Data Recovery Definitions (2023)

Alternate Data Stream (ADS)An Alternate Data Stream (ADS) is a feature of the NTFS file-system. ADS were originally included in Windows NT for compatibility with Macintosh HFS file-systems resource fork and a data fork. The ADS provides a means to allow programmers to add additional metadata to be stored for a file, without adding this data directly to the file. The additional data is attached as a stream which is not normally visible to the user. Recover My Files shows ADSs with a blue file icon with an “A” character.ASCIIThe American Standard Code for Information Interchange (ASCII) is a 7-bit character encoding scheme that allows text to be transmitted between electronic devices in a consistent way. The ASCII character set comprises codes 0–127, within which codes 0–31 and 127 are non-printing control characters. The addition of Codes 128–255 make up the Extended ASCII character set (see for more information)(8).ClusterA cluster is the smallest logical unit of drive storage space on a hard drive that can be addressed by the computers Operating System. A single computer file can be stored in one or more clusters depending on its size.Cluster Boundaries

A cluster boundary refers to the start or the end position of a cluster (a group of sectors). If a file is fragmented (stored in non-contiguous clusters), the fragmentation happens at the cluster boundary, as there is no smaller unit of storage space that can be addressed by a computer.

Examining data at cluster boundaries can be an important technique to improve the speed of some search routines. For example when file carving for file headers, it is faster to search the cluster boundary (i.e. the beginning of a cluster) rather than a sector by sector search of the drive.

Computer forensicsComputer forensics is the use of specialized techniques for recovery, authentication, and analysis of electronic data with a view to presenting evidence in a court of law.Data carveSee file carve.Deleted File

A deleted file is one which has been marked as deleted by the file-system (usually as a result of being sent to and emptied from with Recycle Bin). A deleted file can be recovered by reading the file-system record for the file, then reading and restoring the file data. As long as the data for the file is intact (i.e. the space once occupied by the file has not been used to store new data) the recovered file will be valid.

(Video) What is data recovery, how it works, how to recover lost or deleted data? | TechTerms

In some cases the file-system record itself can be overwritten and destroyed. If this is the case the file can only be recovered by “file carving” and it is returned and displayed in Recover My Files as a “carved”. Because file and folder information is only stored with the file-system record, a carved file does not retain its original file or folder name.

DeviceA device refers to the electronic media being examined. It usually refers to a physical device, such as a hard drive, camera card etc., but can also mean the forensic image of a device in DD, E01 or other formats.DirectorySee Root DirectoryDirectory Entry (FAT)A component of the FAT file-system. Each file or folder on a FAT partition has a 32 byte directory entry which contains its name, starting cluster, length and other metadata and attributes.Drive SlackThe area between the end of a partition and the end of the drive. It is usually considered to be blank, but can hold remnants of previous drive configurations or could be used to purposely hide data.Drive view

A graphical representation in Recover My Files of sectors on the examined device. Drive view can be used to:

  • Examine the content of the data in a specific sector/s;
  • Quickly navigate to a desired sector position on the device;
  • Obtain a graphical overview of the file types which make up the drive and where they are position on the examined media;
  • Identify the location and fragmentation of individual files.
DSTDaylight Savings TimeE01A forensic file format used to create drive image files. Developed by Guidance Software ( ViewFile display technology written by GetData and used in the Recover My Files Display view to show the contents of more than 300 different file types.FAT

FAT (File Allocation Table) is the file-system that pre-dates NTFS. Once popular on Windows 95, 98 and XP, it is now primarily used on memory cards, USB drives, flash memory etc. due to its simplicity and compatibility between Operating Systems (e.g. Windows and MAC).

(Video) What is clock and data recovery?

For more information see:

FAT SlackThe unused space in the last cluster of the FAT where the logical size of the FAT does not fill the complete cluster.File carve

File carving (also known as file carving or carving) is the process of searching for files based on a known content, rather than relying of file-system metadata. This usually involves searching for a known header and footer of a specific file type.

Recover My Files has built in code to data carve for more than 300 file types.

