The client in this data recovery case study came to us to help them get back a number of photos they’d accidentally overwritten. They’d had a handful of photos in one folder, and a handful of photos in another folder, some of which just happened to have the same file name. They dragged and dropped the contents of one folder into another, and, of course, Windows noticed that some of the files had the same names. One slip of the finger later, and the photos the client had dragged-and-dropped replaced the other photos. And they were gone. But gone forever—perhaps not. It was up to the logical data recovery specialists at Gillware to see what files we could recover. Our overwritten file recovery experts were on the case.
Overwritten File Recovery Case Study: Identity Crisis
Drive Model: Western Digital WDBACY5000ABK-00
Drive Capacity: 500 GB
Operating/File System: Windows NTFS
Data Loss Situation: Moved pictures from one folder over to another. They had the same file name but were different pictures. This seemed to have overwritten the original files.
Type of Data Recovered: Original photo files that had been overwritten
Binary Read: 100%
Gillware Data Recovery Case Rating: 6
Windows doesn’t like it when two files in the same folder have the exact same name, because it can’t tell which is which. The fact that the two files have different contents doesn’t matter—what matters is that they have the same name and live at the same address.
Imagine you have a friend named Bob Smith. And Bob has a cousin, who is also named Bob Smith, living at the same address. The mailman has to deliver a package to Bob Smith, but he doesn’t know which Bob Smith is which. In the real world, this would be a confusing, but easily resolved, situation.
But computers do not handle confusion well. If your computer were delivering that package, it would adopt a novel (but very messy) solution to the “two Bobs problem” by killing one of them, or perhaps dragging the younger Bob to court to process a legal name change to Bob Smith (2) so as to prevent any further confusion.
Windows is typically polite enough to ask you upfront what you would like it to do when it encounters an identity crisis, so you don’t have to worry about getting Bob’s blood out of the carpet. You can choose to replace the original file, rename the newcomer, or cancel the operation altogether. But it only takes a slip of the finger to choose the wrong option. Many logical data loss situations, like this one, are the results of accidents.
Windows deletes the old file in order to replace it with the new file. When you delete a file normally (such as when you empty the recycle bin on your desktop), the part of the filesystem that keeps track of used hard disk sector clusters goes and marks the clusters containing the file as “unused” (and therefore, fair game to reuse).
Recovering overwritten files tends to be a bit trickier than recovering deleted files, although much of the process is the same, and our engineers use many of the same tools and techniques we use to recover deleted files.
One important thing to note is that shuffling files around from one folder to another only influences where the files are located in the directory structure. The physical locations of the files—that is, the actual spots on the hard disk platters that store their data—don’t change.
Shuffling data back and forth across your hard drive’s directory structure does, however, change filesystem metadata, such as the file definitions. You’ve rearranged the furniture; the signposts that point to your files need adjusting. The signposts that pointed to the file you’ve overwritten don’t point to the old file anymore. They point to the new one. As for the old file… it’s not on the map anymore.
As in deleted data recovery situations, the more you use your computer and the more data you write to the hard drive (even inadvertently), the closer you come to overwriting the actual physical sectors containing the deleted data. This can lead to irreparable file corruption—which is why, after deleting or overwriting data, it is imperative that you use as little of the hard drive as possible.
To find the overwritten files, our engineers need to search for any old and out-of-date filesystem metadata (such as old $MFT file records) that might point to files that, as far as Windows is concerned, are no longer extant. If that proves insufficiently fruitful, our engineers can scan for file headers to find files that have been “orphaned” from the directory structure as well.
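The search for out-of-date $MFT file records described above can be sketched as follows. This is an added example, not Gillware's tooling: it scans a raw image for `FILE` record signatures, keeps the records whose in-use flag is clear, and reads the name from the $FILE_NAME attribute. It assumes 1024-byte records and skips update-sequence fixups; `make_record` and `SAMPLE` are constructed test data, not a real MFT.

```python
import struct

RECORD_SIZE = 1024          # common NTFS file record size (assumption)
FLAG_IN_USE = 0x0001        # record header flag: record is allocated
ATTR_FILE_NAME = 0x30       # $FILE_NAME attribute type
ATTR_END = 0xFFFFFFFF       # end-of-attributes marker

def file_name(record):
    """Return the name stored in the record's resident $FILE_NAME attribute."""
    pos = struct.unpack_from("<H", record, 0x14)[0]      # first attribute offset
    while pos + 8 <= len(record):
        a_type, a_len = struct.unpack_from("<II", record, pos)
        if a_type == ATTR_END or a_len == 0 or pos + a_len > len(record):
            break
        if a_type == ATTR_FILE_NAME and record[pos + 8] == 0:   # resident only
            body = pos + struct.unpack_from("<H", record, pos + 0x14)[0]
            n_chars = record[body + 0x40]                # name length, UTF-16 units
            raw = record[body + 0x42: body + 0x42 + 2 * n_chars]
            return raw.decode("utf-16-le", errors="replace")
        pos += a_len
    return None

def find_unused_records(image):
    """Yield (offset, name) for FILE records whose in-use flag is clear."""
    for off in range(0, len(image) - RECORD_SIZE + 1, RECORD_SIZE):
        rec = image[off: off + RECORD_SIZE]
        if rec[:4] != b"FILE":
            continue
        flags = struct.unpack_from("<H", rec, 0x16)[0]
        if not flags & FLAG_IN_USE:
            yield off, file_name(rec)

def make_record(name, in_use):
    """Build a minimal constructed FILE record (sample data, not a real MFT)."""
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 0x14, 0x38, FLAG_IN_USE if in_use else 0)
    encoded = name.encode("utf-16-le")
    body = bytes(0x40) + bytes([len(encoded) // 2, 1]) + encoded
    a_len = (0x18 + len(body) + 7) & ~7                  # attributes are 8-byte aligned
    struct.pack_into("<II", rec, 0x38, ATTR_FILE_NAME, a_len)
    struct.pack_into("<IH", rec, 0x38 + 0x10, len(body), 0x18)
    rec[0x38 + 0x18: 0x38 + 0x18 + len(body)] = body
    struct.pack_into("<I", rec, 0x38 + a_len, ATTR_END)
    return bytes(rec)

# Constructed sample image: one live record, one empty block, one stale record.
SAMPLE = make_record("IMG_0001.JPG", True) + bytes(RECORD_SIZE) + make_record("IMG_0001.JPG", False)
```

On a real case this would run against a read-only image of the drive, never the drive itself, for the reason given above about further writes.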
Due to the severity of the logical damage that had taken place, there was a great deal of irreparable file corruption, but after searching for deleted file records and scanning for file headers, our engineers managed to turn up a large number of overwritten photos that were still in good shape. We sent the client a sheet of thumbnails of the overwritten files we’d successfully recovered for them to peruse. The client then let us know that our overwritten file recovery efforts had paid off. This data recovery case turned out to have a happy ending.