What Happens on NTFS File System After Deleting a File?

When you delete a file from the computer, the operation looks simple from your point of view: either use the shortcut key to delete the file directly, or put it in the recycle bin and then empty the recycle bin. But does the deleted file just disappear from the disk? Why can third-party data recovery software recover deleted files? Here’s an in-depth look at what the disk file system does when we delete a file on a Windows computer. Because of the depth of the content involved, you are required to have some knowledge of the file system.

As we know, data is stored on disk in the form of binary signals. But computers manage data not directly from binary signals on disk but through the file system. Our data is stored in the file system as a file. There are common file systems such as FAT32 and NTFS. So, when a file is deleted, the computer performs some operations on the file system, including changing the space occupation mark and modifying the file record table. The final result on the computer is that the file disappears.

There are two ways for users to delete files:

1. Directly delete the file (i.e. the deleted file does not go through the recycle bin, or the file is directly cut and pasted into the target directory).

2. Put the deleted files in the recycle bin, and then empty the recycle bin or delete the files in the recycle bin.

Therefore, we will describe the changes in the file system for two different cases.

1. When deleting files directly

In the case of a file being deleted directly, the changes made by the file system are slightly simpler than removing the file from the recycle bin. But the overall process is similar. So, you can refer directly to my introduction to the second case, which is what the file system does after the file is deleted from the recycle bin.

2. When deleting files from the recycle bin

Before we get into the details of how data is deleted in the recycle bin, we need to look at the recycle bin structure of Windows XP and Windows 7 (which differ only slightly from each other).

The NTFS file system manages the recycle bin differently under different operating systems. Only the recycle bin structures of Windows XP and Windows 7 are introduced here. After Windows 7, the recycle bin structure is basically the same.

2.1.1 The Structure of Recycle Bin on Windows XP

Under the Windows XP operating system, the recycle bin is a special directory (folder) located in the root directory of the logical disk and named RECYCLER. Its attributes are hidden and system. After the user puts a file into the recycle bin for the first time, a subdirectory beginning with “S-1-5-21” is generated under RECYCLER, and a hidden file called INFO2 is automatically created in that subdirectory. INFO2 records the original information of the deleted files (that is, drive letter, long path, file name, file number, deletion date/time, etc.) in ASCII and Unicode. A file named “D + drive letter + ordinal.extension” is also generated in the subdirectory beginning with “S-1-5-21”.

2.1.2 The Structure of Recycle Bin on Windows 7

Under the Windows 7 operating system, the management of the recycle bin is basically the same as in Windows XP. In Windows 7, the recycle bin folder is named $recycle.bin, and its attributes are also system and hidden. Under this folder, there is a folder beginning with “S-1-5-21”, which holds the deleted files.

If the user puts a file in the recycle bin, two files are generated in the folder beginning with “S-1-5-21”. The naming rules are as follows: one file is named “$I + 6 random characters”, and the other is named “$R + 6 random characters”, with the same extension. The “6 random characters” in both file names are the same.

The “$I + 6 random characters” file stores the drive letter, path, and file name of the deleted file. The “$R + 6 random characters” file stores the contents of the deleted file; that is, the “$R + 6 random characters” file and the deleted file are the same.
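A parser for the $I metadata file described above, as an added example that is not part of the original article. The header fields (version, original size, deletion time) are not described on this page; the layout used is the commonly documented one for Windows Vista and later, and the version 2 branch goes beyond the Windows 7 case. The sample bytes and the deletion time are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_i_file(data: bytes) -> dict:
    """Parse the contents of a $I metadata file from $Recycle.Bin."""
    if len(data) < 24:
        raise ValueError("too short for a $I header")
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:    # Vista/7/8: fixed field of 260 UTF-16 characters
        raw = data[24:24 + 520]
    elif version == 2:  # Windows 10 and later: character count, then the path
        if len(data) < 28:
            raise ValueError("truncated version 2 header")
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * nchars]
        if len(raw) < 2 * nchars:
            raise ValueError("path is truncated")
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "version": version,
        "size": size,  # size of the deleted file in bytes
        "deleted_utc": FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
        "original_path": path,
    }

def paired_r_name(i_name: str) -> str:
    """Name of the $R content file that belongs to a $I metadata file."""
    if not i_name.upper().startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]

def build_sample_v1(path: str, size: int, filetime: int) -> bytes:
    """Build a constructed version 1 $I body (sample data, not a real capture)."""
    field = path.encode("utf-16-le").ljust(520, b"\x00")
    return struct.pack("<QQQ", 1, size, filetime) + field

# Constructed sample: the page's file, with an invented deletion time of
# 2020-01-01 00:00:00 UTC expressed as a FILETIME (100 ns ticks since 1601).
SAMPLE = build_sample_v1(r"H:\abcd3\13.jpg", 272429, 132223104000000000)

if __name__ == "__main__":
    print(paired_r_name("$I127DKX.jpg"), parse_i_file(SAMPLE))
```

Pairing each $I record with its $R file gives the original path, size and deletion time for content that is still sitting in the recycle bin.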

2.2.1 What happens to the disk file system after the file is deleted

For an NTFS file system, deleting a file affects the corresponding record in the metafile $MFT, the B0H attr of $MFT, the recycle bin, the index directory, the bitmap files, disk space, and so on.

Here’s an example of deleting an image file in the recycle bin:

On Windows 7, I deleted the 13.jpg file in the abcd3 folder on drive H.

Note: the 13.jpg file mentioned in this example refers to the 13.jpg file in the abcd3 folder on drive H. The 13.jpg file has record number 11947 in the NTFS partition, and the 80H attr of record 11947 is shown in the figure below.

The size of the 13.jpg file is 266 KB (272,429 bytes), and it occupies 268 KB (274,432 bytes) on disk. The data list of the 80H attribute (note: the data list is 21 43 0A 19) shows that the contents of the 13.jpg file occupy clusters 6410~6476, a total of 67 clusters.

1. Impact on record 11947

(1) Before the 13.jpg file is put into the recycle bin, the situation of the 11947 record is shown in the figure below.


(2) After the 13.jpg file was put into the recycle bin, the status of record 11947 is shown in the following figure.

(3) After the 13.jpg file was completely deleted from the recycle bin, record 11947 of the metafile $MFT is shown in the figure below.

(4) The changes that deleting the 13.jpg file makes to record 11947 are shown in the table below.

| Operation | Number of times used | Usage of the file | Filename | Path |
|---|---|---|---|---|
| Before 13.jpg is put into the recycle bin | 3 | In use | 13.jpg | H:\abcd3 |
| After 13.jpg was put into the recycle bin | 4 | In use | $R127DKX.jpg | Recycle bin |
| 13.jpg was completely deleted | 5 | Deleted | $R127DKX.jpg | Recycle bin |

2. Impact on record 15397

The changes to record 15397 are briefly explained below.

(1) Before the 13.jpg file is put into the recycle bin, record 15397 is unused.

(2) After placing the 13.jpg file into the recycle bin, record 15397 is occupied by the $I127DKX.jpg file; that is, the file system creates a file named $I127DKX.jpg in the recycle bin folder (note: “127DKX” are random characters).

The contents of the 80H attr of record 15397 are H:\abcd3\13.jpg, that is, the location of the file 13.jpg that was deleted in the recycle bin.

(3) After emptying the recycle bin, record 15397 is unused.

3. Changes to the value of the B0H attribute of the metafile $MFT

Since the record number of the 13.jpg file is 11947, the position of record 11947 in the B0H attr of the metafile $MFT is sector 202746 + offset 0X01D5.

(1) Before placing the 13.jpg file into the recycle bin, the value of sector 202746 + offset 0X01D5 is “FF”, as shown in the figure below, indicating that the status of record 11947 is in use.

(2) After placing the 13.jpg file in the recycle bin, the value of sector 202746 + offset 0X01D5 is still “FF”, as shown in the figure below. The status of record 11947 remains in use.

(3) After the recycle bin is emptied, the value of sector 202746 + offset 0X01D5 changes from “FF” to “F7”, as shown in the figure below, indicating that the status of record 11947 is not in use.

(4) Before placing the 13.jpg file into the recycle bin, the value of sector 202747 + offset 0X0184 is “DF”, that is, the status of record 15397 is unused, as shown in the figure.

(5) After placing the 13.jpg file in the recycle bin, the value of sector 202747 + offset 0X0184 changes from “DF” to “FF”, as shown in the figure.

(6) After the recycle bin is emptied, the value of sector 202747 + offset 0X0184 changes from “FF” to “DF”, as shown in the figure. Bit5 of the byte is 0, indicating that record 15397 is not in use.

4. Impact on recycle bin

(1) Before placing the 13.jpg file into the recycle bin, only one file was stored in the recycle bin, named desktop.ini, as shown in the figure.

(2) After the 13.jpg file was put into the recycle bin, two files were added to the recycle bin, named $R127DKX.jpg and $I127DKX.jpg respectively. The $R127DKX.jpg file is the 13.jpg file from the abcd3 folder of drive H (renamed to $R127DKX.jpg). $I127DKX.jpg is newly created, and its file record number is 15397, as shown in the figure.

(3) After emptying the recycle bin, the files $R127DKX.jpg and $I127DKX.jpg have been deleted from the recycle bin, as shown in the figure.

5. Impact on the abcd3 folder index directory

(1) Before placing the 13.jpg file into the recycle bin, the 13.jpg file is stored between 12.jpg and 14.jpg, as shown in the figure

(2) After the 13.jpg file is put into the recycle bin, 13.jpg has been removed from the index node, as shown in the figure.

6. The effect of deleting 13.jpg on metafile $Bitmap

The starting sector of the metafile $Bitmap is 202712. From this you can calculate that the starting cluster 6410 of the content of 13.jpg corresponds to bit2 of sector 202713 + offset 0X0121 in the metafile $Bitmap, and the ending cluster 6476 corresponds to bit4 of sector 202713 + offset 0X0129 in the metafile $Bitmap.

| Starting cluster number | Position in $Bitmap: sector number | Sector offset | Bit in byte | Ending cluster number | Position in $Bitmap: sector number | Sector offset | Bit in byte |
|---|---|---|---|---|---|---|---|
| 6410 | 202713 | 0X0121 | Bit2 | 6476 | 202713 | 0X0129 | Bit4 |

(1) Before deleting the 13.jpg file, the space occupied by the 13.jpg file in the $Bitmap metafile is shown in the figure.

Therefore, the cluster range of the 13.jpg file content is 6410~6476, occupying bit7~bit2 of sector 202713 + offset 0X0121, all of sector 202713 + offset 0X0122~0X0128, and bit4~bit0 of sector 202713 + offset 0X0129 in the $Bitmap metafile.

The clusters of sector 202713 + offset 0X0121~0X0129 are shown in table 1.

| Sector offset | 0X0121 | 0X0122 | 0X0123-0X0127 | 0X0128 | 0X0129 |
|---|---|---|---|---|---|
| Value (hexadecimal) | FF | FF | FF (all) | FF | FF |
| The range of cluster number | 6415~6408 | 6423~6416 | 6424~6463 | 6471~6464 | 6479~6472 |
| Usage of clusters | See table 2 | Used | Used | Used | See table 3 |
| The file occupying the clusters | See table 2 | 13.jpg | 13.jpg | 13.jpg | See table 3 |

The clusters of the sector 202713 + offset 0X0121 are shown in table 2.

Address: sector 202713 + offset 0X0121. Hexadecimal value: FF.

| Binary digit | Bit7 | Bit6 | Bit5 | Bit4 | Bit3 | Bit2 | Bit1 | Bit0 |
|---|---|---|---|---|---|---|---|---|
| Binary value | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| Cluster number | 6415 | 6414 | 6413 | 6412 | 6411 | 6410 | 6409 | 6408 |
| Usage of clusters | Used | Used | Used | Used | Used | Used | Used | Used |
| The file occupying the clusters | 13.jpg | 13.jpg | 13.jpg | 13.jpg | 13.jpg | 13.jpg | 12.jpg | 12.jpg |

The clusters of the sector 202713 + offset 0X0129 are shown in table 3.

Address: sector 202713 + offset 0X0129. Hexadecimal value: FF.

| Binary digit | Bit7 | Bit6 | Bit5 | Bit4 | Bit3 | Bit2 | Bit1 | Bit0 |
|---|---|---|---|---|---|---|---|---|
| Binary value | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| Cluster number | 6479 | 6478 | 6477 | 6476 | 6475 | 6474 | 6473 | 6472 |
| Usage of clusters | Used | Used | Used | Used | Used | Used | Used | Used |
| The file occupying the clusters | 14.jpg | 14.jpg | 14.jpg | 13.jpg | 13.jpg | 13.jpg | 13.jpg | 13.jpg |

After deleting the 13.jpg file and emptying the recycle bin, bit7~bit2 of sector 202713 + offset 0X0121 change from 1 to 0, while bit1~bit0 stay the same; the bytes at sector 202713 + offset 0X0122~0X0128 change from “FF” to “00”; and bit4~bit0 of sector 202713 + offset 0X0129 change from 1 to 0, while bit7~bit5 remain the same.

(2) After deleting the 13.jpg file and emptying the recycle bin, the clusters that the 13.jpg file content occupied in the $Bitmap metafile are shown in the figure.

The clusters in sector 202713 + offset 0X0121~0X0129 are shown in the table:

| Sector offset | 0X0121 | 0X0122 | 0X0123-0X0127 | 0X0128 | 0X0129 |
|---|---|---|---|---|---|
| Value (hexadecimal) | 03 | 00 | 00 (all) | 00 | E0 |
| The range of cluster number | 6415~6408 | 6423~6416 | 6424~6463 | 6471~6464 | 6479~6472 |
| Usage of clusters | See table 2 | Unused | Unused | Unused | See table 3 |
| The file occupying the clusters | See table 2 | 13.jpg | 13.jpg | 13.jpg | See table 3 |

The clusters of the sector 202713 + offset 0X0121 are shown in the table.

Address: sector 202713 + offset 0X0121. Hexadecimal value: 03.

| Binary digit | Bit7 | Bit6 | Bit5 | Bit4 | Bit3 | Bit2 | Bit1 | Bit0 |
|---|---|---|---|---|---|---|---|---|
| Binary value | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 1 |
| Cluster number | 6415 | 6414 | 6413 | 6412 | 6411 | 6410 | 6409 | 6408 |
| Usage of clusters | Unused | Unused | Unused | Unused | Unused | Unused | Used | Used |
| The file occupying the clusters | | | | | | | 12.jpg | 12.jpg |

The clusters of the sector 202713 + offset 0X0129 are listed in the table.

Address: sector 202713 + offset 0X0129. Hexadecimal value: E0.

| Binary digit | Bit7 | Bit6 | Bit5 | Bit4 | Bit3 | Bit2 | Bit1 | Bit0 |
|---|---|---|---|---|---|---|---|---|
| Binary value | 1 | 1 | 1 | 0 | 0 | 0 | 0 | 0 |
| Cluster number | 6479 | 6478 | 6477 | 6476 | 6475 | 6474 | 6473 | 6472 |
| Usage of clusters | Used | Used | Used | Unused | Unused | Unused | Unused | Unused |
| The file occupying the clusters | 14.jpg | 14.jpg | 14.jpg | | | | | |
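The bit arithmetic used in sections 3 and 6, as an added example that is not part of the original article. It maps an MFT record number or a cluster number to its sector, byte offset and bit, then clears the bits of clusters 6410~6476 in a constructed bitmap. The two start sectors are inferred from the sector numbers on this page, and 512-byte sectors are assumed.

```python
SECTOR_SIZE = 512

def locate_bit(bitmap_start_sector: int, index: int) -> tuple:
    """Map an MFT record number or cluster number to (sector, offset, bit)."""
    byte_no, bit = divmod(index, 8)
    sector_delta, offset = divmod(byte_no, SECTOR_SIZE)
    return bitmap_start_sector + sector_delta, offset, bit

def mark_range(bitmap: bytearray, first: int, last: int, in_use: bool) -> None:
    """Set or clear the bits for items first..last (inclusive)."""
    for n in range(first, last + 1):
        byte_no, bit = divmod(n, 8)
        if in_use:
            bitmap[byte_no] |= 1 << bit
        else:
            bitmap[byte_no] &= 0xFF ^ (1 << bit)

def count_in_use(bitmap: bytes, first: int, last: int) -> int:
    """Count how many items in first..last are still marked as in use."""
    return sum((bitmap[n // 8] >> (n % 8)) & 1 for n in range(first, last + 1))

# Start sectors inferred from the page's figures (assumption): the B0H bitmap
# of $MFT begins at sector 202744 and $Bitmap at sector 202712.
MFT_BITMAP_START = 202744
VOLUME_BITMAP_START = 202712

def simulate_delete() -> bytes:
    """Constructed $Bitmap (all clusters used), then free clusters 6410..6476."""
    bitmap = bytearray(b"\xFF" * (2 * SECTOR_SIZE))
    mark_range(bitmap, 6410, 6476, in_use=False)
    return bytes(bitmap)

if __name__ == "__main__":
    print(locate_bit(MFT_BITMAP_START, 11947))     # record of 13.jpg
    print(locate_bit(VOLUME_BITMAP_START, 6410))   # first cluster of 13.jpg
    after = simulate_delete()
    print(after[SECTOR_SIZE + 0x121:SECTOR_SIZE + 0x12A].hex(" "))
```

Running count_in_use over a deleted file's cluster range on a later image shows how many of its clusters have been handed to other files since the deletion.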

7. The impact of removing 13.jpg on disk space

The impact of deleting 13.jpg files on disk space is shown in the table (note: disk space in this table is counted by using WinHex and it may be different when you are using other tools.)

| Disk space | Before placing 13.jpg into the recycle bin | After emptying the recycle bin | Changes on the disk space |
|---|---|---|---|
| Used disk space | 96591872 bytes | 96317440 bytes | Decreases 274432 bytes (that is 67 clusters) |
| Free disk space | 214831104 bytes | 215105536 bytes | Increases 274432 bytes (that is 67 clusters) |
| Total disk space | 311422976 bytes | 311422976 bytes | No changes |

8. Effect of deletion of 13.jpg on index directory

The record number of the abcd3 folder is 11942, and the data list of its 80H attr is “21 01 A1 19”.

In the abcd3 folder, 35 file names are stored, all of them in 1 index node, whose index node number is 0. From the data list of the 80H attribute of record 11942, it can be known that the LCN corresponding to the index node is 6561.
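How the two data lists quoted on this page (“21 43 0A 19” for 13.jpg and “21 01 A1 19” for the abcd3 folder) decode to cluster 6410 for 67 clusters and LCN 6561, as an added example that is not part of the original article. The decoder follows the standard NTFS run list encoding and also handles fragmented and sparse runs, which goes beyond the single-run case shown here; the fragmented list is constructed, and the 4096-byte cluster size is inferred from 274,432 bytes / 67 clusters.

```python
CLUSTER_SIZE = 4096  # assumption: 274,432 bytes / 67 clusters on the page's volume

def decode_data_runs(raw: bytes) -> list:
    """Decode an NTFS data list (run list) into (start_lcn, cluster_count) pairs."""
    runs, pos, lcn = [], 0, 0
    while pos < len(raw) and raw[pos] != 0x00:      # 0x00 ends the list
        len_size = raw[pos] & 0x0F                  # low nibble: bytes of length
        off_size = raw[pos] >> 4                    # high nibble: bytes of offset
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(raw):
            raise ValueError("malformed or truncated data run")
        count = int.from_bytes(raw[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((None, count))              # sparse run: no clusters on disk
        else:
            # The offset is signed and relative to the previous run's start LCN.
            lcn += int.from_bytes(raw[pos:pos + off_size], "little", signed=True)
            runs.append((lcn, count))
            pos += off_size
    return runs

def cluster_ranges(runs: list) -> list:
    """Turn runs into inclusive (first_cluster, last_cluster) ranges."""
    return [(lcn, lcn + n - 1) for lcn, n in runs if lcn is not None]

def allocated_bytes(runs: list) -> int:
    """Bytes of disk space covered by the non-sparse runs."""
    return sum(n for lcn, n in runs if lcn is not None) * CLUSTER_SIZE

FILE_RUNS = bytes.fromhex("21 43 0A 19")      # data list of 13.jpg, from the page
FOLDER_RUNS = bytes.fromhex("21 01 A1 19")    # data list of abcd3, from the page
# Constructed fragmented list: a second run of 5 clusters, 16 clusters earlier.
FRAGMENTED = bytes.fromhex("21 43 0A 19 11 05 F0 00")

if __name__ == "__main__":
    for name, raw in (("13.jpg", FILE_RUNS), ("abcd3", FOLDER_RUNS)):
        runs = decode_data_runs(raw)
        print(name, runs, cluster_ranges(runs), allocated_bytes(runs))
```

Because the data list stays in the MFT record after deletion, the same decoding tells a recovery tool which clusters to read back.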

(1) Before placing 13.jpg into the recycle bin, the B-tree structure of the abcd3 folder is shown in the figure.


(2) After placing 13.jpg into the recycle bin and emptying the recycle bin, the B-tree structure of the abcd3 folder is shown in the figure.

The above shows the impact of deleting a file on the file system’s meta-files, index directories, and attribute values. At first glance, you might think that these processes are very complex. But all of this is done automatically by the program, and we don’t even notice it at first glance.

How can data recovery software recover deleted files?

From the above introduction, we have seen what the file system does when a file is deleted. But you’ll also notice that the file content is not deleted; only the marks for the file’s space are changed. Data recovery software recovers data by identifying the file system and the characteristics of the file.

Conclusion

As you can see from the above introduction, the file system is very complex. Deleting, creating, or moving a file can trigger a very complex set of actions. This is very different from what we see on a computer when a file is deleted with a click or two. This is also a convenience brought by modern operating systems. We do not need to understand the underlying rules of data management but can do all the file management work with the mouse and keyboard.

Editorial Team
The editorial team of PCTransor is a team of experts in the various technical fields. We help people solve their computer problems. Our area of expertise includes Windows tips, Mac solutions, and application tricks.
