The File Table in Windows and its Role in Data Recovery

by PlatterSwapper

The purpose of this short article is to explain the basic structure and use of the file table with regard to recovering lost files from a hard disk that has been accidentally reformatted or has simply suffered system corruption.

Why is it so Important for Recovering my Documents?

The file table tells the Operating System (Windows, for the purposes of this article) where to find a document on the hard drive and what it is called (and therefore what application to use to open it). In the case of larger files it will identify where on the drive each fragment begins and ends, what size it is and many other pieces of information.

The file table is a part of the file system, as distinct from the operating system. An operating system may use different file systems; for example, while Windows will usually use NTFS, it can also use FAT32.

The file table most commonly encountered is the one used by NTFS and is called the MFT (Master File Table).

In many ways the MFT can be thought of as analogous to the index of a reference book where each index entry is a file on the hard drive. In order to recover a file with its original name it is necessary to locate its original entry in the MFT. It can still be possible to recover some types of data when the table entry has gone completely, but this is much more difficult; for more information, have a look at this article on logical file retrieval.

Where a file has become fragmented, that is to say that it is not stored in a single contiguous area of the hard drive but is spread over multiple discrete locations around the drive, then the table entry is essential for recovery as there is no other way of locating the fragments. Typically larger files or those that are continually growing over time (such as email databases) will quickly become fragmented.
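
As an added illustration (not part of the original article): on NTFS, the fragment locations that the MFT entry holds for a file are stored as a compact "runlist" inside the entry. The Python sketch below decodes one into start positions and lengths; the sample bytes are constructed, and the function names and the 4096-byte cluster size are assumptions.

```python
def decode_data_runs(runlist: bytes):
    """Decode an NTFS runlist into (start_cluster, cluster_count) fragments.

    start_cluster is None for a sparse run (no clusters allocated on disk).
    """
    fragments = []
    pos = 0
    prev_lcn = 0  # each offset is stored relative to the previous run's start
    while pos < len(runlist):
        header = runlist[pos]
        if header == 0x00:          # end-of-runlist marker
            break
        len_size = header & 0x0F    # low nibble: bytes in the length field
        off_size = header >> 4      # high nibble: bytes in the offset field
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(runlist):
            raise ValueError("truncated or corrupt runlist")
        count = int.from_bytes(runlist[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            fragments.append((None, count))   # sparse run, nothing on disk
            continue
        # The offset is signed: a later fragment may sit earlier on the disk.
        delta = int.from_bytes(runlist[pos:pos + off_size], "little", signed=True)
        pos += off_size
        prev_lcn += delta
        fragments.append((prev_lcn, count))
    return fragments


def to_byte_ranges(fragments, cluster_size=4096):
    """Convert fragments to (byte_offset, byte_length); cluster size is assumed."""
    return [(lcn * cluster_size, count * cluster_size)
            for lcn, count in fragments if lcn is not None]


# Constructed sample: a file in two fragments, the second placed before the first.
SAMPLE_RUNLIST = bytes.fromhex("21 10 00 04 11 08 C0 00")

if __name__ == "__main__":
    for lcn, count in decode_data_runs(SAMPLE_RUNLIST):
        print(f"fragment: start cluster {lcn}, {count} clusters")
```

Without the table entry that carries this list, nothing on the disk links the second fragment to the first, which is why fragmented files cannot be reassembled from their contents alone.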

Where is the MFT on the Hard Drive?

When you first install Windows on a hard drive (or format/re-format a drive) a file table will be created. It will usually be created starting at around 3GB into the hard drive. The operating system will normally reserve a certain percentage of the available capacity for the MFT to fill in a single contiguous space.

Eventually the MFT becomes too large for the space on the hard drive reserved for it and it needs to expand. The MFT itself will then become fragmented. In other words, additional MFT entries are created in other parts of the hard drive (as the available space allows). The MFT itself will point to the physical location on the hard drive of the next MFT extension. The file table is itself a single file spread across the hard drive. It can be thought of as a chain in which each link contains the information about where on the drive to locate the next link. This in turn means that if one link is lost then all of the subsequent chain becomes isolated from the start of the MFT and consequently lost to the operating system.

A re-format creates a new MFT (consisting exclusively of Windows’ own operating files at first, as you have not yet created your own data). Depending upon exactly how you reformat the drive, you may or may not remove all of the previously installed MFT entries. Remember, however, that the new MFT is a single continuous entity and so, as far as the operating system is concerned, the pre-reformat MFT entries are no longer seen; it will see only the MFT created by the re-format.

Older Windows operating systems will simply create a new bare-bones file table which will at least partially overwrite the pre-reformat file table. This means that while parts of your old file table will still exist, the operating system will not be aware of them (however, scanning recovery software such as R-Studio or GetDataBack for NTFS will identify these and look for the files referred to by these now isolated remnants of the old MFT). Newer versions of Windows operating systems also have the ability to erase the drive before creating the new file table; where this option is exercised there will be no data left to recover. If you are unsure as to which type of re-format has been done, then the time taken for the re-format to complete is the key. A quick format will take a minute or two at most; a complete wipe and reformat will take much longer (as a very rough guideline figure, around 1 hour per 100GB of hard drive capacity, so a 500GB drive might take 5 hours).

What Happens When You Delete Something?

When you delete a file, the MFT entry is simply modified to show that the file in question is no longer required. The file itself is not deleted but, as far as the operating system is concerned, the space occupied can now be used again. The operating system uses a complex algorithm to decide where to place new data on a hard drive (the motivation being to get the maximum use from the available space) and so that deleted file may be overwritten almost immediately or months or even years later, depending upon where it is located. This is why, if you accidentally delete something critical, it is essential that you stop using the drive until you have recovered it. The operating system may decide to use the space the deleted file occupies at any time. Once that has happened it has gone for good.
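
An added example, not from the original article, of what scanning recovery software does with the isolated MFT remnants described earlier and with the "no longer required" marking described above: walk a raw image, find records by their FILE signature, and read the in-use flag in each record header. The 1024-byte record size, the function names and the sample image are assumptions constructed for the illustration.

```python
import struct

RECORD_SIZE = 1024          # assumed MFT record size (the usual NTFS default)
FLAG_IN_USE = 0x0001        # cleared when the file is deleted
FLAG_DIRECTORY = 0x0002


def scan_mft_records(image: bytes, record_size: int = RECORD_SIZE):
    """Yield a summary for every 'FILE' record found on a record boundary."""
    for off in range(0, len(image) - record_size + 1, record_size):
        rec = image[off:off + record_size]
        if rec[:4] != b"FILE":
            continue
        # 0x10 sequence, 0x12 link count, 0x14 first-attribute offset,
        # 0x16 flags, 0x18 bytes of the record actually used
        seq, links, attr_off, flags, used = struct.unpack_from("<HHHHI", rec, 0x10)
        if not (0x2A <= attr_off < used <= record_size):
            continue  # signature matched by chance; header is implausible
        yield {
            "offset": off,
            "sequence": seq,
            "in_use": bool(flags & FLAG_IN_USE),
            "is_directory": bool(flags & FLAG_DIRECTORY),
        }


def recoverable_candidates(image: bytes):
    """Offsets of file records marked not in use: deleted, but entry still intact."""
    return [r["offset"] for r in scan_mft_records(image)
            if not r["in_use"] and not r["is_directory"]]


def _make_record(flags: int, seq: int = 1) -> bytes:
    """Build a constructed, header-only record for the demonstration."""
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<HHHHI", rec, 0x10, seq, 1, 0x38, flags, 0x100)
    return bytes(rec)


# Constructed sample image: live file, deleted file, non-MFT data, live directory.
SAMPLE_IMAGE = (_make_record(FLAG_IN_USE) + _make_record(0, seq=2)
                + b"\x00" * RECORD_SIZE + _make_record(FLAG_IN_USE | FLAG_DIRECTORY))

if __name__ == "__main__":
    for r in scan_mft_records(SAMPLE_IMAGE):
        print(r)
    print("deleted file records at:", recoverable_candidates(SAMPLE_IMAGE))
```

On a real volume each record also needs its update sequence fix-ups applied before its attributes (file name, data runs) are parsed; the header fields read here are not affected by them.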
