I accidently deleted a bunch of files without recycle bin on... It's not terribly important that I get them back, but I'd like to :) So anyways, I downloaded a bunch of undelete utilities and they're like "Hey, your files are fine, and we'll undelete them if you pay us $30"

So I figure I'll just write an undelete utility.

However, I don't really know where to start... :P

If anyone has any ideas, I'd be glad to hear em

Thanks
--Chorus
Posted on 2002-08-26 17:13:52 by chorus
Hi chorus,

This is a topic I've thought about a couple times just never researched into it, so all I can give is a few ideas. I could be wrong, but files are not really removed from the hard drive when they are deleted. The FAT entries are just modified to show that no file exists or takes up that space, probably to speed up file deletion. Then when a new file is copied or created, windows just finds it a suitable place on the hard drive, overwriting previously deleted files and marks the sector in the FAT.

So, in this case you might be able to create a program to analyize the FAT and then dump the sectors in question. However, because files can span over multiple sectors, parts of the original file may be missing such as the start, middle, end or some of each making the file useless.

So the first thing I'd do is get some docs on File systems. This might be a lot of work as you have FAT16, FAT32, NTFS etc.
After you know how the file systems are laid out, you'll of course need to process them looking for "empty" areas of the drive. And because these "empty" spaces might not be empty but just marked as free in the FAT, you'll have to patch them together like a puzzel as these are the files you'll want to dump.

It's sounds like an interesting thing to try out! And I'm sure a handle full of challenges!
James:alright:
Posted on 2002-08-26 18:26:27 by JamesE
Actually wrote one a long time ago. When a file gets deleted, it leaves the entry in the directory table, and just writes over the first byte with a special character - think it was some greek symbol. The entry will contain where the first sector is. Unfortunately, it clears the entries in the fat table. So you would need to reconstruct these entries if it spans multiple sectors - and most files would, except for really small files. If the file was contiguos, and not fragmented, then this is no problem, just allocate however many sectors it used. When fragmented, you need to guess...

And off course, you need to enter in the first letter of the program.

This is how it worked in the old days for FAT-systems anyway. I dont even know if its possible to access the sectors of a hardrive anymore... Norton utilities still does it so it must be possible.
Posted on 2002-08-27 20:29:15 by mega
As far as I know, FAT format is open and completely discovered. With partitions such as NTFS, it becomes harder because MS holds its specifications closed and (as I was told), NT provides special API for accessing the partition directly which is used by defragmenters, integrity checkers, and file recovery utilities.
Posted on 2002-08-27 22:11:43 by comrade
Under FAT 12 the del command would change the first byte of the filename to 0xE5. That is why the DOS undelete command asks you for the first character.

If you create a new file, it will take up the first available FAT entry for that directory.

Under Win32, file recovery is not as possible as under DOS since new files and data can be written at anytime.
So even though the FAT entry could still exist, the data it points to could be overwritten. This is synonymous to broken hard links under the Linux FS.

FAT-x is well known. NTFS is propriatary FS that is partially (a h4(k w/ bugs) supported under Linux.
Posted on 2002-08-28 02:32:09 by eet_1024