Pressing ‘Delete’ is easy, like watching your favourite movie. Usually we delete files we no longer need to free up space or to unclutter our computer, simple tasks bordering on the mundane. The nightmare begins when we by accident delete something important, something hiding in the corner under layer upon layer of folders for example.

There are two things we can do in these circumstances;

a) scream our heads off

b) pull our hair, then scream our heads off

This was back in the day when broadband was the best connection around. In the current era you can find simple tools to actually dig up deleted files. For this article I will be discussing a bit on how computer memory works and introduce one related freeware available on the Net.

Computer memory consists of many, many separate blocks into which data can be written. When a programme is installed into a computer or a file is created, that file’s data will be written into these blocks of memory.


 

 

 

It’s a bit like arranging books on a shelf. When you buy a collection, you stack them into the shelf space, one book at a time.

One other thing is also created when you make a file. A ‘pointer’ is created by the computer system so that you can access your file. Think of a pointer like a doorway; without it you cannot enter into your file.

When you delete that file, the blocks of memory holding the file would now look like this;

 

 

 

Exactly the same. The file is still there.

Okay, here’s the deal.

Two important things happen when you delete something. First, the pointer of your file is erased by the computer, so you can no longer access the programme. That’s why icons don’t work, your system can’t find it, and you can’t find it using the search function. Second, the computer labels the memory currently holding that file as ‘can be overwritten’. So when you install something else, it would overwrite your old file.

But if you don’t overwrite these blocks of memory containing your file, you can do things to restore the pointers so that you can access your deleted file again.

There are two ways to do this;

a) use the command prompt (DOS) and type in complex commands to get the pointers back

b) download freeware and let the programme get it back for you

There are numerous computing sites teaching the layman how to perform option (a), of which one may spend hour after hour trying to understand everything. If you do want to try this, please bear in mind that you will be messing with very vital system codes. Any one mistake can be fatal to the wellbeing of your computer.

For option (b), let me introduce you to a friend of mine called ‘Pandora Recovery’ by Pandora Corp.

 

 

 

You can find this software at http://www.pandorarecovery.com/. Pandora takes up about 7.30 MB and works really well in all the times I have used it.

There are three ways you can use Pandora to get back pointers to deleted files. There’s the browse option, the search option, and the surface scan option.

The browse option let’s you view your computer’s files just like Windows Explorer. You use this option when you know the last folder your file was in. You navigate directly to that folder and restore it from there. Take a look at the interface.

 

 

 

Click on the image to get a better look.

There are a few things you might notice from the screenshot.

Deleted files are colour-coded so you can distinguish those that are fine and those that are not. Files written in red have been overwritten to a degree, whether partially or completely. Files written in blue are compressed. Green files mean they were encrypted. Grey files are hidden files, usually meaning system files. Any file written in plain ol’ black is neither overwritten, compressed, encrypted, or hidden.

You may have realised that some folders are marked with a red X. These folders have themselves been deleted and can be recovered. Normal folders that are still in your computer are unmarked.

The icons on top are, from left to right, ‘return to last visited folder’, ‘up one level’, refresh, ‘index selected drive’ (an apparently obsolete command in version 2.0.1), recover, quick view, properties, ‘Show deleted items only’, wizard, and help. Press ‘recover’ to get back selected file(s) or a folder. Alternatively, right-clicking a file will bring up a small menu of options that include ‘recover’, ‘quick view’, and ‘properties’.

A note on quick view. Selecting this option opens a window showing a preview of the selected file. If it is a picture, you will get to see a preview of it to help you determine if the file is worth rescuing. Text can also be previewed.

The Search option is perhaps the mode a user will normally utilise. A user can specific which drive to search, the file name (or leave blank to search by other criteria), file size, and date of creation or the last time a file was modified. It looks like this;

 

 

 

By the way, Pandora also supports wildcards.

The most thorough search mode has to be the third recovery option, the surface scan. In this mode you first apply a set of filters, although you can set it to search your entire disc drive for every single deleted thing that has not been completely obliterated. Searching using this option gives you this kind of view of your files;

 

 


 

That picture on the left is a preview of the file you are viewing. Above it you can see some follow-up options.

To end this article, I will just recover some random file. Pick a number between zero and a googolplex. No, something higher. ‘Infinity’ is technically not a number. Go lower. Okay, that number will do. I’ll recover a Jerry Seinfeld picture, one I didn’t even know had been on my disc drive.

The following menu will pop up when you press ‘recover’, giving you quite a bit of control over how you want your file to come back.

 

 


 

Take a closer look at the ‘Advance’ section of the menu, there at the bottom. You can even recover attributes of the file like ‘archive’, ‘hidden’, and other stuff and at the same time meddle with the data streams. Did I tell you how much I like Pandora?

Basic steps to recover something using Pandora is nothing more than scanning your system, clicking ‘Recover’, then specifying where to recover it and pressing the ‘Recover Now’ button.

With all this said it never mean that you start deleting your files like a mad man , always take care of important data. Less tools you rely on the better it is.



About the author

Dr-Hack

Owner and founder of Hackology Internet Security Portal and BlackAngel. These days teach hacking so others can stay safe. Apart from hacking, a Movie Fanatic.Also run a tech Blog, small projects like encrypted paste etc and various PoC and research articles

  • nice one…

    for formatted (or crashed) disks… GetDataBack for FAT and GetDataBack for NTFS saved my day =)

  • Rabimba

    Well I’ve used stellar,recuva,undelet 🙂
    and all of them work more or less same upto certain extent :d

  • to be honest , i dont belive IN such stuff much - the data you want never gets restored :p … so i take care not to delete anything but if it gets … thats where i make no effort to do anything then .. 🙂

  • Hi, good post. I have been woondering about this issue,so thanks for posting. I’ll definitely be coming back to your site.

  • Raaz

    Stellar is a gud program, just thougt to let evry1 knw.
    Nice work here going.

    Impresd with the fact that fadi is runing his own server at home for past few years.

Pin It on Pinterest

Shares