locked
How to get deleted files? RRS feed

  • Question

  • I know that implement using WDK for getting deleted files.

    To get deleted files, is appropriate using WDK?

    If yes, please let me know that how to get deleted files.

    Maybe, it's like gathering deleted files information for recovery files in the file recovery softwares.


    • Edited by andywella Wednesday, January 30, 2013 1:21 PM
    Wednesday, January 30, 2013 1:20 PM

Answers

  • Typically there are two approaches to the undelete problem.  You can actively filter for deletion of files and store them away, or you can try to scavenge the disk for file data.  The scavenge technique has lots of problems in that it is file system specific, that it depends on the system not have overwritten some of the data, etc.   Think about what the goal is, if you want to actively filter and support undeletion then this forum is a good place for help, with NTFSD at http://www.osronline.com/ being the other place for information.   If you want to try to scavenge you are going to have to do a lot of research yourself.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Wednesday, January 30, 2013 1:50 PM

All replies

  • Typically there are two approaches to the undelete problem.  You can actively filter for deletion of files and store them away, or you can try to scavenge the disk for file data.  The scavenge technique has lots of problems in that it is file system specific, that it depends on the system not have overwritten some of the data, etc.   Think about what the goal is, if you want to actively filter and support undeletion then this forum is a good place for help, with NTFSD at http://www.osronline.com/ being the other place for information.   If you want to try to scavenge you are going to have to do a lot of research yourself.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Wednesday, January 30, 2013 1:50 PM
  • Hi Donald,

    Actually, gathering deleted files in the file system and it sends to HDD(or SSD) drive for TRIM command.

    So, LBA(logical block address) values of deleted files sends to storage device on the ATA command.

    For it's solution, please guide to me.

    Thank you for your reply.


    • Edited by andywella Thursday, January 31, 2013 2:02 AM
    Thursday, January 31, 2013 1:47 AM