How to recover information
Since when a file is deleted, it is not physically destroyed from the disk, it can be restored. As well as recovering all files in the case of, for example, accidentally formatting a disk. If the FAT file allocation table is intact, then you can easily find the first cluster that belongs to the file. However, the remaining clusters may lie anywhere on the disk. To restore a file, it is necessary not only to find all the clusters belonging to the file, but also to correctly determine the order of their sequence.
This task is very difficult and almost impossible to algorithmize. Accordingly, there are no reliable tools that automatically recover deleted files. The available tools are designed primarily to recover individual files deleted by mistake. The most widely used is probably the UnErase utility from the Norton Utilities bundle. This utility confidently restores files if fragmentation is missing. If sequentially located clusters are free, then they most likely belong to one remote file. In the absence of fragmentation – it really is. If the file is fragmented, then it is assigned the required number of nearby free clusters. Something like this, the operating system assigns clusters to a file when it is created.
However, this is not always true. Therefore, if there is fragmentation, the automatic file recovery utility may restore the file incorrectly. If many files are deleted, or, as in the case of the Win95.CIH virus, the FAT is completely deleted, then the utilities are useless. The worst thing is that if an attempt was made to restore the file, and this attempt was unsuccessful, then most likely the file cannot already be restored. The recovery utility has made corrections to the FAT and the directory.
There are more powerful professional data recovery utilities. In particular, the TIRAMISU utility suite (http://www.recovery.de). These are several utilities for recovering information on disks with FAT16, FAT32, NOVELL, NTFS. Utilities are commercial. Cost from 95 to 650 USD each. Protection against unauthorized use is carried out using a key diskette. Several such key floppy disks “walk” around Kiev, since the technology of copying key floppy disks is well mastered. These utilities allow you to save recoverable files to another drive. Therefore, it can be used without fear of irretrievably losing information. Nevertheless, if the disk is highly fragmented, then this utility is often not able to recover information (at least, this applies to the case when both copies of FAT are completely destroyed).
In the process of recovering information on disks infected with the Win95.CIH virus, the capabilities of the TIRAMISU utility were tested in the EPOS service center. The utility confidently coped with the task in many cases when disk fragmentation was not very significant. However, with the help of this utility it was not possible to restore a single disk from those that came from the accounting departments of enterprises. Moreover, it was impossible to recover information on such disks with the help of Norton utilities. In the accounting department of any enterprise, intensive work with databases is carried out, most often with the use of programs written in FoxPro. In this case, a lot of temporary files are created in the process. Database files are constantly being updated. Therefore, on accounting machines, file fragmentation occurs in a very short time and develops very quickly.