(Video) Data Recovery Tutorial - Getting started with DDRescue and TestDisk

File SignatureThe header component of a file which has unique identifiers that assigns it to a type, e.g. a jpeg. Most common file types have a signature set by the International Organization for Standardization (ISO).Identifying a file by its signature is a more accurate method of assessment that using the file extension, which can easily be altered.File SlackThe unused space in the last cluster of a file where the logical size of the file does not fill the complete cluster. The file slack can contain fragments of old data previously stored in that cluster.File-systemThe organization of files into a structure accessible by the Operating System. The most common types of file-systems used by Widows are FAT and NTFS. Others include EXT (Linux) and HFS (MAC).FlagIn Recover My Files a flag is used to mark a file as relevant. It is a colored box (flag) that is applied to a List view when the “Flag” column is displayed. Eight colored flags are available for use. Flags are applied by highlighting and artifact and double clicking the opaque flag color in the flag column, or by using the right click “Add Flag” menu.FolderSee Root DirectoryForensic IntegrityIn computer forensic the term “forensic integrity” commonly refers to the ability to preserve the evidence being examined so that it is not altered by the investigator or the investigative process. This enables a third party to conduct an independent examination of the evidence on an identical data set. Forensic integrity is usually achieved through the use of write blocking devices (to protect original media from being changed) and the forensic image process (the acquisition of an identical copy which can be re-verified at a later date.)Fragmented FileThe distribution of a file on a drive so that it's written in non-contiguous clusters.Free SpaceFree space is often used to describe unallocated clusters, the available drive storage space that is not allocated to file storage by a volume. Free space can however also refer to the unused area of a drive not taken up byHash

A Hash is a mathematical calculation to generate a unique value for specific data. The chances of two files that contain different data having the same hash value are exceedingly small.

The most common hash algorithm in use is 128-bit MD5.

HexHexadecimal is a base 16 numbering system. It contains the sixteen sequential numbers 0-9 and then uses the letters A-F. In computing, a single hexadecimal number represents the content of 4 bits. It is usually expressed as sets of two hexadecimal numbers, such as “4B”, which gives the content of 8 bits, i.e. 1 byte.INFO2

Windows automatically keeps an index of what files were deleted including the date and time of the deletion. The index is held in a hidden file in the Recycle Bin called INFO2.

(Video) Professional Data Recovery with $300 Data Recovery - Part 1

When the Recycle Bin is emptied, the INFO2 file is deleted.
Recovery and analysis of deleted INFO2 files can provide important information about files that were once located on the computer.

LFN (also see SFN)Long File Name refers to file or folder on a FAT file-system which has a name greater than 8 characters and 3 for the file extension (or one which contains special characters). The storage of the additional file name information makes it necessary for Windows to create an additional LFN directory entry (or entries) to hold the extra information.Link Files (LNK)Link files (.lnk) are Microsoft Windows shortcut files. Link files have their own metadata and can provide valuable information about files stored on the computer.Logical Evidence File

Logical Evidence Files (or Logical images Files) are images of selected files, rather than the traditional image of a volume or physical drive. They are usually created during a preview where an investigator identifies file based evidence worthy of preservation, when an image of the entire volume or device is not warranted.

Common Logical Evidence File formats are L01, created by EnCase ® forensic software ( or AD1 by Access Data’s Forensic Tool Kit ® (

