. As we remember, when a file is deleted in the FAT file system, the chain of records pointing to the clusters occupied by the file is lost. This problem does not occur in NTFS.

When a file is deleted from an HDD, a USB disk, or a CompactFlash or Micro SD memory card, its name is removed from the index of the parent directory, and the corresponding MFT entry and the clusters it occupies are freed. The index is then re-sorted, and as a result information about the file name may be lost. Accordingly, the name of the deleted file will no longer be present in the source directory.

Data Recovery

However, this disadvantage is more than compensated for by the fact that the MFT stores all records in one table. Thus, the search for free records is greatly simplified. Each entry contains an attribute with the base address of the parent directory. Accordingly, when a free entry is found, it becomes possible to determine its full path.

In order to recover files deleted in NTFS, you need to scan the MFT in search of free records. When a free record is found, it becomes possible to determine the file name, which is stored in one of the attributes. As mentioned earlier, the file name cannot always be determined. But unlike the FAT file system, pointers to the clusters occupied by a deleted file continue to exist. Accordingly, it is possible to recover a file of any size and any degree of fragmentation, provided, of course, that the clusters it occupies have not been overwritten with other data.

As we said earlier, some files can be stored entirely in the MFT area as an attribute. Such files are called resident. If a single MFT entry was sufficient to store a resident file, then such a file can be restored up to the moment the MFT entry is re-allocated.
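
The scan described above, and the resident case from the last paragraph, as an added example (not code from the original article): it parses one MFT record, reports whether it is free, reads the name and parent directory record from the file name attribute, and returns either the resident content or the decoded cluster runs. The field offsets follow the commonly documented NTFS on-disk layout; the function names and the sample records are constructed for illustration, and the update-sequence fixup that a real 1024-byte record needs before parsing is left out.

```python
import struct

def decode_runs(buf):
    """Decode a data-run list into (start_cluster, cluster_count) pairs."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos]:              # a zero byte ends the list
        n, m = buf[pos] & 0x0F, buf[pos] >> 4       # byte sizes of length and offset
        count = int.from_bytes(buf[pos + 1:pos + 1 + n], "little")
        lcn += int.from_bytes(buf[pos + 1 + n:pos + 1 + n + m], "little", signed=True)
        runs.append((lcn if m else None, count))    # offset is relative to previous run
        pos += 1 + n + m
    return runs

def parse_record(rec):
    """Return deletion state, name, parent record number and data location."""
    if rec[:4] != b"FILE":
        return None
    pos, flags = struct.unpack_from("<HH", rec, 0x14)   # first attribute, record flags
    info = dict(deleted=not flags & 1, name=None, parent=None, resident=None, runs=None)
    while pos + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == 0xFFFFFFFF or alen < 0x18 or pos + alen > len(rec):
            break                                       # end marker or damaged attribute
        attr = rec[pos:pos + alen]
        if attr[8] == 0:                                # resident: content is in the record
            size, off = struct.unpack_from("<IH", attr, 0x10)
            body = attr[off:off + size]
            if atype == 0x30 and size >= 0x42:          # $FILE_NAME
                info["parent"] = int.from_bytes(body[:6], "little")
                info["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
            elif atype == 0x80:                         # $DATA of a resident file
                info["resident"] = body
        elif atype == 0x80:                             # non-resident $DATA
            info["runs"] = decode_runs(attr[struct.unpack_from("<H", attr, 0x20)[0]:])
        pos += alen
    return info

def make_attr(atype, body, nonres=0):   # constructed-sample helper, minimal headers
    if nonres:   # 0x40-byte header with the data-run offset at 0x20
        return struct.pack("<IIB23xH30x", atype, 0x40 + len(body), 1, 0x40) + body
    return struct.pack("<IIB7xIH2x", atype, 0x18 + len(body), 0, len(body), 0x18) + body

def make_record(flags, data_attr):      # constructed sample: "note.txt" under record 5
    name = bytes([5, 0, 0, 0, 0, 0, 5, 0]) + bytes(0x38) + bytes([8, 1]) + "note.txt".encode("utf-16-le")
    hdr = struct.pack("<4s16xHH32x", b"FILE", 0x38, flags)
    return (hdr + make_attr(0x30, name) + data_attr + b"\xff" * 4).ljust(1024, b"\0")

# Two constructed free records: a fragmented file and a resident one.
for data in (make_attr(0x80, b"\x21\x18\x34\x56\x11\x10\xf0\x00", 1), make_attr(0x80, b"hello")):
    print(parse_record(make_record(0, data)))
```

The run list decodes to two fragments, the second located by a negative offset from the first, which is why fragmentation does not prevent recovery as long as the clusters have not been reused.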