Getting Started with Undelete Plugin
The Undelete plugin allows you to recover deleted files from NTFS, FAT12, FAT16, FAT32, and exFAT partitions. On NTFS partitions, it also restores ADS (alternate data streams), compressed, and encrypted files. You can recover files and directories from all local volumes (mounted to drive letters or to directories, or not mounted at all) and also from disk image files.
See the File System and Menu Extension sections in Using Plugins for a description of basic work with file system plugins and menu extensions.
Principles and Limitations
Each file on a disk is stored in short blocks called clusters. After a file is deleted, its clusters are only marked as free: the actual data are left on the disk until the clusters are used again for a different file. If used early enough, the Undelete plugin is able to find the clusters of the deleted file and copy them to a new file on another volume.
It is important to avoid writing any data to the volume containing the deleted file so that the deleted clusters are not overwritten. This also means that deleted files should only be recovered to a different volume, so that the recovered copy does not overwrite the very clusters it is being read from. If there are no alternate volumes on your computer usable for the recovery, removable media (e.g. diskettes, USB disks) and network drives are also good candidates.
On FAT partitions it is unfortunately not possible to reliably identify all clusters of a deleted file, especially if the file was very large. A heuristic algorithm has to be used whose results may be incorrect. Note that this applies to all undelete programs.
In general, successful recovery of deleted files is not guaranteed and the recovered data may be damaged. You should always check if the obtained data are valid.
The chance of recovering a deleted file is displayed in the Condition column (switch the panel to Detailed view):
Good | File is not deleted, or is MFT-resident, or is deleted but no collision with other deleted or existing files was detected. | There is a chance to recover the entire file. |
Fair | Some clusters of the deleted file conflict with clusters of other deleted files. | There is a smaller chance to recover the entire file. |
Poor | Some clusters of the deleted file conflict with existing files. | Some parts of the file are certainly damaged. |
Lost | All clusters of the deleted file are used again by existing files. | Zero chance to even partially recover such a file. |
Unknown | Damage estimation failed or was not performed at all. |
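The Condition rules above can be modelled as set operations on cluster numbers. The following is an added example, not the plugin's own code: the function names, the sample volume, and the choice that Poor takes precedence over Fair when both kinds of collision occur are assumptions made for illustration.

```python
from enum import Enum

class Condition(Enum):
    GOOD = "Good"
    FAIR = "Fair"
    POOR = "Poor"
    LOST = "Lost"
    UNKNOWN = "Unknown"

def estimate_condition(clusters, allocated, other_deleted, mft_resident=False):
    """Classify one deleted file by the Condition rules listed above.

    clusters: cluster numbers the file occupied, or None if they are unknown.
    allocated / other_deleted: clusters of existing / other deleted files.
    """
    if mft_resident:
        return Condition.GOOD      # content is stored in the MFT record itself
    if clusters is None:
        return Condition.UNKNOWN   # damage estimation was not possible
    own = set(clusters)
    reused = own & allocated
    if own and reused == own:
        return Condition.LOST      # every cluster now belongs to an existing file
    if reused:
        return Condition.POOR      # assumption: Poor outranks Fair when both apply
    if own & other_deleted:
        return Condition.FAIR      # overlap only with other deleted files
    return Condition.GOOD

def scan(existing, deleted):
    """Return {deleted file name: Condition} for a volume given as cluster lists."""
    allocated = {c for cl in existing.values() for c in cl}
    report = {}
    for name, clusters in deleted.items():
        # Clusters claimed by every *other* deleted file on the volume.
        others = {c for n, cl in deleted.items() if n != name and cl for c in cl}
        report[name] = estimate_condition(clusters, allocated, others)
    return report

# Constructed sample volume; file names and cluster numbers are made up.
EXISTING = {"new.log": [10, 11, 12, 20, 21]}
DELETED = {
    "memo.txt": [40, 41], "report.doc": [30, 31, 32], "photo.jpg": [32, 33],
    "backup.zip": [12, 13, 14], "notes.txt": [20, 21], "cache.tmp": None,
}

if __name__ == "__main__":
    for name, cond in scan(EXISTING, DELETED).items():
        print(f"{name:12} {cond.value}")
```

In this sample, new.log was written after the deletions and reused clusters 12, 20 and 21, which is why backup.zip drops to Poor and notes.txt to Lost: exactly the effect of writing to the volume before recovery.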