0

AFAIK, a file on a file system has two components.

  1. The pointer that stores the directory path of the file. Also stores the list of sectors/blocks on the disk that the file is composed of.
  2. The real sectors/blocks on the disk that store the file data.

When deleting a file, the pointer is removed without any changes to the blocks. But the list of blocks are marked free to be used whenever data is written. Considering no overwritten data,

  • If the pointer is completely removed, How can Recovery programs recover files?
  • From what source these Recovery programs get the list of blocks the deleted file is composed of?

And,

  • Can I shred file without overwriting its blocks? By completely clearing list of blocks that file to be deleted is composed of.
  • Can I make file recovery impossible of already deleted files by not overwriting free space? By completely clearing list of blocks that deleted file is composed of.

Consider a fragmented filesystem like ext4 on a 512 Byte physical sector sized disk. File Recovery is pretty much useless when a deleted file's list of blocks cannot be known. If such thing is possible maybe it gives the disk little more life.

Improve this question
4
  • 1
    Shredding a file places different data in the blocks assigned to the file, there isn't another way, the entire act of shredding a file indicates you don't want file recovery to be possible. What problem are you trying to solve?
    – Ramhound
    Commented Aug 31, 2015 at 15:45
  • I want to make recovery not possible for not-so-sensitive files. I don't want to overwrite all the disk data in such case. @Martin's answer clears this. Recovery with file headers and block to block linking.
    – Bharat G
    Commented Aug 31, 2015 at 16:02
  • Note that many file types have well-known standard headers and trailers, and it is by finding these that file carving utilities like photorec work. These kinds of tools cannot automatically recover binary files of an unrecognized layout.
    – Frank Thomas
    Commented Aug 31, 2015 at 16:04
  • @FrankThomas - Of course in those cases. it will detect the file as being something, it just might be labeled as unknown file extension.
    – Ramhound
    Commented Aug 31, 2015 at 16:10

1 Answer 1

Reset to default
3

If the pointer is completely removed, How can Recovery programs recover files?

It looks at disk blocks which aren't marked as being used by any file in the filesystem and examines the contents for non-random data. Eg known file format headers or text.

From what source these Recovery programs get the list of blocks the deleted > file is composed of?

Start with a list of all the blocks that are marked as used and look for all the others. However some filesystems do record the block chain for recently deleted files to aid in recovery

Can I shred file without overwriting its blocks? By completely clearing list of >blocks that file to be deleted is composed of.

It would still be discoverable if a block contained some recognisable data, eg a JPEG header, and that allowed the rest of the image to be recovered.

Can I make file recovery impossible of already deleted files by not overwriting >free space?

No , the data is still on disk and may be detectable.

By completely clearing list of blocks that deleted file is composed of.

My knowledge of filesystems is a little out of date but they used to store the link to the next block in the end of the previous block, so you only had to recognise one block of data and got the rest of the file from that point onward. The main index table only had to store the location of the first block int he file. I don't know if this applies to modern (eg. NTFS/EXT4) filesystems.

Improve this answer
1
  • Can u tell what file systems used block to block linking?
    – Bharat G
    Commented Aug 31, 2015 at 16:04

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .