There’s a lot of not accurate information about recovery of non contiguous or fragmented files on the internet. Since my specialized data recovery service deals with this a lot I’ll share some information with you on the topic.
What is a fragmented file?
The answer is simple: If file data is stored in two or more non contiguous blocks we speak of a fragmented file. If the file is somehow lost or deleted it must be determined which exact blocks were allocated to the file.
The file system matters
Recovery of a fragmented file is impeded IF the file system no longer points to clusters that were allocated to the file. But not all file systems are equal. If we look at the commonly used Windows file system NTFS we find that even after a file was deleted the MFT still contains pointers to all clusters that were allocated to the file (so called run-lists). This is even the case if the file was not stored in a contiguous block of clusters (=fragmented). As such even a fragmented file is fully recoverable as long as no new data was written to the vacant clusters. What also follows is that if a file recovered from an NTFS drive is corrupt after recovery then this is NOT a result of file fragmentation as is often suggested.
So in short, if you deleted files from a NTFS formatted drive, you do not need special software to recover fragmented files. You can use generic file recovery software like ReclaiMe.
Note that if you deleted data from an SSD there’s a good chance the file can not be recovered due to TRIM, but that’s a different subject!
Other file systems such as Linux EXT3/4 or FAT file systems are less forgiving when comes to recovery of fragmented files. Meaning that meta data pointing to allocated clusters is lost. This makes recovery of fragmented files far more complex and less likely.
Recovering fragmented files
If we can not rely on file system meta data, we need to rely on file (meta) data to reconstruct fragmented files. Rather than requiring knowledge on a specific file system, we require knowledge about each specific file format we need to recover! We should also take into account that on a file system of say 1000000 clusters, each of the clusters is potentially part of our file. This is why I limit my specialized data recovery service for photos from small flash based devices (memory cards and flash drives).
What also follows is that such procedures will only work for specific file types: only files for which structure is known. If you work out a solution for JPEG files, this will not work for Excel files for example. For each and every file we will need a different algorithm.
In short the method involves:
- Determine file starts
- Determine clusters which are unlikely to be part of file type you’re recovering
- Per file determine point of fragmentation
- Per file look for candidate blocks of data
- Test the possible combination. You can do this visually or automated. To automate this you need to decode end result and use rules of thumb to either accept or reject result. Automating the task requires significant CPU power (and RAM) and can keep a PC occupied for even days!
Manual reconstruction of a fragmented photo follows these same steps, from accurately determining point of fragmentation upto evaluating combinations:
Conclusion: Depending on file system recovery of fragmented files is far from trivial. Many labs use professional though off the shelf tools to recover files. Even if they’re able to dump NAND flash memory of severely physically hampered devices, in the end if files were fragmented to start with, their recovery may produce corrupt files.
Apart from DiskTuna, very few can recover such files. DiskTuna offers this service for JPEG, CR2, NEF and some video and office formats, as long as source media (memory card or flash drive) is available. If your lab is unable to recover the files after dumping the NAND, ask for the logical drive image and share that with us so we can perform the logical recovery.