Quick-formatting a disk does not physically erase information stored on the disk, allowing a data recovery tool to recover everything down to the last file. Wrong! The Quick Format command destroys enough information to make the recovery complicated, while making the result unguaranteed. In this technical article we’ll try to shed light on what happens when you format a disk using the Quick Format command; what can be recovered, and what can’t, and why.
Quick Format in Windows
Let’s have a look at what happens when you quick-format a disk in different versions of Windows. Let’s start with Windows 7 as the most popular operating system by the time of this writing.
The majority of hard drives used in desktop and laptop computers running a reasonably modern version of Windows is formatted with NTFS. Starting with Windows XP, it is no longer possible to install Windows onto a disk bearing a different file system (e.g. FAT), so NTFS is pretty much a given when it comes to hard drives.
The NTFS has a unique and very logical approach to organizing information. In this file system, *everything* is a file. As a result, NTFS keeps information about user files such as pictures and documents in a special system file named $MFT. This file contains records identifying other files on the disk and containing pointers containing physical addresses of all clusters on the disk that are occupied by a given file. In order to recover the files, a data recovery tool will normally attempt to recover and analyze the $MFT. The rest is easy: the tool will parse that file and discover all other files on the disk based on the records contained in $MFT.
What happens when Windows quick-formats the disk? While no information is deliberately erased, the system creates an empty $MFT file of a certain size. The new $MFT has a size of 32 KB in Windows XP, 64 KB in Windows Vista, and 256 KB in Windows 7. Each MFT record is exactly 1 KB long, so a 32 KB MFT can contain information about no more than 32 files.
When you start placing files on that newly formatted disk, Windows automatically adjusts the size of the MFT so that it can fit information about each and every file and folder being created. As a result, $MFT gets fragmented pretty quickly. In fact, a typical system may have $MFT files that consist of 3 to 10 fragments stored in random spots on the disk.
When you quick-format the disk, Windows creates an empty $MFT file in a fixed location. Obviously, the new $MFT overwrites the beginning of the old file with the same name. As a result, the first records in the old $MFT are lost (overwritten). Considering the small size of the empty $MFT, the number of files that become unrecoverable is relatively small. Besides, the first 27 records point to system files that aren’t that important for the purpose of data recovery. As a result, even less files are unrecoverable.
Considering the size of an empty $MFT file created by the different versions of Windows, we end up with the following number of unrecoverable files:
- Windows XP: the new $MFT is 32 KB long. 27 records point to system files, which means that (32-27)=5 files are unrecoverable.
- Windows Vista: the new $MFT is 64 KB long, which means that 37 files become unrecoverable.
- Windows 7: the new $MFT is 256 KB long, so 229 files are unrecoverable.
There is one more thing that’s often (if not always) overlooked by non-professionals. If you take an NTFS disk that was quick-formatted in Windows XP (with a 32 KB $MFT) and connect it to a Windows 7 PC, the system will instantly, automatically and without further warning increase the size of the $MFT to Windows 7-default size of 256 KB, making the first 229 files unrecoverable. This is one of the reasons a professional data recovery lab will always connect the disk via a hardware write blocking device. The alternative to a hardware write blocker is connecting the disk as a physical device, without allowing Windows to mount the volumes.
Let’s have a look at the following table showing how many files become unrecoverable after quick-formatting the disk in different versions of Windows. The numbers in each cell represent a number of files that are non-recoverable with a given combination of factors.
Recovering data in Windows XP
Alternative File Recovery Techniques
As you can see, traditional data recovery techniques that rely solely on the file system (the original $MFT file) may be unable to recover some of the files originally stored on the NTFS disk. However, there are alternative techniques allowing to successfully recover missing files even if they no longer appear in the file system.
RS Partition Recovery employs an innovative recovery algorithm based on content-aware analysis. Content-aware analysis performs full disk analysis based on signatures, looking for files that can be identified with persistent signatures. This type of analysis is sometimes called “File Carving”. For most popular types of files such as office documents, most image and video formats, databases, emails etc. the identifying signatures are already included.
This type of analysis has its share of limitations, too. Signature search works great when looking for files stored in a single continuous chunk. If a file is fragmented across the disk, signature search does not work all that great. According to a recent research, the fragmentation rate of user-created important files such as email messages, pictures, videos or office documents is relatively high. For example, some 16% of JPEG files, 17% of Word documents and 22% of AVI videos were found to be fragmented. Email databases are among the most highly fragmented files, having a 58% chance of being fragmented.
Don’t let this discourage you from using content-aware analysis. The actual chance of a fragmented file being among the first two-hundred-something records is extremely low, as these files are typically stored first on the hard drive and rarely modified. And even if you do end up with a corrupted or incomplete file such as a Word document, you can always use RS File Repair (https://recoverhdd.com/file-repair) to fix the corrupted document.
Frequently Asked Questions
Yes, you can.
One of the reasons may be damage to the file structure of the flash drive.
RS Photo Recovery can recover photos from a damaged memory card.
- Connect the memory card to the computer. The card must be determined.
- Launch RS Photo Recovery and start analysis.
Yes, it is possible. RS Photo Recovery can recover photos from a damaged memory card.
- Connect the memory stick to your computer. The card must be detected.
- Launch RS Photo Recovery software and start the analysis.
This greatly depends on the capacity of your hard drive and your computer's performance. Basically, most of hard disk recovery operations can be performed in about 3-12 hours HDD 1TB in normal conditions.
If the file does not open, it means that the file was damaged or corrupted before recovery.
Use "Preview" to evaluate the quality of the recovered file.
When you try to access the drive, you get the message "Drive is not accessible" or "You need to format the partition drive"
Your disk structure is corrupted.
In most cases, the data may still remain available. Just run the data recovery software and scan the desired partition to get it back.
Please use free versions of programs with which you can analyze the storage and view the files available for recovery.
You can save them after purchasing the program - you won't need to scan it again.
Yes. To work, mount disks in the same way as connecting disk images. Menu: Tools - Mount Disk.
