Recovering _rased _iles
Undelete protects you against accidentally expunged files
- By John Breeden II
- Oct 03, 2008
HERE'S THE SITUATION: Before heading home for the weekend, you rush through your network storage drive looking to delete a file called RodsReport that you've already presented. In your haste, you accidentally delete Report2009, which happens to be a huge file justifying your agency's budget requests for the year, something your bosses have been working on for months.
In the past, this might prompt you to start working on two other R-files: résumé and resignation.
We know that files that are deleted are not permanently gone, at least not right away. Computers save time and processing power by simply deleting the first letter of a file and flagging the operating system that the area previously held by the file is ready to be overwritten. So Report2009 is still in place, it's just hidden and sitting there under the name _eport2009.
A lot of programs have come out in recent years with the ability to scan drives to find and recover accidentally erased files. The GCN Lab even reviewed one that was designed specifically for forensic investigators to recover deleted images from digital cameras. For the most part, all these programs work well under ideal conditions. However, a file's protection from being overwritten once deleted is tenuous. The busier the system, the greater the chance that something bad will happen.
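The first-letter marker and the overwrite risk described above can be seen in a small scanner. This is an added example, not code from the article or from any product it reviews. It assumes the FAT directory layout (32-byte entries, first name byte set to 0xE5 on delete), contiguous allocation and a 4096-byte cluster; the file names and sample directory are constructed.

```python
import struct

ENTRY = 32         # size of one FAT directory entry
DELETED = 0xE5     # marker written over the first name byte on delete
CLUSTER = 4096     # assumed cluster size for the constructed sample

def make_entry(name, ext, cluster, size, deleted=False):
    """Build a constructed 8.3 directory entry (sample data only)."""
    raw = bytearray(ENTRY)
    raw[0:11] = (name.ljust(8) + ext.ljust(3)).encode("ascii")
    raw[11] = 0x20                                    # archive attribute
    struct.pack_into("<H", raw, 20, cluster >> 16)    # high word of first cluster
    struct.pack_into("<HI", raw, 26, cluster & 0xFFFF, size)
    if deleted:
        raw[0] = DELETED                              # rest of the entry is untouched
    return bytes(raw)

def clusters(rec):
    """Clusters a file occupies, assuming contiguous allocation."""
    n = max(1, -(-rec["size"] // CLUSTER))            # ceiling division
    return set(range(rec["cluster"], rec["cluster"] + n))

def scan(directory):
    """Return (live, deleted) records; deleted ones get a 'recoverable' flag."""
    live, deleted = [], []
    for off in range(0, len(directory) - ENTRY + 1, ENTRY):
        e = directory[off:off + ENTRY]
        if e[0] == 0x00:                 # end of directory
            break
        if e[11] & 0x3F == 0x0F:         # long-file-name fragment, skipped here
            continue
        gone = e[0] == DELETED
        stem = "_" + e[1:8].decode("ascii", "replace") if gone else e[0:8].decode("ascii", "replace")
        hi, = struct.unpack_from("<H", e, 20)
        lo, size = struct.unpack_from("<HI", e, 26)
        rec = {"name": stem.rstrip() + "." + e[8:11].decode("ascii", "replace").rstrip(),
               "cluster": hi << 16 | lo, "size": size}
        (deleted if gone else live).append(rec)
    in_use = set().union(*map(clusters, live))
    for rec in deleted:                  # space reused by a live file is lost
        rec["recoverable"] = clusters(rec).isdisjoint(in_use)
    return live, deleted

# Constructed sample: two deleted files, plus a live file written later into
# the cluster the first deleted file used to occupy.
SAMPLE = b"".join([
    make_entry("RODSRPT", "DOC", 5, 4096, deleted=True),
    make_entry("REPORT09", "DOC", 10, 12288, deleted=True),
    make_entry("NOTES", "TXT", 5, 100),
]) + bytes(ENTRY)
```

Real recovery tools follow the allocation table instead of assuming contiguous clusters, but the verdict logic is the same: a deleted entry is only as good as the clusters nobody has reused yet.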
You could compare a deleted file to lying down in the road. Out in the country somewhere, it might be hours or, in some cases, days before a car comes by and runs you over. You, or your deleted file, have plenty of time to be rescued. But try that same thing on a busy freeway, which is like a hectic government network drive, and it could be only a couple of minutes or even seconds before you get squished. To protect files on busy networks, you need a system.
Undelete 2009 is more like a backup parachute than an ambulance. It saves everything that is deleted, keeping it safe for as long as the disk space holds out, which means you almost always have plenty of time to recover files. In a lot of ways it's like a clean-sweep program in that it records all activity on a system from the time it is installed, except instead of making sure everything is deleted, Undelete makes sure that nothing you want to keep is destroyed.
Once installed, the entire Windows Recycle Bin process is replaced by the Undelete Recovery Bin. Files that are deleted move into a safe area, where they sit for as long as there is space to store them. Any files can be recovered painlessly from the bin. We did some tests on a stand-alone computer and found that Undelete 2009 also works when files are not specifically put into the bin. Basically any file that is deleted by any method, except for one we describe below, is saved for later recovery.
The recovery process is easy to use. The best method is to use Windows Explorer. From there, you can see which deleted files are protected and simply right click on them to bring them back.
Although the stand-alone version works well, the real strength for government is the network version. The main program runs on any Windows 2000, 2003 or 2008 server operating system.
For $500, you get the licenses for as many as 10 desktop clients. You can also pick up more licenses for $20 each, with a minimum purchase of 20 in your group. In our testing, client systems running Undelete connected automatically with the main server, which controls all the delete processes.
The network version has more control options, which is good for maintaining security. You can, for example, see who deleted a file and control who can recover it. You can also set up exceptions to the undelete process so that common files with no real value can skip the save process and be erased normally, which keeps your storage open. Also, you can control how long files are protected in the undelete cache. For example, you can have a deleted file stay in place for seven days and be erased after that.
What do you do if you have a network that is protected by the Undelete system and have a file that needs to be destroyed? What if it's a file that you never want recovered? Thankfully, Diskeeper has included a program called SecureDelete 2.0 as part of the standard installation. If you need to permanently remove a file, you can erase it using the SecureDelete program, which will not only remove it, but also overwrite the file using random ones and zeros, which is compliant with Defense Department and National Security Agency standards for permanent deletion.
We erased a file using SecureDelete and then tried to recover it using familiar file-recovery products and were unsuccessful.
And because SecureDelete bypasses the entire Undelete system, it can't be recovered that way either. As a bonus, SecureDelete can wipe all free space on a network drive or client computer to eliminate any file fragments, something that should probably be done from time to time on government networks.
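The general overwrite-before-delete technique described above, as an added sketch. It is not SecureDelete's implementation and makes no claim about any standard. It assumes a file system and storage device that write in place; journaling, copy-on-write or wear-leveled flash storage may leave older copies of the data elsewhere. The function names are hypothetical.

```python
import os

def overwrite_in_place(path, passes=1, chunk=64 * 1024):
    """Overwrite a file's existing bytes with random data, keeping its length."""
    size = os.path.getsize(path)
    # "r+b" writes into the file's current contents; "wb" would truncate first
    # and could let the file system hand out fresh blocks instead.
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            left = size
            while left:
                n = min(chunk, left)
                fh.write(os.urandom(n))      # random ones and zeros
                left -= n
            fh.flush()
            os.fsync(fh.fileno())            # push this pass out of the page cache
    return size

def secure_delete(path):
    """Overwrite the data, rename so the original name is not left behind, unlink."""
    overwrite_in_place(path)
    hidden = os.path.join(os.path.dirname(path) or ".", os.urandom(8).hex())
    os.rename(path, hidden)                  # directory entry no longer shows the name
    os.remove(hidden)
```

Checking the result the way the reviewers did, by running a recovery tool afterwards, remains the meaningful test, since the code cannot confirm where the storage layer actually put the new bytes.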
The Undelete system is a good way to make sure users don't accidentally destroy something important. In a worst-case scenario, it can also protect you from deliberate internal sabotage, saving files for at least a couple of days. It does require a large amount of storage to work properly, so you might want to invest in a small storage server or external network drive.
Diskeeper, 800-829-6469, www.undelete.com
John Breeden II is a freelance technology writer for GCN.