This article explains RAW Recovery vs. File System Recovery. File System Recovery is able to preserve the directory tree and recover data with the original file names. Some times however RAW Recovery is the only option.
To recover data from a disk, basically two methods are available to data recovery software:
- They can try to detect files using still available file system structures or metadata.
- Or they can do file carving or RAW recovery.
File System Recovery.
The data recovery software will scan the disk for ‘objects’ like boot sectors, directory structures, indexes, File Allocation Tables (FAT), and MFT entries. We call these file system structures or metadata.
It also needs to figure out volume or file system parameters: It needs to for example figure out where a volume starts, the size of the volume and the cluster size. If it can not figure out for example the cluster size, all references to clusters are meaningless. If for file X file system structures point to cluster N then the software needs to know that start of the volume. It also needs to know the cluster size (number of sectors per cluster) to know which sector address it needs to jump to, to find the file data.
File recovery using file system structures often allows the software to also determine the original folder structure and file names. In NTFS it is possible to reconstruct a directory tree even without indexes (directories), purely by using on information that can be found in MFT entries.
RAW Recovery or file carving is possible even then the file system or it’s properties such as cluster size are unknown. It relies on knowledge of actual file properties. Many file types start with an easy to recognize sequence of bytes, also called the ‘Magic Numbers’. For example, GIF image files all start with ASCII code for “GIF” (in Hex 47 49 46) . So basically, all the software does, is check each sector for the occurrence of specific sequences of bytes that can identify the sector as the start of a file.
Some file types, apart from the magic number also store some data about the file in the file header. There is no generic file header, the structure for a header depends on the file type’s specification. So, the header of a JPEG file looks completely different than the header of a PDF file. If the software ‘knows’ a header, it can some times determine for example the file name.
The types of files the software can recover depends on the amount of signatures or magic numbers it can recognize. The more rarely the file type is used, the less chance that the RAW file recovery tool will detect it.
Even for software performing RAW recovery or file carving it is an advantage to know something about the file system. Knowing where the file system starts and knowing the cluster size limits the places where to look for magic numbers as they will be at the start of a cluster.
Not knowing the start of the file system and cluster size means it has to read each sector and see if it finds a magic number at the start of the sector.
Drawbacks of RAW File Recovery.
There are several disadvantages using RAW file recovery.
- One major drawback of RAW recovery is that the files do not retain their original file name. The original folder structure is unknown. Instead the software organizes files by file type.
- Second disadvantage of RAW file carving is that fragmented files will be corrupt to some degree after recovery. The software assumes that when it finds a magic number for a specific file type, the rest of the file will follow in one piece.
Digital Image recovery software often uses the RAW file carving technique, which isn’t really a problem as filenames have no relation to to image subject. They are more or less generic (image011, image012 etc.) and assigned by the camera automatically. The files are also often in one single directory on the memory card, so recovering a directory structure is not a requirement.
During my tests of data recovery software I found that the majority of the software is very weak at recovering using file system structures. As kind of a fall back system they then use RAW file carving to produce results.
Test can be found here: DIY Data Recovery from unknown disk – Data Recovery Software Tested.
The test scenario is a little more complex than a formatted disk, but it should give an idea about the ability of the software tested to create a directory tree. Scenario is described here: DIY Data Recovery from unknown disk – Semi detailed analysis
Of the software tested so far only Ontrack EasyRecovery, MiniTool Power Data Recovery, Easeus DataRecovery Wizard and DIY DataRecovery iRecover were able to recover file names and a directory structure.