(Video) Top 5 Data Recovery Software Tools - Windows 10 & macOS

Logical file spaceThe actual amount of space occupied by a file on a hard drive. It may differ from the physical file size, because the file may not completely fill the total number of clusters allocated for its storage. The part of the last cluster which is not completely filled is called the file slack.Logical Sector (LS)Lost (file)Files located by “file carving” with Recover My Files are displayed as “Lost_[fileytpe].xxx.Master boot record (MBR, Boot Sector)The very first sector on a hard drive. It contains the startup information for the computer and the partition table, detailing how the computer is organized.Master File Table (MFT)“On an NTFS volume, the MFT is a relational database that consists of rows of file records and columns of file attributes. It contains at least one entry for every file on an NTFS volume, including the MFT itself. The MFT stores the information required to retrieve files from the NTFS partition”. (9))MetadataMetadata is often referred to as “data about data”. Windows metadata includes a files create, last accessed and modified dates, as shown in File List view of Recover My Files. File metadata includes information such as camera make and model in a JPEG, or author name in Microsoft Word.Mount Image Pro (MIP)A computer forensics software tool written and sold by GetData ( which enable the mounting of forensic image files as a drive letter on a Windows computer system.MRUMost Recently Used (MRU) is a term used to describe a list of the most recently opened files by an application. Many Windows applications store MRU lists as a way of allowing fast and consistent access to most recently used files. Most MRU lists are stored in the Windows registry.NTFSThe Windows New Technology File-system (NTFS) superseded FAT.It was released with Windows NT and subsequently Windows 2000, Windows XP, Windows Server 2003, Windows Server 2008, Windows Vista, and Windows 7. It uses a Maser File Table (MFT) to store the information required to retrieve files from the NTFS partition.PaneAn area of the Recover My Files module. The Recover My Files module is broken down into three panes, Folder Tree, File List view and File Display. A pane can contain multiple different windows, such a Hex view, Text view, Drive view, Console etc.PartitionA part of a hard drive that can have an independent file-system.Physical sector (PS)RAIDRedundant Array of Independent Drives.RAMRandom Access Memory, where programs are loaded and computer code is executed. The content of RAM is lost when the computer is turned off.RAM SlackRAM slack is the data between the end of the logical file and the rest of that sector. For example, a sector is written as a block of 512 bytes, so if the last sector contains only 100 bytes, the remaining 412 bytes is padded with RAM slack. In older Operating Systems, e.g. Windows 95, RAM slack could contain data from RAM unrelated to the content of the file. In more recent Operating Systems, RAM slack is filled with zeros.Recover My FilesData Recovery Software authored and sold by GetData at www.recovermyfiles.comRegistryThe Windows Registry is a hierarchical database that stores configuration settings and options for the Microsoft Windows operating systems. For the computer forensics examiner it can be a wealth of information on all aspects of the computer and its use, including hardware, applications, and user configuration.Root Directory/Folder

A directory is a container used to organize folders and files into a hierarchical structure. The root (also referred as the root folder or root directory) is the first level folder of the hierarchy (It is analogous to the root of a tree, from which the trunk and branches arise). The root folder is the same as click on the drive letter in Windows Explorer, e.g. being located in folder “C:\”.

A directory that is below the root is called a subdirectory. A directory above a subdirectory is called its parent directory. The root is the parent of all directories.

“Directory” was a more common term when DOS use was prolific (The “DIR” command is used in DOS to list the contents of a directory). Directories are now more commonly referred to as “Folders”.

(Video) *2023 update, no longer recommended* Wondershare RecoverIt Full Review - data recovery software

SectorA sector is a specifically sized unit or storage on a hard drive. A sector on a hard drive usually contains 512 bytes. A group of sectors forms a cluster, which is the lowest level of storage space which can be addressed by an Operating System (e.g. Windows).SFN (see also LFN)Short File Name refers to a file or a folder on a FAT file-system that has a file name that can be stored in the 8.3 file name format (8 name characters with 3 characters for the extension). The name and metadata for a SFN file can be stored within a standard FAT directory entry.SlackSee File Slack, Drive Slack, FAT SlackSteganographySteganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity (Definition from: ClustersUnallocated clusters (also referred to as unallocated space or free space) are the available drive storage space that is not allocated to file storage by a volume. Unallocated clusters can be a valuable source of evidence in a computer forensics examination because they can contain deleted files or remnants of deleted files created by the Operating System and / or computer users.UnicodeUnicode is an international standard for processing and displaying all types of text. Unicode provides a unique number for every character for all languages on all platforms.VolumeA collection of addressable sectors that are used to store data.The sectors give the appearance of being consecutive, but a volume may span more than one partition or drive.Write BlockA hardware device or software program that prevents writing to an examined device. A write block is designed to maintain the ‘forensic integrity’ of an examined device by demonstrating that changes to the content of the device were not possible.


What is 3 2 1 1 0 backup rule? ›

Despite its longevity, the rule can be difficult to apply in today's world. The 3-2-1 rule states that in order to be fully protected, organizations must have three copies of their data on two different types of media, with one copy off site.

Is data recovery always possible? ›

Of course, data recovery isn't always possible. Sometimes the data storage device is corrupt or damaged, making data recovery impossible.

What is data recovery explanation? ›

What is data recovery? Enterprise data recovery is the process of restoring lost, corrupted, accidentally deleted, or otherwise inaccessible data to its server, computer, mobile device, or storage device (or to a new device if the original device no longer works).

What is the 4-3-2 backup rule? ›

Another relatively new option is 4-3-2. In this case, four copies of the data are stored in three locations, but two of these must be off-site. The 4-3-2 strategy means that backups are duplicated and geographically distant from one another to protect against natural disasters.

