[Geeks are Sexy] technology news





Thursday, February 23, 2006

The Theory behind deleted files recovery software: How do undelete your files manually in a FAT file system

hard disk recoveryMost of you are probably comfortable enough around computers to know that even if a file got deleted accidentally, and it’s not in the recycle bin, there are a few ways to get it back. I wrote an article about hard disk recovery a while ago, covering different free solutions to help you get your data back in case of a disaster, but this is something completely different.

To do our little experiment we will need:

  • A freshly formatted floppy disk
  • An hex editor that let you edit the content of a drive or partition (I used tiny hexer for this article. This editor is very small, free and simple to use)

WARNING: If you are not VERY careful, you could be corrupting data on your media by doing this. Only do it on a test disk that has no important data on it. If you really need to recover something important, use a data recovery software.

First, you have to know that files are still on the disk, even after you delete them. The only thing that happens when you erase one is that the pointer to the file gets removed from the drive index, marking the old file location as "Free". The next time you write something on your disk, you may end up overwriting your precious data since the old location is now marked as available. That is why you have to execute this procedure as soon as possible after deleting a file. DO NOT DEFRAGMENT your drive if you need to accomplish this procedure! Doing so would render all data recovery impossible. Why? Because as you probably know, defragmenting the drive puts file fragments back together, moving information from one location to another. If the pointer in the index points to something that isn't there anymore, you will not be able to recover anything.

1- Format your floppy

2- Create a text file named test.txt in notepad and save it on a: (could be any letter)

3- Start your hex editor, and open your a: drive for editing

4- Go to Sector 19 (Sector 19 is where the directory listing is on a floppy disk; it goes up to sector 32). The name of your file should be right there, written both in HEX and alphanumerical values.

5- Switch to your floppy drive and shift-delete test.txt

6- Go back to TinyHex and Refresh sector 19 (go to sector 18, and back to 19). You should now see that the name of your file is still there, but its first letter was replaced by the å character (hex E5). This indicates that the file was deleted. All you have to do now to undelete it is to type back its first letter on top of the å character.

7- Save your modification

8- Open your a: drive, Wow! The file magically reappeared on the floppy!

A floppy disk is composed of 2879 sectors:

0: Boot Track
1-9: First FAT
10-18: Second FAT
19-32: Disk Directory
33-2879: Data Area

For any FAT 12 and 16 volumes, the directory listing is always located right after the second FAT and has a fixed length. Under FAT32, the root directory is treated like a normal directory, and can be relocated and expanded in size. The FAT32 starting cluster is located in the boot sector at offset 2Ch (Most of the time, it points to a location after the second fat anyway).

NTFS:

Recovering data manually from NTFS is a bit more complex because the location of each file is noted in the MFT (Master Fat Table), and that table is unfortunately
not located in a predefined sector such as on FAT volumes. The Master file table is an index that contains every files on the volume. For each file, the MFT keeps records called attributes and each of these attributes store a different type of information.

First, you'll need to locate the exact position of the MFT on your disk. To do that, start your HEX editor and load up the desired partition. You should now be looking at sector 0 (Boot Sector). I'll give you a few hints about how to start your little research, but you'll have to do the rest by yourself.

An NTFS boot sector is divided in 6 parts

0x00: Jump instruction
0x03: OEM ID
0X0B: BPB
0X24: Extended BPB
0X54: Bootstrap code
0X01FE: End of Sector Marker

The BPB portion of the boot sector tells you at which logical clusters the MFT is. The exact position would be at 0x30 with a length of 8 bytes. The result would give you the Logical Cluster Number for the MFT file.

NTFS.com has an EXCELLENT tutorial about how to recover data from an NTFS partition, I suggest that you continue your little experiment over there. There are very little resources on the web about how to recover file manually from an NTFS partition. Your best bet would be at NTFS.com. If you really want to dig deeper in this subject, go and get yourself WinHEX. Winhex is the best hex editor on the market (In my own opinion). You'll be amazed by the functionalities of this wonderful application.

Add to Del.Icio.Us

Other [Geeks Are Sexy] technology articles



0 Comments:

Post a Comment

Links to this post:

Create a Link

<< Home