Windows File Recovery: How does Microsoft’s new tool fit into the modern data recovery toolkit?
At the end of June, Microsoft released Windows File Recovery (WinFR). This is the first official Microsoft undelete utility since MS-DOS 5, and the first for Windows. When Microsoft launched Windows 95, the old DOS undelete tool was replaced with Recycle Bin, which all Windows users will be familiar with today. While Recycle Bin is useful (in some cases better than the undelete tool), it doesn’t cover all file loss scenarios, which makes WinFR a valuable addition to our data recovery toolkits.
Unfortunately, the tool isn’t that easy to find and install at the moment. It’s only available in the Microsoft store and the minimum OS it supports is Windows 10 2004. However, if demand and usage grows over the first few months of its release, there’s a chance that eventually it may ship directly with Windows — but only time will tell if that’s something Microsoft is seriously thinking about.
The Microsoft documentation for WinFR is a useful starting point if you want to learn more about it, but it’s important to understand the tool in the wider context of backup and data recovery. After all, it isn’t appropriate for all use cases, and certainly shouldn’t be the only thing you use to protect files and data.
In this post we’ll take a look at how WinFR works, and how it compares to other methods of data recovery — from Recycle Bin to regular backups.
What options are there for file recovery on Windows?
Undelete works on the principle that when you delete a file from a file system, the data isn’t actively erased. For efficiency, the file record is simply flagged as deleted in the file system index. Even if the partition is reformatted or the disk is repartitioned, the old data will remain until it is overwritten.
There are two methods of undeleting a file.
Recovery using existing file system metadata
As previously noted, when a file is deleted from a filesystem, the location and metadata (information such as the filename, owner, date, etc.) are often left behind (although this depends on the filesystem). Using this residual information is the most effective way to identify, locate and recover a file. WinFR uses this method in both default and file segment modes.
Microsoft doesn’t go into detail about the methods employed in both of these modes, but it seems that default mode scans the active MFT (NTFS index) for file entries marked deleted, while file segment mode assumes that the original MFT is unavailable or incomplete and instead scans the disk for individual MFT file entry records.
Recovery using a file signature
When there is no file system metadata remaining, the fallback method is to search for file signatures. By convention, most file formats start with a ‘magic number’ and a header, typically indicating the extent of the file. This can be used to locate the start of the file and its length. There are, however, some significant drawbacks to this approach: it only works for known file types, the filename, date, etc. will not be known, and it can also be slow.
For fragmented files, a technique called file carving can be used to reassemble the data. This technique is best illustrated by my own experience with a digital camera in the Mongolian winter. The harsh cold was too much for the camera to contend with, and two weeks of photos disappeared in an instant. I quickly replaced the memory card to avoid any data that might be recoverable from being overwritten, and when I returned home, created a surprisingly simple application to search the entire disk (even the partition table was toast) for JPEG signatures (every JPEG file begins with the three bytes ff d8 ff). Fortunately, I was able to recover 99% of my photographs without corruption.
Luckily, fragmentation is very unlikely if you fill a disk from empty without deletion.
Another useful tool for recovering files from cameras or other memory cards (which are invariably based on FAT or exFAT file systems) is PhotoRec. PhotoRec is an open source data recovery tool that specialises in signature-based file recovery and is very effective.
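The signature scan described above, as an added example rather than code from the post or from PhotoRec: it walks a raw image looking for the JPEG start marker (ff d8 ff) and recovers each file up to the next end-of-image marker (ff d9). The disk image it scans is constructed inline, and the stand-in "JPEGs" are just the markers around a short payload. Because no file system metadata is consulted, the recovered files get names derived from their offset, which is the drawback the post describes.

```python
"""Signature-based JPEG carving (added example, not the post's or PhotoRec's code).

Scans a raw image for the JPEG start marker and recovers each file up to the
next end-of-image marker. No file-system metadata is consulted, so the
recovered files have no names or dates. The disk image below is constructed.
"""
from __future__ import annotations

from pathlib import Path

SOI = b"\xff\xd8\xff"  # start of image: every JPEG begins with these three bytes
EOI = b"\xff\xd9"      # end of image marker


def carve_jpegs(image: bytes) -> list[tuple[int, bytes]]:
    """Return (offset, data) for each JPEG located by signature.

    Limitations of any signature scan: files are assumed contiguous (fragmented
    files need true carving), an EXIF thumbnail's own EOI can cut a photo short,
    and a file whose end marker was overwritten is skipped rather than guessed.
    """
    found: list[tuple[int, bytes]] = []
    pos = 0
    while (start := image.find(SOI, pos)) != -1:
        end = image.find(EOI, start + len(SOI))
        if end == -1:
            break  # start marker with no end marker: cannot delimit the file
        end += len(EOI)
        found.append((start, image[start:end]))
        pos = end
    return found


def carved_name(offset: int) -> str:
    """Filenames are unknown to a signature scan, so files are named by offset."""
    return f"carved_{offset:08x}.jpg"


def save_carved(image: bytes, outdir: Path) -> list[Path]:
    """Write every carved file into outdir and return the paths written."""
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for offset, data in carve_jpegs(image):
        path = outdir / carved_name(offset)
        path.write_bytes(data)
        paths.append(path)
    return paths


def fake_jpeg(payload: bytes) -> bytes:
    """Minimal stand-in for a JPEG: the markers around an arbitrary payload (constructed)."""
    return SOI + b"\xe0" + payload + EOI


# Constructed disk image: unused space, two intact "photos" separated by junk,
# and a third whose end was lost (e.g. overwritten), which must not be carved.
SAMPLE_IMAGE = (
    b"\x00" * 512
    + fake_jpeg(b"photo-one")
    + b"\x00" * 100
    + b"random junk"
    + fake_jpeg(b"photo-two")
    + b"\x00" * 64
    + SOI + b"\xe0truncated"
)

if __name__ == "__main__":
    import tempfile

    for off, data in carve_jpegs(SAMPLE_IMAGE):
        print(f"{carved_name(off)}: {len(data)} bytes at offset {off}")
    with tempfile.TemporaryDirectory() as tmp:
        print(save_carved(SAMPLE_IMAGE, Path(tmp)))
```

Run against a real image (for example one taken with dd from a memory card, never from the live card itself), the same loop finds the two-byte markers in the same way; the payloads will just be real entropy-coded data, and the thumbnail caveat in the docstring starts to matter.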
It’s worth noting that both methods rely on the underlying data remaining in place when the space is de-allocated. TRIM, by unmapping the underlying storage, will make it unavailable outside the disk firmware. This means that undeletion is unlikely to be successful on flash storage on either SSDs or NVMe devices, and even magnetic disks using shingled recording (SMR).
Recycle Bin
The Recycle Bin concept was originally introduced by Apple. Microsoft introduced the Recycle Bin in Windows 95, though an earlier version was included with MS-DOS 6.
When a file is deleted, it is moved to the Recycle Bin. Files are only removed from it, on a first in/first out basis, once the Recycle Bin has exceeded its allocated capacity or the disk is near capacity. Only the shell file functions (as used by File Explorer) move files to the Recycle Bin; if a file is deleted by an application that does not use the shell functions, or from the command line, it is deleted outright and never reaches the Recycle Bin.
File / Image based backup
If you are in the fortunate position to have been making regular backups, this will be the most reliable mechanism for recovering your files. If you have configured a backup plan with sequenced Full and Incremental images, you can retrieve a copy of the file as it was at any of your backup points. It will also be your only option in case of corruption, cryptoware or accidental modification.
Undelete might still be your only option if you have deleted the file since the last backup point or if you have deleted the file on a memory card in a camera.
Note that it is possible to recover a file from a Macrium image, using undelete, even if it was deleted before the backup was taken. This can only work, however, if you have enabled the forensic copy option and you are not using storage that TRIMs deallocated space. The default option, Intelligent sector copy, only includes in-use data in the backup and excludes any deallocated storage, which defeats undelete in the same way TRIM does.
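The whole chain of reasoning in this post (deletion only flags the index entry, the old blocks stay readable until reused, TRIM discards them, and an image that copies only in-use sectors discards them too) can be made concrete with a toy block device. This is an added example, not Macrium's or Microsoft's code, and it models nothing about real NTFS or Reflect internals: block size, file names and contents are constructed, and the assumption that an image copies the index (including its deleted records) as in-use metadata is a simplification chosen for illustration.

```python
"""Toy block-device model of undelete (added example, not the post's code).

Models: deletion only flags the index entry; undelete reads the old blocks back
while they are intact; TRIM (SSD unmap) and backups that copy only in-use
sectors both leave zeros where the data used to be; reallocating a block
destroys the old file. Block size, names and contents are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

BS = 8  # bytes per block (constructed; real devices use 512 or 4096)


@dataclass
class Entry:
    """One index record (think MFT entry): name, block list, size, deleted flag."""
    name: str
    blocks: list[int]
    size: int
    deleted: bool = False


@dataclass
class ToyFS:
    nblocks: int
    trim: bool = False  # True models flash storage that unmaps freed blocks
    index: list[Entry] = field(default_factory=list)
    disk: bytearray = field(init=False)

    def __post_init__(self) -> None:
        self.disk = bytearray(self.nblocks * BS)

    def _live_blocks(self) -> set[int]:
        return {b for e in self.index if not e.deleted for b in e.blocks}

    def write(self, name: str, data: bytes) -> None:
        live = self._live_blocks()
        free = [b for b in range(self.nblocks) if b not in live]
        needed = -(-len(data) // BS)  # ceiling division
        if needed > len(free):
            raise OSError("disk full")
        blocks = free[:needed]  # lowest free blocks first, so freed space is reused
        for i, b in enumerate(blocks):
            chunk = data[i * BS:(i + 1) * BS]
            self.disk[b * BS:b * BS + len(chunk)] = chunk
        self.index.append(Entry(name, blocks, len(data)))

    def delete(self, name: str) -> None:
        entry = next(e for e in self.index if e.name == name and not e.deleted)
        entry.deleted = True  # the data itself is left in place...
        if self.trim:         # ...unless the device discards unmapped blocks
            for b in entry.blocks:
                self.disk[b * BS:(b + 1) * BS] = bytes(BS)

    def undelete(self, name: str) -> bytes | None:
        """Metadata-based recovery: follow the deleted entry's block list."""
        entry = next((e for e in self.index if e.name == name and e.deleted), None)
        if entry is None:
            return None
        if any(b in self._live_blocks() for b in entry.blocks):
            return None  # a block has been reallocated: the data is overwritten
        raw = b"".join(bytes(self.disk[b * BS:(b + 1) * BS]) for b in entry.blocks)
        return raw[: entry.size]

    def image(self, forensic: bool) -> ToyFS:
        """Model a disk image. forensic=True copies every block; False copies only
        blocks in use (the 'intelligent sector copy' behaviour). The index, deleted
        records included, is copied either way (a simplifying assumption here)."""
        copy = ToyFS(self.nblocks, self.trim)
        copy.index = [Entry(e.name, list(e.blocks), e.size, e.deleted) for e in self.index]
        live = self._live_blocks()
        for b in range(self.nblocks):
            if forensic or b in live:
                copy.disk[b * BS:(b + 1) * BS] = self.disk[b * BS:(b + 1) * BS]
        return copy


def scenario(trim: bool) -> dict[str, bytes | None]:
    """Delete a file, attempt recovery from the disk and from both image types,
    then let new data reuse its first block and attempt recovery again."""
    fs = ToyFS(nblocks=4, trim=trim)
    fs.write("report.txt", b"quarterly numbers")  # 17 bytes -> blocks 0, 1, 2
    fs.delete("report.txt")
    result: dict[str, bytes | None] = {
        "from_disk": fs.undelete("report.txt"),
        "from_forensic_image": fs.image(forensic=True).undelete("report.txt"),
        "from_intelligent_image": fs.image(forensic=False).undelete("report.txt"),
    }
    fs.write("notes.txt", b"x" * BS)  # reuses block 0
    result["after_overwrite"] = fs.undelete("report.txt")
    return result


if __name__ == "__main__":
    for trim in (False, True):
        print(f"trim={trim}:")
        for key, value in scenario(trim).items():
            print(f"  {key}: {value!r}")
```

On a magnetic disk (trim=False) the file comes back intact from the disk and from the forensic image, comes back as zeros from the intelligent-sector image, and is gone once another file reuses one of its blocks. With trim=True the disk itself already reads as zeros, which is the post's point about SSD and NVMe devices.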
Professional data recovery services
If the disk electronics, the heads, or the spindle mechanism have failed and you don’t have a backup, there are, fortunately, specialist companies that can repair the faulty hardware or splice the media into a replacement unit. In extreme cases, there are techniques for reading data directly from the disk surface with a tunnelling microscope, which can even read overwritten data. It goes without saying that this type of recovery will be very expensive.
Conclusion: backup is best
Clearly there are a wide range of options available to help you recover a deleted file; each one has its place in your toolkit, and no doubt WinFR is a welcome addition. Indeed, if you have no backup and the tool is available to you, it will be your best option for NTFS file systems.
However, whatever your file recovery needs are, maintaining a regular backup set should form the foundations of your data protection measures. It’s a valuable insurance policy that will have your back in the widest range of scenarios, saving you potentially untold amounts of stress.