How to recover deleted files?

  • Question

  • Does anybody know how programs that recover deleted files are made?
    Wednesday, July 2, 2014 10:09 AM

Answers

  • Yes, with low-level programming languages like Intel assembler, C, or C++ used in that way.

    C# and Visual Basic are no tools for that.


    Success
    Cor

    Wednesday, July 2, 2014 10:59 AM
  • To start, you need to read the Master File Table ($MFT), find the record for the file in question and determine if all or any of its cluster chain has been re-used by another file. If it is clear, mark the $MFT record as active and write it back. How to determine if any part was overwritten, I don't know. How to mark it as active is easy (set bit 0 at offset 0x16 in the record buffer). How to write it back is not so easy, Windows 7 and higher locks the boot drive for sure and possibly other drives. Huge job, quite complex. It probably can be done in VB.NET but certainly would not be the first choice. Or the 2nd, etc.

    Wednesday, July 2, 2014 8:23 PM
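A read-only sketch of the checks described in the answer above, as an added example that is not code from any poster in this thread: it tests bit 0 of the flags word at offset 0x16, decodes the cluster runs of the record's non-resident $DATA attribute, and compares them against a volume allocation bitmap. The record and bitmap bytes are constructed samples, the function names are hypothetical, and the code assumes the record's update-sequence fixups have already been applied.

```python
import struct

def record_state(rec):
    # Classify an MFT record buffer without modifying it.
    if rec[:4] != b"FILE":
        return "invalid"
    (flags,) = struct.unpack_from("<H", rec, 0x16)
    return "active" if flags & 0x0001 else "deleted"  # bit 0 = record in use

def decode_runlist(buf):
    # Run = header byte (low nibble: length size, high nibble: offset size), count, signed delta.
    runs, lcn, i = [], 0, 0
    while i < len(buf) and buf[i]:
        len_sz, off_sz = buf[i] & 0x0F, buf[i] >> 4
        count = int.from_bytes(buf[i + 1:i + 1 + len_sz], "little")
        delta = int.from_bytes(buf[i + 1 + len_sz:i + 1 + len_sz + off_sz], "little", signed=True)
        i += 1 + len_sz + off_sz
        if off_sz:  # off_sz == 0 is a sparse run with no clusters on disk
            lcn += delta
            runs.append((lcn, count))
    return runs

def data_runs(rec):
    (off,) = struct.unpack_from("<H", rec, 0x14)  # offset of the first attribute
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:  # end marker or corrupt length
            break
        if atype == 0x80 and rec[off + 8]:  # $DATA with the non-resident flag set
            (roff,) = struct.unpack_from("<H", rec, off + 0x20)
            return decode_runlist(rec[off + roff:off + alen])
        off += alen
    return []

def reused_clusters(runs, bitmap):
    # $Bitmap holds one bit per cluster, least significant bit first; 1 = allocated.
    return [c for start, n in runs for c in range(start, start + n)
            if bitmap[c // 8] >> (c % 8) & 1]

def sample_record(flags):
    # Constructed record: header, one non-resident $DATA attribute, end marker.
    rec = bytearray(0x80)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 0x14, 0x38, flags)
    struct.pack_into("<IIB", rec, 0x38, 0x80, 0x48, 1)
    struct.pack_into("<H", rec, 0x58, 0x40)  # run list starts 0x40 into the attribute
    rec[0x78:0x80] = bytes([0x21, 0x03, 0x10, 0x00, 0x11, 0x02, 0xF8, 0x00])
    return bytes(rec) + b"\xff\xff\xff\xff"
```

An empty result from `reused_clusters` only means the clusters are currently unallocated; it does not show that they were never reallocated and freed again since the deletion.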

All replies

  • Your question has nothing to do with Visual Basic. You should use a search engine to try to get information on that.

    eassos.com blog

    A simple explanation from the blog is below.

    "How does data recovery software work?

    When you delete a file from computer, it is put into Recycle Bin by operating system, so that it can be restored at any time. But do you know where the deleted file is going when the Recycle Bin is emptied or the file is deleted by keys Shift and Delete? To make out this, we need to know the way operating system stores files.

    A file on computer disk is not stored in a series of continuous space, but it is stored in several blocks (clusters) scattered in different places. Vividly, we can compare hard disk to a building with numerous rooms that are numbered by figure. Say a file takes 5 rooms which may be from 501 to 505 or just five random rooms like 501, 217, 988, 331 and 658. These rooms are called data area. So, to manage files, operating system needs to know the information about file size and location, i.e. how many rooms and which room it takes. Let’s call the information “system area”. Simply, a file consists of data area and system area. When operating system deletes a file, it only modifies the system area instead of the data area. Operating system marks the data area “free”, in order that new files can be saved there. Therefore, deleted files can be recovered before they are overwritten by new files."


    La vida loca

    Wednesday, July 2, 2014 5:58 PM
  • To start, you need to read the Master File Table ($MFT), find the record for the file in question and determine if all or any of its cluster chain has been re-used by another file. If it is clear, mark the $MFT record as active and write it back. How to determine if any part was overwritten, I don't know. How to mark it as active is easy (set bit 0 at offset 0x16 in the record buffer). How to write it back is not so easy, Windows 7 and higher locks the boot drive for sure and possibly other drives. Huge job, quite complex. It probably can be done in VB.NET but certainly would not be the first choice. Or the 2nd, etc.


    Renee probably would know how to do that as she's been working with the MFT a lot lately I think.

    La vida loca

    Wednesday, July 2, 2014 8:26 PM
  • I have been working on the MFT with Renee for quite a while. I think we have solved reading it but that's only a small part of recovering deleted files.

    Thursday, July 3, 2014 1:56 AM
  • Whatever you two, or more, are doing it's over my head from the various code I've seen her post for questions about things regarding whatever you're doing with the MFT.

    La vida loca

    Thursday, July 3, 2014 3:40 AM