Recovered photos looking “cut off” or “half gray”?

Posted by on Jan 22, 2014 in Blog | 0 comments

Numerous users of DiskDigger have contacted me regarding recovered photos that sometimes appear to be “cut off” somewhere in the middle, with the rest of the photo replaced by a single “color,” or meaningless shapes and colors, like the picture below. What’s the reason for this mysterious phenomenon? The explanation has to do with file fragmentation.

Files stored on your hard drive (or memory card, USB drive, etc.) are organized using a file system, such as FAT or NTFS. These file systems allow for files to be fragmented, meaning that portions of a single file can be scattered across different locations on the drive. For a quick explanation of why files might get fragmented, refer to the figure below.

When your disk is empty, and you start writing files to it, the files will be stored consecutively (“file 1”, “file 2”, “file 3”, etc.), as we might expect. Now, suppose we delete “file 2”, which would leave a “hole” between “file 1” and “file 3.” And now, suppose we write a new file (“file 4”), which happens to be larger than “file 2” was. A portion of “file 4” will be written into the hole left behind by “file 2”, and the rest of the file will be written to the space beyond all the previous files.

In the above figure, “file 4” consists of two fragments. The sizes and locations of the fragments are indexed in the file system structures that appear at the very beginning of the disk.

So, what are the implications of this when a fragmented file is deleted?

As we know, the act of deleting a file doesn’t actually wipe the contents of the file from the disk. Therefore, we can be sure that the actual contents (or fragments) of the file will remain intact, until they’re overwritten by new data, since the deleted file is now treated as empty space, up for grabs.

However, what happens to the file system structures that keep track of the locations and sizes of the fragments? This depends on the file system:

Under the FAT family of file systems, the fragment locations are recorded in the File Allocation Table, which is the namesake of the file system! The bad news is that, when a file is deleted, its File Allocation Table entries are wiped permanently. It’s still possible to locate the beginning of the first fragment of the file, but any additional fragments are considered lost. In DiskDigger terminology, “dig deep” mode (which relies on file system information) will not be able to recover a fragmented file, if the underlying file system was FAT. It will, however, be able to recover the first fragment of a file. And if that file happens to be a .JPG photo, the image will appear to be “cut off” where the fragment ends.

On the other hand, under the NTFS file system, the fragment locations are stored in the Master File Table (MFT) entry associated with the file. When a file is deleted in NTFS, its MFT entry gets marked as “deleted,” but the entry itself is not wiped, so its fragmentation data remains preserved. As long as the MFT entry is not overwritten by a new file, it’s possible to recover the original file in its entirety. In DiskDigger terminology, “dig deep” mode may be able to recover a fragmented file from an NTFS file system, as long as the file’s MFT entry, as well the actual contents, haven’t been overwritten by new data.

And what about “deeper” mode in DiskDigger? Let’s recall that “deeper” mode disregards the file system altogether, and thoroughly scans the entire disk for the presence of files. The problem is that, in the case of .JPG files, DiskDigger can only detect the beginning of the file, since only the beginning has a unique byte signature. So, once again, if the detected .JPG file is fragmented, we’ll only be able to recover the first fragment, since the other fragments don’t have a unique signature.

To summarize, the reason that certain recovered photos may appear “cut off” is that the .JPG file was fragmented, and only the first fragment could be recovered. The only way that DiskDigger can currently recover fragmented files is in “deep” mode, and only if the underlying file system is NTFS. If “deep” mode does not produce the desired results, then the only alternative is to use “deeper” mode, and settle for incomplete or “cut off” images.

It’s also worth mentioning that other data recovery tools similar to DiskDigger have the same limitations. There is ongoing research regarding recovery of fragmented files without referencing the file system, and eventually certain methods of recovering such files may be built into DiskDigger. Stay tuned, as always.

Share this article:

Leave a Reply

Your email address will not be published. Required fields are marked *