Summary: this article describes mechanisms behind file
system level formatting and illustrates how files can be recovered
from formatted drives/volumes.
The article deals with FAT, FAT32 and NTFS file systems only.
|
Keywords: unformat, reformatted, formatted, file
recovery, data recovery, unformat recovery.
|
|
File system level formatting
The main purpose of any file system is organizing data on a disk.
Files should be safely stored and retrieved. File systems keep
structures to remember where free space is located, whether clusters are
bad and where files and directories are located. The source of
the file system structures is the boot sector. The boot sector
BIOS Parameter Block (BPB) describes the cluster size, disk
geometry and location of file system structures such as the File
Allocation Table (FAT) or the Master File Table (MFT).
Typically when a drive is formatted only some of the partition's
structures are updated or re-initialized; the actual contents of
the partition (the files and the folder structure) are not deleted
or destroyed.
File system level formatting on FAT based file systems:
When a drive is formatted with the FAT or FAT32 file system, the
boot sector is reinitialized and new data reflecting the new file
system parameters is stored. Usually those parameters remain the
same if the file system type was not changed for the format
command, but some values (such as cluster size) can be overruled
and changed by the user.
Location and size of the FAT does not change either (unless a new
cluster size is specified), but in the FAT all clusters are marked 'free'. Furthermore the
root directory is emptied.
From this point on clusters previously
allocated to directories and files can be used to store new data! If that
happens affected files can no longer be recovered.
| Directory
entry on FAT file system (simplified) |
| File Name |
Extension |
Attributes |
Date |
Start Cluster |
File Size |
| MyDir |
- |
directory |
16.10.06 |
3000 |
- |
| Myfile |
doc |
archive |
16.10.06 |
7000 |
45596 b |
Unformat or file recovery software scans the partition structures and locates directory entries. From directory entries
file names, file sizes and start positions can be determined. It
is assumed files were stored in contiguous blocks of clusters
(un-fragmented!). For FAT fragmented files can not be recovered intact!
Old style unformat utilities like Norton Unformat would now start
recreating a folder structure and FAT. Files and directories were
recovered 'in place'. Disadvantage of this approach is that there
is no turning back (no undo in case things go wrong; the file
system structures are changed by the recovery software).
Modern unformat software does not modify the file
system structures as it is considered bad practice to do so.
Instead it will prompt the user for a location where it can
recover the files to. Information from the directory entries
is used to retrieve file and directory names and recreate a
virtual directory structure in memory. From this representation of
the file system, data can be copied to an intact drive. Data as it is found in
clusters previously allocated to the lost files is copied in
binary form to new files: the files are now recovered.
File system level formatting on NTFS based file systems:
When a drive is formatted with the NTFS file system, the
boot sector is reinitialized and new data reflecting the new file
system parameters is stored. Usually those parameters remain the
same if the file system type was not changed for the format
command, but some values (such as cluster size) can be overruled
and changed by the user.
Recovering files from a NTFS formatted volume is treated in much
the same way as undeleting files from a NTFS formatted volume
(read here). There is just
one additional step that is executed before the file system is
analyzed: the disk is scanned to locate the necessary disk
structures. Once they have been located the rest of the procedure
is very much the same as the undelete procedure.
|