What is the 4-3-2 backup strategy? ›

4-3-2 Backup Strategy Overview

It's similar to the 3-2-1 strategy but with two more copies. This layered approach makes business data protection strategies more robust and reliable because you have more options when it comes to recovering data.

What are the three major recovery options? ›

Three major types of disaster recovery sites can be used: cold, warm, and hot sites.

What are the 7 tools of recovery? ›

7 Recovery Tools That Can Benefit Everyone Right Now
  • 1) Take it one day at a time, or even one hour at a time. ...
  • 2) Keep calm, and set boundaries that allow you to recharge. ...
  • 3) Find support with your tribe. ...
  • 4) Practice gratitude. ...
  • 5) Learn to be more comfortable with being uncomfortable. ...
  • 6) Create a healthy routine.

What are the 5 stages of recovery model? ›

What Are the Five Stages of Change? The five stages of addiction recovery are precontemplation, contemplation, preparation, action and maintenance. Read on to find out more about the various stages.

When can data not be recovered? ›

Overwritten data

After data has been physically overwritten on a hard disk drive, it is generally assumed that the previous data are no longer possible to recover.

Can wiped data be recovered? ›

Yes. Through the use of data recovery tools, the data that resided on your hard drive can be recovered. However, data recovery isn't always possible, so it will depend on how effectively the data was erased and the physical condition of the drive itself.

What makes data unrecoverable? ›

Once files have been overwritten once, they're only theoretically recoverable. When they've been overwritten more than once, they're gone forever. Deleted data on a solid-state drive – Solid-state drives work differently than HDDs, and when they delete data, they typically destroy it immediately.

How is deleted data recovered? ›

Here are four of the most common deleted file recovery methods.
  1. Check Your Recycle Bin. Find the File. ...
  2. Use the Control Panel. If you can't find the file in the recycling bin, it could still be stored elsewhere on your computer. ...
  3. Use a Data Recovery Software. ...
  4. Hire a Data Recovery Service.
Aug 22, 2022

What is the single most important part of data recovery? ›

Backups are the single most important part of data recovery because they serve as a safety net in case of data loss. A backup is essentially a copy of your data that you can use to restore your system to a previous state.

How is data recovery done? ›

The data recovery process relies on backups to work. Without a backup, you would need to rebuild lost data from scratch, which could take a lot of (avoidable) time and effort. Backup and recovery solutions like Rewind combine backup and recovery functions into a single, user-friendly interface.

What is 321 backup concept? ›

The basic concept of the 3-2-1 backup strategy is that three copies are made of the data to be protected, the copies are stored on two different types of storage media and one copy of the data is sent off site.

What is the 321 data protection rule? ›

The 3-2-1 backup rule refers to a tried-and-tested approach to data retention and storage: Keep at least three (3) copies of data. Store two (2) backup copies on different storage media. Store one (1) backup copy offsite.

What is the 3 1 1 backup rule? ›

Complete Ransomware Protection Starts With 3-2-1-1

It says to keep three copies of your data—one primary and two backups—with two copies stored locally on two formats (network-attached storage, tape, or local drive) and one copy stored offsite in the cloud or secure storage.


1. *2023 update, no longer recommended* Wondershare RecoverIt Full Review - data recovery software
(Mr. Sujano)
2. How to Recover Files from an External Hard Drive: 5 Simple Steps
3. How to Recover Data from a RAW Hard Drive (3 Methods)
4. Data Recovery Software: 7 Things to Pick the Best Tool
5. SSDs and Data Recovery – Is the data really gone? Can data be recovered from SSDs? (Day 13)
(Payam Data Recovery)
6. $2,000,000 Clean Room! - DriveSavers Data Recovery Tour
(Linus Tech Tips)


Top Articles
Latest Posts
Article information

Author: Zonia Mosciski DO

Last Updated: 05/20/2023

Views: 5785

Rating: 4 / 5 (71 voted)

Reviews: 86% of readers found this page helpful

Author information

Name: Zonia Mosciski DO

Birthday: 1996-05-16

Address: Suite 228 919 Deana Ford, Lake Meridithberg, NE 60017-4257

Phone: +2613987384138

Job: Chief Retail Officer

Hobby: Tai chi, Dowsing, Poi, Letterboxing, Watching movies, Video gaming, Singing

Introduction: My name is Zonia Mosciski DO, I am a enchanting, joyous, lovely, successful, hilarious, tender, outstanding person who loves writing and wants to share my knowledge and understanding with you.