When you delete a file in Windows (Using)NTFS, it is marked as deleted within the MFT entry for that file. The clusters that were allocated to the fille are now marked as free, within the $BitMap. As long as that those clusteres are not overwritten by new data, there might be a change that you can restore the data from the disk clusters.
Now earlier I have restored to use some third party tool to restore deleted data from my computer or when I’ve been helping others to restore lost data. But luckily! now Microsoft has added this to Windows 10 as a free command line tool/app which can be used to recover that lost data.
This was recently released as is now available for users on Windows 10 with at least version 19041. The tool is in available in Windows Store and can be found here –> https://www.microsoft.com/en-us/store/r/windows-file-recovery/9n26s50ln705
- Recover from HDD, SSD, USB, and memory cards
- Supports NTFS, FAT, exFAT and ReFS file systems
It is important to understand that when you are trying to recover files using this tool that you do not specify that the source and destination are not the same physical partition, the reason being that you can then actually overwrite the disk clusteres where the data is contained and get stuck with corrupt data and being unable to restore the file.
The command line paramters for the tool are quite simple.
If you need to filter based upon certain file types/extensions you can use the /n switch
You can also see different options for the types/extension here –>
Now there are some things to be aware of, especially if you are using this on modern SSD’s which support and have TRIM enabled. As for TRIM feature, in short, when you delete any data from a TRIM-enabled SSD, the drive will clear all the sectors immediately and permanently. TRIM is a new feature for new versions of SSDs, which can speed up data writing via clearing the flash memory cell as soon as you delete any data. TRIM will let the PC operating system to inform the drive about the free data sector when they become available after deletion. In other words, the block where the deleted data was will get erased within the moment of data deletion.
You can verify if TRIM is enabled by running the following command
fsutil behavior query DisableDeleteNotify
If the reply is 0 then it means that TRIM is enabled.