
Active @ UNDELETE Users Guide - Active@ Undelete For Windows


Contents

1. Page Options. File system lookup: select the file system of the partitions to be detected. 2. Confirm and scan for deleted partitions: review and confirm the unallocated space scan parameters and click the Scan button to start the scanning process. While the process is in progress, you can cancel it at any time by clicking Stop at the bottom of the screen. 3. Scan detected partitions: review the list of detected partitions and select at least one of them to scan for missing files. [Screenshot: List of Detected Partitions (Volumes) dialog. "During Data Storage Device Scan several partitions were detected. Confirm selected partitions to search for deleted files." Columns: Name, File System, Status, Restore Stat, Total Size, First Sector, Total Sectors, Serial Number.]
2. [Screenshot: view of Physical Data Storage Devices. Columns: Name, Type, Status, File System, Segment, Offset in Sectors, First Sector, Total Sectors, Total Size. Properties pane: Name, Device Key, Platform Name, Product Name, Product Revision.]
3. Hardware and Disk Organization. Understanding of underlying mechanisms of data storage organization and data recovery. Here you can get some information about Hard Disk Drives (HDD) and low-level disk organization: Hard Disk Drive Basics on page 119; Master Boot Record (MBR) on page 120; Partition Table on page 122. Hard Disk Drive Basics. A hard disk is a sealed unit containing a number of platters in a stack. Hard disks may be mounted in a horizontal or a vertical position. In this description, the hard drive is mounted horizontally. Electromagnetic read/write heads are positioned above and below each platter. As the platters spin, the drive heads move in toward the center surface and out toward the edge. In this way, the drive heads can reach the entire surface of each platter. Each disk consists of platters, rings on each side of each platter called tracks, and sections within each track called sectors. A sector is the smallest physical storage unit on a disk, almost always 512 bytes in size. The figure below illustrates a hard disk with two platters. The remainder of this section describes the terms used on the figure. Figure 38: Two plated hard disk. The cylinder/head/sector notation scheme described in this section is slowly being eliminated. All new disks use some kind of translation factor to make their actual hardware layout appear as some
4. Important: Due to not supporting meta tag analysis for user defined file types, only system attributes are available for name patterns. Confirm changes: click Apply to preserve intermediate changes, or click the Save button to save and close the dialog. File attributes and meta tags. A file organizing rule consists of folder pattern tags. Folder pattern tags are used to define the grouping of files in folders by the same file system or meta attributes. Each following folder pattern depends on the previous choice, e.g. if a media file pattern is selected, then all following pattern choices will be relevant to media files. General file attributes. File Extensions: collects all files with the same file type (file extension). Associated Application: collects all files assigned to the same default application. Created Date (Year): full year of the date when the file was created, for example 2014. Modified Date (Year): full year of the date when the file was modified, for example 2014. Accessed Date (Year): full year of the date when the file was last accessed, for example 2014. Note: Each date attribute can be additionally structured with the attributes Month, Day, Weekday. Audio and Video meta attributes. Artist: artist name. Album: album name. Genre: genre literal name. Photo and Image meta attributes. Date Taken (YYYY MM DD): full date when the picture was taken, for example 2014 05 23. Date Taken (YYYY): Full year of date when picture
5. Thus, the first thing to do if the computer does not boot is to run Disk Viewer and check the first physical sector on the HDD: whether it looks like a valid MBR or not; check whether it is filled with zeros or any other single character; check whether error messages like the one you can see above (Invalid partition table) are present or not; check whether the disk signature (0x55AA) is present or not. The simplest way to repair or re-create the MBR is to run Microsoft's standard utility called FDISK with the parameter /MBR, like: A:\> FDISK.EXE /MBR. FDISK is a standard utility included in MS-DOS, Windows 95, 98, ME. If you have Windows NT / 2000 / XP, you can boot from start-up floppy disks or CD-ROM, choose the repair option during setup and run Recovery Console. When you are logged on, you can run the FIXMBR command to fix the MBR. Also, you can use third-party MBR recovery software or, if you've created an MBR backup, restore it from there (Active@ Partition Recovery has such capabilities). What will happen if the first sector is bad or unreadable? Most likely we'll get the same black screen which we got when trying to boot. When you try to read it using Disk Viewer/Editor, you should get an error message saying that the sector is unreadable. In this case recovery software is unable to help you bring the HDD back to working condition, i.e. physical partition recovery is not possible. The only thing that can be done is to scan and search for partitions, i.e. perfor
6. All information in the application is organized in tabbed views. Four of the main views are: Recovery Explorer View on page 8: the main (default) view of Active@ UNDELETE. In this view you can see all available Data Storage Devices and Logical Drives, Assembled RAIDs and opened Disk Images. Logical Drive Scan Result View on page 9: the Drive Scan Result View displays all files detected after a logical drive scan. Physical Device Scan View on page 9: shows scan results made in the context of a Data Storage Device. Search Results View on page 11: this view is used to display search results after a search in the corresponding context. Application Log on page 13: this log screen monitors each action taken by the application and displays messages, notifications and other service information. Welcome View on page 14: summary view with main tools, wizards and recent activity shortcuts. File Organizer view on page 12: utility view used to collect detected files from different sources, organize them in file groups (folders) and recover them all at once. To browse through each of these views, click on each tab in turn. You may also open a view from the View menu. To close the current view at any time, press CTRL+F4. To open any closed view, select it from the View menu. The status bar at the bottom of the workspace shows the current status of the application or the status of the activity in progress. When Active UNDELET
7. DESCRIPTION MIDI Audio EXTENSION mid BEGIN MID BEGIN Se sSIEEuII VIII MESS SS ua MID BEGIN MThd 0 0 MID SCRIPT next temp read dword size if temp MThd goto valid if temp MTrk goto exit W etlLiLolg size sum size 4 temp read dword size size sum size 4 endian dword temp size sum size temp goto next CA B HEADER XXTENSION cab EGIN CAB BEGIN SCRIPT CAB SCRIPT CAB BEGIN MSCF 0 0 CAB SCRIPT version read word ESCRIPTION Microsoft Compressed Archive CAB 24 if version 103h goto exit folders read word mul folders 8 folders 26 folders sum folders 36 files read word files mul files files sum files temp read dword if temp lt folders temp read dword if temp lt files flags read word flags and flags 28 16 folders 16 goto exit 8 goto exit 30 4 if flags 0 goto skip flags read dword 36 if flags 20 goto skip flags read dword 44 if flags lt temp goto skip size flags temp read dword skip 48 size sum temp size MP HEADER SCRIPTION Bitmap TENSION bmp EGIN BMP BEGIN SCRIPT BMP SCRIPT rm Di Bi BMP BEGIN BM 0 0 BMP SCRIPT Images BMP width read dword 12h if width 0 goto exit height r
8. Found files will be renamed by the file name pattern associated with the file type. It is recommended to use this option to rename files detected by their signatures. Figure 34: File Organizer dialog. 2. Open File Name Patterns dialog. To open the File Name Patterns dialog, click the File Type Patterns button or, if the Rename by File Type option is selected, click the Modify button for the same result. 3. Change file name patterns. Using this dialog you can edit file name patterns for each supported file type. Changing the file name pattern for a group item will assign the same pattern to each file type in this group. [Screenshot: File Name Patterns dialog with columns File Type, Extension, File Name Pattern, listing file type groups such as Microsoft Office Documents with their name patterns.]
9. 10 bits: Ending Cylinder. This field contains the lower 8 bits of the cylinder value. Ending cylinder is thus a 10-bit number, with a maximum value of 1023. 3F 00 00 00: Relative Sector. 51 42 06 00: Total Sectors. The remainder of this section describes the uses of these fields. Definitions of the fields in the Partition Table are the same for primary partitions, extended partitions, and logical drives in extended partitions. Boot Indicator Field. The Boot Indicator field indicates whether the volume is the system partition. On x86-based computers, only one primary partition on the disk should have this field set. This field is used only on x86-based computers. On RISC-based computers, the NVRAM contains the information for finding the files to load. On x86-based computers, it is possible to have different operating systems and different file systems on different volumes. For example, a computer could have MS-DOS on the first primary partition and Windows 95, UNIX, OS/2, or Windows NT on the second. You control which primary partition (active partition in FDISK) to use to start the computer by setting the Boot Indicator field for that partition in the Partition Table. System ID Field. For primary partitions and logical drives, the System ID field describes the file system used to format the volume. Windows NT uses this field to determine what file system device drivers to load during startup. It al
10. In TexFAT there could be 2 Bitmap Allocation tables; otherwise there will be only one bitmap. The NumberOfFats field in Boot Sectors determines the number of valid Allocation Bitmap directory entries in the root directory and the number of Allocation Bitmaps. Up-case Table. The Up-case Table contains data used for conversion from lower-case to upper-case characters. The File Name Directory Entry uses Unicode characters and preserves case when storing the file name. exFAT itself is case insensitive, so it needs to compare file names converted to upper case during search operations. Normally the Up-case Table is located right after the Bitmap Allocation table, but it can be placed anywhere in the cluster heap. It has a corresponding primary critical directory entry in the root directory. The Up-case Table is an array of Unicode characters, an index of which represents the Unicode character to be up-cased, and the value is the target up-cased character. The Up-case Table shall contain at least 128 mandatory Unicode mappings. If an implementation supports only the mandatory 128 characters, it may ignore the rest of the Up-case Table. When up-casing file names, such an implementation shall up-case only characters from the mandatory 128-character set and leave other characters intact. When comparing file names which differ only by characters in the non-mandatory set, those file names shall be treated as equal. Comments: 0x0000 0x0001 0x0002 0x0041 A is mapped into itself ident
11. [Screenshot: Supported file signatures templates list, with the groups Microsoft Office Documents, Formatted Text files, Compressed Archives, Images and Camera Raw files, Music and Videos, QuickTime Multimedia files, Miscellaneous, and Import and Remove buttons.] Custom file signature template. Provide a template name and a brief description for future reference. Specify the file extension of the file type you are defining (optional). To completely define a custom file signature template you need to enter Header (beginning of the file) and Footer (end of the file) criteria using RegExp syntax. There can be more than one Header criterion, and all of them must be met for a match to be considered the beginning of the file. There can be more than one Footer criterion too, but at least one of them must be met for a match to be considered the end of the file. To define custom file signatures, enter Template Name, Description and File extension (optional). Specify the file's Header (required) and Footer (optional) search criteria. A Size Script is useful to determine the actual file size. Read the manual for more detail and samples of how to create such a script. Template Name: template1. Template description: MIDI Audio. File extension: mid2. Beginning of File Criteria: You may provide several beginning of file (header) criteria; all of them mus
12. Select the destination path and additional options for the recovery of files and folders. It is recommended that recovery of files and folders be saved to a volume other than the volume from which they were found. [Screenshot: file recovery dialog. File naming options: Use original file names (recommended); Rename using file name pattern; Rename by associated File Type rules. Existing files conflict resolution: Generate unique file name (recommended); Ask before overwrite; Overwrite without prompt; Skip existing files. Options: Create original folder (group) structure; Recover Named Streams; Browse recovery destination folder after recovery completes; Create detailed log of recovered files (Impact Performance); Use Disk Lock; Ignore Disk Lock Errors; Ignore Write Errors; Ignore Read Errors.] Figure 12: File recovery dialog (extended). Naming options. Use original file names: names of detected files will be preserved only if no file with the same name already exists in the destination directory. Rename files: all files will be renamed by their given (specified) file root name and an added enumeration ID. File extensions remain intact. Existing files conflict resolution. Unique file name: if a file with the same name exists in the destination folder, a file with a unique name will be generated to avoid overw
13. ARC Archives (arc); 7z Archives (7z); Graphics Interchange Format. Custom (user defined) file signature templates. Active@ UNDELETE is an advanced data recovery tool designed to recover lost or deleted data, or even information from formatted hard disks. Active@ UNDELETE comes with more than fifty predefined (internally programmed, very fast) file signatures to be used to detect particular files (MS Office documents, many image formats, ZIP archives, MP3, etc.). See the complete list of supported file signatures during disk scan. However, sometimes advanced users need to detect more specific file formats that are not defined in the default signature set. Active@ UNDELETE offers advanced tools to define user templates for signatures to be analyzed. Signatures can be defined using an extended definition language, RegExp (Regular Expressions). To create a custom file signature: 1. Click the Tools > Preferences command to open the Preferences dialog. 2. Open the File Signatures group and use the Add button to define a new custom file signature, or 3. Click the Import button to load (import) a custom file signature from a script file (ini format). See Custom Signatures Size Script on page 44 for details. Note: You can edit your custom file signature template at any time by selecting your template in the list and clicking the Edit button, or simply double-clicking on the template's name.
14. [Hex dump: final rows of the sample boot sector, whose text column shows the messages "A disk read error occurred", "NTLDR is missing", "NTLDR is compressed" and "Press Ctrl+Alt+Del to restart", ending with the bytes 55 AA.] The following table describes the fields in the BPB and the extended BPB on NTFS volumes. The fields starting at 0x0B, 0x0D, 0x15, 0x18, 0x1A and 0x1C match those on FAT16 and FAT32 volumes. The sample values correspond to the data in this example. Table 3 BIOS Pa
15. Customize command in the view's toolbar where File Organizer is used. Using this dialog you can specify the folder hierarchy for folder presets. Some presets are already defined and shown as default (non-editable). Create your own folder preset or edit an existing one. The file naming template can be set individually for each preset using name tags. [Screenshot: Folder Presets dialog. Default presets, each marked "This pattern can not be changed": By Created Date, By Modified Date, By Accessed Date, By File Extensions, By Applications; plus a user preset, Preset for images. Callouts: "Click to modify file renaming patterns by File Type in File Name Patterns dialog in anytime"; "Click Modify button to open File Name Patterns dialog in case of renaming by File Type to change default patterns". File renaming options for the preset: Use original file name; Use file name pattern; Rename by File Type.]
16. Detect deleted partitions and restore them or recover data from them. Create a Disk Image for safe data restoration. Perform an Advanced Scan and organize the result using Scan Result View. Restore data from damaged RAID-system drives. Work with and recover data from dynamic RAID. Manage existing partitions or create new ones using the Partition Manager tool. Edit disk content with the advanced Disk Editor tool. Preview files before restoring. Supports HDDs larger than 2TB. List of supported file systems: NTFS, FAT, FAT32, exFAT, HFS, Ext2, Ext3, Ext4, UFS. General system requirements: Windows 8, Windows 7, Windows 2000, Windows 2003, Windows Server 2008, Windows XP, WinPE; Administrator's privileges required to install and run software; Pentium processor or compatible; 40 MB available on hard disk; 256 MB of RAM or more; Internet Explorer 8 or later, Google Chrome, Mozilla Firefox 1.0 or later; mouse or other pointing device. Windows 8, Windows 7, Windows 2000, Windows 2003, Windows Server 2008, Windows XP, WinPE; Administrator's privileges required to install and run software; Pentium processor or compatible; 30 MB available on hard disk; 64 MB of RAM or more; Internet Explorer 8 or later, Mozilla Firefox 1.0 or later; mouse or other pointing device. Getting Started with Active@ UNDELETE. Active@ UNDELETE is designed to explore and browse all data storage devices on your comput
17. FAT or Master File Table (NTFS), then, for the particular deleted entry, defining the cluster chain to be recovered, and then copying the contents of these clusters to the newly created file. Different file systems maintain their own specific logical data structures; however, basically each file system: has a list or catalogue of file entries, so we can iterate through this list and the entries marked as deleted; keeps for each entry a list of data clusters, so we can try to find the set of clusters composing the file. After finding the proper file entry and assembling the set of clusters composing the file, read and copy these clusters to another location. Step by step with examples: Disk scan for deleted entries on page 169; Define clusters chain for the deleted entry on page 172; Clusters chain recovery for the deleted entry on page 174. However, not every deleted file can be recovered; there are some assumptions, for sure. First, we assume that the file entry still exists (not overwritten with other data). The fewer files have been created on the drive where the deleted file resided, the greater the chance that the space for the deleted file entry has not been used for other entries. Second, we assume that the file entry is more or less safe to point to the proper place where the file clusters are located. In some cases (it has been noticed in Windows XP, on large FAT32 volumes) the operating system damages file entries right after deletion so that t
18. Formatting a volume with the NTFS file system results in the creation of several system files and the Master File Table (MFT), which contains information about all the files and folders on the NTFS volume. The first information on an NTFS volume is the Partition Boot Sector, which starts at sector 0 and can be up to 16 sectors long. The first file on an NTFS volume is the Master File Table (MFT). [Figure 40: Layout of NTFS volume after formatting, with regions labelled partition boot sector, Master File Table and file area.] See the next sections for more information about NTFS: NTFS Partition Boot Sector on page 131; NTFS Master File Table (MFT) on page 133; NTFS File Types on page 134; Data Integrity and Recoverability with NTFS on page 138. The NTFS file system includes security features required for file servers and high-end personal computers in a corporate environment. The NTFS file system also supports data access control and ownership privileges that are important for the integrity of critical data. While folders shared on a Windows NT computer are assigned particular permissions, NTFS files and folders can have permissions assigned whether they are shared or not. NTFS is the only file system on Windows NT that allows you to assign permissions to individual files. The NTFS file system has a simple, yet very powerful design. Basically, everything on the volume is a file and everything in a file is an attribute, from the data attribu
19. [Hex dump of the folder's directory entries, annotated "Deleted file MyFile.txt entry (long entry and short entry)" and "Existing file Setuplog.txt entry (the only short entry)".] This folder contains 3 entries, one of them deleted. The first entry is an existing folder, MyFolder. The second one is a deleted file, MyFile.txt. The third one is an existing file, Setuplog.txt. The first symbol of the deleted file entry is marked with the E5 symbol, so Disk Scanner can assume that this entry has been deleted. Example of scanning a folder on NTFS5 (Windows 2000). For our drive we have input parameters: Total Sectors 610406; Cluster size 512 bytes; One Sector per Cluster; MFT starts from offset 0x4000, non-fragmented; MFT record
20. Navigate a Physical Disk. To navigate to the disk system records of a physical disk, click on the Navigate button in the toolbar. Depending on the partition scheme and contents of the physical disk you are editing, the Navigate menu will contain different options. Navigating basic disks. After the Go to Offset and Go to Sector items, there is a Partition Table menu item which allows jumping to sector 0 of a physical disk. As you jump to the partition table, a Master Boot Record template is automatically selected. If the disk is not empty, the names of the partitions and their system areas will be in sub-menus below the Partition Table menu item. Navigating dynamic disks. For dynamic disks, the following system areas are available for direct access: LDM Private Header; LDM Primary TOC Block; LDM Backup TOC Block; LDM VMDB Block; LDM KLog; LDM First VBLK Block. After each access point, a sector number is specified in brackets. Navigate a Logical Drive. To navigate to the disk system records of a logical drive, click on the Navigate button in the toolbar. Depending on the file system present in a logical drive, the navigation menu will have
21. Unused portion of the FileName field must be set to 0x0000. Table 18: Invalid File Name Characters (Character Code: Character Description). 0x0000-0x001F: Control codes. 0x0022: Quotation mark. 0x002A: Asterisk. 0x002F: Forward slash. 0x003A: Colon. 0x003C: Less than. 0x003E: Greater than. 0x003F: Question mark. 0x005C: Back slash. 0x007C: Vertical bar. exFAT Cluster Heap. The cluster heap is a set of clusters which hold data in exFAT. It contains: Root Directory; Files; Directories; Allocation Bitmap on page 153; Up-case Table on page 154. The allocation status of clusters in the cluster heap is tracked by the Bitmap Allocation Table, which is itself located inside the cluster heap. Allocation Bitmap. The Allocation Bitmap keeps track of the allocation status of clusters. The FAT does not serve this purpose as it does in the FAT16/FAT32 file systems. The Allocation Bitmap consists of a number of 8-bit bytes which can be treated as a sequence of bits. Each bit in the bitmap corresponds to a data cluster. If it has a value of 1, the cluster is occupied; if 0, the cluster is free. The least significant bit of the bitmap table refers to the first cluster, i.e. cluster 2. Description: Comments. 1st byte: Clusters 2-9. 2nd byte: Clusters 10-17. 3rd byte: Clusters 18-25. The Bitmap Allocation Table resides in the cluster heap and is referred to by the Bitmap Directory entry in the root directory.
22. all bookmarks at once, click Disable all bookmarks in the toolbar or select this command in the context menu. Searching in Disk Editor. To search for text or a byte sequence in Disk Editor: press the Ctrl+F shortcut key, or use the Find button in Disk Editor's toolbar; the Find dialog will then appear. [Screenshot: Find dialog. Find what: ANSI, Hex or Unicode; Use Regular expressions; Search direction; Search at offset 0 of 512 bytes block. Notes in the dialog: the start of blocks is determined by the current cursor position; use the 0x prefix for hexadecimal values; during subsequent search by F3 / Ctrl+F3 the layout of defined blocks is preserved.] Search data by ANSI, Hex or Unicode pattern. To speed up the process, you can ask to search only at a given offset inside user-defined blocks. Regular expressions and wildcards expand search capabilities even further. Search direction specifies the search direction from the current cursor position. When using the Find All command, a list of all search entries will appear. Use this list to navigate between search result entries (if any) by double-clicking on an entry line. Examples of using regular expressions: whd: match integers 0 to 99; S: match strings without white space; b maillletter correspondence b: match strings containing mail or letter or correspondence but only match whole wo
23. created during recovery by using the Add button. Select the Destination Path to decrypt temporary EFS files, and additional options if necessary. [Screenshot: decrypt files dialog. Files: add temporary recovered files to decrypt, Remove. Existing files conflict resolution: Generate unique file name (recommended); Ask before overwrite; Overwrite without prompt; Skip existing files. Options: Delete temporary files after decryption; Browse recovery destination folder after decryption completes; Create detailed log of decrypted files (Impact Performance); Use Disk Lock; Ignore Disk Lock Errors; Ignore Write Errors; Ignore Read Errors.] Figure 14: Decrypt files dialog box. Options. Delete temporary files: all temporary recovered (encrypted) source files will be deleted after decryption. Browse Destination: the folder where files will be decrypted will be opened by the default OS file browser. Create Detailed Log: the log files will contain more detailed information about the forthcoming process. Use Disk Lock: the source disk will be locked during the file recovery process. The disk will be unlocked as soon as the process is completed. Ignore Disk Lock Errors: with this option on, the file recovery process will continue even if locking of the source device fails. Ignore Write Errors: No error messages will appear and a
24. data CustomDefined. All critical primary directory entries are located in the root directory (except file directory entries). Benign primary directory entries are optional. If one benign primary entry is not recognized, all of its directory entry set is ignored.

    #include <stdint.h>
    typedef uint16_t UINT16;

    /* data points to directory entry set in memory */
    UINT16 EntrySetChecksum(const unsigned char data[], int secondaryCount)
    {
        UINT16 checksum = 0;
        int bytes = (secondaryCount + 1) * 32;  /* primary entry plus secondaries, 32 bytes each */
        for (int i = 0; i < bytes; i++) {
            if (i == 2 || i == 3)               /* skip the stored checksum field itself */
                continue;
            /* rotate right by one bit, then add the next byte */
            checksum = ((checksum << 15) | (checksum >> 1)) + data[i];
        }
        return checksum;
    }

exFAT Defined Directory Entries. The main exFAT directory entries are defined in the table below. Table 10: Defined Directory Entries list (EntryType; Primary; Critical; code; Directory Entry Name). 0x81; yes; yes; 1; Allocation Bitmap. 0x82; yes; yes; 2; Up-case Table. 0x83; yes; yes; 3; Volume Label. 0x85; yes; yes; 5; File. 0xA0; yes; no; 0; Volume GUID. 0xA1; yes; no; 1; TexFAT Padding. 0xA2; yes; no; 2; Windows CE Access Control Table. 0xC0; no; yes; Stream Extension. 0xC1; no; yes; File Name. Read about Directory entries below. Allocation Bitmap D
25. do it before you can virtually restore it back and look for your data, in case it has not been overwritten with new data yet. Some advanced recovery tools also have the ability to scan the disk surface and try to reconstruct the previously deleted partition information from the pieces of information left, i.e. perform virtual partition recovery. However, it is not guaranteed that you can recover anything. Partition Boot Sector is damaged: The Partition Boot Sector contains information which the file system uses to access the volume. On personal computers, the Master Boot Record uses the Partition Boot Sector on the system partition to load the operating system kernel files. The Partition Boot Sector is the first sector of the partition. For our first NTFS partition we have boot sector IISEKONES CI INE IM O Sick i Seccoir il Offset 0 431 2 89 4 5 7 9o 9 A B C D H F 000000000 EB 5B 90 4E 54 46 53 20 20 20 20 00 02 01 00 00 e NTFS 000000010 00 OO 00 00 00 re 00 00 sF CO F 00 37 00 00 CO S QocSoWoeZoos 000000020 00 00 00 00 a0 00 0 00 37 32 4m 00 00 00 00 00 PE a 6 PINIGEIS TIS 000000030 55 4s OL 00 00 00 00 00 17 19 27 00 00 00 00 00 CERE see Poasa 000000040 02 00 00 00 08 00 00 00 10 EC 46 C4 00 47 C4 OC UN iFA GA 000000050 00 00 00 00 00 00 00 00 00 00 00 00 OO FA 33 CO E es oman erect u3A 000000060 8E DO BC 00 7C FB B8 CO 07 8E D8
26. extdpb root clus The cluster number of the first cluster in the root directory extdpb next free The number of the cluster that was most recently allocated File Systems 167 Partition Types The following are all the valid partition types and their corresponding values for use in the Part FileSystem member of the s partition structure Table 21 Partition Types PART UNKNOWN 00h Unknown PART DOS2 FAT 01h 12 bit FAT PART DOS3 FAT 04h 16 bit FAT Partitions smaller than 32MB PART EXTENDED 05h Extended MS DOS Partition PART _DOS4 FAT 06h 16 bit FAT Partitions larger than or equal to 32MB PART DOS32 0Bh 32 bit FAT Partitions up to 2047GB PART DOS32X 0Ch Same as PART DOS32 0Bh but uses Logical Block Address Int 13h extensions PART DOSXI3 0Eh Same as PART DOS4 FAT 06h but uses Logical Block Address Int 13h extensions PART DOSXI3X 0Fh Same as PART EXTENDED 05h but uses Logical Block Address Int 13h extensions S partition FAT32 Sj Parr eion STRUC Part BOO inc DB amp Part FirstHead DB Pela dE SIE OU DB Pom Tiret ieee DB 2 Part FileSystem DB g Part LastHead DB g Pelet LASICE EIE DB E Part LastTrack DB g Paiste dish sce bolls DD g Part NumSectors DD 8 S Part rion ENDS Part BootInd Specifies whether the partition is bootable or not This value could be set to PART BOOTABLE 80h or PART NON BOOTABLE 00h The first partition designated as PART BOOT
27. the second step in partition recovery is to run Disk Viewer and to make sure that the proper partition exists in the partition table and has been set as active. How can recovery software help you in the above-mentioned scenarios? 1. Discover and suggest that you choose the partition to be active (even FDISK does so). 2. Discover and suggest that you choose the partition to be active. 3. Perform a free disk space scan to look for the partition boot sector or remnants of the deleted partition information, in order to try to reconstruct the Partition Table entry for the deleted partition. 4. Perform a scan of all disk space to look for the partition boot sector or remnants of the damaged partition information, in order to try to reconstruct the Partition Table entry for the damaged partition. Why is the partition boot sector so important? Because if recovery software finds it, all the parameters necessary to reconstruct the partition entry in the Partition Table are there (see the topic "Partition Boot Sector is damaged" on page 181 for details). What would happen if the partition entry had been deleted, then recreated with other parameters and re-formatted? In this case, instead of the original partition entry we would have a new one, and everything would work fine, except that later on we could recall that we had some important data on the original partition. If you've created an MBR, Partition Table and Volume Sectors backup, for example, Active Partition Recovery and Active UNERASER can
28. u array if necessary. To create RAID 5 (left asynchronous, Default), select at least three physical devices and provide Block Size. The Damaged Device may be used instead of a physically inaccessible device. Page Options: Offset: address of the selected area on the current disk. Size (sectors): size of the selected area on the current disk. Number of Tracks per Cylinder: number of tracks in each cylinder on all platters making up a hard disk. For example, if a hard disk has four platters, each with 600 tracks, then there will be 600 cylinders, and each cylinder will consist of 8 tracks (assuming that each platter has tracks on both sides). Number of Sectors per Track: a sector is the smallest unit that can be accessed on a disk. The tracks are concentric circles around the disk, and the sectors are segments within each circle. This value indicates how many sectors are on each track. Stripe Block size: the size of a block in kilobytes used for RAID creation. Applicable to RAID 0 and RAID 5 arrays. Standard values are 32Kb, 64Kb, 128Kb, 256Kb. If you are not sure, try all standard sizes consecutively and you will most likely find the proper one. Arrange disks in the Virtual Disk Array using the Up and Down butt
29. www.microsoft.com/windows/reskits/webresources/default.asp or Microsoft Developers Network (MSDN) http://msdn.microsoft.com. Data Integrity and Recoverability with NTFS: NTFS is a recoverable file system that guarantees the consistency of the volume by using standard transaction logging and recovery techniques. In the event of a disk failure, NTFS restores consistency by running a recovery procedure that accesses information stored in a log file. The NTFS recovery procedure is exact, guaranteeing that the volume is restored to a consistent state. Transaction logging requires a very small amount of overhead. NTFS ensures the integrity of all NTFS volumes by automatically performing disk recovery operations the first time a program accesses an NTFS volume after the computer is restarted following a failure. NTFS also uses a technique called cluster remapping to minimize the effects of a bad sector on an NTFS volume. Important: If either the master boot record (MBR) or boot sector is corrupted, you might not be able to access data on the volume. Recovering Data with NTFS: NTFS views each I/O operation that modifies a system file on the NTFS volume as a transaction and manages each one as an integral unit. Once started, the transaction is either completed or, in the event of a disk failure, rolled back, such as when the NTFS volume i
30. 00 00 00 00 00 00 00 00 00 00 00 00 00 000000040 00 00 00 00 00 00 00 00 00 00 OO 00 OO 00 00 00 000000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000000060 8E DO BC 00 wc in 1X9 CO 07 iu D C7 0G 54 00 00 AR Re wg UA HOE 6 Es 6 If we try to boot, we'll see "Non System Disk or Disk Error". After we fail to load from it and from floppy, the partition becomes not bootable. Because a normally functioning system relies on the boot sector to access a volume, it is highly recommended that you run disk scanning tools such as Chkdsk regularly, as well as back up all of your data files, to protect against data loss in case you lose access to the volume. Tools like Active Partition Recovery and Active UNERASER allow you to create a backup of the MBR, Partition Table and Volume Boot Sectors, so that if for some reason it fails to boot you can always restore your partition information and have access to files and folders on that partition. What to do if this sector is damaged? If we do have a backup of the whole disk or of the MBR and Boot Sectors, we can try to restore it from there. If we do not have a backup, in the case of NTFS we could try to locate a duplicate of the Partition Boot Sector and get information from there. If a duplicate boot sector is not found, only virtual partition recovery might be possible, if we can determine critical partition parameters such as Sectors per Cluster, etc. How can we fix NTFS boot sector using standard Windows NT/2000/XP
31. 0000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA What will happen if the first sector has been damaged, by a virus for example? Let's overwrite the first 16 bytes with zeros: 000000000 00 00 00 00 00 00 00 00 00 00 00 OO 00 00 00 00 000000010 Bis la 06 50 57 BY BS 0L FS A Ch BE Bi 07 Bil 04 E oo IEEE aOR DE o When we try to boot, after the hardware testing procedures we see just a blank screen without any messages. It means the piece of code at the beginning of the MBR could not be executed properly. That's why even error messages could not be displayed. However, if we boot from the floppy, we can see the FAT partition and the files on it, and we are able to perform standard operations like file copy and program execution. This happens because in our example only part of the MBR has been damaged, which does not allow the system to boot properly. However, the partition table is safe, and we can access our drives when we boot from the operating system installed on the other drive. What will happen if the sector signature (last word 0x55AA) has been removed or damaged? Let's write zeros to the location of the sector signature: least Sxexenuones Cyll 0 Sioe Ur Secor il 0000001E0 ai 65 OW wis B7 4A 25 83 57 00 66 6 3S 00 OO OC Ae J No SEEMS 65 0000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 When we try to boot now, we see an error message like "Operating System not found"
32. 07 00 North Asia Standard Time 160 OxA0 U TC 08 00 North Asia East Standard Time 164 0xA4 JTC 09 00 Tokyo Standard Time 168 0xA8 UTC 10 00 West Pacific Standard Time 172 OxAC UTC 11 00 Central Pacific Standard Time 176 OxBO UTC 12 00 New Zealand Standard Time 180 0xB4 JTC 13 00 Tonga Standard Time 208 0xDO TC 12 00 Dateline Standard Time 212 0xD4 TC 11 00 Samoa Standard Time 216 0xD8 JTC 10 00 Hawaii Standard Time 220 0xDC TC 09 00 Alaska Standard Time 224 OxE0 TC 08 00 Pacific Standard Time 228 OxE4 TC 07 00 Mountain Standard Time 232 OxE8 JTC 06 00 Central Standard Time 236 OxEC TC 05 00 Eastern Standard Time 240 OxFO TC 04 00 Atlantic Standard time 242 OxF2 JTC 03 30 Newfoundland Standard Time 244 OxF4 JTC 03 00 Greenland Standard Time 248 OxF8 UTC 02 00 Mid Atlantic Standard Time 252 0xFC UTC 01 00 Azores Standard Time QadaascdaaulaaaqsXs Volume GUID Directory Entry In following table presented a benign primary directory entry and may not present in a file system Offset i Description Comments 0 0x00 1 EntryType OxAO 1 0x01 1 SecondaryCount Must be 0x00 2 0x02 2 SetChecksum 4 0x04 2 GeneralPrimaryFlags See below Offset 6 0x06 22 0x16 Table 15 Primary Flags Definitions Description VolumeGuid Reserved Description AllocationPossible NoFatChain CustomDefined File Systems 151 Comments All values are v
33. 196 MB FAT32 MOORE 4 Status Excellent Hep Close 4 Review volume scan results Use the File Filter Toolbar on page 40 to narrow down search results By default only deleted Files and Folders are shown To view all files detected on scanned devices click the Reset filter to default button in the toolbar Files List Detected Files and Folders Select desired Files for recovery using check marks File Filter can be used to narrow down files list Accessed Deleted gt E y Lost amp Found gt E SRECYCLE BIN yd 12 05 12131442 D 54550 O bytes 12 05 1213 12 05 12 13 14 43 D 54550 0 bytes 03 03 12 10 41 50 03 03 12 10 41 50 D 54548 0 bytes 24 11 11 03 01 39 d1030139 D 54518 341 MB 25 08 11 19 38 12 2 D Healthy 1 24 MB System 325 MB 17 10 09 20 01 26 Q d 381856 Deleted 0 bytes 11 02 11 03 21 11 6 F 569497 _ Deleted 0 bytes 15 04 11 05 04 18 15 09711 09 04 16 D 1 r Gy 942607 Deleted 0 bytes 10 05 11 05 57 32 10 05 11 05 57 32 D 4462 E copy Healthy 2 56 GB 05 03 09 12 52 35 26 04 11 13 47 05 D 20976 p E island Healthy 1 55 MB 05 03 09 12 50 24 12 05 12 11 57 34 D 18410 F amp y Msite145 tmp Deleted 0 bytes 12 05 12 13 14 43 12 05 12 13 14 43 D 4466 F G MSBddbf tmp Deleted 0 bytes 23 08 11 10 29 02 23 08 11 10 29 02
34. 3 2013 4 January 4 2011 Use Organize Files feature to Sept group and rename files before 4 2012 recovery Select valid location to recover files Recover all files grouped as present to selected location Recovery destination Conflict resolution Errors control Additional A Recover All Recover files to d temp recovered Change Recover all listed files to destination folder Collected 7 files Total space required to recover all selected files 2 80 MB Major D Type Fixed Disk Space available 496 GB 532 670 271 488 bytes Total size 932 GB 1 000 202 042 880 bytes File System NTFS f Enough space on destination disk volume Use Recover All button to recovt Space meter Used 435 GB Left free 496 GB Figure 37 File Organizer view All selected files will be added to File Organizer view excluding duplicates You can repeat commands above and add files from different sources InFile Organizer view you can remove unwanted files by selecting them and then click Remove button in toolbar or click Clear button in toolbar to remove files from File Organizer view Use File Organizer feature to group o rename files before recovery File Organizer is advanced tool designed to group and rename files using their system attributes or meta attributes before actual recovery Click on Organize Files drop down menu and select one of the predefined file organizing rules to group files in a vie
35. Block DPB structure DPB Mirroring Description When Enabled bit 0x0080 clear With mirroring enabled whenever a FAT sector is written it will also be written to every other FAT Also a mirrored FAT sector can be read from any FAT A FAT32 drive with multiple FATs will behave the same as FAT16 and FAT12 drives with multiple FATs That is the multiple FATs are backups of each other When Disabled bit 0x0080 set With mirroring disabled only one of the FATs is active The active FAT is the one specified by bits 0 through 3 of the extdpb_ flags member of DPB The other FATs are ignored Disabling mirroring allows better handling of a drive with a bad sector in one of the FATs Ifa bad sector exists access to the damaged FAT can be completely disabled Then a new FAT can be built in one of the inactive FATs and then made accessible by changing the active FAT value in extdpb_flags DPB FAT32 The DPB was extended to include FAT32 information Changes are effective for Windows 95 OEM Service Release 2 and later DPB STRUC dpb drive DB dpb unit DB dpb sector size DW 2 dpb_cluster mask DB 8 dpb cluster shift DB 2 diolo tirst Tar DW 8 Ololo sec Croibhare DB 8 dpb root entries DW 8 Ololo iie SOCcoie DW E dpb max cluster DW EB File Systems 165 lolo scene _ Sale DW 8 dob Seco DW 8 dpb reserved2 DD E dpb media DB B ifdef NOTFAT32 cido Firet ACCSSS DB 8 else dpb reserved DB B endif dpb
36. D 4467 li Deleted 0 bytes 08 03 12 08 54 58 08 03 12 08 54 58 D 4478 F MSI72da5 tmp Deleted 0 bytes 09 03 12 03 02 59 09 03 12 03 02 59 D 4464 gt 7 amp System Volume Information System 28 0 KB 16 12 08 11 18 11 26 03 12 17 51 38 HSD 27 gt 7 amp y Windows NT4 Deleted 345 MB 05 03 12 11 13 27 05 03 12 11 20 23 D 7111 F amp Windows NT4 FAT Deleted 0 bytes 05 03 12 11 20 23 05 03 12 11 20 23 D 4476 F E PartMan exe Deleted 3 82 MB 26 10 10 13 08 44 26 10 10 13 08 44 A 4454 47 of 88958 file s E so file s and 18 folder s Help Select file s to recover and click Next to continue 5 Recover Files _ cose _ Next gt Active UNDELETE Wizards Overview 106 File Recovery Select required options and dick Next to continue P Er Recover files to d temp yecovered mm um Naming options Use original file names recommended Rename files to recovered 4 00001 Existing files conflict resolution 9 Generate unique file name recommended Overwrite without prompt Ask before overwrite D Skip existing files Options Create original folder group structure Recover Named Streams Selected 3 files and folders to recover Naming options Use original file names Names of detected files will be preserved only if no file with that name exists in the destination directory Rename files AII files will b
37. Disk m o i UFFFFFFFFF ST31000524AS iei Ora 1 00 MB Primary LDM me CONES T31000524AS E Major D eiie 332 GB Primary NTFS 1 71 MB Unallocated S Fixed Disk J see OCZ VERTEXS System Reserved 1 Local Disk C R 100 MB Primary NTFS 55 8 GB Primary NTFS 1 90 MB Unallocated F Fixed Disk Gn EE qn nn st D i CU ST3500630AS on exi M2 106 g MR Baid llena ne e ONES EH 259 malaos a Laos ae ilesa ae unallocated emt recep a z To open Partition Manager click Tools gt Partition Managerin main application menu or use shortcut Ctrl M at any time when running Active UNDELETE The main features of Partition Manager are Initialize Disk Physical Device on page 60 Create partition on page 61 Format partition on page 63 Resize a partition or logical drive volume on page 63 Edit boot sectors on page 64 Active UNDELETE Tools Overview 60 Edit partition table on page 65 Create virtual partition on page 55 Initialize Disk Physical Device Physical Disks Initialization To make disk accessible for application it needs to be initialized first by one of the following partition style A Master Boot Record MBR GUID Partition Table Danger Do not initialize disk if you are about to recover lost data from it Use Scan Disk Physical Device on page 29 to retrieve your files fist To initialize physical disk proceed as follows 1 Select disk to initialize In Partiti
38. Figure 23: Create virtual copy dialog. Dialog options: Caption: text label to mark the created virtual partition in Recovery Explorer or in Partition Manager. File system: select one of the supported file systems: FAT, FAT32 or NTFS. First sector: offset of the virtual partition in sectors or in MB. Size: size of the virtual partition in sectors or in MB. 4. Click the Create button. After the command is complete, the newly created virtual partition will appear in Recovery Explorer, ready for applicable actions such as volume scan, etc. Edit virtual partition: Active UNDELETE is an advanced data recovery tool designed to recover lost or deleted data, or even information from formatted hard disks. Virtual partition properties can be changed without affecting actual data on disk. 1. Select a virtual partition: in Recovery Explorer, select a logical drive or a partition. 2. Open the Edit Boot Sector Template: from the Recovery Explorer toolbar, click Edit Partition, or right-click the selected item and click Modify Partition from the context menu. 3. Adjust dialog options: in the Edit Boot Sector Template dialog, make changes to the Boot Sector Primary and Boot Sector Copy separately or simultaneously. See the Edit boot sectors on page 64 dialog for details. 4. Click Save to accept changes. Virtual RAID: If you have a corrupted RAID configuration and one or more drives in the array are damaged you can
39. File Attributes Dates p gt 3 Created YYYYMMDD Use Insert button to insert file aed 2007 Docunents x Created YYMMDD name tags at cursor position Open Documents Text odt Created YYYY tl XPS Documents xps Created YY 4 Formatted Text files Created Month T Adobe Acrobat Documents pdf Created MM 1 m ym mee Created DD E 4 Accessed YYYYMMDD File name sample Author Name Track A MA 5 Restore Defaults Save Cancel Apply Help Figure 35 File Name Patterns dialog In File Name Patterns dialog you can change file name pattern for each file type by double clicking on file name pattern field for desired file type or click Edit button in toolbar for same result Click Reset button in toolbar to reset file name pattern for selected file type to defaults or click Restore Defaults to reset all file name patterns to their default values You can edit file name patterns for every file in a group at once by editing group pattern Add User File Type pattern User can add custom file type pattern to existing list by clicking Add button in dialogs toolbar and completed required fields file type either type it in or select from drop down list and providing file name pattern using Insert button to insert file name tags at current cursor position File Type 3gp BGPP Audio Video je File name pattern recovered File Full Name File name sample recovered Original File Name 3gp Figure 36
40. File renaming patterns by File Type ssssssssesseseeeeneenenenennenne nennen ener ener eren enne 86 File attributes andmeta tags HRS tene RS I ER ea Rte EUR TA es 89 Rollback Partition Changes ener enne e iE a enne 91 File Organizer VIew cxisteen tee iste aa ie ditte a RI ee 92 Hardware Diagnostic File eee E E rennen reine se nee nese nette sinere nennen 93 Cr ate virtual HEIDE EEEE 94 Active UNDELETE Wizards Overview ssccsssscccsssssscssscsecssscssssssssseeesees IO File Recovery Wizardsissa ERR NET t UT E A ERE EP E Ee A 96 Recover Deleted Files Wizard ic eene e iride eli ee erue oed 96 Recover Files by Signature Wizard sss nennen nennen enne nnne nnn 98 Recover Files from a Formatted Partition Wizard sese 101 Recover files from a deleted partitions wizard sse 104 File Recovery Expert Wizard edet ee hiver e e ei eet dre Hed 107 Disk Ima ge Wizatds 4 ossi eedem iei dettes catus 107 Create a Disk Image Wizard diese dcdit este i i e EER pa 107 Open a Disk Image Wizard ice ee o pe e e I TR ER SEHE re ones 109 Verify a Disk Image Wizatd ee eee coe Re HE CR T Hr N 110 Pertition Management Wizards eere ener nnne tenente nnne entente 112 Restore a Deleted Partition Wizard sees nne 112 Create a New Partition Wizard rece ete ee Re ee editae cre is ege eo 113 Create a Virtu
41. Files or Folders with Attributes Deleted ReadOnly System Sparse Stream Compressed FA v T Exdude Files or Folders with Attributes ReadOnly System Hidden Directory Temporary MFT Stream Compressed Archive ncrypted Normal Resident SLoaFile Figure 20 File Attributes Criteria To change all settings back to defaults click Restore Defaults 4 Click Search to start searching process To display disk image events and progress details click Details To terminate the searching process click Stop at any time In this case search results may be not accurate or complete After the search is done a Search Results view appears 5 Note You may repeat a search many times and refine the search criteria for better results Note See How to Use Wildcards on page 50 for details how to set search criteria You may use File Filter Toolbar on page 40 to improve search results After search complete Search Results View on page 11 must appear with search results 1f any for provided criteria You can repeat steps form 1 to 4 for desired effect Using Active UNDELETE Overview 40 File Filter Toolbar Active UNDELETE is an advanced data recovery tool designed to recover data lost or deleted data or even information from formatted hard disks The File Filter toolbar contains commands that can help you organize files in
42. MS-DOS and OS/2 access the file by using the conventional eight-plus-three file name contained in the folder entry for the file. The figure below shows all of the folder entries for the file Thequi~1.fox, which has a long name of The quick brown fox. The long name is in Unicode, so each character in the name uses two bytes in the folder entry. The attribute field for the long name entries has the value 0x0F. The attribute field for the short name is 0x20. [Figure 45: Example of Folder Entries for the long file name, showing the 2nd (and last) long entry, the 1st long entry and the short entry] Tip: For more detailed information see resource kits on Microsoft's web site http://www.microsoft.com/windows/reskits/webresources/default.asp or Microsoft Developers Network (MSDN) http://msdn.microsoft.com. FAT32 Features: The following topics describe the FAT32 file system: File System Specifications on page 161; Boot Sector and Bootstrap Modifications on page 161; FAT Mirroring on page 164; Pa
43. MSDN http://msdn.microsoft.com. NTFS File Types: NTFS File Attributes on page 134; NTFS System Files on page 135; NTFS Multiple Data Streams on page 136; NTFS Compressed Files on page 137; NTFS Encrypted Files (Windows 2000 only) on page 137; NTFS Sparse Files (Windows 2000 only) on page 138. NTFS File Attributes: The NTFS file system views each file or folder as a set of file attributes. Elements such as the file's name, its security information, and even its data are all file attributes. Each attribute is identified by an attribute type code and, optionally, an attribute name. When a file's attributes can fit within the MFT file record, they are called resident attributes. For example, information such as filename and time stamp are always included in the MFT file record. When all of the information for a file is too large to fit in the MFT file record, some of its attributes are non-resident. The non-resident attributes are allocated one or more clusters of disk space elsewhere in the volume. NTFS creates the Attribute List attribute to describe the location of all of the attribute records. The next table lists all of the file attributes currently defined by the NTFS file system. This list is extensible, meaning that other file attributes can be defined in the future. Attribute Type Description Standard Information Includes information su
44. Name itioni Total Sectors 4 amp PhysicalDrived Ready Init GPT Basic 932 GB 1953525168 V nallocated Spac 105 GB 221208542 512 Local Disk M 512 Local Disk 0 ea ere ede ae Sry 512 E v Unallocated Space 512 4 amp PhysicalDrive2 Ready Init 3 512 Major D 932 GB 1953519616 512 E 7 Unallocated Space 1 71 MB 3504 512 4 amp PhysicalDrive3 Ready Init MBR Basic 55 9 GB 117231408 512 System Reserved 2 Assigning proper File System filters may save 512 Local Disk C scanning time and narrow down final results 512 7 Unallocated Space sse 512 4 amp PhysicalDrive4 Ready Init MBR Basi 466 GB 976773168 512 Detected partitions File System Lookup V NTFS 7 FAT32 exFAT V FAT gt HFS C Ext2 Ext3 Ext4 Unallocated Space 105 GB Unallocated Page Options File system lookup Select File System of a partitions to be detected 2 Confirm and scan for deleted partitions Review and confirm the unallocated space scan parameters and click the Scan button to start the scanning process While the process is in progress you can cancel it at any time by clicking Stop at the bottom of the screen 3 Review scan results Select the partition to restore from the list of detected partitions and if partition can be restored click the Next button to continue Device Map control marks selected partition with scaled geometry and indicates by green color restorable or by re
45. Partitions A Scan Volumes Logical Drives for deleted Scan Disks for deleted or damaged Ex files and folders and files by their signatures partitions Partition Management 3 a Advanced Recovery Explorer Load Scan Results Disk Image Management Start Recovery Explorer in Advanced Mode Load previously saved Scan Results and open UU Access Physical Devices to detect Deleted or them in separate view irene EIE Damaged partitions and undelete data S m Load Session wee Load previously stored Application Session Version Info V Show this view on startup Close Figure 7 Default welcome view Getting started Contains most general starting points for file recovery and partition restoration Data Recovery Wizards As it stated on this page user can start file recovery wizards designed for different scenarios Partition Management Allows to open Partition Manager or start wizards to create or format partitions Disk Image Management Let to run wizards to create open or verify disk images Advanced Tools Support Version Info Getting Started with Active UNDELETE 15 Advanced tools like open disks in Disk Editor create Virtual RAID or decrypt files Customer support and documentation Contains version history and information about recent updates Using Active UNDELETE Overview 16 Using Active UNDELETE Overview File recovery Recover deleted Files and Folders on page 17 Scan Disk
46. TO RECOVER While saving recovered data onto the same drive where sensitive data was located, you can intrude in the process of recovering by overwriting FAT records for this and other deleted entries. It's better to save data onto another logical, removable, network or floppy drive. Clusters chain recovery for the deleted entry: After the clusters chain is defined, automatically or manually, the only task left is to read and save the contents of the defined clusters to another place, verifying their contents. We have a chain of clusters; we can calculate each cluster's offset from the beginning of the drive using standard formulas. After that, we copy an amount of data equal to the cluster size, starting from the calculated offset, into the newly created file. For the last one, we copy not the whole cluster but the remainder: the file size minus the number of copied clusters multiplied by the cluster size. Formulas for calculating the cluster offset could vary depending on the file system. To calculate, for example, the offset of a cluster for FAT, we need to know: Boot sector size; Number of FAT supported copies; Size of one copy of FAT; Size of main root folder; Number of sectors per cluster; Number of bytes per sector. On NTFS we have linear space, so we can calculate the cluster offset simply as the cluster number multiplied by the cluster size. Example of r
47. These time stamps show when the file was created or last accessed and are used principally by POSIX applications. Because all entries in a folder are the same size, the attribute byte for each entry in a folder describes what kind of entry it is. One bit indicates that the entry is for a sub-folder, while another bit marks the entry as a volume label. Normally, only the operating system controls the settings of these bits. A FAT file has four attribute bits that can be turned on or off by the user: archive file, system file, hidden file, and read-only file. File names on FAT Volumes: Beginning with Windows NT 3.5, files created or renamed on FAT volumes use the attribute bits to support long file names in a way that does not interfere with how MS-DOS or OS/2 accesses the volume. Whenever a user creates a file with a long file name, Windows creates an eight-plus-three name for the file. In addition to this conventional entry, Windows creates one or more secondary folder entries for the file, one for each 13 characters in the long file name. Each of these secondary folder entries stores a corresponding part of the long file name in Unicode. Windows sets the volume, read-only, system, and hidden file attribute bits of the secondary folder entry to mark it as part of a long file name. MS-DOS and OS/2 generally ignore folder entries with all four of these attribute bits set, so these entries are effectively invisible to these operating systems. Instead
48. Scan results are saved with the file extension .scaninfo. Warning: Save a scan results file to a physical drive that is different from the drive that contains the original files. Save Scan Results: 1. To save the entire Scan Results branch, select the branch. 2. To save a device node, select it under Scan Results. 3. Right-click the selected node and click Save Scan Result from the context menu. The Save Scan Result dialog appears with the default path and a suggested file name. 4. To change the file path, browse to a different folder. 5. To change the file name, enter a name in the file name field. 6. Click Save. Load Scan Results: 1. To open the Load Scan Results dialog, do one of the following: from the File menu, click Open > Scan Result; right-click the logical drive node and click Load Scan Result from the context menu; if there is a Scan Results branch in the Recovery Explorer tree, right-click the Scan Results branch or a Scan Results node and click Load Scan Result from the context menu. 2. Browse to the folder that contains the scan result file and select the file. 3. Click Open. The data from the scan results file appears in a Scan Results node in the Recovery Explorer tree. Note: The loading scan results feature is not available in Active UNDELETE Freeware or Standard edition. Please visit http://www.active-undelete.com to read more about Acti
49. Contents 3
  ... 55
  Virtual RAID 57
  Active UNDELETE Tools Overview 59
  Partition Manager Overview 59
  Initialize Disk (Physical Device) 60
  Create partition 61
  Change partition attributes 62
  Format partition 63
  Resize a partition or logical drive (volume) 63
  Edit boot sectors 64
  Edit partition table 65
  Disk Editor Tool 66
  Open objects in Disk Editor 67
  Subject Navigation and Information 68
  Data Inspector 70
  Using Bookmarks 71
  Searching in Disk Editor 72
  Editing with Disk Editor 73
  Disk Image Overview 78
  Create a Disk Image 79
  Open Disk Image 81
  File Organizer Overview 83
  Create custom file organizing rule 84
50. and only maintains other data as allocated. When a program accesses a sparse file, the file system yields allocated data as actual data and deallocated data as zeros. NTFS includes full sparse file support for both compressed and uncompressed files. NTFS handles read operations on sparse files by returning allocated data and sparse data. It is possible to read a sparse file as allocated data and a range of data without retrieving the entire data set, although NTFS returns the entire data set by default. With the sparse file attribute set, the file system can deallocate data from anywhere in the file and, when an application calls, yield the zero data by range instead of storing and returning the actual data. File system application programming interfaces (APIs) allow for the file to be copied or backed up as actual bits and sparse stream ranges. The net result is efficient file system storage and access. Next figure shows how data is stored with and without the sparse file attribute set. [Figure: data storage without the sparse file attribute set (labels: Sparse Data (zeros), Ten Gigabytes, Meaningful Data) and with the sparse file attribute set (labels: Allocated, Ten Megabytes)] Important: If you copy or move a sparse file to a FAT or a non-Windows 2000 NTFS volume, the file is built to its originally specified size. If the required space is not available, the operation does not complete. Tip: For more detailed information see resource kits on Microsoft's web site http
51. are allocated. If contiguous clusters (clusters that are next to each other on the disk) are not available, the data are written elsewhere on the disk and the file is considered to be fragmented. Fragmentation is a problem when the file system must search several different locations to find all the pieces of the file you want to read. The search causes a delay before the file is retrieved. A larger cluster size reduces the potential for fragmentation, but increases the likelihood that clusters will have unused space. Using clusters larger than one sector reduces fragmentation and reduces the amount of disk space needed to store the information about the used and unused areas on the disk. The stack of platters rotates at a constant speed. The drive head, while positioned close to the center of the disk, reads from a surface that is passing by more slowly than the surface at the outer edges of the disk. To compensate for this physical difference, tracks near the outside of the disk are less densely populated with data than the tracks near the center of the disk. The result of the different data density is that the same amount of data can be read over the same period of time from any drive head position. The disk space is filled with data according to a standard plan. One side of one platter contains space reserved for hardware track positioning information and is not available to the operating system. Thus a disk assembly containing two platters has th
52. at the same time or this option is off, Scan Volume dialog will appear and let you change scan options.
Show system events: Show/Hide system events in application log.
Save log file to disk: Enable/Disable saving log entries to the file. Use Default log path to specify log file.
Select Physical Disks to auto create Partition Backup File bpi each time when Partitions Layout has been changed. That includes Delete, Create, Modify Attributes or Format Partition. Using these backup files you may restore Device Partitioning using the Rollback Partition Changes Tool.
[Screenshot: Device Backups Options, listing physical disks with columns Name, SerialName, Size, Last Modified, and a Backup Location field]
Backup location: Define individually Physical Device (disk) backup file location. See Rollback Partition Changes on page 91 for details.
Supported file signatures (templates)
[Screenshot: list of supported file signatures with columns Name, File Extension, Algorithm; visible entries include Adobe Acrobat Documents (pdf), Rich Text Format Files (rtf), XML Files (xml), HTML Files (htm)]
53. attributes of a file are written to the allocated space in the MFT. Small files and directories (typically 1500 bytes or smaller), such as the file illustrated in next figure, can entirely be contained within the master file table record. File Systems 134 [Figure 42: MFT Record for a Small File or Directory, with fields Standard information, name, Security descriptor, Data or index] This design makes file access very fast. Consider, for example, the FAT file system, which uses a file allocation table to list the names and addresses of each file. FAT directory entries contain an index into the file allocation table. When you want to view a file, FAT first reads the file allocation table and assures that it exists. Then FAT retrieves the file by searching the chain of allocation units assigned to the file. With NTFS, as soon as you look up the file, it's there for you to use. Directory records are housed within the master file table just like file records. Instead of data, directories contain index information. Small directory records reside entirely within the MFT structure. Large directories are organized into B-trees, having records with pointers to external clusters containing directory entries that could not be contained within the MFT structure. Tip: For more detailed information see resource kits on Microsoft's web site http://www.microsoft.com/windows/reskits/webresources/default.asp or Microsoft Developers Network
54. be met as end of file condition. Maximum file size (bytes): 6535. By using simple script to calculate end of file. See Custom Signatures Size Script on page 44 for reference.
[Screenshot: custom signature template dialog with fields Template Name, Template description, File extension, Beginning of File Criteria, and the options "Use RegExp conditions to detect end of file" and "Use script to detect end of file". Dialog hint: Create script to determine file size using simple command and condition operators. See Help for script reference.]
next i temp read dword size if temp MThd goto valid if temp MTrk goto exit valid size temp size sum size 4 read dword size sum size 4 temp endian dword temp size sum size temp goto next
Defined custom file signature templates are stored in INI files in user-selected locations and will be loaded at every subsequent application start. You can also import custom signature template files created by other users by clicking the Import button and specifying the full path to the custom file signatures template file in the opened dialog. See Custom Signatures Size Script on page 44 for details.
Note: You can also specify a Custom File signature template from the Volume (logical Drive) Scan dialog or Disk Scan dialog by clicking the Add button near the file signatures list.
Important: Regular Expressions can be used while defining
55. both implement this approach.
Note: If your computer has two operating systems and you choose to start in Windows 95, 98 or ME, these operating systems cannot see partitions that are formatted for NTFS. This is normal operation for these operating systems. To view NTFS partitions, you must be in a Windows NT/2000/XP environment.
Other Partition Recovery Topics
These topics related to the recovery of partitions apply to any file system: Partition Recovery Process 177
  - Damaged MBR on page 177
  - Partition is deleted or Partition Table is damaged on page 179
  - Partition Boot Sector is damaged on page 181
  - Missing or Corrupted System Files on page 184
For these topics the following disk layout will be used:
[Figure: Disk Administrator window showing Disk 0 with volumes C: (NTFS), H: (FAT), D: (FAT), E: (NTFS) and free space; legend: Primary partition, Logical drive, Free space in extended partition]
The figure shows a system with two primary partitions, C: (NTFS) and H: (FAT), and one extended partition having two logical drives, D: (FAT) and E: (NTFS).
Damaged MBR
Understanding of underlying mechanisms of data storage organization and data recovery. The Master Boot Record (MBR) will be created when you create the first partition on the hard disk. It is a very important data structure on the disk. The Master Boot Record contains the Partition Table for the
56. click in the Value or Copy Value column to start editing the field (make sure that Allow Edit Content is enabled). Some of the fields are edited according to the mask and will not allow you to enter invalid values. For example, you cannot enter a number bigger than 65535 when editing a 2-byte field, or an invalid date when editing a date. To exit the editing of the field and save the result of the edit, press Enter or click another field. To exit editing without saving the result and revert to the original value, press Esc. Some of the template fields depend on other fields. When a template is selected, an initial parsing occurs. If some of the fields contain invalid values, further parsing of the record might not be possible and parsing will be stopped at this point, resulting in an incomplete record. As an example, let's take an MFT record. The record header is always parsed, but if it contains invalid fields or update sequence, attributes will not be parsed. The same is true when parsing an attribute: if an error occurs, the further parse is canceled and no subsequent attributes are added to the record. Furthermore, the whole set of fields for the template might depend on some field values. For example, the FAT Directory Entry template will show Short File Name Entry fields or Long File Name fields depending on the value of the flags. Hyperlinks in templates: Many templates contain hyperlinks that allow you to navigate easily to important data points. For example MFT re
57. combine the healthy drives together with the damaged drives in a virtual disk array. If the damaged drives are inaccessible, you can substitute a dummy drive as a replacement. Active UNDELETE simulates the RAID assembly and you can scan this virtual array as a logical device.
Active UNDELETE Tools Overview 59
Active UNDELETE is an advanced data recovery tool designed to recover lost or deleted data, or even information from formatted hard disks. Main Active UNDELETE tools are:
  - Partition Manager Overview on page 59
  - Disk Editor Tool on page 66
  - Disk Image Overview on page 78
Partition Manager Overview
Partition Manager is an advanced Active UNDELETE tool that allows you to perform disk partitioning tasks, such as creating partitions and volumes, formatting them and assigning drive letters, initializing a raw disk, editing partition tables and more. Most of these changes to disk partitioning are recorded in dedicated backup files, thus at any time these changes can be rolled back to a certain point. See Rollback Partition Changes on page 91 for more information.
[Toolbar: Create New Partition, Create Virtual Partition, Open in Hex Editor, Partition Table, Rollback Partition Changes, Kill Disk]
58. different access points:
  - FAT and FAT32 drives: Boot Sector, Boot Sector Copy (FAT32 only), FAT1, FAT2, Root Directory
  - NTFS drives: Boot Sector, Boot Sector Copy, $MFT, $MFT Mirror, Arbitrary MFT record
  - HFS drives: Volume Header, Volume Header Copy
  - Ext2/Ext3 drives: Superblock
Some of the access points, when used, automatically select a corresponding template. For example, if a boot sector access point is selected, a boot sector template is applied to the boot sector offset.
Data Inspector
The Data Inspector is a small tool view window that provides the service of inspecting or interpreting data currently selected in the edit pane. The Data Inspector lets you view the type of data you have selected. This may help you interpret data as displayed in Disk Editor.
  Name: Value
  8 bit binary: 00100110
  ANSI character: &
  Unicode character: (blank)
  8 bit signed: 38
  8 bit unsigned: 38
  16 bit signed: 806
  16 bit unsigned: 806
  32 bit signed: 806
  32 bit unsigned: 806
  64 bit signed: 281 474 976 711 462
  64 bit unsigned: 281 474 976 711 462
  DOS time: (blank)
  Windows time: 1601 11 22 18 44 57
  UNIX time: 1970 01 01 00 13 26
To open the Data Inspector from the Disk Editor toolbar
59. disk and a small amount of executable code for the boot start. The location is always the first sector on the disk. The first 446 (0x1BE) bytes are MBR itself, the next 64 bytes are the Partition Table, and the last two bytes in the sector are a signature word for the sector and are always 0x55AA. For our disk layout we have MBR: Physical Sector: Cyl 0, Side 0, Sector 1
60. drive is 32 Kb, our file size is 112 435 bytes, i.e. 3 clusters (3 × 32 Kb = 96 Kb) plus a little bit more), we assumed that this file was not fragmented, i.e. all clusters were located consecutively. We need 4 clusters, we found 4 free consecutive clusters, so this assumption sounds reasonable, although in real life it may not be true.
Note: There are a lot of cases where the file's data cannot be successfully recovered because the clusters chain cannot be defined. Most of them occur when you write other data (files, folders) on the same drive where the deleted file is located. You'll see these warnings while recovering data using, for example, Active UNDELETE.
Example of defining clusters chain on NTFS
When recovering on NTFS, part of the DATA attribute called Data Runs gives us the location of file clusters. In most cases the DATA attribute is stored inside the MFT record, so if we found the MFT record for the deleted file, most likely we'll be able to determine the cluster's chain. File Recovery Process 174 In the example below, the DATA attribute is marked with a green color. Data Runs inside are marked as Bold.
61. [Screenshot: Scan Results view with toolbar commands Save Scan Results, Load Scan Results, Resume Scan, View, Group by, showing a completed device scan and an incomplete device scan under PhysicalDrive scans]
Incomplete scan can be resumed from last scanning position.
To resume a terminated scan:
  1. Select a device scan result under the Scan Results branch.
  2. To resume the scan, do one of the following:
     - From the toolbar, click the Resume Scan button.
     - Right-click the selected device scan and click Resume Scan from the context menu.
Completed Device Scan
A completed device scan cannot be resumed.
[Screenshot: Scan Results view with a completed device scan selected]
62. example, a FAT primary partition or logical drive that is a member of a volume set or a stripe set has a System ID value of 0x86. An NTFS primary partition or logical drive has a System ID value of 0x87. This bit indicates that Windows NT needs to use the HKEY_LOCAL_MACHINE\SYSTEM\DISK Registry subkey to determine how the members of the volume set or stripe set relate to each other. Volumes that have the high bit set can only be accessed by Windows NT. When a primary partition or logical drive that is a member of a volume set or a stripe set has failed due to write errors or cannot be accessed, the second most significant bit is set. The System ID byte is set to C6 in the case of a FAT volume, or C7 in the case of an NTFS volume.
Note: If you start up MS-DOS, it can only access primary partitions or logical drives that have a value of 0x01, 0x04, 0x05, or 0x06 for the System ID. However, you should be able to delete volumes that have the other values. If you use a MS-DOS-based low-level disk editor, you can read and write any sector, including ones that are in NTFS volumes.
Hardware and Disk Architecture 125
On Windows NT Server, mirror sets and stripe sets with parity also require the use of the Registry subkey HKEY_LOCAL_MACHINE\SYSTEM\DISK to determine how to access the disks.
Starting and Ending Head, Sector, and Cylinder Fields
On x86-based computers, the Starting and Ending Head, Cylinder, and Sector fields on the start-up disk ar
63. fewer than four partitions, the remaining fields are all zeros.
                                            80 01
000001C0  01 00 06 0F 7F 96 3F 00 00 00 51 42 06 00 00 00
000001D0  41 97 07 0F FF 2C 90 42 06 00 A0 3E 06 00 00 00
000001E0  C1 2D 05 0F 77 02 30 61 0C 00 A0 91 01 00 00 00
000001F0  C1 93 01 0F FF A6 D0 12 0E 00 C0 4E 00 00 55 AA
The following table describes each entry in the Partition Table. The sample values correspond to the information for partition 1.
Table 1: Partition Table Fields (columns: Byte Offset, Field Length, Sample Value, Meaning)
  - 00, BYTE, 0x80: Boot Indicator. Indicates whether the partition is the system partition. Legal values are: 00 = Do not use for booting. 80 = System partition.
  - Starting Head.
  - Starting Sector. Only bits 0-5 are used. Bits 6-7 are the upper two bits for the Starting Cylinder field.
  - 10 bits: Starting Cylinder. This field contains the lower 8 bits of the cylinder value. Starting cylinder is thus a 10-bit number, with a maximum value of 1023.
  - System ID. This byte defines the volume type. In Windows NT, it also indicates that a partition is part of a volume that requires the use of the HKEY_LOCAL_MACHINE\SYSTEM\DISK Registry subkey.
  - Ending Head.
  - Ending Sector. Only bits 0-5 are used. Bits 6-7 are the upper two bits for the Ending Cylinder field
64. for details about folder organization. Tip: For more detailed information see resource kits on Microsoft's web site http://www.microsoft.com/windows/reskits/webresources/default.asp or Microsoft Developers Network (MSDN) http://msdn.microsoft.com
FAT Folder Structure
Understanding of underlying mechanisms of data storage organization and data recovery. Folders have a set of 32-byte Folder Entries for each file and sub folder contained in the folder (see example figure below). The Folder Entry includes the following information:
  - Name (eight-plus-three characters)
  - Attribute byte (8 bits worth of information, described later in this section)
  - Create time (24 bits)
  - Create date (16 bits)
  - Last access date (16 bits)
  - Last modified time (16 bits)
  - Last modified date (16 bits)
  - Starting cluster number in the file allocation table (16 bits)
  - File size (32 bits)
There is no organization to the FAT folder structure, and files are given the first available location on the volume. The starting cluster number is the address of the first cluster used by the file. Each cluster contains a pointer to the next cluster in the file, or an indication (0xFFFF) that this cluster is the end of the file. See File Allocation Table for details. The information in the folder is used by all operating systems that support the FAT file system. In addition, Windows NT can store additional time stamps in a FAT folder entry
65. i return checksum
File Allocation Table (FAT)
File Allocation Table (FAT) may contain 1 or 2 FATs, as defined in the NumberOfFats field. The ActiveFat field in VolumeFlags in the Main Boot Sector determines which FAT is active. The first cluster is cluster 2, as in FAT32. Each FatEntry represents one cluster. In exFAT, FAT is not used for tracking allocation; an Allocation Bitmap is used for this purpose. FAT is only used for keeping chains of clusters of fragmented files. If a file is not fragmented, the FAT table does not need to be updated. A Stream Extensions Directory Entry should be consulted to determine if the FAT chain is valid or not. If the FAT chain is not valid, it does not need to be zeroed.
  Offset: Description, Comments
  0 (0x00): FatEntry[0], Media type (should be 0xFFFFFFF8)
  4 (0x04): FatEntry[1], Must be 0xFFFFFFFF
  8 (0x08): FatEntry[2], First cluster
  (ClusterCount+1)*4, size 4: FatEntry[ClusterCount+1], Last cluster
  (ClusterCount+2)*4, size Remainder of sector: ExcessSpace
Valid values of FAT entries:
  - 0x00000002 to ClusterCount+1 (max 0xFFFFFFF6): next cluster in the chain
  - 0xFFFFFFF7: bad cluster
  - 0xFFFFFFF8: media descriptor
  - 0xFFFFFFFF: end of file (EOF mark)
Value 0x00000000 does not mean the cluster is free; it is an undefined value. The second FAT table (present only in TexFAT) is located immediately after the first one and has the same size.
exFAT Directory Structure
Understandi
66. in view's toolbar or by command Resume Scan in item context menu. If a detected partition is selected, its relative position and scanned size is also displayed on Device View Control, indicating whether this partition is recoverable or not.
[Screenshot: device scan results with toolbar commands Open in Hex Editor, Load Scan Results, Resume Scan, Create Virtual Partition, Partition Filter, Remove from Scan Result, and a list of detected partitions with columns Name, File System, Status, Partitions, Files]
Figure 3: Complete Physical Device Scan
Working with detected partitions
Use partition filter to narrow down scan result.
[Screenshot: partition filter view listing detected partitions, several marked "Overlapped partition detected"]
67. information, which is written to the disk at the factory during disk assembly. It is not available to the operating system. The disk controller uses this information to fine-tune the head locations when the heads move to another location on the disk. When a side contains the track position information, that side cannot be used for data. Thus a disk assembly containing two platters has three sides that are available for data.
Sectors and Clusters
Each track is divided into sections called sectors. A sector is the smallest physical storage unit on the disk. The data size of a sector is always a power of two, and is almost always 512 bytes. Each track has the same number of sectors, which means that the sectors are packed much closer together on tracks near the center of the disk. Next figure shows sectors on a track. You can see that sectors closer to the spindle are closer together than those on the outside edge of the disk. The disk controller uses the sector identification information stored in the area immediately before the data in the sector to determine where the sector itself begins.
Figure 39: Clusters and sectors
As a file is written to the disk, the file system allocates the appropriate number of clusters to store the file's data. For example, if each cluster is 512 bytes and the file is 800 bytes, two clusters are allocated for the file. Later, if you update the file to, for example, twice its size (1600 bytes), another two clusters
68. information from formatted hard disks. You may open a Disk Image to browse for files and folders or to scan for deleted files and folders.
  1. To open the Open Disk Image dialog, do one of the following:
     - From the Disk Images tab in Command Bar, choose the Open Disk Image command.
     - From the main toolbar, click File > Open > Open Disk Image.
     - From Welcome View, click the Open Disk Image button in the Default Actions group.
  2. Open disk image using Configuration file.
[Screenshot: Open Disk Image dialog. Dialog text: To open Disk Image, click Browse to select a Disk Image Configuration (DIM) file created by Active UNDELETE, or select any other third-party Disk Image files such as Virtual PC or VMware. Click the Compose button to manually assemble a Disk Image from chunks. Buttons: Compose, Cancel, Help]
Use the Browse button to locate the DIM (Disk Image Configuration) file. Once it is selected, the file will be opened and presented with a detailed preview of Disk Image information.
[Screenshot: Open Disk Image dialog with a DIM file selected, showing a preview of image properties such as Image Label, Date Created, Creation Time and Image Type]
69. is a refusal of the machine to perform a bootstrap startup. For the machine to be able to start properly, the following conditions must apply:
  - Master Boot Record (MBR) exists and is safe
  - Partition Table exists and contains at least one active partition
If the above is in place, executable code in the MBR selects an active partition and passes control there, so it can start loading the standard files (COMMAND.COM, NTLDR, ...) depending on the file system type on that partition. If these files are missing or corrupted, it will be impossible for the OS to boot; if you have ever seen the famous "NTLDR is missing ..." error, you understand the situation. When using Active UNDELETE, the recovery software accesses the damaged drive at a low level, bypassing the standard system boot process (this is the same as if you instructed the computer to boot from another hard drive). Once the computer is running in this recovery environment, it will help you to see all other files and directories on the drive and allow you to copy data to a safe place on another drive.
Partition Visibility
A more serious situation exists if your computer will start and cannot see a drive partition or physical drive (see Note below). For the partition or physical drive to be visible to the Operating System, the following conditions must apply:
  - Partition/Drive can be found via Partition Table
  - Partition/Drive boot sector is safe
If the above conditions are true, the O
70. of the backup boot sector. This member is set to 0FFFFh if there is no backup boot sector. Otherwise, this value must be non-zero and less than the reserved sector count.
A_BF_BPB_Reserved: Reserved member.
BIGFATBOOTFSINFO (FAT32)
Contains information about the file system on a FAT32 volume. This structure is implemented in Windows OEM Service Release 2 and later.
  BIGFATBOOTFSINFO STRUC
      bfFSInf_Sig             DD ?
      bfFSInf_free_clus_cnt   DD ?
      bfFSInf_next_free_clus  DD ?
      bfFSInf_resvd           DD 3 DUP (?)
  BIGFATBOOTFSINFO ENDS
bfFSInf_Sig: The signature of the file system information sector. The value in this member is FSINFOSIG (0x61417272L).
bfFSInf_free_clus_cnt: The count of free clusters on the drive. Set to -1 when the count is unknown.
bfFSInf_next_free_clus: The cluster number of the cluster that was most recently allocated.
bfFSInf_resvd: Reserved member.
FAT Mirroring
On all FAT drives, there may be multiple copies of the FAT. If an error occurs reading the primary copy, the file system will attempt to read from the backup copies. On FAT16 and FAT12 drives, the first FAT is always the primary copy and any modifications will automatically be written to all copies. However, on FAT32 drives, FAT mirroring can be disabled and a FAT other than the first one can be the primary (or "active") copy of the FAT. Mirroring is enabled by clearing bit 0x0080 in the extdpb_flags member of a FAT32 Drive Parameter
71. options. Use sliders to specify partition boundaries (offset and size). A mouse click on a partition box will select virtual partition boundaries.
[Screenshot: Create virtual partition dialog. Dialog text: To create a virtual partition on the selected disk, provide partition boundaries and select a file system. Fields: Caption (Display Name), File System, First Sector, Size (MB), Calculate in Sectors. Buttons: Create, Cancel, Help]
Figure 22: Create virtual partition dialog
Dialog options:
  - Caption: Text label to mark the created virtual partition in Recovery Explorer or in Partition Manager.
  - File system: Select one of the supported file systems: FAT, FAT32 or NTFS.
  - First sector: Offset of virtual partition in sectors or in MB.
  - Size: Size of virtual partition in sectors or in MB.
4. Click the Create button. After the command is complete, the newly created virtual partition will appear in Recovery Explorer ready for applicabl
72. sections. Bytes 0x00-0x0A are the jump instruction and the OEM ID (shown in bold print). Bytes 0x0B-0x53 are the BPB and the extended BPB. The remaining code is the bootstrap code and the end of sector marker (shown in bold print).
73. size 1024 bytes. MFT Size: 1968 records. Thus we can iterate through all 1968 MFT records, starting from the absolute offset 0x4000 on the volume, looking for the deleted entries. We are interested in MFT entry 57, having offset 0x4000 + 57 * 1024 = 74752 = 0x12400, because it contains our recently deleted file "My Presentation.ppt". Below, MFT record number 57 is displayed.
74. specific Date Formats
Audio & Video file tags
Year: Full year of release, for example 2014
Album: Name of an album
Title: Composition's title
Artist: Full year, for example 2014
Track: Number of track
Genre: Literal transcription of genre code
Photo & Image file tags
Make: Camera manufacturer name, for example Nikon or Canon
Model: Camera model name, for example Canon EOS M
Software: Application name that was used to process (export) the image file
Date Taken: Full date when the image was taken. See below for specific Date Formats.
Width: Horizontal dimension of an image
Height: Vertical dimension of an image
Office documents
Author: Document's author name
Title: Document's title, if any
Created Date: Date when the document was created. See below for specific Date Formats.
Saved Date: Date when the document was last saved. See below for specific Date Formats.
Date Formats
Each date tag can be presented in any of the following date format tags:
YYYY MM DD: Full date, for example 2014 05 23
YYYY: Full year, for example 2014
YY: Short year, for example 14
MM: Month, short form, for example 11 for November
Month: Month, literal form, for example November
DD: Day of a month, for example 23
Rollback Partition Changes
Active UNDELETE is an advanced data recovery tool designed to recover data lost or deleted da
75. to fill the selection. Patterns are used in a loop until the whole selection is filled. For example, if you need to fill a selection with 0 bytes, just enter 00 into the Hex values edit field. If you want to fill it with an ERASED pattern, enter it as text and it will be repeated as many times as necessary to fill the block.
Use Template Editing
Active UNDELETE is an advanced data recovery tool designed to recover data lost or deleted data or even information from formatted hard disks.
You can edit system records like boot sectors, MBR, MFT, etc. by using a template tool window. The Template window is a small dockable window normally located to the left of the main Disk Editor editing area. If it is not visible, you can turn it on by selecting the toolbar menu View > Templates.
76. tools. On NTFS, a copy of the boot sector is stored at the middle or at the end of the Volume. You can boot from start-up floppy disks or CD-ROM, choose the repair option during setup and run Recovery Console. When you are logged on, you can run the FIXBOOT command to try to fix the boot sector.
How can recovery software help you in this situation? It can back up the MBR, Partition Table and Boot Sectors and restore them in case of damage. It can try to find a duplicate boot sector on the drive and re-create the original one, or perform virtual data recovery based on found partition parameters. Some advanced techniques allow assuming drive parameters even if a duplicate boot sector is not found, i.e. perform virtual partition recovery and give the user virtual access to the data on the drive to be able to copy them to a safer location.
Missing or Corrupted System Files
Understanding of underlying mechanisms of data storage organization and data recovery.
For the Operating System to boot properly, system files are required to be safe. In case of Windows 95/98/ME these files are msdos.sys, config.sys, autoexec.bat, system.ini, system.dat, user.dat, etc. In case of Windows NT/2000/XP these files are NTLDR, ntdetect.com, boot.ini (located at the root folder of the bootable volume), Registry files (i.e. SAM, SECURITY, SYSTEM and SOFTWARE), etc. If these files have been deleted, corrupted or damaged by a virus, Windows will be u
77. Select file(s) to recover and click Next to continue.
5. Recover Files
Naming options
Use original file names: Names of detected files will be preserved only if no file with that name exists in the destination directory.
Rename files: All files will be renamed by their given specified file root name and added enumeration I
78. Important: Viruses Can Infect the Master Boot Record. Many destructive viruses damage the Master Boot Record and make it impossible to start the computer from the hard disk. Because the code in the Master Boot Record executes before any operating system is started, no operating system can detect or recover from corruption of the Master Boot Record. You can us
79. Data Runs need to be decoded. The first byte (0x31) shows how many bytes are allocated for the length of the run (0x1 in our case) and for the first cluster offset (0x3 in our case). Next, we take one byte (0x6E) that points to the length of the run. Next, we pick up 3 bytes pointing to the start cluster offset (0xEBC404). Changing the byte order, we get the first cluster of the file: 312555 (equals 0x04C4EB). Starting from this cluster, we need to pick up 110 clusters (equals 0x6E). The next byte (0x00) tells us that no more data runs exist. Our file is not fragmented, so we have only one data run.
Let's check whether there is enough information about the file data. Cluster size is 512 bytes. We have 110 clusters: 110 * 512 = 56320 bytes. Our file size was defined as 56320 bytes, so we have enough information now to recover the file clusters.
Important:
1. DO NOT WRITE ANYTHING ONTO THE DRIVE CONTAINING YOUR IMPORTANT DATA THAT YOU HAVE JUST DELETED ACCIDENTALLY. Even data recovery software installation could spoil your sensitive data. If the data is really important to you and you do not have another logical drive to install software to, take the whole hard drive out of the computer and plug it into another computer where data recovery software has already been installed.
2. DO NOT TRY TO SAVE ONTO THE SAME DRIVE DATA THAT YOU FOUND AND TRYING
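The data-run decoding walked through in item 79, as a runnable sketch (an added example, not code from the Active@ UNDELETE guide). It goes beyond the single-run case in the text: in the NTFS on-disk format, each later run stores its start cluster as a signed offset from the previous run, and a zero-size offset field marks a sparse run. The function names and the second, fragmented byte string are constructed for illustration.

```python
"""Decode an NTFS data-run list (mapping pairs of a non-resident attribute)."""

# Run list from the page's example: header 0x31, length 0x6E, offset EB C4 04, end 0x00.
PAGE_RUNS = bytes.fromhex("316EEBC40400")

# Constructed sample (not from the page): a fragmented file with three runs.
#   21 10 00 01 -> 16 clusters starting at cluster 0x0100 (256)
#   11 08 F0    -> 8 clusters at previous start + (-16) = cluster 240
#   01 04       -> 4 sparse clusters (offset field size is 0)
CONSTRUCTED_RUNS = bytes.fromhex("21100001" "1108F0" "0104" "00")


def decode_data_runs(raw: bytes):
    """Return [(first_cluster or None, cluster_count), ...].

    first_cluster is None for a sparse run. Raises ValueError when the list
    is truncated or malformed, so a damaged record is never read out of bounds.
    """
    runs = []
    pos = 0
    prev_cluster = 0  # every offset is relative to the previous run's start
    while True:
        if pos >= len(raw):
            raise ValueError("run list has no 0x00 terminator")
        header = raw[pos]
        pos += 1
        if header == 0x00:  # end of the run list
            return runs
        len_size = header & 0x0F  # low nibble: bytes holding the run length
        off_size = header >> 4    # high nibble: bytes holding the cluster offset
        if len_size == 0 or len_size > 8 or off_size > 8:
            raise ValueError(f"implausible run header 0x{header:02X}")
        if pos + len_size + off_size > len(raw):
            raise ValueError("run list is truncated inside a run")
        count = int.from_bytes(raw[pos:pos + len_size], "little")
        pos += len_size
        if count == 0:
            raise ValueError("run with zero clusters")
        if off_size == 0:  # sparse run: nothing is stored on disk
            runs.append((None, count))
            continue
        # The offset is little-endian and signed: a later fragment may sit
        # before the previous one on the volume.
        delta = int.from_bytes(raw[pos:pos + off_size], "little", signed=True)
        pos += off_size
        prev_cluster += delta
        if prev_cluster < 0:
            raise ValueError("run points before the start of the volume")
        runs.append((prev_cluster, count))


def bytes_covered(runs, cluster_size: int) -> int:
    """Total bytes described by the runs (sparse runs included)."""
    return sum(count for _, count in runs) * cluster_size


def allocated_extents(runs, cluster_size: int):
    """(byte_offset_on_volume, byte_length) for every run that is on disk."""
    return [(first * cluster_size, count * cluster_size)
            for first, count in runs if first is not None]


if __name__ == "__main__":
    runs = decode_data_runs(PAGE_RUNS)
    print("page example:", runs, bytes_covered(runs, 512), "bytes")
    print("constructed :", decode_data_runs(CONSTRUCTED_RUNS))
```

Comparing `bytes_covered` with the file size recorded in the MFT record is the same sanity check the text performs by hand (110 * 512 = 56320).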
80. MFT Record has a pre-defined structure. It has a set of attributes defining any file or folder parameters. MFT Record begins with the standard File Record Header (first bold section, offset 0x00):
"FILE" identifier (4 bytes)
Offset to update sequence (2 bytes)
Size of update sequence (2 bytes)
LogFile Sequence Number (LSN) (8 bytes)
Sequence Number (2 bytes)
Reference Count (2 bytes)
Offset to Update Sequence Array (2 bytes)
Flags (2 bytes)
Real size of the FILE record (4 bytes)
Allocated size of the FILE record (4 bytes)
File reference to the base FILE record (8 bytes)
Next Attribute Id (2 bytes)
The most important information for us in this block is the file state: deleted or in use. If the Flags field (in red color) has bit 1 set, it means that the file is in use. In our example it is zero, i.e. the file is deleted.
Starting from 0x48, we have the Standard Information Attribute (second bold section):
File Creation Time (8 bytes)
File Last Modification Time (8 bytes)
File Last Modification Time for File Record (8 bytes)
File Access Time for File Record (8 bytes)
D
81. 005 The first highlighted group describes that the first 0x0061 characters (0x0000-0x0060) have identity mappings. The next character after it, 0x0061, maps to 0x0041, etc., until the next compressed group is encountered.
Remember: The first highlighted (in bold) group describes that the first 0x0061 characters (0x0000-0x0060) have identity mappings. The next character after it, 0x0061, maps to 0x0041, etc., until the next compressed group is encountered.
File System FAT
The FAT file system is a simple file system originally designed for small disks and simple folder structures. The FAT file system is named for its method of organization, the File Allocation Table, which resides at the beginning of the volume. To protect the volume, two copies of the table are kept in case one becomes damaged. In addition, the file allocation tables and the root folder must be stored in a fixed location so that the files needed to start the system can be correctly located.
A volume formatted with the FAT file system is allocated in clusters. The default cluster size is determined by the size of the volume. For the FAT file system, the cluster number must fit in 16 bits and must be a power of two.
[Figure 43: FAT file system volume organization]
See the next sections for more information about FAT: FAT Partition Boot Sector on page 156
82. [Figure 1: File grouping in Volume Scan Result]
To make scan results easier to read, you may do the following:
To sort the list by a column in ascending order, click the column header.
To sort the list by the same column in descending order, click the column header a second time.
To show a list that is reduced in size by a filter, select one of the preset options in the File Filter toolbar.
To add an item to the Recovery Toolbox, select the check box next to the item.
The File Filter Toolbar can be used to narrow down scan results. For more information, see File Filter Toolbar on page 40.
Advanced File Search can be used to enhance simple File Filtering with more searching criteria, such as File Attributes, File Size, etc. See Search for deleted Files and Folders on page 37 for details.
Tip: It is recommended to save scan results for later use.
When you have found all files you are looking for, proceed to Recover files and folders on page 23.
Physical Device Scan View
83. [Figure 13: Create virtual RAID Assembly dialog]
To assemble a virtual RAID, follow the steps:
1. Select source disks
To add disks to the virtual RAID Assembly:
Double-click a disk in the Available disks list to move it to the Selected disks list.
Use check marks to add a disk to the Selected disks list.
To remove disks from the Selected disks list:
Double-click a disk in the Selected disks list.
Click a disk in the Selected disks list. To remove it, click Remove.
Define disks order (optional): To change the order of a disk in the Selected disks list, select it and click Move Up or Move Down.
Adjust disks boundaries (optional): For each selected disks offset and size can be de
84. Filter detected partitions by certainty
After you complete a scan, detected partitions are listed in order of their certainty status, based on attributes and validation level. To make a long list of partitions easier to read, remove partitions with a status of Bad and lower using a filter.
To filter detected partitions:
1. In the Physical Device Scan View (on page 9), select a scan result node with detected partitions.
2. Open the Filter Detected Partition dialog:
From the toolbar, click Partition Filter.
Right-click the partition and click Partition Filter from the context menu.
3. Set filter values in the General or Advanced tabs and click Filter to apply the selected filter criteria.
General Options
Filter by Partition File System: Select the file system that will remain in the filtered partition list.
Filter by Status: Select the partition integrity s
85. 2 File Attributes
Description | Comments
CreateTimezoneOffset | Offset from UTC in 15 min increments
LastModifiedTimezoneOffset | Offset from UTC in 15 min increments
LastAccessedTimezoneOffset | Offset from UTC in 15 min increments
Reserved2 |
Attribute | Comments
ReadOnly |
Hidden |
System |
Reserved1 |
Directory |
Archive |
Reserved2 |
Table 13: Timestamp Format
Description | Comments
Seconds (as number of 2-second intervals) | 0-29; 29 represents 58 seconds
Minutes | 0-59
Hour | 0-23
Day | 1-31
Month | 1-12
Year (as offset from 1980) | 0 represents 1980
Timestamp format records seconds as 2-second intervals, so 10ms increments are used to increase precision from 2 seconds to 10 milliseconds. The valid values are from 0 to 199 in 10ms intervals, which are added to the corresponding timestamp. Timestamp is recorded in local time. Time zone offset is expressed in 15-minute increments.
Table 14: Time Zone Offset Table
TimezoneOffset field | TZ Offset | Time Zone | Comments
128 (0x80) | UTC | Greenwich Standard Time |
132 (0x84) | UTC+01:00 | Central Europe Time |
136 (0x88) | UTC+02:00 | Eastern Europe Standard Time |
140 (0x8C) | UTC+03:00 | Moscow Standard Time |
144 (0x90) | UTC+04:00 | Arabian Standard Time |
148 (0x94) | UTC+05:00 | West Asia Standard Time |
152 (0x98) | UTC+06:00 | Central Asia Standard Time |
156 (0x9C) | UTC
86. 4. Complete
Click Finish to close the Wizard. A new storage device and one or several drives (if detected) will appear in the list of devices and drives in the Recovery Explorer. You can work with an opened Disk Image the same way as you work with a regular storage device or logical drive, i.e. scan the device for deleted or damaged partitions, scan drives and search for files, recover (copy) files and folders to another safe location, etc.
Verify a Disk Image Wizard
Disk image validation ensures that a data storage disk image or a logical drive disk image is consistent internally and can be opened. We advise you to use this wizard to validate disk images created by third party applications.
To start the Verify Disk Image wizard: run the Verify Disk Image menu command from the Tools menu, or click the Validate Disk Image button on the disk image tab in the command bar on the left side.
When the Restore Partition wizard starts for the first time, the first screen describes the process. Clear the Show this page next time check box to avoid seeing this screen the next time you run this wizard.
1. Open Disk Image configuration file
A Disk Image configuration file is a file used to store all information about a created Disk Image, including disk geometry a
87. Select file(s) to recover and click Next to continue.
5. Recover Files
Naming options
Use original file names: Names of detected files will be preserved only if no file with that name exists in the destination directory.
Rename files: All files will be renamed by their given specified file root name and added enumeration ID. The file's extension remains intact.
Existing files conflict resolution
Unique file name: If a file with the same name exists in the destination folder, files with a unique name will be generated to avoid overwriting.
Ask before overwrite: If a file with a certain name al
88. Naming options
Use original file names: Names of detected files will be preserved only if no file with that name exists in the destination directory.
Rename files: All files will be renamed by their given specified file root name and added enumeration ID. The file's extension remains intact.
Existing files conflict resolution
Unique file name: If a file with the same name exists in the destination folder, files with a unique name will be generate
89. [Figure 32: File Organizer menu]
Files in the presented view can be organized by applying a grouping and renaming rule. There are several predefined rules ready to use:
By Created Date
By Modified Date
By Accessed Date
By File Extensions
By Associated Application
A file organizing rule can be applied for all files presented in the current view or for a specific file folder or file group. To apply a file organizing rule for all files in a view, use the toolbar drop-down button Organize Files; to apply a rule for a folder or a file group, use the context menu command Organize.
Customize file organizing rules
In addition to predefined file organizing rules, the user can define custom file grouping and renaming rules and use them in the same manner as predefined ones. To create or edit a custom file organizing rule, select the Organize Files > Customize command in the view's toolbar where File Organizer is used. For more detail, read Create custom file organizing rule on page 84.
Renaming files
Files in a file organizing rule can also be renamed (optional) by a file name pattern applicable for every processing
90. [Figure 21: Create virtual disk dialog]
Dialog Options
Caption: Assign a text label for the virtual disk to recognize it in Recovery Explorer (optional).
Sector size: Sector size in bytes. By default, the original physical disk sector size is used.
First and last sector: Select virtual disk boundaries; by default, the entire original physical disk is used.
3. Click Create to complete.
Tip: You can create any number of virtual disks, and they are saved in the application session for later use.
The virtual disk should appear in Recovery Explorer in the group of Virtual Devices and Arrays.
Virtual partitions
Unlike Create virtual disk on page 54, a virtual logical partition emulates a real logical drive or partition using assigned geometry values. If you have a logical drive that is recognized by Windows and you cannot access the data in that drive, you may be able to gain access to your data by creating a virtual partition copy and changing its attributes to gain access. Active UNDELETE allows you followin
92. ABLE is the boot partition. All others are not. Setting multiple partitions to PART_BOOTABLE will result in boot errors.
Part_FirstHead: The first head of this partition. This is a 0-based number representing the offset from the beginning of the disk. The partition includes this head.
Part_FirstSector: The first sector of this partition. This is a 1-based 6-bit number representing the offset from the beginning of the disk. The partition includes this sector. Bits 0 through 5 specify the 6-bit value; bits 6 and 7 are used with the Part_FirstTrack member.
Part_FirstTrack: The first track of this partition. This is an inclusive 0-based 10-bit number that represents the offset from the beginning of the disk. The high 2 bits of this value are specified by bits 6 and 7 of the Part_FirstSector member.
Part_FileSystem: Specifies the file system for the partition.
Table 22: Acceptable values
Value | Code | Description
PART_UNKNOWN | 00h | Unknown
PART_DOS2_FAT | 01h | 12-bit FAT
PART_DOS3_FAT | 04h | 16-bit FAT. Partition smaller than 32MB
PART_EXTENDED | 05h | Extended MS-DOS Partition
PART_DOS4_FAT | 06h | 16-bit FAT. Partition larger than or equal to 32MB
PART_DOS32 | 0Bh | 32-bit FAT. Partition up to 2047GB
PART_DOS32X | 0Ch | Same as PART_DOS32 (0Bh), but uses Logical Block Address Int 13h extensions
PART_DOSX13 | 0Eh | Same as PART_DOS4_FAT (06h), but uses Logical Block Address Int 13h extensions
PART_DOSX13X | 0Fh | Same as PART_EXTENDED (05h), but us
93. Active UNDELETE Users Guide
Contents
Legal Statement
Active UNDELETE Overview
Getting Started with Active UNDELETE
Active UNDELETE Views And Windows
Recovery Explorer View
Logical Drive Scan Result View
Physical Device Scan View
Search Results View
File Organizer View
Application Log
Welcome View
Using Active UNDELETE Overview
Recover deleted Files and Folders
Scan a volume (logical drive) for deleted files
Scan for files by their signatures
Recover files and folders
Virtual RAID Assembly
Decrypt recovered files
Restore Partition
94. The printout is formatted in three sections: Bytes 0x00-0x0A are the jump instruction and the OEM ID (shown in bold print).
95. D The file's extension remains intact.
Existing files conflict resolution
Unique file name: If a file with the same name exists in the destination folder, files with a unique name will be generated to avoid overwriting.
Ask before overwrite: If a file with a certain name already exists in the destination folder, the application will ask the user what action to take.
Overwrite without prompt: All files will be overwritten in the event they already exist in the destination folder.
Skip existing files: If a file with the same name exists in the destination folder, the recovery of a new file will be skipped.
Additional Options
Create Folder Structures: When this option is selected, files will be recovered with their original folder structures, e.g. the original folder hierarchy as it was on the source storage device. In case the files were organized in groups by date, file extensions or an associated application, then such groupings will be created by the folder structure in the location where the files will be recovered to.
Recover Name Streams: With this option on, files will be recovered with their original named streams.
Verify default recovery options and click Next to continue.
6. Confirm Recovery
Review recovery options, destination path, etc. and click Recover to start recovering files.
7. Complete wizard
Click to close the Wizard. After the recovery wizard has completed, you can open the destina
97. E is idle and ready to perform an operation, the status displays Ready. To toggle the status bar, click View > Status Bar.
Note: When you run Active UNDELETE, the application gathers information about disks and partitions available to the system. During this preliminary operation, the status bar displays Initializing and the application prevents most other operations from starting. Application Log View shows detailed information about the initialization stage.
To modify the information displayed in columns in a table list, right-click any column header and select or clear columns from the context menu.
Recovery Explorer View
The main view in Active UNDELETE is Recovery Explorer View. The view tab label displays My Computer. This is the default view that you see after the application starts. It displays the hierarchical structure of all devices and drives, Virtual RAIDs and opened Disk Image. Scan Results appear here if you scan a device. To collapse or expand an item in this tree, click the arrow sign next to the item name.
Recovery Explorer shows its content in two modes:
Expert Device View (default): In this mode all available Data Storage Devices with the hierarchy of partitions and Logical Drives are present. Use this mode for advanced features such as Advanc
98. ETE is an advanced data recovery tool designed to recover lost or deleted data, or even information from formatted hard disks. In this wizard, unallocated spaces on data storage devices are scanned for deleted partitions. After partitions are detected, they should be scanned for files and folders. 1. Scan unallocated space: Select an unallocated area by placing check marks in the data storage devices tree and click Next to continue. [Screenshot: data storage devices tree with columns Name, Partitioning, Total Size and Total Sectors, and the File System Lookup options NTFS, FAT32, exFAT, FAT, HFS, Ext2 Ext3 Ext4] Notes shown in the screenshot: More than one unallocated area can be selected at a time. Assigning proper File System filters may save scanning time and narrow down final results.
99. FAT (File Allocation Table) on page 159; FAT Root Folder on page 159; FAT Folder Structure on page 159; FAT32 Features on page 160. Main differences between FAT12, FAT16 and FAT32: the FAT12 file system contains 1.5 bytes per cluster within the file allocation table; the FAT16 file system contains 2 bytes per cluster within the file allocation table; the FAT32 file system includes 4 bytes per cluster within the file allocation table. FAT Partition Boot Sector: Understanding of underlying mechanisms of data storage organization and data recovery. The Partition Boot Sector contains information that the file system uses to access the volume. On x86-based computers, the Master Boot Record uses the Partition Boot Sector on the system partition to load the operating system kernel files. The next table describes the fields in the Partition Boot Sector for a volume formatted with the FAT file system. Table 19: System ID field description (columns: Byte Offset in hex, Field Length, Sample Value, Meaning): 3 bytes, EB 3C 90, Jump instruction; 8 bytes, MSDOS5.0, OEM Name in text; 25 bytes, BIOS Parameter Block; 26 bytes, Extended BIOS Parameter Block; 448 bytes, Bootstrap code; 2 bytes, End of sector marker. Table 20: BIOS Parameter Block and Extended BIOS Parameter Block Fields (columns: Byte Offset, Field Length, Sample Value, Meaning): 0x0B, WORD, 0x0002, Bytes per Sector: The size of a hardware sector. For most disks in use in the United States, the val
100. File Signature Templates to be used to detect files during low level disk scan by customized file signatures. See Custom (user defined) file signature templates on page 41 for details. A disassembled RAID array can be virtually recreated by Active UNDELETE and some of the files located on these arrays can be recovered. Your partition is gone? Accidentally deleted by a user or by malicious software, there is still a chance it can be restored if not overwritten yet. Scan the hard disk for the deleted partition and use the Restore command to get your partition back. We recommend you restore your important data first. Partition Manager Overview on page 59: By using the small Partition Manager module in Active UNDELETE you can execute basic partition manipulation such as creation, formatting and deletion. It can be useful during partition recovery operations. Disk Images: Disk Image Overview on page 78: We advise creating a Disk Image of a drive you work with before any actual recovery or partition restoration. It may prevent losing data through accidental writing or cumulative hardware malfunction. Advanced Tools: Edit boot sectors on page 64: For advanced operations you can manipulate partition table and boot sector attributes by using template dialogs. Disk Editor Tool on page 66: An advanced disk editor, integrated in the Active UNDELETE environment, that reads and writes data at a low level. Rollback Parti
101. Heap 2 SectorsPerClusterShift ClusterHeapOffset VolumeLength Excess Space ClusterCount ClusterHeapOffset 2 SectorsPerClusterShift ClusterCount 2 SectorsPerClusterShift. Navigate to the detailed volume specification using the following links: Boot Sector on page 141; Extended Boot Sector on page 142; OEM Parameters on page 142; Boot Checksum on page 143; File Allocation Table (FAT) on page 144. Boot Sector (columns: Offset, Size, Description, Comments): 0 (0x00), 3, JumpBoot, 0xEB7690; 3 (0x03), 8, FileSystemName, EXFAT; 11 (0x0B), 53, MustBeZero; 64 (0x40), 8, PartitionOffset, in sectors (if 0, shall be ignored); 72 (0x48), 8, VolumeLength, size of exFAT volume in sectors; 80 (0x50), 4, FatOffset, in sectors; 84 (0x54), 4, FatLength, in sectors (may exceed the required space in order to align the second FAT); 88 (0x58), 4, ClusterHeapOffset, in sectors; 92 (0x5C), 4, ClusterCount, 2^32 - 11 is the maximum number of clusters that could be described; 96 (0x60), 4, RootDirectoryCluster; 100 (0x64), 4, VolumeSerialNumber; 104 (0x68), 2, FileSystemRevision, as MAJOR.minor (major revision is the high byte, minor is the low byte; currently 01.00); 106 (0x6A), 2, VolumeFlags, see below; 108 (0x6C), 1, BytesPerSectorShift, power of 2 (minimum 9: 512 bytes per sector; maximum 12: 4096 bytes per sector); 109 (0x6D), SectorsPerClusterShift, power of 2 (minimum 0: 1 sector per cluster; maximum 25 BytesPerSectorSh
102. High: The high word of the FAT32 total sectors value. A_BF_BPB_BigSectorsPerFat: The number of sectors per FAT on the FAT32 drive. A_BF_BPB_BigSectorsPerFatHi: The high word of the FAT32 sectors per FAT value. A_BF_BPB_ExtFlags: Flags describing the drive. Bit 8 of this value indicates whether or not information written to the active FAT will be written to all copies of the FAT. The low 4 bits of this value contain the 0-based FAT number of the Active FAT, but are only meaningful if bit 8 is set. This member can contain a combination of the following values: BGBPB_F_ActiveFATMsk (000Fh): Mask for low four bits. BGBPB_F_NoFATMirror (0080h): Mask indicating FAT mirroring state. If set, FAT mirroring is disabled. If clear, FAT mirroring is enabled. Bits 4-6 and 8-15 are reserved. A_BF_BPB_FS_Version: The file system version number of the FAT32 drive. The high byte represents the major version, and the low byte represents the minor version. A_BF_BPB_RootDirStrtClus: The cluster number of the first cluster in the FAT32 drive's root directory. A_BF_BPB_RootDirStrtClusHi: The high word of the FAT32 starting cluster number. A_BF_BPB_FSInfoSec: The sector number of the file system information sector. The file system info sector contains a BIGFATBOOTFSINFO structure. This member is set to 0FFFFh if there is no FSINFO sector. Otherwise, this value must be non-zero and less than the reserved sector count. A_BF_BPB_BkUpBootSec: The sector number
103. [Screenshot: data storage devices tree with an unallocated space selected, and the Select partition geometry attributes panel with Maximum Partition size, Offset (sector), Size (MB) and Measure in Sectors; sliders set the partition boundaries] Page Options: Offset: First sector of the created partition. It can be set exactly by a numerical value entered in the text box or by moving the left slider in the Device Map control. Size: Partition size can be set in megabytes or in sectors, depending on the state of the Measure in Sectors check box. Measure in sectors: Set this option on to us
104. OS File Permissions (4 bytes; 0x20 in our case, the Archive Attribute). Following the standard attribute header we have the File Name Attribute belonging to the DOS name space (short file names; third bold section, offset 0xA8), and again following a standard attribute header we have the File Name Attribute belonging to the Win32 name space (long file names; third bold section, offset 0x120): File Reference to the Parent Directory (8 bytes); File Modification Times (32 bytes); Allocated Size of the File (8 bytes); Real Size of the File (8 bytes); Flags (8 bytes); Length of File Name (1 byte); File Name Space (1 byte); File Name (Length of File Name * 2 bytes). In our case, from this section we can extract the file name, My Presentation.ppt, the File Creation and Modification times, and the Parent Directory Record number. Starting from offset 0x188 there is a non-resident Data attribute (green section): Attribute Type (4 bytes, e.g. 0x80); Length including header (4 bytes); Non-resident flag (1 byte); Name length (1 byte); Offset to the Name (2 bytes); Flags (2 bytes); Attribute Id (2 bytes); Starting VCN (8 bytes); Last VCN (8 bytes); Offset to the Data Runs (2 bytes); Compression Unit Size (2 bytes); Padding (4 bytes); Allocated size of the attribute (8 bytes); Real size of the attribute (8 bytes); Initialized data size of the stream (8 bytes); Data Runs. In this section we are interested in Compression Unit size zero i
105. Physical Device on page 29; Scan for files by their signatures on page 21; Virtual RAID Assembly on page 25; Partition Management; Restore detected partition on page 31. This is one of the essential features of Active UNDELETE. To recover accidentally deleted files, simply scan the drive where they were deleted, then browse scan results in a familiar Windows Explorer-like browser, search and filter results, select required files and recover them to a safe location. You can preview scan results first to confirm that the detected files are exactly the ones you need. Note: For the DEMO version, recovered file size is limited to 64kb. In some cases you seek files from drives that do not exist anymore: those partitions were either deleted or overwritten by a new one. There is still a chance to recover some files in such a condition. You have to locate deleted partitions first, scan them as if they were existing partitions, and recover all detected files you need. Active UNDELETE can find files by their unique format specification (signature) even if a file cannot be found in the Partition File Table. For now we can recognise various file formats: Microsoft Office Documents; Formatted Text files; Compressed Archives; Images and Camera Raw files; Music and Videos; QuickTime Multimedia files. See Supported File Signatures on page 40 for the complete list of default file signatures. User can create custom user defined
106. S can read the partition or physical drive parameters and display the drive in the list of available drives. If the file system is damaged (Root, FAT area on FAT12, FAT16, FAT32, or system MFT records on NTFS), the drive's content might not be displayed and we might see errors like "MFT is corrupted" or "Drive is invalid". If this is the case, it is less likely that you will be able to restore your data. Do not despair, as there may be some tricks or tips to display some of the residual entries that are still safe, allowing you to recover your data to another location. Partition recovery describes two things: 1. Physical partition recovery. The goal is to identify the problem and write information to the proper place on the hard drive so that the partition becomes visible to the OS again. This can be done using manual Disk Editors along with proper guidelines, or using recovery software designed specifically for this purpose. Active Partition Recovery software implements this approach. 2. Virtual partition recovery. The goal is to determine the critical parameters of the deleted, damaged or overwritten partition and render it open to scanning in order to display its content. This approach can be applied in some cases when physical partition recovery is not possible (for example, the partition boot sector is dead) and is commonly used by recovery software. This process is almost impossible to implement manually. Active UNDELETE, Active UNERASER software
107. [Screenshot: list of Logical Drives with status, date and size] 2. Select File Signatures to detect: Scan selected Logical Drives for deleted files and folders. Scan can be stopped at any time. [Screenshot: file signature tree with the groups Microsoft Office Documents, Formatted Text files, Compressed Archives (ZIP Archives, zip) and Images and Camera Raw files (Konica Minolta Raw Images, mrw; Fuji FinePix Raw Images, raf; TIFF Images, tif; Sony Alpha Raw Images, arw; Canon CR2 Raw Images, cr2; Bitmap Images, bmp; Canon CRW Raw Images, crw; Icon Files, ico; JPEG Images, jpg)] Note: The number of File Signatures impacts the scanning time. 3. Confirm and Scan: Review scan options and initiate the scan process by clicking the Scan button. The scan can be stopped at any time. 4. Review volume scan results: Use the File Filter Toolbar on page 40 to narrow down search results. By default only deleted Files and Folders are shown. To view all files detected on scanned devices, click the Reset filter to default button in the toolbar. Files Lis
108. XTENSION html BEGIN HTML BEGIN FOOTER HTML FOOTER MAX SIZE 655360 AMO GIN lt oeml 0 S12 eese 1024 HTML FOOTER Ii 2 PRIMITIVE JPG EGIN BEGIN TEST JPG ROUP Images and Camera RAW files ESCRIPTION Primitive JPG files FOOTER FOOTER TEST JPG EXTENSION test jpg MAX SIZE 322122547 GJ G3 ra BEGIN TEST JPG Meses De wee e 1 FOOTER TEST JPG xFF xD9 DJV HEADER DESCRIPTION DjVu Document F XTENSION djvu BEGIN DJV BEGIN SCRIPT DJV SCRIPT DJV BEGIN AT amp TFORM 0 0 DJV_SCRIPT size read dword 8 size endian dword size size sum size 12 OBW HEADER iXTENSION qbw DESCRIPTION QuickBooks Document B EGIN QBW BEGIN SCRIPT QBW SCRIPT QBW BEGIN MAUI 96 96 QBW SCRIPT data read dword 36 temp read dword 52 if temp lt data goto exit size sum temp 1 size shl size 10 CHM HEADER DESCRIPTION Microsoft CHM Help EXTENSION chm BEGIN CHM BEGIN SCRIPT CHM SCRIPT CHM BEGIN ITSF 0 0 CHM SCRIPT version read dword 4 if version 0 goto exit header read dword 8 if header lt 1Ch goto exit temp read qword header if temp 1FEh goto exit temp sum header 8 size
109. a list. By default, the results of a scan contain all files and folders. Use commands in the File Filter toolbar to make a large list of files smaller and easier to read. You may use the File Filter toolbar in the following views: Recovery Explorer View; Document View; Search Result Views. The filtered result may be applicable over an entire list (for example, in Search Result View) or within a selected folder (for example, in Recovery Explorer view and Document View). Using File Filter Toolbar: To display an unfiltered list, click Show All Files and Folders. To display only existing files and folders, click Show only existing Files and Folders. To display only deleted files and folders, click Show only deleted Files and Folders. To further reduce the size of a list, enter a pattern in the File Filter field and press ENTER. The list displays only those files that match the pattern. Supported File Signatures: List of supported File Signatures by file types. Microsoft Office Documents: Access Databases (mdb); PowerPoint Presentations (ppt); Excel Spreadsheets (xls); Word Documents (doc). Formatted Text files: Adobe Acrobat Documents (pdf); Rich Text Format Files (rtf); XML Files (xml); HTML Files (htm). QuickTime Multimedia files: QuickTime multimedia 3G2 Files (3g2); QuickTime multimedia 3GP Files (3gp); QuickTime multimedia CDC Files (cdc); QuickTime multimedia DCF Files d
110. acters if you are looking for a file that you know what it starts with and you cannot remember the rest of the file name. The example locates all files of any file type that begin with docum, including documents.txt, document 01.doc and documentum.doc. docum doc: To narrow the search to a specific type of file, include the file extension. The example locates all files that begin with docum and have the file name extension doc, such as document 01.doc and documentum.doc. Question mark: Use the question mark as a substitute for a single character in a file name. In the example you will locate the file docs.doc or doc1.doc, but not documents.doc. Number sign: doc_ doc: Use the number sign, also known as the pound or hash sign, as a substitute for a single number in a name. In the example you will locate the file doc_012.doc or doc_211.doc, but not doc_ABS.doc. Application Preferences: You can change many of the settings that affect the application's behavior in the Preferences dialog. To open the Preferences dialog, do one of the following: From the Tools menu, select Preferences. In the Application Command bar, select the Support tab and click Preferences. See the description of each tabbed preferences page below. General options fo
111. address of the first cluster used by the file. Each cluster contains a pointer to the next cluster in the file, or an indication (0xFFFF) that this cluster is the end of the file. These links and end of file indicators are shown below. Figure 44: Example of File Allocation Table. This illustration shows three files. The file File1.txt is a file that is large enough to use three clusters. The second file, File2.txt, is a fragmented file that also requires three clusters. A small file, File3.txt, fits completely in one cluster. In each case, the folder entry (see folder entry for details) points to the first cluster of the file. Tip: For more detailed information, see the resource kits on Microsoft's web site http://www.microsoft.com/windows/reskits/webresources/default.asp or Microsoft Developers Network (MSDN) http://msdn.microsoft.com. FAT Root Folder: The root folder contains an entry for each file and folder on the root. The only difference between the root folder and other folders is that the root folder is on a specified location on the disk and has a fixed size (512 entries for a hard disk; the number of entries on a floppy disk depends on the size of the disk). See FAT Folder Structure on page 159 topic
112. al RAID Array Wizard 115; Data Recovery Concept Overview; Hardware and Disk Architecture; Hardware and Disk Organization 119; Hard Disk Drive Basics 119; Master Boot Record (MBR) 120; Partition Tables 122; Disk Arrays (RAID) 126; Logical Disk Manager (LDM) Overview 128; File Systems; Windows NT File System (NTFS) 130; NTFS Partition Boot Sector 131; NTFS Master File Table (MFT) 133; NTFS File Types 134; Data Integrity and Recoverability with NTFS 138; Extended File System (exFAT) 139; Volume Layout 140; exFAT Dire
113. alculated as 112 435 bytes 3 32768 bytes. Example of recovery clusters chain on NTFS: In our example we just need to pick up 110 clusters starting from the cluster 312555. Cluster size is 512 bytes, so the offset of the first cluster would be 512 * 312555 = 160028160 = 0x0989D600. [Hex dump of the disk at offset 0x0989D600] Here is our data. What's left to do is just reading 110 clusters (56320 bytes) from this point and then copying them to another location. Data recovery is complete now. Important: DO NOT SAVE ONTO THE SAME DRIVE DATA THAT YOU FOUND AND TRYING TO RECOVER process of recovering by overwriting FAT records for this and other deleted entries. It's better to save data onto another logical, removable, network or floppy drive. Partition Recovery Process: System Boot Process: In some cases the first indication of a problem with hard drive data
114. alid except null GUID 100000000 0000 0000 000010000000000 Comments Must be 0 Must be 0. TexFAT Padding Directory Entry (columns: Offset, Size, Description, Comments): 0 (0x00), EntryType; 1 (0x01), Reserved. Remember: exFAT 1.00 does not define the TexFAT Padding directory entry. TexFAT Padding directory entries are only valid in the first cluster of a directory and occupy every directory entry of the cluster. Implementations should not move TexFAT Padding directory entries. Windows CE Access Control Table Directory Entry (columns: Offset, Size, Description, Comments): 0 (0x00), EntryType; 1 (0x01), Reserved. Remember: exFAT 1.00 does not define the Windows CE Access Control Table Directory Entry. Stream Extension Directory Entry (columns: Offset, Size, Description, Comments): 0 (0x00), 1, EntryType, 0xC0; 1 (0x01), 1, GeneralSecondaryFlags, see below; 2 (0x02), 1, Reserved; 3 (0x03), 1, NameLength, length of the Unicode name contained in subsequent File Name directory entries; 4 (0x04), 2, NameHash, hash of the up-cased file name; 6 (0x06), 2, Reserved2; 8 (0x08), ValidDataLength, must be between 0 and DataLength; 16 (0x10), Reserved3; 20 (0x14), FirstCluster; 24 (0x18), DataLength, for directories maximum 256 MB. GeneralSecondaryFlags (Description, Comments): AllocationPossible, must be 1; NoFatChain; CustomDefined. The Stream Extension directory entry must immediately follow the File directory entry in the
115. all unallocated space [Screenshot: Assign Drive Letter, Make restored partition Active, Offset, Size, Measure in Sectors] Figure 16: Restore partition dialog. Dialog Options: Assign Drive Letter: To assign a drive letter to the recovered partition, select a letter from the drop-down list. Make restored partition Active: To set this partition as active, check the Make restored partition Active check box. Create Extended Partition: Before a partition is restored, unallocated space can be set as an extended partition by checking the Create Extended Partition check box. Using Scan Results: After you have completed a device scan, a Scan Results branch appears in the Recovery Explorer tree. Detected partitions are listed in order of their certainty of recovery. [Screenshot: Scan Results tree with Device Scan entries and detected partitions rated from Excellent to Poor] There are 12 attributes that define a partition. In some cases the application cannot be certain that the found item actually is a partition. The rating in the order of certainty dep
116. allocation. In this list you have to specify all the files which make up the image. To add a Disk Image chunk to the list, click the Add New button and use the browse for a file dialog to select a file. To remove a Disk Image chunk, select this chunk in the list and click the Remove button. To modify the order of Disk Image chunks, select any chunk you wish to relocate and use the Up and Down buttons to move the selected chunk in the chunk stack. Image Type: Select the image type you are about to open. Usually it is assigned automatically depending on the Disk Image chunks added. Raw Disk Image: Raw fragment of a disk. LSoft Disk Image: Disk Image created by any LSoft Technology product. Virtual PC: Disk Images from Virtual PC software. VMWare Image: Disk Images from VMWare software. Media Type: Select the appropriate media type. Usually it is assigned automatically. Use Fixed Disk by default. Bytes per Sector: Enter the sector size in bytes. Sectors per Track: Enter the track size in sectors. Tracks per Cylinder: Enter the cylinder size in tracks. Save DIM File as: In case of manual composition of Disk Image properties, you may save the final configuration file for later use. 4. Confirm and open disk image: Click OK to open the Disk Image. A disk image node appears in Recovery Explorer. Important: Use Open a Disk Image Wizard on page 109 for the same purpose. File Organizer Overview: Active UNDELETE is an advanced data recovery tool designed to recover data lost or dele
117. an paste it into a different place by moving the cursor to the position where you want the data to be copied. Use the command Edit > Paste or press Ctrl+V. If you copied text into the clipboard in a text editor, it will be pasted into the Disk Editor as text. Otherwise the data will be copied as binaries. Filling a selection: [Screenshot: Fill Block dialog over a hex view, with the options Overwrite selected data in the following range, Hex values, and Enter pattern hex values] You can fill a selection with arbitrary text or binary data. Make a selection first, then right-click Edit > Fill block. The Fill Block dialog allows entering either text or hex value patterns which will be used
118. annot be mirrored. Striped: A dynamic volume that stores data in stripes on two or more physical disks. Data in a striped volume is allocated alternately and evenly (in stripes) across the disks. Striped volumes offer the best performance of all the volumes that are available in Windows, but they do not provide fault tolerance. If a disk in a striped volume fails, the data in the entire volume is lost. You can create striped volumes only on dynamic disks. Striped volumes cannot be mirrored or extended. Mirrored: A fault-tolerant volume that duplicates data on two physical disks. A mirrored volume provides data redundancy by using two identical volumes, which are called mirrors, to duplicate the information contained on the volume. A mirror is always located on a different disk. If one of the physical disks fails, the data on the failed disk becomes unavailable, but the system continues to operate in the mirror on the remaining disk. You can create mirrored volumes only on dynamic disks on computers running the Windows 2000 Server or Windows Server 2003 families of operating systems. You cannot extend mirrored volumes. RAID 5: A fault-tolerant volume with data and parity striped intermittently across three or more physical disks. Parity is a calculated value that is used to reconstruct data after a failure. If a portion of a physical disk fails, Windows recreates the data that was on the failed portion f
119. ated in different locations using the same pattern, for example to compare a boot record with its copy. In the case of a Copy template, its location is set separately from the main record using the same pattern. If the main template and its copy are intersecting, the copy template data will be shown in the template window but not highlighted in the main edit area. Setting template position: In order to set a template position or change an existing one, move the cursor to the desired location and use the Edit menu command Set Template position, or Set Template Copy Position for its copy. Navigating to a system area which has an attached template using the Navigate menu also changes the template position. In order to facilitate the movement between records located in sequence, use the arrow buttons located in the template window toolbar next to the templates list. For example, if you are editing or viewing an MFT record, you can easily move to the next or previous record using those buttons. Another way to set a template position is to enter a new offset directly into the template offset edit field in the template window toolbar. One of those fields is used for entering an offset of the main record and another is for its copy. The format of offset used in the offset field is <sector> <sector offset>. You don't need to specify the sector offset if you want to move to the beginning of the sector. For example, you can simply enter 100 to go to sector 100 and template offset will be shown a
120. be read at the same time. Write performance is the same as for single disk storage. RAID 1 provides the best performance and the best fault tolerance in a multi-user system. This type uses striping across disks, with some disks storing error checking and correcting (ECC) information. It has no advantage over RAID 3. This type uses striping and dedicates one drive to storing parity information. The embedded error checking (ECC) information is used to detect errors. Data recovery is accomplished by calculating the exclusive OR (XOR) of the information recorded on the other drives. Since an I/O operation addresses all drives at the same time, RAID 3 cannot overlap I/O. For this reason, RAID 3 is best for single-user systems with long record applications. This type uses large stripes, which means you can read records from any single drive. This allows you to take advantage of overlapped I/O for read operations. Since all write operations have to update the parity drive, no I/O overlapping is possible. RAID 4 offers no advantage over RAID 5. This type includes a rotating parity array, thus addressing the write limitation in RAID 4. Thus, all read and write operations can be overlapped. RAID 5 stores parity information but not redundant data (but parity information can be used to reconstruct data). RAID 5 requires at least three and usually five disks for the array. It's best for multi-user systems in which performance is not critical or whi
121. boot again we'll see an error message like "Non System Disk or Disk Error". 3. What will happen if a partition entry has been deleted? If it has been deleted, the next two partitions will move one line up in the partition table. [Hex dump of the partition table at Physical Sector: Cyl 0, Side 0, Sector 1] If we try to boot now, the previous second (FAT) partition becomes the first and the loader will try to boot from it. And if it's not a system partition, we'll get the same error messages. 4. What will happen if a partition entry has been damaged? Let's write zeros to the location of the first partition entry. [Hex dump of the partition table at Physical Sector: Cyl 0, Side 0, Sector 1] If we try to boot now, the MBR loader will try to read and interpret zeros (or other garbage) as partition parameters and we'll get an error message like "Missing Operating System". Thus
122. c key technology to protect files and ensure that only the owner of a file can access it. Users of EFS are issued a digital certificate with a public key and a private key pair. EFS uses the key set for the user who is logged on to the local computer where the private key is stored. Users work with encrypted files and folders just as they do with any other files and folders. Encryption is transparent to the user who encrypted the file; the system automatically decrypts the file or folder when the user accesses it. When the file is saved, encryption is reapplied. However, intruders who try to access the encrypted files or folders receive an "Access denied" message if they try to open, copy, move, or rename the encrypted file or folder. To encrypt or decrypt a folder or file, set the encryption attribute for folders and files just as you set any other attribute. If you encrypt a folder, all files and subfolders created in the encrypted folder are automatically encrypted. It is recommended that you encrypt at the folder level. NTFS Sparse Files (Windows 2000 only): A sparse file has an attribute that causes the I/O subsystem to allocate only meaningful (nonzero) data. Nonzero data is allocated on disk, and non-meaningful data (large strings of data composed of zeros) is not. When a sparse file is read, allocated data is returned as it was stored; non-allocated data is returned, by default, as zeros. NTFS deallocates sparse data streams
123. can right-click in the hex editor and select a command from a context menu. The bookmark position is shown with a light blue box and also added to the list of bookmarks in the Bookmarks window. To remove a bookmark, press Ctrl+F2 while having the cursor over the position of that bookmark. You can also remove a bookmark from the Bookmarks window by selecting a bookmark button in a toolbar and clicking delete. The delete function may also be selected from a context menu. Going to a bookmark: If you have defined bookmarks, pressing F2 will move your current position to the next enabled bookmark in the list. You can also right-click a bookmark and select the Next bookmark command from a context menu. Another option is to double-click a bookmark name in the Bookmarks window. Editing bookmarks: Bookmarks are named automatically when they are placed. You can rename a bookmark in the Bookmarks window to give it some meaningful name. To do so, make a single mouse click on the bookmark name and edit it. Press Enter to accept your changes or Esc to cancel editing and revert to the original name. You can also rename a bookmark by right-clicking on it and selecting the Rename command from a context menu. Sometimes, instead of deleting a bookmark, it is useful to temporarily disable it. A disabled bookmark will not be counted when moving to the next bookmark. Uncheck a bookmark in the Bookmarks window to disable it. To disable
124. cf; Visio Documents (vsd); Crystal Reports (rpt); Outlook Data Archives (pst); PowerPoint 2007 Presentations (pptx); Excel 2007 Spreadsheets (xlsx); Word 2007 Documents (docx); Open Documents Text (odt); XPS Documents (xps); Other OLE containers (ole). Music and Videos: MIDI Files (mid); MP3 Files (mp3); MPEG Files (mpeg); Red Digital Cinema Camera (r3d); AVI Files (avi); WAV Files (wav); ANI Files (ani); MPG Files (mpg).
Fiction Book (fb2). Images and Camera Raw files: Bitmap Images (bmp); Canon CRW Raw Images (crw); Canon CR2 Raw Images (cr2); Icon Files (ico); JPEG Images; Portable Network Graphics (png); Konica Minolta Raw Images (mrw); Fuji FinePix Raw Images (raf); TIFF Images (tif); Sony Alpha Raw Images (arw); Adobe Digital Negative (dng); Nikon Raw Images (nef); Olympus Raw Images (orf); Pentax Raw Images (pef); Leica Raw Images (raw).
QuickTime multimedia JP2 Files (jp2); QuickTime multimedia JPA Files (jpa); QuickTime multimedia JPM Files (jpm); QuickTime multimedia JPX Files (jpx); QuickTime multimedia M4A Files (m4a); QuickTime multimedia M4B Files (m4b); QuickTime multimedia M4P Files (m4p); QuickTime multimedia M4V Files (m4v); QuickTime multimedia MAF Files (maf); QuickTime multimedia MOV Files (mov); QuickTime multimedia MP4 Files (mp4); QuickTime multimed
125. ch as timestamp and link count. Attribute List: Lists the location of all attribute records that do not fit in the MFT record. File Name: A repeatable attribute for both long and short file names. The long name of the file can be up to 255 Unicode characters. The short name is the 8.3, case-insensitive name for the file. Additional names, or hard links, required by POSIX can be included as additional file name attributes. Security Descriptor: Describes who owns the file and who can access it.
Attribute Type / Description. Attribute types, in order: Data; Object ID; Logged Tool Stream; Reparse Point; Index Root; Index Allocation; Bitmap; Volume Information; Volume Name. NTFS System Files. Descriptions, in the same order:
Contains file data. NTFS allows multiple data attributes per file. Each file typically has one unnamed data attribute. A file can also have one or more named data attributes, each using a particular syntax.
A volume-unique file identifier. Used by the distributed link tracking service. Not all files have object identifiers.
Similar to a data stream, but operations are logged to the NTFS log file just like NTFS metadata changes. This is used by EFS.
Used for volume mount points. They are also used by Installable File System (IFS) filter drivers to mark certain files as special to that driver.
Used to implement folders and other indexes.
Used to implement folders and other indexes.
Used to implement folders and other indexes.
Used
126. ch do few write operations. Left Asynchronous. Logical Disk Manager (LDM) Overview. Understanding of underlying mechanisms of data storage organization and data recovery. Dynamic disks provide features that basic disks do not, such as the ability to create volumes that span multiple disks (spanned and striped volumes) and the ability to create fault-tolerant volumes (mirrored and RAID 5 volumes). All volumes on dynamic disks are known as dynamic volumes. There are five types of dynamic volumes. Simple: A dynamic volume made up of disk space from a single dynamic disk. A simple volume can consist of a single region on a disk or multiple regions of the same disk that are linked together. If the simple volume is not a system volume or boot volume, you can extend it within the same disk or onto additional disks. If you extend a simple volume across multiple disks, it becomes a spanned volume. You can create simple volumes only on dynamic disks. Simple volumes are not fault tolerant, but you can mirror them to create mirrored volumes on computers running the Windows 2000 Server or Windows Server 2003 families of operating systems. Spanned: A dynamic volume consisting of disk space on more than one physical disk. You can increase the size of a spanned volume by extending it onto additional dynamic disks. You can create spanned volumes only on dynamic disks. Spanned volumes are not fault tolerant and c
127. chives; Images and Camera Raw files; Music and Videos; QuickTime Multimedia files; Miscellaneous; User Defined Signature Types. File Signatures Options. File signatures list: Review available (supported) file signatures. User-defined file signatures, if any, are shown in a separate group. Add file signature: Click the Add button to add a user-defined file signature. See Custom (user defined) file signature templates on page 41. Edit file signature: Click the Edit button when a custom file signature is selected, or double-click the custom file signature node, to open the edit dialog. Import Custom file signatures: Click the Import button to import custom file signatures defined in a third-party configuration file. Virtual storages. Active UNDELETE is an advanced data recovery tool designed to recover lost or deleted data, or even information from formatted hard disks. Active UNDELETE allows you to create virtual entities for better access (virtual disks and virtual partitions) to emulate the real ones without affecting data on physical devices. Thus the user can emulate an actual physical disk by assigning different values of disk geometry properties and read data from the device with a different sequence and interpretation. Besides direct emulation of a physical disk or partition (volume), the user can use disks (or part of them) and Disk Images to create Virtual RAIDS em
128. choose View > Data Inspector. To copy interpreted data from Data Inspector as text: 1. Right-click anywhere in the Data Inspector window. 2. Select Copy. To switch between little-endian and big-endian representation: 1. Right-click anywhere in the Data Inspector window. 2. Select Big Endian. The Data Inspector window is dockable and its location can be changed by clicking on the window title and dragging it to the new location. If the Data Inspector window is sharing its space with other tool views, you can change its relative position by left-clicking and dragging the window tab. You can close the window by clicking on the X button in the top right corner of the window and reopen it again using the View menu in the Disk Editor Toolbar. Using Bookmarks. Bookmarks allow you to save the current cursor location and quickly return to it later on. You may also give a name to a bookmark to make orientation easier. Bookmarks are shown in the tool window called Bookmarks. If the Bookmarks window is closed, you can open it using the menu View > Bookmarks. [Screenshot: Bookmarks window with columns Bookmark and Offset, listing "Block A" at 2 683 645 746 and "MFT Mirror" at 8 282 853 376] Placing and removing a bookmark: Press Ctrl+F2 in order to add a bookmark. Alternatively, you
129. computer running Windows NT cannot see more than 2 GB. If you try to use a FAT volume larger than 2 GB when running MS-DOS or Windows 95, or access it from a Macintosh computer, you might get a message that there are 0 bytes available. The same limit applies to OS/2 system and boot partitions. The maximum size of a FAT volume on a specific computer depends on the disk geometry and the maximum values that can fit in the fields described in this section. The next table shows the typical size of a FAT volume when translation is enabled and when it is disabled. The number of cylinders in both situations is 1024.
Translation mode | Number of heads | Sectors per track | Maximum size for system or boot partition
Note: RISC-based computers do not have a limit on the size of the system or boot partitions. If a primary partition or logical drive extends beyond cylinder 1023, all of these fields will contain the maximum values. Relative Sectors and Number of Sectors Fields. For primary partitions, the Relative Sectors field represents the offset from the beginning of the disk to the beginning of the partition, counting by sectors. The Number of Sectors field represents the total number of sectors in the partition. For a description of these fields in extended partitions, see the section Logical Drives and Extended Partitions. Windows NT uses these fields to access all partitions. When you format a partition when running Windows NT, it puts data into the S
130. consists of one or many files which contain the actual image data. A Disk Image can be cut into several files (chunks) during creation for better space allocation. In this list you have to specify all the files which make up the image. To add a Disk Image chunk to the list, click the Add New button and use the browse-for-a-file dialog to select a file. To remove a Disk Image chunk, select this chunk in the list and click the Remove button. To modify the order of Disk Image chunks, select any chunk you wish to relocate and use the Up and Down buttons to move the selected chunk in the chunk stack. Image Type: Select the image type you are about to open. Usually it is assigned automatically depending on the Disk Image chunks added. Raw Disk Image: Raw fragment of a disk. LSoft Disk Image: Disk Image created by any LSoft Technology product. Virtual PC: Disk Images from Virtual PC software. VMWare Image: Disk Images from VMWare software. Media Type: Select the appropriate media type. Usually it is assigned automatically. Use Fixed Disk by default. Bytes per Sector: Enter sector size in bytes. Sectors per Track: Enter track size in sectors. Tracks per Cylinder: Enter cylinder size in tracks. Save DIM File as: In case of manual composition of Disk Image properties, you may save the final configuration file for later use. Click Next to continue. 3. Confirmation: Verify and confirm parameters for the disk image to be
131. cords contain links to first cluster in data runs and MBR provides links to partitions. [Screenshot: Active Disk Editor with the NTFS MFT File Record template, showing attribute fields such as allocated size, real size, initialized size and data runs with size, cluster count and first cluster] Disk Image Overview. Definition: Disk Image is a copy of your logical drive or physical device that is stored in one file. This can be useful when you want to backup the contents of the whole drive and restore it or work wit
132. ctory Structure; exFAT Defined Directory Entries; exFAT Cluster Heap; File System FAT; FAT Partition Boot Sector; FAT File Allocation Table; FAT Root Folder; FAT Folder Structure; FAT32 Features; Disk scan for deleted entries; Define clusters chain for the deleted entry; Clusters chain recovery for the deleted entry; Partition Recovery Process; Damaged MBR; Partition is deleted or Partition Table is damaged; Partition Boot Sector is damaged; Missing or Corrupted System Files. Legal Statement. Copyright 2013 LSOFT TECHNOLOGIES INC. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformat
133. cupies the first 446 bytes of the sector. The disk signature (FD 4E F2 14) is at the end of the Master Boot Record code. The second part is the Partition Table on page 122. [Hex dump of Physical Sector: Cyl 0, Side 0, Sector 1]
134. d disk range can be set individually. Tip: Click on a disk partition or unallocated space to select the entire partition or unallocated space as the disk range for RAID assembly. Specify RAID type, block size and sectors per block if necessary. In the stripe block size text box, specify the stripe block size in kilobytes (Stripe and RAID 5 arrays only). For RAID 5, select a proper parity layout from the drop-down list box. See Disk Arrays (RAID's) on page 126 for parity layout reference. Click Create. The Processing dialog appears. Note: To display creation events and progress details, click Details. Note: To terminate the creation process, click Stop at any time. Results may be not accurate or complete. If a virtual disk array is created successfully, a new node appears in the Recovery Explorer tree. If a virtual disk array is not created, or if it is created with errors, return to 1 and try again with different disks or with a different disk order and RAID options. Active UNDELETE Wizards Overview. Active UNDELETE is an advanced data recovery tool designed to recover lost or deleted data. Various wizards will help you perform recovery tasks fast and easily. Active UNDELETE Wizards are sets of step-by-step guided tools that help you to accomplish different recovery and disk management tasks. Wizards can be started at any time from the Main application's menu Wizards Fro
135. d if its not [Screenshot: detected partition list showing Detected Drive, 105 GB, FAT32, TREMMENS, Status: Excellent] Click Next to proceed with restoration of the selected partition. 4. Confirm Partition Recovery: Review and confirm the partition recovery and click the Restore button to restore the selected partition. If the action is successful, the restored partition will appear in the data storage device area of the Recovery Explorer. Create a New Partition Wizard. This wizard guides you through simple steps to help you to create a new partition on a data storage device. When the Restore Partition wizard starts for the first time, the first screen describes the process. Clear the "Show this page next time" check box to avoid seeing this screen the next time you run this wizard. 2. Select Unallocated Space: Select the unallocated space where the new partition must be created and click the Next button to continue. [Screenshot: device list with columns Name, Status, Partitioning, Total size, Total Sectors, Bytes/Sector]
136. d in the Physical Disks list to be processed simultaneously. At least one selection must be made to begin disk image creation. Disk Control: Use the markers that indicate the first and last sectors on this control to specify an area to image. Destination: Provide the location of the Disk Image configuration file. To browse to the path, click the ellipsis button. All Disk Image chunk files will be created in the same folder with the DIM file. Description: Enter a brief description about this disk image for future reference (optional). Replace existing disk image files: If this option is set, all chunk files will be replaced with new ones if their file names are the same. Ignore R/W Errors: Ignore Read and Write errors during the disk image creation. Lock Disk: Source disk will be locked until Disk Image creation is complete or aborted. Ignore Disk Lock Errors: Any errors related to disk lock will be ignored. Compression: Choose one of the following. None (Raw Data): No compression is applied; sectors are stored in raw format. Fast: Sectors are compressed before storing to the file using a fast compression algorithm. Medium: Sectors are compressed before storing to the file using a slow but more effective compression algorithm. High: High level of compression. Highest: Highest possible compression level will be used. Store Disk Image in chunks: Select this check box to save the Disk Image as a series of files with a specified size. Choo
137. d partition. Evaluate the scan results: Use scan result view and Filter detected partitions by certainty on page 34 to examine detected partitions before restoration. Restore detected partition on page 31: Restore deleted partition at previous location. Scan Disk (Physical Device). A physical device is an installed hard disk, Flash card, external USB disk or any device that holds data. You may scan a device two ways. Scan for Deleted Partitions on page 29: Scan unallocated space on disk to detect deleted or damaged partition. Scan for files by their signatures on page 21: Besides detecting partitions, Device Scan can detect files by their unique file signature. To let files by signature be detected, select the Detect files by their signatures option when performing Scan Disk (Physical Device) on page 29. Note: Scanning time is directly correlated with the number of file signatures selected. Scan for Deleted Partitions. Detected partition can be scanned as any other Logical Drive for Files and Folders. You can scan a detected partition to verify partition content before partition restoration or to be able to recover (copy) files to a safe location if partition wa
138. d to avoid overwriting. Ask before overwrite: If a file with a certain name already exists in the destination folder, the application will ask the user what action to take. Overwrite without prompt: All files will be overwritten in the event they already exist in the destination folder. Skip existing files: If a file with the same name exists in the destination folder, the recovery of a new file will be skipped. Additional Options. Create Folder Structures: When this option is selected, files will be recovered with their original folder structures, e.g. the original folder hierarchy as it was on the source storage device. In case the files were organized in groups by date, file extensions or an associated application, then such groupings will be created by the folder structure in the location where the files will be recovered to. Recover Name Streams: With this option on, files will be recovered with their original named streams. Verify default recovery options and click Next to continue. Confirm Recovery: Review recovery options, destination path, etc. and click Recover to start recovering files. Complete wizard: Click to close the Wizard. After the recovery wizard has completed, you can open the destination folder to which the files were recovered. Use the default OS File Explorer or repeat the wizard again to scan another logical drive. Note: All scan results will remain available after the wizard closes. Recover Files by Signature W
139. [Screenshot: Search Results list of files with size, attributes, date and path columns] To recover an item in this list, right-click the item and choose Recover from the context menu, or click the Recover button in the toolbar. To preview an item, select it and click File Preview. To change search criteria and repeat the search at the same location, click Search Again. Note: You can create a custom filter for this list. For more information, see File Filter Toolbar on page 40. Note: For information about how to start a search, see Search for deleted Files and Folders
140. e actions such as volume scan etc. Create virtual copy of existing partition. 1. Select a partition (volume): In Recovery Explorer, select a logical drive or a partition. 2. Open the Create Virtual Copy dialog: Use command Actions > Create Virtual Partition from main menu; or right-click the selected item and click the Create Virtual Partition command from the context menu. 3. Adjust dialog options: Partition to copy will be selected automatically. Use sliders to specify partition boundaries: offset and size. Mouse click on partition box will select virtual partition boundaries. Copy of data (H:) will be created as virtual partition on selected disk. You can change default selection and click Create button to complete action. [Screenshot: Create Virtual Partition dialog for PhysicalDrive4 (976773168 sectors), with fields Display Name: data (H:), File System: NTFS, First Sector: 164120040, Size (MB): 15798, and the summary "Virtual Partition will be created on PhysicalDrive4 starting from 164120040 sector with size 15.4 GB (32354910 sectors) with NTFS file system. Virtual partition will be shown in Recovery Explorer with name data (H:)"]
141. e boundaries, when by scanning a physical disk you can specify custom boundaries of disk surface to scan. Volume (logical drive) Scan: During a volume scan you have to select file signatures on the scan dialog and they will be detected, if any, among other deleted or live files on the selected volume(s) only. Drive Scan searches existing volumes (partitions) for deleted or damaged files or folders. [Screenshot: General Scan Options dialog, "Select file types to be detected by their signatures"] Note: See Scan a volume (logical drive) for deleted files on page 18 for more information. Physical Disk Scan: Files by signatures can be also detected during a scan of disk surface, not limited by volume boundaries. [Screenshot: Disk Scan dialog for PhysicalDrive (976773168 sectors), "Besides detecting deleted partition user can select certain types of files to be detected during Disk Scan"]
142. e, for example, the DiskProbe program on Windows NT Workstation Resource Kit CD to display the Master Boot Record and compare it to the Master Boot Record shown above. There are also utilities on the Microsoft Windows Resource Kits that enable you to save and restore the Master Boot Record. Tip: For more detailed information, see resource kits on Microsoft's web site http://www.microsoft.com/windows/reskits/webresources/default.asp or Microsoft Developers Network (MSDN) http://msdn.microsoft.com. Partition Table. Understanding of underlying mechanisms of data storage organization and data recovery. The information about primary partitions and an extended partition is contained in the Partition Table, a 64-byte data structure located in the same sector as the Master Boot Record (MBR) on page 120 (cylinder 0, head 0, sector 1). The Partition Table conforms to a standard layout that is independent of the operating system. Each Partition Table entry is 16 bytes long, making a maximum of four entries available. Each entry starts at a predetermined offset from the beginning of the sector, as follows: Partition 1: 0x01BE (446); Partition 2: 0x01CE (462); Partition 3: 0x01DE (478); Partition 4: 0x01EE (494). The last two bytes in the sector are a signature word for the sector and are always 0x55AA. The next figure is a printout of the Partition Table for the disk shown in a Master Boot Record (MBR) on page 120 earlier in this chapter. When there are
143. [Screenshot: Disk Scan results tree with Files Detected By Signatures (Bitmap Images, Icon Files, JPEG Images) and a list of deleted JPEG files with size, first sector and sector count] Figure 5: File Detected by signatures. Search Results View. The Search Results view appears after you perform a Search for deleted Files and Folders on page 37. The top panel displays the results of the search in a list. To make this list easier to read, you may do the following: To sort the list by a column in ascending order, click the column header. To sort the list by the same column in descending order, click the column header a second time. To show a list that is reduced in size by a filter, select one of the preset options in the File Filter toolbar. [Screenshot: File Filter toolbar (View, Group by, Filter by) above the search results list]
144. [Screenshot: Open Disk dialog listing physical drives and their volumes with columns Type, File System, Total Size, Offset and Total Sectors, and a properties pane with volume integrity information] Figure 31: Open disk or volume in Disk Editor. You will see physical drives and partitions onl
145. e renamed by their given specified file root name and added enumeration ID. The file's extension remains intact. Existing files conflict resolution. Unique file name: If a file with the same name exists in the destination folder, files with a unique name will be generated to avoid overwriting. Ask before overwrite: If a file with a certain name already exists in the destination folder, the application will ask the user what action to take. Overwrite without prompt: All files will be overwritten in the event they already exist in the destination folder. Skip existing files: If a file with the same name exists in the destination folder, the recovery of a new file will be skipped. Additional Options. Create Folder Structures: When this option is selected, files will be recovered with their original folder structures, e.g. the original folder hierarchy as it was on the source storage device. In case the files were organized in groups by date, file extensions or an associated application, then such groupings will be created by the folder structure in the location where the files will be recovered to. Recover Name Streams: With this option on, files will be recovered with their original named streams. Verify default recovery options and click Next to continue. 6. Confirm Recovery: Review recovery options, destination path, etc. and click Recover to start recovering files. 7. Complete wizard: Click to close t
146. e sectors instead of megabytes as partition measurements. Partition Attributes. Page Options: Mark Partition as Active: The newly created partition will be set as the Active Partition. Assign Drive letter: For a Primary Partition or a Logical Drive on an extended partition, a drive letter can be assigned from the list of drive letters available in the system. Format Partition: This step is optional. Set Do not format new partition and click the Next button to continue. Page Options: Volume Label: Enter a distinctive volume label. File System: Select one of the supported file systems. Allocation unit size: The allocation unit size depends on the File System selected. Leave Default for most cases. 5. Confirm Actions: Review and confirm the new partition attributes and click the Create Partition button to initiate the creation process. 6. Complete: Click Finish to close the Wizard. A new partition will appear for the corresponding disk in Recovery Explorer. Create a Virtual RAID Array Wizard: Active UNDELETE is an advanced data recovery tool designed to recover lost or deleted data, or even information from formatted hard disks. This Wizard will guide you through simple steps to help you re-assemble a damaged or disassembled RAID set to create a Virtual Disk Array. It will allow you to review and recover data located on the RAID set. To create a Virtual Disk Array you must specify the type of disk array RAID type disk
147. e very important for starting up the computer. The code in the Master Boot Record uses these fields to find and load the Partition Boot Sector. The Ending Cylinder field in the Partition Table is ten bits long, which limits the maximum number of cylinders that can be described in the Partition Table to 1024. The Starting and Ending Head fields are one byte long, which limits this field to the range 0-255. The Starting and Ending Sector field is 6 bits long, limiting its range to 0-63. However, sectors start counting at 1 (versus 0 for the other fields), so the maximum number of sectors per track is 63. Since current hard disks are low-level formatted with the industry standard 512-byte sector size, the maximum capacity disk that can be described by the Partition Table can be calculated as follows: MaxCapacity = (sector size) x (sectors per track) x (cylinders) x (heads). Substituting the maximum possible values yields 512 x 63 x 1024 x 256 = 8,455,716,864 bytes, or 7.8 GB. The maximum formatted capacity is slightly less than 8 GB. However, the maximum cluster size that you can use for FAT volumes when running Windows NT is 64K when using a 512-byte sector size. Therefore, the maximum size for a FAT volume is 4 GB. If you have a dual-boot configuration with Windows 95 or MS-DOS, FAT volumes that might be accessed when using either of those operating systems are limited to 2 GB. In addition, Macintosh computers that are viewing volumes on a
148. e wizard when the disk image creation is complete. You can work with a disk image in the same way as you work with a regular storage device or logical drive. You can: scan it as a device for deleted or damaged partitions; scan logical drives and search for files; recover or copy files and folders to another safe location. Open a Disk Image Wizard: This Wizard will guide you through simple steps to open a Disk Image that was previously created. You can open a Disk Image based on a configuration file or compose a Disk Image from raw chunks. These chunks may be created by third-party software. After a Disk Image is opened, you are able to work with it as you would work with a regular Logical Drive or Data Storage Device. You can scan an opened Disk Image, view its contents and recover files and folders from the Disk Image. To start the Open Disk Image Wizard, run the Open Disk Image menu command from the Wizards menu or click the Open Disk Image button on the Disk Image Tab Command Bar on the left side. 1. Open Disk Image configuration file: A Disk Image Configuration File is a file used to store all information about a created Disk Image, including disk geometry and annotation labels. A Disk Image configuration File is created during the Create Disk Image p
149. ead dword 16h if height 0 goto exit pixel read word lich if pixel 1 goto valid if pixel 4 goto valid if pixel 8 goto valid if pixel 16 goto valid if pixel 24 goto valid sti oel l 32 GOTO exui syetlbibels pixel mul pixel width pixel mul pixel height pixel div pixel 1000b read dword 22h iit rastr size lt Pizel Goto exit rastr offset read dword OAh ir nemus Oweser lt 309 GOTO ext LESicic OQuLsSec Sumus Ode TASTE Suse size read dword 2 ii size gt raestr OTLSSr GOTO cut size 0
How to Use Wildcards: A wildcard is a character that can be used as a substitute for any of a class of characters in a search. Wildcard characters are often used in place of one or more characters when you do not know what the real character is or you do not want to enter the entire name. In Active UNDELETE three types of wildcard are used: star or asterisk (*), question mark (?) and number sign (#). Wildcard characters are used in the File Filter Toolbar on page 40 and Search for deleted Files and Folders on page 37. Examples of using wildcards (columns: Wildcard character, Example, Description): Asterisk (*): Use the asterisk as a substitute for zero or more char
150. ecovery clusters chain on FAT16. Let's continue examining the example of the deleted file MyFile.txt from the previous topics. By now we have the chain of clusters 3, 4, 5, 6 ready for recovery. Our cluster consists of 64 sectors and the sector size is 512 bytes, so the cluster size is 64 x 512 = 32,768 bytes (32 KB). The first data sector is 535 (we have 1 boot sector, plus 2 copies of FAT of 251 sectors each, plus the root folder of 32 sectors; total 534 occupied by system data sectors). Clusters 0 and 1 do not exist, so the first data cluster is 2. Cluster number 3 is next to cluster 2, i.e. it is located 64 sectors behind the first data sector 535, i.e. at sector 535 + 64 = 599, equal to an offset of 306,668 bytes from the beginning of the drive (0x4AE00). With the help of a low-level disk editor we can see our data on the disk starting at offset 0x4AE00, or cluster 3, or sector 599:
Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0004AE00  47 55 49 20 6D 6F 64 65 20 53 65 74 75 70 20 68  GUI mode Setup h
0004AE10  61 73 20 73 74 61 72 74 65 64 2E 0D 0A 43 3A 5C  as started...C:\
0004AE20  57 49 4E 4E 54 5C 44 72 69 76 65 72 20 43 61 63  WINNT\Driver Cac
All we need to do is just copy 112,435 bytes starting from this place, because the cluster chain is consecutive. If it was not, we would need to re-calculate the offset of each found cluster and copy 3 times 64 x 512 = 32,768 bytes starting from each cluster offset, and then from the last cluster copy the remainder, 14,131 bytes, that is c
151. ed Device Scan or Virtual Partition Management. Simple Drive view: In this mode only accessible Logical Drives are present. Toggling between Simple Drive view and Expert Device view can be done with a toolbar button. To perform an action on any item (Data Storage Device, Drive, etc.), select it and choose a command from the Toolbar at the top of the view, from the Action menu, or from the right-click context menu. To add an item to the Recovery Toolbox, select the check box next to the item. The Properties Panel displays default properties for each selected item. Updates to these properties appear dynamically along with commands and activities performed in the workspace. To toggle the Properties Pane, click View > Properties pane. Logical Drive Scan Result View: The Logical Drive (Partition) scan results view displays all files detected after a logical drive scan. To make the results easier to read, you may group detected files by Extension, Application, Date Created, Accessed and Modified. [Screenshot residue: scan results view toolbar (Save Scan Results, Recover Checked, Recover All, Search, Group by, Filter by) above the file list; callout: File Grouping by Date.]
152. efore contains a record for this file:
0003EE60 a5 4D 00 79 00 46 00 69 00 6C 00 OF 00 BA 65 00 eil Wolottolls oo Ge
0003EE70 2m 00 74 00 76 00 74 OO 00 00 00 OO BY PE BE BE 5 5 1E oio leo ooo 6 YYYY
E m5 59 46 49 AC 45 20 20 34 56 54 20 00 C3 D 93 EET IDE SQZAMOPS
0003EE90 56 25 36 Zi 00 00 ma 95 56 25 OS 00 33 B7 OL 00 VN ANV oS 9s
We can calculate the size of the deleted file based on the root entry structure. The last four bytes are 33 B7 01 00; converting them to a decimal value (changing the byte order), we get 112435 bytes. The previous 2 bytes (03 00) are the number of the first cluster of the deleted file. Repeating the conversion operation for them, we get the number 03: this is the start cluster of the file. What can we see in the File Allocation Table at this moment?
00000200 F8 FF FF FF FF FF 00 00 00 00 00 00 00 00 08 00 oyyyyy
00000210 09 00 0A 00 08 00 0C 00 0D 00 HE EE 00 00 00 00 10 es o m e
00000220 00 00 00 00 00 00 00 00 00 00 00 00 00 0000 00 e eee
Zeros! And it is good in our case: it means that these clusters are free, i.e. most likely our file was not overwritten by another file's data. Now we have the chain of clusters 3, 4, 5, 6 and are ready to recover it. Some explanations: we started looking from offset 6 because each cluster entry in FAT16 takes 2 bytes and our file starts from the 3rd cluster, i.e. 3 x 2 = 6; we considered 4 clusters because cluster size on our
153. ence the limited functionality compresses the entire primary volume or logical volume. NTFS allows for the compression of an entire volume, of one or more folders within a volume, or even one or more files within a folder of an NTFS volume. The compression algorithms in NTFS are designed to support cluster sizes of up to 4 KB. When the cluster size is greater than 4 KB on an NTFS volume, none of the NTFS compression functions are available. Each NTFS data stream contains information that indicates whether any part of the stream is compressed. Individual compressed buffers are identified by holes following them in the information stored for that stream. If there is a hole, NTFS automatically decompresses the preceding buffer to fill the hole. NTFS provides real-time access to a compressed file, decompressing the file when it is opened and compressing it when it is closed. When writing a compressed file, the system reserves disk space for the uncompressed size. The system gets back unused space as each individual compression buffer is compressed. NTFS Encrypted Files (Windows 2000 only): The Encrypting File System (EFS) provides the core file encryption technology used to store encrypted files on NTFS volumes. EFS keeps files safe from intruders who might gain unauthorized physical access to sensitive stored data, for example by stealing a portable computer or external disk drive. EFS uses symmetric key encryption in conjunction with publi
154. ends on how many attributes are found and what condition they are in. You may perform the following actions on partitions in the Scan Results branch: Stop and Resume a scan on page 33; Filter detected partitions by certainty on page 34; Save and Load scan results. Stop and Resume a scan: To stop a physical device scan at any time, press Stop. After you stop a scan, a Scan Results branch appears in the Recovery Explorer tree. [Screenshot residue: Recovery Explorer tree with a Disk Scan Results branch holding one completed disk scan (detected NTFS drives rated Good, Not Bad, Poor and Bad) and one incomplete disk scan.] The example above shows how incomplete scan results are indicated. An icon appears next to each node in the Scan Results branch. Uncompleted Device Scan: An uncompleted (aborted) device scan can be resumed at any time. [Screenshot residue: Recovery Explorer view with the Welcome, Recovery Explorer, Application Log View and Partition Manager tabs.]
155. ent of a bad sector error, NTFS implements a recovery technique called cluster remapping. When Windows 2000 detects a bad sector, NTFS dynamically remaps the cluster containing the bad sector and allocates a new cluster for the data. If the error occurred during a read, NTFS returns a read error to the calling program and the data is lost. If the error occurs during a write, NTFS writes the data to the new cluster and no data is lost. NTFS puts the address of the cluster containing the bad sector in its bad cluster file, so the bad sector is not reused. Important: Cluster remapping is not a backup alternative. Once errors are detected, the disk should be monitored closely and replaced if the defect list grows. This type of error is displayed in the Event Log. Tip: For more detailed information, see resource kits on Microsoft's web site http://www.microsoft.com/windows/reskits/webresources/default.asp or Microsoft Developers Network (MSDN) http://msdn.microsoft.com. Extended File System (exFAT): Understanding of underlying mechanisms of data storage organization and data recovery. Extended File System (exFAT) is a successor of the FAT family of file systems (FAT12/16/32). It has a similar design, though it brings many significant improvements: larger volume and file size limits; native Unicode file names; bigger boot area allowing a larger boot code; better performance; time zone offset support; OEM paramete
156. enu. Right-click the selected item and click the Format command from the context menu. 3. Adjust dialog options: Format the selected volume with the selected File System and Allocation unit size. The volume label is optional. [Screenshot residue: Format Partition dialog with Volume label, File System (FAT32), Allocation unit size (Default) and Perform a quick format controls.] Figure 27: Format Partition dialog. Dialog Options: Volume label: Text label of the partition (disk). This field can be blank. File System: Select one of the supported file systems: FAT, FAT32 or NTFS. Unit Allocation Size: Depending on the selected file system and the total partition (disk) size, the available allocation unit size may be different. The default value of the unit size is recommended. 4. Click the Format button to start the formatting process. Danger: All data on the formatted Logical Drive (partition) will be lost. Back up all your valuable data before formatting. When formatting is complete, the volume item should appear in Partition Manager with the new attributes and file system. Resize a partition or logical drive (volume): An existing logical drive (volume) can be extended to use unallocated space available right after that partition, or shrunk to utilize unused space. To resize a Logical Drive (Partition): 1. In Partition Manager, select a Logical Drive (volume) node. 2. To open the Resize Volume d
157. [Screenshot residue: Disk Editor hex pane beside the template window for a boot sector, listing fields such as $MFT cluster number (786,432), $MFTMirr cluster number (2,022,181), Clusters per Index Block, Volume serial number, Bootstrap code and Signature (55 AA).] Applying a template: In order to apply a template to the desired offset, move the cursor to the location and use the Edit menu command Set Template position. You can select this command either from the Edit toolbar menu or from a context menu. As the next step, select the required template from the list box with template names in the toolbar of the templates window. [Screenshot residue: template list box (Master Boot Record, FAT Boot Sector, FAT32 Boot Sector, exFAT Boot Sector, HFS Volume Header, Ext2/Ext3 Superblock, NTFS MFT File Record, FAT Directory Entr) above the template field names and the Copy Value column.] When you are jumping to particular system areas using the Navigate menu, the corresponding template might be applied automatically. This is true for templat
158. er data lost or deleted data. A damaged or corrupted RAID system can be recovered. To assemble a virtual RAID: 1. Open the Virtual Disk Array Assembly dialog: from the Tools menu, choose the Create Virtual RAID command; or from the Tools tab in the Command Bar, choose the Create Virtual RAID command. 2. Select Physical Devices from the list of available devices in the correct order, and select the RAID Type. For each selected device you can individually specify device boundaries if needed. [Screenshot residue: Virtual RAID assembly dialog listing the data storage devices available for RAID assembly (name, status, partitioning, total size, total sectors, bytes per sector), with callouts 1 Select Data Storage Devices, 2 Device Order (array order can be changed if necessary), 3 Array boundaries (clicking on a partition sets the boundaries to that partition) and 4 RAID Type and Block Size.]
159. [Screenshot residue: boot sector field table comparing primary and copy values (Media descriptor, Sectors per track, Heads, Hidden Sectors), with the options Show offset in hexadecimal mode and Show values in hexadecimal mode.] Figure 29: Synchronize Boot sectors dialog box. Edit partition table: You can edit Disk System Records (MFT, Boot sector, etc.) by using specially designed forms. To edit the Partition Table: 1. In Recovery Explorer or in Partition Manager, select a Physical Device. 2. To open the Edit Partition Table dialog: use the command Actions > Partition Table from the main menu; or right-click the selected item and click the Partition Table command from the context menu. 3. Change the desired fields to appropriate values. [Screenshot residue: View and edit master boot record form with Disk Index, Reserved, Signature (55AA) and Master bootstrap fields.] Partiti
160. er in different ways to find and recover lost data. All information in the application is organized in tabbed views that provide easy access to information for different purposes. New to Active UNDELETE: To familiarize yourself with the Active UNDELETE workspace, read the following topics in this guide: Active UNDELETE Views And Windows on page 7; Search for deleted Files and Folders on page 37; File Filter Toolbar on page 40. Ready to Use: Recover deleted Files and Folders on page 17; Restore Partition on page 29; Virtual RAID Assembly on page 25; Decrypt recovered files on page 27. Step-by-step guided tasks: Recover Deleted Files Wizard on page 96; Recover Files by Signature Wizard on page 98; Recover Files from a Formatted Partition Wizard on page 101; Recover files from a deleted partitions wizard on page 104; File Recovery Expert Wizard on page 107; Restore a Deleted Partition Wizard on page 112; Create a New Partition Wizard on page 113; Create a Disk Image Wizard on page 107; Open a Disk Image Wizard on page 109; Verify a Disk Image Wizard on page 110; Create a Virtual RAID Array Wizard on page 115. Advanced Tools: Partition Manager Overview on page 59; Disk Editor Tool on page 66; Virtual RAID Assembly on page 25. Active UNDELETE Views And Windows
161. es Logical Block Address (Int 13h extensions). Part LastHead: The last head of the partition. This is a 0-based number that represents the offset from the beginning of the disk. The partition includes the head specified by this member. Part LastSector: The last sector of this partition. This is a 1-based, 6-bit number representing the offset from the beginning of the disk. The partition includes the sector specified by this member. Bits 0 through 5 specify the 6-bit value; bits 6 and 7 are used with the Part LastTrack member. Part LastTrack: The last track of this partition. This is a 0-based, 10-bit number that represents the offset from the beginning of the disk. The partition includes this track. The high 2 bits of this value are specified by bits 6 and 7 of the Part LastSector member. Part StartSector: Specifies the 1-based number of the first sector on the disk. This value may not be accurate for extended partitions. Use the Part FirstSector value for extended partitions. Part NumSectors: The 1-based number of sectors in the partition. Note: Values for head and track are 0-based. Sector values are 1-based. This structure is implemented in Windows OEM Service Release 2 and later. File Recovery Process: Understanding of underlying mechanisms of data storage organization and data recovery. The file recovery process can be briefly described as drive or folder scanning to find deleted entries in Root Folder
162. es like boot sectors, MBR or MFT record, but not all access points have a template associated with them. [Screenshot residue: template field values.] The following templates are supported: MBR; GUID Partition table; NTFS boot sector; NTFS MFT file record; FAT boot sector; FAT32 boot sector; FAT directory entry; exFAT boot sector; exFAT directory entry; HFS Volume header; HFS Catalog Node; HFS File Record; Ext2/Ext3/Ext4 superblock; Ext2/Ext3/Ext4 inode; UFS superblock; UFS inode; LDM structures. [Screenshot residue: NTFS boot sector template values.] As you edit data in the Hex, ASCII or Unicode pane or in the Templates window, modified data is fully synchronized between views. After each modification, a template view is recalculated, giving you an up-to-date interpretation of the data. Template Copy: The following templates have their copy: NTFS Boot Sector; FAT32 Boot Sector; HFS Volume Header; Ext2/Ext3 super block; LDM Private Header; LDM TOC Block. In this case the template window will have an additional column named Copy Value, which contains the data from the copy record. Template copies are useful to compare record loc
163. escription Comments
8 (0x08): Reserved2
20 (0x14): FirstCluster
24 (0x18): DataLength
The checksum is calculated against DataLength bytes of the Up-case Table according to the following code:
    UINT32 UpCaseTableChecksum(const unsigned char data[], int bytes)
    {
        UINT32 checksum = 0;
        /* rotate the running checksum right by one bit, then add the next byte */
        for (int i = 0; i < bytes; i++)
            checksum = ((checksum << 31) | (checksum >> 1)) + data[i];
        return checksum;
    }
Volume Label Directory Entry (Offset, Description, Comments):
0 (0x00): Entry type, 0x83
1 (0x01): CharacterCount, length in Unicode characters (max 11)
2 (0x02): VolumeLabel, Unicode string
24 (0x18): Reserved
If the volume is formatted without a label, the Volume Label Entry will be present but Entry Type will be set to 0x03 (not in use).
File Directory Entry: The File directory entry describes files and directories. It is a primary critical directory entry and must be immediately followed by 1 Stream Extension directory entry and from 1 to 17 File Name directory entries. Those 3-19 directory entries comprise a directory entry set describing a single file or a directory. (Offset, Size, Description, Comments):
0 (0x00), size 1: Entry type, 0x85
1 (0x01), size 1: SecondaryCount, must be from 2 to 18
2 (0x02), size 2: SetChecksum
4 (0x04), size 2: FileAttributes (see below)
6 (0x06), size 2: Reserved1
8 (0x08), size 4: CreateTimestamp
12 (0x0C), size 4: LastModifiedTimestamp
16 (0x10), size 4: LastAccessedTimestamp
20 (0x14), size 1: Create10msIncrement, 0..199
21 (0x15), size 1: LastModified10msIncrement, 0..199
Table 1
164. file or by individually applied file name pattern, depending on file type. For more information, read File renaming patterns by File Type on page 86. Create custom file organizing rule: Active UNDELETE can use custom file organizing rules to group and/or rename files before recovery. In addition to the predefined file organizing rules, the user can create custom rules in the File Organizer dialog and either apply (run) them immediately or use them from the context menu. 1. Open File Organizer dialog: Click the Organize Files > Customize command in the toolbar of a view where File Organizer is used. [Screenshot residue: File Organizer dialog. Dialog text: Using this dialog you can specify the folder hierarchy for folder presets. Some presets are already defined and shown as default (not editable). Create your own folder preset or edit an existing one. The file naming template can be set individually for each preset using name tags. Folder patterns listed: By Created Date, By Modified Date, By Accessed Date, By File Extensions, By Applications, Preset for images. Callouts: Click to modify file renaming patterns by File Type; Double-click to add pattern's description; Double-click to add folder pattern.]
165. fined to specify the part of a disk used in RAID assembly. By default, the entire disk is used in the disk array. 4. Specify the virtual array type. Select one of the supported RAID types: Simple volume; Spanned array; Mirror (RAID 1); Stripe (RAID 0); RAID 5, left asynchronous (default value); RAID 5, left synchronous; RAID 5, right asynchronous; RAID 5, right synchronous. 5. Set additional options if required: In Block size, specify the stripe block size in kilobytes. Required for Stripe and RAID 5 arrays only. 6. Click Create Virtual RAID. As a result, the assembled virtual RAID must appear in the Recovery Explorer view as a device ready for scanning or other actions applicable to virtual devices. Decrypt recovered files: During the recovery of encrypted files to any destination that doesn't support encryption, Active UNDELETE creates temporary EFS files. These files can be decrypted later at any time by using the File Decryption Tool. 1. Open the Decrypt Files dialog: use the Tools command and select Decrypt Files from the main menu; or from the Tools tab in the command bar, choose the Decrypt Files command. 2. Add files to decrypt: Add temporary recovered encrypted files efs or open the Decrypted Files log txt
166. folder pattern choices. Each following folder pattern depends on the previous choice. E.g. if a media file pattern is selected, then all following pattern choices will be relevant to media files. See File attributes and meta tags on page 89 for more info. 4. Set file rename rule (optional) by selecting one of the options: leave the default Use original file name option selected to skip file renaming; select Use file name pattern and enter a file name pattern to rename all files in the rule; or select the Rename by File Type option to rename all files in the rule by the renaming patterns associated with supported file types. See File renaming patterns by File Type on page 86 for details. 5. Confirm and apply changes: Click the Run button to apply and execute the selected rule, or click the Apply button to save changes. After the rule is created, it will be automatically added to the drop-down Organize Files menu in all related views and appear in the context menu for file folders or file groups. Note: Using file meta attributes for grouping or renaming may seriously impact file organizing performance. File renaming patterns by File Type: By applying a file organizing rule, applicable files can be renamed by using a file name pattern specific to each supported File Type. In the File Name Patterns dialog, the user can review and modify these patterns if necessary. 1. Open File Organizer dialog: To modify file renaming patterns for a specific file type, open the File Organizer dialog first. Click Organize Files >
167. g actions with virtual partitions: Create virtual copy of existing partition on page 56: Create a virtual copy of a real partition, changing any attribute of its geometry without affecting disk partitioning. Create virtual partition on page 55: Besides a copy of a real partition or volume, you can create a custom partition linked to any physical device without changing data. Edit virtual partition on page 57: You can change the attributes of a virtual partition at any time. To delete a virtual partition, select it in Recovery Explorer and click the Delete button in the toolbar, or use the context menu command Delete, or press the Del key for the same purpose. Create virtual partition: To create a virtual partition in Active UNDELETE, proceed as follows: 1. Select disk (physical device): Select a disk (physical device) node in Recovery Explorer. Use Expert Device View, Partition View or Enhanced View modes. Select a disk (physical device) node in the Partition Manager device list or in the Disk Navigator tree. 2. Open the Create Virtual Partition dialog: from the Partition Manager toolbar, click the Create Virtual Partition button; use the command Actions > Create Virtual Partition from the main menu; or right-click the selected item and click the Create Virtual Partition command from the context menu. 3. Adjust dialog
168. [Screenshot residue: disk image properties (caption, description, image completed, image validated, compression level, media type, bytes per sector 512, sectors per track 63, tracks per cylinder 255, checksum) and the list of disk image chunks.] Click OK to open the disk image, or click the Compose button to alter the disk image configuration (see next step). 3. Compose Disk Image (optional): If there is no DIM file for the Disk Image, or to open third-party Disk Images, click the Compose button. Add Disk Image chunks and provide disk geometry attributes if necessary. The final Disk Image configuration can be saved in a Disk Image Configuration (DIM) file for later use. [Screenshot residue: Compose Disk Image dialog with Caption, Image chunks, Image Type, Media Type, Bytes per Sector, Sector per Track and Track per Cylinder fields and Remove, Move Up and Move Down buttons.] Dialog Options: Caption: Enter any label to distinguish the newly opened disk image among other devices and disks. Disk Image Chunks: A Disk Image consists of one or many files which contain the actual image data. A Disk Image can be cut into several files (chunks) during creation for better space
169. [Screenshot residue: RAID Type and Block Size panel (RAID type Mirror (RAID 1), block size 512 bytes, sectors per block 1) with Offset and Size fields in sectors; hint text: To create Mirror (RAID 1) select two Data Storage devices.] Dialog Options: RAID Type: RAID type. See the article Disk Arrays RAID's on page 126 for information about how to select the proper RAID type. Block size: Size of the stripe block in bytes. Applicable only for stripe or RAID 5 array types. Sectors per Block: Size of a block in sectors. Offset: Offset of the selected disk area from the beginning of a disk, in sectors. Size: Size of the selected area in sectors. Select disks from the list of Available Data Storage Devices by double-clicking or using check marks. Double-click a disk in the Available disks list to move it to the Selected disks list, or select a disk in the Available disks list and click the Add button. To change the order of a disk in the Selected disks list, select it and click Move Up or Move Down. To remove a disk from the Selected disks list, double-click a disk in the Selected disks list, or select the disk and click the Remove button. To remove all disks from the Selected disks list, click Remove All. Specify used disk range: Drag the sliders to the desired position to mark the used disk range, or enter exact values in the Offset and Size text boxes. Note: For each selected disk use
170. gnized by Windows NT. CE 13 46 30: Volume Serial Number. A unique number that is created when you format the volume. NO NAME: Volume Label. This field was used to store the volume label, but the volume label is now stored as a special file in the root directory. System ID: Either FAT12 or FAT16, depending on the format of the disk. Tip: For more detailed information, see the resource kits on Microsoft's web site, http://www.microsoft.com/windows/reskits/webresources/default.asp, or Microsoft Developers Network (MSDN), http://msdn.microsoft.com. FAT (File Allocation Table): Understanding of underlying mechanisms of data storage organization and data recovery. The FAT file system is named for its method of organization, the file allocation table, which resides at the beginning of the volume. To protect the volume, two copies of the table are kept in case one becomes damaged. In addition, the file allocation tables must be stored in a fixed location so that the files needed to start the system can be correctly located. The file allocation table contains the following types of information about each cluster on the volume (see example below for FAT16): Unused (0x0000); Cluster in use by a file; Bad cluster (0xFFF7); Last cluster in a file (0xFFF8-0xFFFF). There is no organization to the FAT folder structure, and files are given the first available location on the volume. The starting cluster number is the
171. [Screenshot: list of file signatures to detect] Note: See Scan Disk (Physical Device) on page 29 for more information. Evaluate scan results: Detected files, if any, are grouped in a special virtual folder, Files by Signatures. Due to the particular qualities of this algorithm, it is impossible to recover original file names, dates and other attributes. To evaluate the integrity of some of the detected files, you can use the File Preview (on page 36) feature. [Screenshot: scan results, with the callout "Files detected by their signatures will be collected in one special folder"] Note: The number of selected file signatures directly impacts the total scan time. Recover files and folders: Active@ UNDELETE is an advanced data recove
172. h it later. Before you start recovering the deleted files, it may be a good idea to create a Disk Image for this drive, if you have enough space on another drive. Why? Because if you do something wrong while recovering the files (for example, recovering them onto the same drive could destroy their contents), you will still be able to recover these deleted files and folders from the Disk Image that you have wisely created. Active@ UNDELETE provides extensive functionality to operate with Disk Images. You can create an image of either Logical disk, Device or Partition, and save it as one large file or split it into image chunks of the size you prefer for later use. When you create a Disk Image, it is stored in at least two files: one is the configuration file, with file extension DIM, and the second is the actual image body file. If you decide to save the disk image chopped into pieces (chunks), then there can be as many image body files as required to save the data. Here is an example: If you save a raw disk image with the name MyImage, the application creates a file named MyImage.dim. This is the configuration file. Data is stored in a file named MyImage.dim.001. If more than one file is created, the next file is named MyImage.dim.002, and so on. The data file can be split into several files (chunks), which can be useful if you want to save the Disk Image on a CD or Data DVD. When to use Disk Image: Raw disk images are very helpful in data recovery. Here are some reasons why a
173. he Wizard. After the recovery wizard has completed, you can open the destination folder to which the files were recovered. Use the default OS File Explorer, or repeat the wizard again to scan another logical drive. Note: All scan results will remain available after the wizard closes. File Recovery Expert Wizard (Active@ UNDELETE file recovery wizards): The File Recovery Expert wizard is a universal guided tool that allows the recovery of files from logical drives or data storage devices where files are detected by file signatures. Select the logical drive or data storage device to be scanned for deleted files. Depending on your selection, use the following instructions. Recover files from Logical Drives: See the Recover Deleted Files Wizard on page 96 for further instructions. Recover files from Data Storage Devices: See the Recover Files sections in Recover Files by Signature Wizard on page 98, Recover files from a deleted partitions wizard on page 104, for further instructions. Disk Image Wizards: Create a Disk Image Wizard: Active@ UNDELETE is an advanced data recovery tool designed to recover lost or deleted data, or even information from formatted hard disks. This wizard guides you through simple steps to create a Disk Image of a data storage device or a logical drive. A Disk Image is a single file or a series of files that stores all the data from your logical drive or physical device as a mirror image. Having a Disk Image can be usef
174. he first data cluster becomes invalid and further entry restoration is not possible. Third, we assume that the file data clusters are safe (not overwritten with other data). The fewer write operations have been performed on the drive where the deleted file resided, the greater the chance that the space occupied by the data clusters of the deleted file has not been used for other data storage. Important: As general advice after data loss: 1. DO NOT WRITE ANYTHING ONTO THE DRIVE CONTAINING YOUR IMPORTANT DATA THAT YOU HAVE JUST DELETED ACCIDENTALLY. Even data recovery software installation could spoil your sensitive data. If the data is really important to you and you do not have another logical drive to install software to, take the whole hard drive out of the computer and plug it into another computer where data recovery software has already been installed, or use recovery software that does not require installation, for example recovery software which is capable of running from a bootable floppy. 2. DO NOT TRY TO SAVE ONTO THE SAME DRIVE DATA THAT YOU FOUND AND ARE TRYING TO RECOVER. When saving recovered data onto the same drive where sensitive data is located, you can interfere with the recovery process by overwriting FAT/MFT records for this and other deleted entries. It's better to save data onto another logical, removable, network or floppy drive. Disk scan for deleted entries: Understanding of underlying mechanisms of data storage organization and data rec
175. here size of the file being calculated. Note: If field SCRIPT is present, then field FOOTER is ignored in the template header section. Beginning of the file section: Section describing the file beginning (required); contains fields of the same type: snignatume M Mois cpm lt O Teer enc. signature: expression (regular or RegExp-compatible). Expression max length is 1024 bytes. offset start: acceptable minimal signature offset from the beginning of the file. offset end: acceptable maximum signature offset from the beginning of the file. Note: If there are several fields listed in the signature beginning, a logical AND operation is applied to confirm the file start. End of file section: Section describing the file end (not required); contains fields of the same type: signature, bytes to append. signature: expression (regular or RegExp-compatible). Expression max length is 1024 bytes. bytes to append: not required. How many bytes to append to the file after the signature is found. Note: If there are several fields listed in the signature, a logical OR operation is applied to define the file end. File size calculation script: Section calculating the file size (not required); contains operators of four types: result command <argument> <argument>; <result> <argument>; IF <argument> <condition> <argument> GOTO <label>; GOTO <label>. Commands: READ, ENDIAN, SUM, SUB, MUL, DIV, SHR, SHL, AND, OR and XOR. Mo
176. ia MPG Files Shockwave Flash Files swf Sony SRF Raw Images srf mpg Windows ASF Container asf Sony SR2 Raw Images sr2 QuickTime multimedia MQV Files Windows Media Video wmv Sigma Raw Images x3f mqv e Windows Media Audio wma Hasselblad 3F Raw Images 3fr QuickTime multimedia SDV Files sdv MPEG Transport Stream mts Panasonic LX3 LX5 Raw Images Miscellaneous Material Exchange Format mxf wa DJVU Files djvu Real Media Format rmf Seiko Epson Raw Images erf QuickBooks Files qbw Monkey s Lossless Audio File ape Kodak KDC Raw Images kdc Corel Draw Files cdr e WavPack Audio Stream wvc Kodak DCR Raw Images dcr Compiled HTML Help chm M uL ede Leaf Aptus Raw Images mos FileMaker Pro 3 0 File fp3 Simple Avdio Pile an Due Mae Ped f FileMaker Pro Database fp5 e Autodesk Animation fli e Multiple image Network Graphics FileMaker Pro Ver 7 Database fp7 2 mn Autodesk Animation Clip flc gl FileMaker Pro Document fmp12 Free Lossless Audio Codec File flac Audio Interchange File aiff l Advanced Audio Coding File aac Compressed Audio Interchange Compressed Archives File aifc RAR Archives rar e Mamiya Raw Interchange mef ZIP Archives zip LZH Archives 1zh gif e ARJ Archives arj e CAB Archives cab e GZip Archives gz
177. ialog: From the toolbar, click the Resize button, or use the command Actions > Resize from the main menu. Right-click the selected item and click the Resize command from the context menu. 3. Use the Resize Volume dialog to define the new partition (volume) size. [Figure 28: Resize Volume dialog] Dialog Options: Resize options: Use the radio buttons to expand to use the maximum space available or shrink to the last used cluster. Use the custom option to define the exact new size of the partition. Note: Use the device control drag-n-release feature to set the approximate partition size. Warning: Logical drive (volume) resize is not part of the Rollback feature; all changes are final and cannot be undone. 4. Click Resize to resize the selected partition (volume). Edit boot sectors: Active@ UNDELETE is an advanced data recovery
178. ift so max cluster size is 32 MB 110 Ox6E NumberOfFats 2 is for TexFAT only 111 Ox6F DriveSelect Extended INT 13h drive number typically 0x80 112 0x70 PercentInUse 0 100 percentage of allocated clusters rounded down to the integer OxFF percentage is not available 113 0x71 7 Reserved 120 0x78 390 BootCode 510 0x1FE 2 BootSignature 512 0x200 2 BytesPerSectorShift ExcessSpace 512 Table 5 Volume Flags Field ActiveFat 0 First FAT and Allocation Bitmap are active 1 Second VolumeDirty 0 clean 1 dirty MediaFailure 0 no failures reported or they already marked as BAD clusters 1 some read write operations failed ClearToZero no meaning Reserved Extended Boot Sector Description Comments 0 0x00 2 BytesPerSectorShift 4 ExtendedBootCode 2 BytesPerSectorShift 4 4 ExtendedBootSignature 0xAA550000 Whole sector is used for boot code except last 4 bytes used for signature in each sector If Extended Boot Sector is not used it should be filled with 0x00 Extended signature must be preserved OEM Parameters Description Comments 0 0x00 48 Parameters 0 File Systems 143 Offset i Description Comments 432 0x1B0 48 Parameters 9 480 0x01E0 2 BytesPerSectorShift Reserved 480 OEM parameters are ignored by Windows but can be used by OEM implementations OEMs can define their own parameters with unique GUIDs All unused Paramete
179. ined 20 0x14 FirstCluster 0 no cluster allocation 2 ClusterCount 1 cluster index 24 0x18 DataLength In bytes Table 8 Enty Types description Description Comments Code Importance 0 Critical entry 1 Benign entry Category 0 Primary entry 1 Secondary entry In use status 0 Not in use 1 In use EntryType can have the following values 0x00 End Of Directory marker All other fields in directory entry are invalid All subsequent directory entries are also End Of Directory markers 0x01 0x7F InUse 0 All other fields in this entry are not defined 0x81 0xFF InUse 1 Regular record with all fields defined Table 9 Generic Primary Directory Entry Template Offset i Description Comments 0 0x00 1 EntryType 1 0x01 1 SecondaryCount Number of secondary entries which immediately follow this primary entry and together comprise a directory entry set Valid value is 0 255 2 0x02 2 SetChecksum Checksum of all directory entries in the given set excluding this field See EntrySetCheckSum 4 0x04 2 GeneralPrimaryFlags see below 6 0x06 14 CustomDefined File Systems 146 Offset i Description Comments 20 0x14 FirstCluster 24 0x18 DataLength Description Comments AllocationPossible 0 not possible FirstCluster and DataLength undefined 1 possible NoFatChain 0 FAT cluster chain is valid 1 FAT cluster chain is not used contiguous
180. inistrators and advanced users only. If the emergency repair process is successful, your computer will automatically restart and you should have a working system. Recovery Console: Recovery Console is a command-line utility similar to the MS-DOS command line. You can list and display folder content, copy, delete and replace files, format drives, and perform many other administrative tasks. To run Recovery Console, boot from Windows bootable disks or CD and choose the Repair option when the system suggests that you proceed with installation or repairing, and then press C to run Recovery Console. You will be asked which system you want to log on to and then for the Administrator's password; after you have logged on, you can display the drive's contents, check the existence and safety of critical files and, for example, copy them back if they have been accidentally deleted. Recovery Software: Third-party recovery software in most cases does not allow you to deal with system files due to the risk of further damage to the system; however, you can use it to check for the existence and safety of these files, or to perform virtual partition recovery
181. ink tracking service that maintains the integrity of shortcuts to files as well as OLE links within compound documents. For more detailed information, see the resource kits on Microsoft's web site, http://www.microsoft.com/windows/reskits/webresources/default.asp, or Microsoft Developers Network (MSDN), http://msdn.microsoft.com. NTFS Partition Boot Sector: Understanding of underlying mechanisms of data storage organization and data recovery. The next table describes the boot sector of a volume formatted with NTFS. When you format an NTFS volume, the format program allocates the first 16 sectors for the boot sector and the bootstrap code. (Table columns: Byte Offset, Field Length, Field Name.) 3 bytes: Jump Instruction; LONGLONG: OEM ID; 25 bytes: BPB; 48 bytes: Extended BPB; 426 bytes: Bootstrap Code; WORD: End of Sector Marker. On NTFS volumes, the data fields that follow the BPB form an extended BPB. The data in these fields enables Ntldr (NT loader program) to find the master file table (MFT) during startup. On NTFS volumes, the MFT is not located in a predefined sector, as on FAT16 and FAT32 volumes. For this reason, the MFT can be moved if there is a bad sector in its normal location. However, if the data is corrupted, the MFT cannot be located, and Windows NT/2000 assumes that the volume has not been formatted. The following example illustrates the boot sector of an NTFS volume formatted while running Windows 2000. The printout is formatted in three
182. ion or adaptation) without written permission from LSOFT TECHNOLOGIES INC. LSOFT TECHNOLOGIES INC. reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of LSOFT TECHNOLOGIES INC. to provide notification of such revision or change. LSOFT TECHNOLOGIES INC. provides this documentation without warranty of any kind, either implied or expressed, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. LSOFT may make improvements or changes in the product(s) and/or the program(s) described in this documentation at any time. All technical data and computer software is commercial in nature and developed solely at private expense. As the User, or Installer/Administrator of this software, you agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in, or delivered to you in conjunction with, this User Guide. LSOFT.NET logo is a trademark of LSOFT TECHNOLOGIES INC. Active@ UNDELETE Overview: Active@ UNDELETE is an advanced data recovery tool designed to recover lost or deleted data, or even information from formatted hard disks. Active@ UNDELETE is a software application designed to help you restore your lost data from deleted files, folders, or even partitions. Main Features (short list): Recover deleted files and folders
183. irectly when some attributes are detected incorrectly or need adjustments. Any detected partition can be cloned (virtually copied) before manually altering partition attributes and properties. We recommend that you edit the clone rather than directly edit the original partition. Any detected partition can be cloned as many times as you want. Clone detected partition: 1. Select a detected partition in the Recovery Explorer tree. 2. To clone the selected partition, do one of the following: From the Recovery Explorer toolbar, click Clone Partition. Right-click the selected partition and click Clone from the context menu. Edit the boot sector template in detected partition: 1. Select a detected partition in the Recovery Explorer tree. 2. To open the Edit Boot Sector Template dialog box, do one of the following: From the Recovery Explorer toolbar, click Edit Partition. Right-click the selected partition and click Edit Partition from the context menu. 3. In the Edit Boot Sector Template dialog box, edit the Primary or Copy Boot sectors separately or simultaneously by entering values in the designated fields. Restore detected partition: Active@ UNDELETE is an advanced data recovery tool designed to recover lost or deleted data, or even information from formatted hard disks. We recommend that you restore a partition with a certainty status of Acceptable or higher. Before you restore a partition, you may clone or edit the partition direct
184. irectory Entry on page 147 Up Case Table Directory Entry on page 147 Volume Label Directory Entry on page 148 File Directory Entry on page 148 e Volume GUID Directory Entry on page 150 TexFAT Padding Directory Entry on page 151 Windows CE Access Control Table Directory Entry on page 151 Stream Extension Directory Entry on page 151 File Name Directory Entry on page 152 Allocation Bitmap Directory Entry Offset i Description Comments 0 0x00 Entry type 0x81 1 0x01 BitmapFlags see below Indicates which Allocation Bitmap the given entry describes 2 0x02 Reserved 20 0x14 First Cluster 24 0x18 Data Length Description Comments Bitmapldentifier 0 Ist bitmap 1 2nd bitmap Reserved The number of bitmaps and therefore a number of Bitmap Allocation entries is equal to the number of FATs In case of TexFAT two FATS are used and bit 0 of Flags indicates which bitmap and FAT are referred The First Allocation Bitmap shall be used in conjunction with the First FAT and the Second Allocation Bitmap shall be used with the Second FAT ActiveFat field in Boot Sector defines which FAT and Allocation Bitmap are active Bitmap size in bytes must be a number of clusters in the volume divided by 8 and rounded up Up Case Table Directory Entry Offset i Description Comments 0 0x00 1 Entry type 0x82 1 0x01 3 Reservedl 4 0x04 4 TableChecksum Up case Table checksum File Systems 148 Offset i D
185. [Figure 6: File Organizer view] All selected files will be added to the File Organizer view, excluding duplicates. You can repeat the commands above and add files from different sources. In the File Organizer view you can remove unwanted files by selecting them and then clicking the Remove button in the toolbar, or click the Clear button in the toolbar to remove files from the File Organizer view. Use the File Organizer feature to group or rename files before recovery: File Organizer is an advanced tool designed to group and rename files using their system attributes or meta attributes before actual recovery. Click on the Organize Files drop-down menu and select one of the predefined file organizing rules to group files in a view: By Created Date, By Modified Date, By Accessed Date, By File Extension, By Application. Select the Organize Files > Customize command to create and apply a custom file organizing rule. Read Create custom file organizing rule on page 84 for more information. When all files are grouped and renamed as desired, select the location to recover files to and change the default options if necessary. Click the Recover All button in the bottom right corner, or click the Recover All button in the toolbar, to recover all files from the File Organizer view to one l
186. isk partitioning. 3. Click OK to complete disk initialization. After disk initialization, the disk should be visible and accessible in Partition Manager for other actions, such as Create partition (on page 61) and more. Create partition: Active@ UNDELETE is an advanced data recovery tool designed to recover lost or deleted data, or even information from formatted hard disks. To create a new partition (Logical Drive): 1. Select partition location: In Partition Manager, select a Disk (Physical Device) or Unallocated space node. 2. Open the Create New Partition dialog: From the toolbar, click the Create New Partition button, or use the command Actions > Create New Partition from the main menu. Right-click the selected item and click the Create New Partition command from the context menu. 3. Adjust dialog options: Use the sliders to specify partition boundaries (offset and size). A mouse click on unallocated space will select it to utilize all space available. [Screenshot: Create New Partition dialog]
187. isplays information in binary and text modes at the same time. You can use this view to analyze the contents of data storage structure elements such as: hard disk drives (disks), partitions, volumes (logical drives), files. To open any of these items in the editor: 1. In the Recovery Explorer tree pane or file pane, select an item. 2. Do one of the following: From the Edit menu, click Open In Disk Editor. Right-click the item and click Open In Disk Editor from the context menu. Disk Editor shows detailed information about the selected object in the information panel on the left side of the view. The right panel displays the binary and text view of the file. After the Disk Editor view appears, you may browse through the content of the open item using the scroll bar, keyboard arrows or the mouse wheel. Click either the binary area or the text area to focus on it. You may also use the Tab key to switch the focus between hexadecimal and text modes. Warning: As with any advanced tool, use extreme caution with the Disk Editor. Changes that you make may affect disk structure integrity. You must be certain that the changes you make are in line with correct data structures before you save changes. Disk Editor Preferences: Disk Editor memorizes its state, and when it is closed those settings are preserved. The settings saved are view options and geometry of windows. Saving Changes: Unle
188. ition also has a Partition Table, which is the last 66 bytes of the sector. The last two bytes of the sector are the end-of-sector marker. These are the entries in an extended Partition Table: The first entry is for the current logical drive. The second entry contains information about the next logical drive in the extended partition. Entries three and four are all zeroes. This format repeats for every logical drive. The last logical drive has only its own partition entry listed. The entries for partitions 2-4 are all zeroes. The Partition Table entry is the only information on the first side of the first cylinder of each logical drive in the extended partition. The entry for partition 1 in each Partition Table contains the starting address for data on the current logical drive, and the entry for partition 2 is the address of the sector that contains the Partition Table for the next logical drive. The use of the Relative Sectors and Total Sectors fields for logical drives in an extended partition is different than for primary partitions. For the partition 1 entry of each logical drive, the Relative Sectors field is the sector from the beginning of the logical drive that contains the Partition Boot Sector. The Total Sectors field is the number of sectors from the Partition Boot Sector to the end of the logical drive. For the partition 2 entry, the Relative Sectors field is the offset from the beginning of the extended partition to the secto
189. ition detected. [Screenshot: list of detected partitions, with columns Status ("Overlapped partition detected"), Total Size and First Sector] Detected partitions are displayed with their recovery status and overall partition integrity. When a partition's Recover Status is "Can be recovered", this partition can be restored as part of disk partitioning. To restore a detected partition, select it in the view and click the Restore button in the view's toolbar, or use the Restore command from the item's context menu. If the partition cannot be restored for any reason, data from this partition can still be recovered. To do so, the partition must be scanned as a regular Logical Drive, and files need to be selected individually and recovered to a safe location. [Screenshot: scan results view]
190. ity mapping 0x0042 B is mapped into itself 0x041 a is mapped into A non identity mapping 0x0042 b is mapped into B Up case Table can be written in compressed format where the series of identity mappings is represented with OxFFFF followed by the number of identity mappings Mandatory First 128 Up case Table Entries Index Table Entries 0000 0000 0001 0002 0003 0004 0005 0006 0007 0008 0009 000A 000B 000C 000D 000E OOOF 0010 0010 0011 0012 0013 0014 0015 0016 0017 0018 0019 001A 001B 001C 001D OO1E OO1F 0020 0020 0021 0022 0023 0024 0025 0026 0027 0028 0029 002A 00258 002 002D 002E 002F 0030 0030 0031 0032 0033 0034 0035 0036 0037 0038 0039 0032 00358 003 003D 003E 003F 0040 0040 0041 0042 0043 0044 0045 0046 0047 0048 0049 004A 004B 004C 004D 004E 004F 0050 0050 0051 0052 0053 0054 0055 0056 0057 0058 0059 005A 005B 005c 005D 005E 005F File Systems 155 0060 0060 0041 0042 0043 0044 0045 0046 0047 0048 0049 004A 004B 004C 004D 004E 004F 0070 0050 0051 0052 0053 0054 0055 0056 0057 0058 0059 005A 007B 007C 007D 007E 007F Remember Non identity mappings are highlighted in bold Mandatory First 128 Up case Table Entries in compressed format Index Table Entries 0000 FFFF 0061 0041 0042 0043 0044 0045 0046 0047 0048 0049 004A 004B 004C 004D 004E 0010 00r 0050 0051 0052 0053 0054 0055 0056 0057 0058 0059 005A FFFF 0
191. ium in the specified drive reserved Reserved member Do not use dpb_first_access Indicates whether the medium in the drive has been accessed This member is initialized to 1 to force a media check the first time this DPB is used dpb_reserved3 Reserved member Do not use dpb_next_free The cluster number of the most recently allocated cluster dpb_free_cnt The number of free clusters on the medium This member is OFFFFh if the number is unknown extdpb_free_cnt_hi The high word of free count extdpb_flags Flags describing the drive The low 4 bits of this value contain the 0 based FAT number of the Active FAT This member can contain a combination of the following values BGBPB F ActiveFATMsk 000Fh Mask for low four bits BGBPB F NoFATMirror 0080h Do not mirror active FAT to inactive FATs Bits 4 6 and 8 15 are reserved extdpb FSInfoSec The sector number of the file system information sector This member is set to OFFFFh if there is no FSINFO sector Otherwise this value must be non zero and less than the reserved sector count extdpb BkUpBootSec The sector number of the backup boot sector This member is set to OFFFFh if there is no backup boot sector Otherwise this value must be non zero and less than the reserved sector count extdpb first sector The first sector of the first cluster extdpb max cluster The number of clusters on the drive plus 1 extdpb fat size The number of sectors occupied by the FAT
192. izard Active UNDELETE is an advanced data recovery tool designed to recover data lost or deleted data or even information from formatted hard disks Some files has unique patterns allowed them to be found by advanced scan process This Wizard will guide you via simple steps to help you to detect files by File Signature It will allow you to review and recover detected files To run this Wizard click Recover Files by Signature from the Wizards menu or click Recover Files by Signature button in Tools Tab in Command Bar 1 Select Logical Drives Select at least one Logical Drive to scan for deleted files by File Signatures Select File Signatures to detect Scan selected Logical Drives for deleted files and folders Scan can be stopped at any time Active UNDELETE Wizards Overview 99 Konica Minolta Raw Images mrw Fuji FinePix Raw Images raf TIFF Images tif Sony Alpha Raw Images arw Canon CR2 Raw Images cr2 b amp Microsoft Office Documents gt 7 amp Formatted Text files 3 4 7 amp Compressed Archives 7 ZIP Archives zip 4 ii amp Images and Camera Raw files E 7 Bitmap Images bmp V Canon CRWRawImages crw 7 Icon Files ico V JPEG Images jpg E 7 7 E 3 B Note Number of File Signatures impacts the scanning time 3 Confirm and Scan Review scan options and initiate scan process by clicking Scan button The scan can be stopped at any
193. k or grow depending on the size of the replaced file In a regular situation you should not be concerned about partition size If the partition size is important however a raw image is the solution Create a Disk Image Active UNDELETE is an advanced data recovery tool designed to recover data lost or deleted data or even information from formatted hard disks Using Active UNDELETE you can create a Disk Image of a volume logical drive or a disk physical device To create disk image 1 Open the Create Disk Image dialog From the Recovery Explorer toolbar click Create Disk Image button or use command Actions gt Create Disk Image from main menu Right click the selected item and click Create Disk Image command from the context menu From the Disk Images tab in Command Bar choose Open Disk Image command 2 Create Disk Image dialog Active UNDELETE Tools Overview 80 f Select Destinatoin Path where to save Disk Image Use compression to save space w x Destination D Virtual Images Dynamic test drive_W_3990 6245 dim Description Disk Image made by Active UNDELETE Data Recovery Toolbox Compression None Raw Data v F Store Disk Image as chunks 4 7 GB DVD 5 Options V Replace existing Disk Image files V Ignore Read Write Errors Use Disk Lock Restore Defaults Cancel Help Dialog Options Multiple disk selection Additional areas on other disks can be selecte
194. k the Reset filter to default button in the toolbar. Files List, Detected Files and Folders: Select the desired files for recovery using check marks. The File Filter can be used to narrow down the files list. Select file(s) to recover and click Next to continue. 4. Recover Files. File Recovery: Select the required options and click Next to continue. [Screenshot: list of detected files and folders with status, size and date columns.]
195. lick an image file and click File Preview from the context menu. Select an image file and click File Preview from the main toolbar. Note: If the previewed file is not an image file, it appears in hexadecimal and text mode. Search for deleted Files and Folders: To help you find deleted files in a long list of files from a scanned drive, you may search the list with specific search criteria and review the results in a Search Results View on page 11. 1. Select a scanned logical drive or scanned detected partition. 2. To open the Search for Files and Folders dialog box, do one of the following: From the main toolbar, click Search. Right-click the selected item and click Search from the context menu. 3. Enter search criteria in Look for, and other search options if required, and click the Search button to start searching in the selected location. [Screenshot: search dialog with the fields Search in and Look for, the tabs Date, Size and File Attributes, and the options Recursive search in subdirectories, Match case, Search among existing only and Search among deleted only.] Figure 17: General Search Options. General Search Options. Recursive search in subdirectories: Use this option to search the root level of the drive and all sub-folders. To search only the root folder, clear
196. lick and hold down the left mouse button and start dragging to select an area. The selected area background will be highlighted. Release the mouse button to finish selecting. You can select an area bigger than will fit on the screen by dragging the mouse beyond the top or bottom edge of the hex editor window. The alternative way to make a selection is to define a beginning and an end of the block. This method might be more convenient when a large area has to be selected, or simply to select data in a particular range. Move the cursor to the position where you want the selection to start and do one of the following: Select the menu command Edit > Beginning of block from the Edit menu in the toolbar. Right-click and select Edit > Beginning of block from the context menu. Press Ctrl+1. Move the cursor to the end of the desired selection and set the end of the selection in a similar way. If you need to select all the data, you can use the Select All command instead. Copying to the clipboard: Select an area of data as described above and either select the command Edit > Copy or press Ctrl+C. The selected area will be copied to the clipboard in binary format. If you later want to insert it into a text editor, use the Copy Formatted command instead. It will copy the data as formatted text. Please note that you can copy a maximum of 1MB of data to the clipboard. Pasting data from the clipboard: If you copied data into the clipboard you c
197. like the following illustrates file association, but not multiple files: program:source_file :doc_file :object_file :executable_file. To create an alternate data stream, at the command prompt you can type commands such as: echo text>program:source_file and more <program:source_file. Important: When you copy an NTFS file to a FAT volume, such as a floppy disk, data streams and other attributes not supported by FAT are lost. NTFS Compressed Files: Windows NT/2000 supports compression on individual files, folders, and entire NTFS volumes. Files compressed on an NTFS volume can be read and written by any Windows-based application without first being decompressed by another program. Decompression occurs automatically when the file is read. The file is compressed again when it is closed or saved. Compressed files and folders have an attribute of C when viewed in Windows Explorer. Only NTFS can read the compressed form of the data. When an application such as Microsoft Word, or an operating system command such as copy, requests access to the file, the compression filter driver decompresses the file before making it available. For example, if you copy a compressed file from another Windows NT/2000-based computer to a compressed folder on your hard disk, the file is decompressed when read, copied, and then recompressed when saved. This compression algorithm is similar to that used by the Windows 98 application DriveSpace 3, with one important differ
198. ll appear and all write errors will be ignored during the recovery process. Ignore Read Errors: No error messages will appear and all read errors will be ignored during the recovery process. 4. Observe recovery process: Observe the recovery process and verify the recovered files in the destination folder. Repeat the recovery process if necessary. Virtual RAID Assembly: Active UNDELETE is an advanced data recovery toolset that allows you to reconstruct damaged or broken RAIDs. To open the Virtual Disk Array Assembly dialog, do one of the following: From the Tools menu, choose the Create Virtual RAID RAID command. From the Tools tab in the Command Bar, choose the Create Virtual RAID command. 3. Select Physical Devices from the list of available devices, in the correct order, and the RAID Type. For each selected device you can individually specify device boundaries if needed. [Screenshot: list of Data Storage Devices available for RAID Assembly.]
199. ll write errors will be ignored during the recovery process. Ignore Read Errors: No error messages will appear and all read errors will be ignored during the recovery process. Existing files conflict resolution. Generate unique file name: If a file with the same name exists in the destination folder, then a file with a unique name will be generated to avoid overwriting. Ask before overwrite: If a file with a certain name already exists in the destination folder, the application will ask the user for a specific action to take. Overwrite without prompt: All files will be overwritten even if they already exist in the destination folder. Skip existing files: If a file with the same name already exists in the destination folder, recovery of that file will be skipped. 3. Decrypt selected files: Set other options if necessary and then click the Decrypt button to complete the task. When the process completes, the decrypted files will appear in the destination folder. Restore Partition: If you cannot see partitions on your device, or if you know that partitions are missing, you may first scan a device to find partitions. Restoring a deleted or damaged partition can be done in three stages: Scan for Deleted Partitions on page 29: Scan a physical device for a deleted or damage
200. ly to adjust its properties. Here are some rules to follow when restoring a partition. Assigning a drive letter: Be aware of the location of executable files or files required by the operating system. Many MS-DOS and Windows programs refer to a specific drive letter when describing a path to executable files. Drives A and B are usually reserved for floppy disk drives, but you can assign these letters to removable drives if the computer does not have a floppy disk drive. Hard disk drives in the computer receive letters C through Z, while mapped network drives are assigned drive letters in reverse order (Z through B). Setting the partition as active: You may set only a primary partition as active. You cannot set a logical drive an extended partition as active. To set a partition as active, the partition must have an MBR (Master Boot Record) as the first sector. A computer can only have one active partition per disk. The name commonly used for the partition that contains the start-up files is the boot partition. The name commonly used for the partition that contains the operating system files is the system partition. The system partition can never be part of a striped volume, spanned volume or RAID 5 volume. The system partition must be a primary partition that has been marked as active for start-up purposes. It must be located on the disk that the computer accesses when starting up the system.
201. m Welcome View or from the sliding Command Bar on the left side of the main view. Active UNDELETE has the following wizards. File Recovery Wizards: Recover Deleted Files Wizard on page 96; Recover Files by Signature Wizard on page 98; Recover Files from a Formatted Partition Wizard on page 101; Recover files from a deleted partitions wizard on page 104; File Recovery Expert Wizard on page 107. Partition Management Wizards: Create a New Partition Wizard on page 113; Restore a Deleted Partition Wizard on page 112. Disk Image Wizards: Create a Disk Image Wizard on page 107; Open a Disk Image Wizard on page 109; Verify a Disk Image Wizard on page 110. Advanced: Create a Virtual RAID Array Wizard on page 115. File Recovery Wizards. Recover Deleted Files Wizard: A wizard designed to recover accidentally deleted files from existing logical drives. 1. Select Logical Drives: Select at least one logical drive to scan for deleted files. 2. Scan: Scan selected logical drives for deleted files and folders. The scan can be stopped at any time. 3. Review volume scan results: Use the File Filter Toolbar on page 40 to narrow down search results. By default, only deleted files and folders are shown. To view all files detected on scanned devices, clic
202. m virtual partition recovery and, in case something is found, display them and give the user an opportunity to save important data to another location. Software like Active UNDELETE or Active UNERASER will help you here. Partition is deleted or Partition Table is damaged. Understanding of underlying mechanisms of data storage organization and data recovery. The information about primary partitions and the extended partition is contained in the Partition Table, a 64-byte data structure located in the same sector as the Master Boot Record (cylinder 0, head 0, sector 1). The Partition Table conforms to a standard layout, which is independent of the operating system. The last two bytes in the sector are a signature word for the sector and are always 0x55AA. For our disk layout we have the following Partition Table:
Physical Sector: Cyl 0, Side 0, Sector 1
0000001B0 SHON D t OE oe
0000001C0 Ol X9 07 ma 7r Sia Sus 00 00 00 40 32 4m 00 OM 00 P 2 o ANE
0000001D0 41 3F 06 FE 7F 64 7F 32 4E 00 A6 50 09 00 00 00 A DdD2N P
0000001E0 dil 65 Ow iid ii 4A 25 93 57 00 66 Gil 39 00 00 00 Ae J WEE OE
0000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA
We can see three existing entries and one empty entry: Partition 1, offset 0x01BE (446); Partition 2, offset 0x01CE (462); Partition 3, offset 0x01DE (478); Partition 4, empty, offset 0x01EE (494). Each Partition Table entry is 16 by
203. n our case means non-compressed, Allocated and Real size of attribute that is equal to our file size (0xDC00 = 56320 bytes), and Data Runs (see the next topic). Define clusters chain for the deleted entry: To define the clusters chain we need to scan the drive, going one by one through all file (NTFS) clusters or free (FAT) clusters presumably belonging to the file, until the total size of the selected clusters equals the file size. If the file is fragmented, the clusters chain will be composed of several extents in the case of NTFS, or we take clusters bypassing occupied ones in the case of FAT. The location of these clusters can vary depending on the file system. For example, a file deleted on a FAT volume has its first cluster in its Root entry; the other clusters can be found in the File Allocation Table. On NTFS each file has a _DATA_ attribute that describes data runs. Disassembling data runs into extents, for each extent we have the start cluster offset and the number of clusters in the extent, so by enumerating extents we can compose the file's cluster chain. You can try to define the clusters chain manually using low-level disk editors; however, it is much simpler to use data recovery tools like Active UNDELETE. Example of defining clusters chain on FAT16: Let's continue examining the example of the deleted file MyFile.txt from the previous topic. The folder we scanned b
204. nable to boot. You'll see error messages like NTLDR is missing. So the next step in the recovery process is to check the existence and safety of system files. For sure, you won't be able to check them all, but you must check at least NTLDR, ntdetect.com and boot.ini, which cause most of the problems. To do it in Windows 95/98/ME, you can boot in Command Prompt Mode or from a bootable floppy and check system files on the command line or with the help of third-party recovery software. To do it in Windows NT/2000/XP, you can use the Emergency Repair Process, the Recovery Console or third-party recovery software. Emergency Repair Process: To proceed with the Emergency Repair Process you need an Emergency Repair Disk (ERD). It is recommended to create this disk after you install and customize Windows. To create it, use the Backup utility from System Tools. You can use the ERD to repair a damaged boot sector or damaged MBR, and to repair or replace missing or damaged NT Loader (NTLDR) and ntdetect.com files. If you do not have an ERD, the emergency repair process can attempt to locate your Windows installation and start repairing your system, but it may not be able to do so. To run the process, boot from the Windows bootable disks or CD and choose the Repair option when the system suggests that you proceed with installation or repairing. Then press R to run the Emergency Repair Process and choose the Fast or Manual Repair option. Fast Repair is recommended for most users, Manual Repair for Adm
205. nation folder to which the files were recovered. Use the default OS File Explorer, or repeat the wizard to scan another logical drive. Note: All scan results will remain available after the wizard closes. Recover Files from a Formatted Partition Wizard: Some files have unique patterns that allow them to be found by an advanced scan process. This wizard guides you through simple steps to help you detect files by their file signature. It allows you to review and recover the detected files. To run this wizard, click Recover Files by Signature from the wizards menu or click the Recover Files by Signature button in the Tools tab in the command bar. 1. Select formatted volumes: Select at least one logical drive to scan from the list of available logical drives, sorted by formatted date. The most recently formatted drive will be selected automatically. [Screenshot: list of logical drives with the columns Name, Status, Formatted and Total Size.]
206. nd annotation labels. A Disk Image Configuration File is created during the Create Disk Image procedure. You can select a Disk Image to be opened by specifying its Disk Image Configuration File. Type in the full path to this file in the edit box, or use the browse button to open a Browse for file dialog and select this file. You can skip this step in order to assemble a Disk Image manually from chunks, supplying all necessary options yourself. 2. Compose Disk Image: Skip this step if the disk image was opened using a configuration file (the information is already entered); otherwise specify all parameters here manually. Typically a Disk Image Configuration File is used to open a Disk Image. This file contains the necessary information about the Disk Image geometry, labels and other information. Nevertheless, a Disk Image can be opened by specifying the actual files (chunks) of an image and other options. This dialog can also be used to open raw Disk Images created by third-party applications, such as WinHex for example. [Screenshot: Compose Disk Image page with the fields Caption, Image chunks, Image Type, Media Type, Bytes per Sector, Sector per Track, Track per Cylinder and Save DIM File As.] Page Options. Caption: Enter any label to distinguish the newly opened disk image among other devices and disks. Disk Image Chunks: A Disk Image
207. ng of underlying mechanisms of data storage organization and data recovery. exFAT uses a tree structure to describe the relationship between files and directories. The root of the directory tree is defined by the directory located at RootDirectoryCluster. Subdirectories are single-linked to their parents. There are no special "." and ".." directories pointing to itself and to the parent, as in FAT16/FAT32. Each directory consists of a series of directory entries. Directory entries are classified as critical/benign and primary/secondary as follows: Primary Directory Entries (Critical Primary Entries, Benign Primary Entries); Secondary Directory Entries (Critical Secondary Entries, Benign Secondary Entries). Critical entries are required, while benign entries are optional. Primary directory entries correspond to the entries in the file system and describe the main characteristics. Secondary directory entries extend the metadata associated with a primary directory entry and follow it. A group of primary/secondary entries makes up a directory entry set describing a file or directory. The first directory entry in the set is a primary directory entry. All subsequent entries, if any, must be secondary directory entries. Each directory entry derives from the Generic Directory Entry template. The size of a directory entry is 32 bytes. Table 7: Generic Directory Entry Template Description Comments 0 0x00 EntryType see below 1 0x01 CustomDef
208. ocation Application Log: This log view monitors each action taken by the application and displays messages, notifications and other service information. Use the messages in this screen to observe and further understand the flow of the recovery process. We recommend that you attach a copy of the log file to all requests made to our technical support group. The entries in this file will help us resolve certain issues. To prepare a log file, turn on the Display Trace Events and Write Log on Disk options in the Preferences dialog box. It is best to save the log file to a physical disk that is different from the disk that holds the deleted data. By doing this, you reduce the risk of writing over the data that you are trying to recover. Welcome View: This view contains the main tools, wizards and recent activity shortcuts, divided into groups for easy access to Active UNDELETE features at application start. Active UNDELETE: Here are some commonly used actions when working with Active UNDELETE Data Recovery Toolkit on a regular basis. Getting Started Data Recovery Wizards Undelete Files Restore
209. [Screenshot: Create Partition dialog.] Figure 25: Create Partition dialog. Partition Geometry. Primary or Extended: The partition can be created as a Primary partition if the number of available Primary partitions is not exceeded, or as an Extended partition. Sector Offset: First sector of the created partition. It can be set exactly by a numerical value entered in the text box or by moving the left slider in the Device View control. Partition Size: Partition size can be set in megabytes or in sectors, depending on the state of the Measure in Sectors check box. Partition Geometry. Mark Partition as Active: The newly created partition will be set as the Active Partition. Assign Drive letter: For a Primary Partition or a Logical Drive on an extended partition, a drive letter can be assigned from the list of drive letters available in the system. Format Partition (optional). Volume label: Text label of the partition (disk). This field can be blank. File System: Select one of the supported file systems: FAT, FAT32 or NTFS. Unit Allocation Size: Depending on the selected file system and total partition (disk) size, the available allocation unit size may be different. The default value of the unit size is recommended. 4. Click the Create button to create the new partition. Afte
210. om formatted hard disks. The Physical Device scan view is used to review scan results, such as Partitions and Files Detected by Signature, made on a Data Storage Device. [Screenshot: Physical Device scan view with a list of disk scans and their completion status; an interrupted scan can be resumed.] Figure 2: Interrupted Physical Device Scan. Device View Control. Tip: It is highly recommended to save scan results for later use (Work with scan results on page 35). In the Device Scan view, scanned devices are represented by the Device View Control. For each selected scan, the Device View control shows a scan progress indicator: a blue stripe means the scan is incomplete, and a solid green stripe means the scan is complete for the selected range. All interrupted (incomplete) scans can be resumed by clicking the Resume button
211. on Manager, select a not initialized Disk (Physical Disk). Open the Initialize Disk dialog: From the Partition Manager toolbar, click the Initialize button or use the command Actions > Initialize from the main menu. Right-click the selected item and click the Initialize command from the context menu. Confirm the disk selection and other options in the opened dialog. [Screenshot: Initialize Disk dialog with the partition style options MBR (Master Boot Record) and GPT (GUID Partition Table), the check boxes Create typical Bootstrap code and Clear Primary Partition table, and the warning: The GPT partition style is not recognized by all previous versions of Windows. It is recommended for disks larger than 2TB or disks used on Itanium-based computers.] Figure 24: Initialize Disk dialog. Dialog options. Partition style: Select either the MBR (Master Boot Record) or GPT (GUID Partition Table) partition style. Note: The GPT partition style is not supported by older versions of Windows. It is recommended for disks larger than 2TB. For all other purposes we recommend using the MBR partition style. Create typical bootstrap code: Default generic bootstrap code will be written if this option is on. Clear Primary partition table: Primary partition table records will be cleared. Warning: It is highly recommended not to clear the primary partition table in case of restoring deleted or damaged d
212. [Screenshot: Edit Partition Table dialog showing Partition Table Entries 1 to 4 at offsets 1BE, 1CE, 1DE and 1EE, each with the fields Active Partition, Start Head, Start Sector, Start Cylinder, File System (hex), End Head, End Sector, End Cylinder, First Sector and Partition size in sectors, and the option Show offset in hexadecimal mode.] Figure 30: Edit Partition Table dialog. To discard all changes and restore all values to the fields in the dialog, click Reset. To save all changes made in the dialog, click Save. Warning: Saving incorrect values might render the partition useless. You may not undo changes that you make in this dialog. Disk Editor Tool. Overview: Disk Editor is an advanced tool for viewing and editing sectors of Physical Disks or Partitions and Volumes, and the contents of any file type. Disk Editor uses a simple low-level disk viewer which d
213. on page 37. Organizer view: The File Organizer view is a utility view that helps to organize files (regroup and rename them using their system or meta attributes) from different sources (scan results, search, etc.) and recover them all at once to a selected location. To add files to the File Organizer view: 1. Select files or folders in the scan result view. 2. In the context menu, select the Add to File Organizer command. [Screenshot: File Organizer view with the toolbar commands Create Rule, Manage Rules, Recover All, Remove and Clear, files grouped by year and month, and the recovery options Recovery destination, Conflict resolution, Errors control and Additional.]
214. only in the $Volume system file. Contains the volume version. Used only in the $Volume system file. Contains the volume label. NTFS includes several system files, all of which are hidden from view on the NTFS volume. A system file is one used by the file system to store its metadata and to implement the file system. System files are placed on the volume by the Format utility. Table 4: Metadata Stored in the Master File Table (columns: System File, File Name, MFT Record, Purpose of the File). Master file table ($Mft, MFT record 0): Contains one base file record for each file and folder on an NTFS volume. If the allocation information for a file or folder is too large to fit within a single record, other file records are allocated as well. Master file table 2 ($MftMirr, MFT record 1): A duplicate image of the first four records of the MFT. This file guarantees access to the MFT in case of a single-sector failure. Further System File entries: Attribute definitions, Root file name index, Cluster bitmap, Boot sector, Bad cluster file, Security file, Upcase table, NTFS extension file. Further File Name entries: $Volume, $AttrDef, $Bitmap, $BadClus, $Secure, $Upcase, $Extend. Log file ($LogFile, MFT record 2): Contains a list of transaction steps used for NTFS recoverability. Log file size depends on the volume size and can be as large as 4 MB. It is used by Windows NT/2000 to re
215. ons. If you do not know the particular disk order, try all possible configurations: write down the current order, assemble the array and check the data in it. If the data is not accessible, try a different order until one works. Some RAID types (Span, RAID5) require a certain stripe block size, thus you will need to specify it in the Options box. If you are not sure of this value, you may try to find it in the Controller's configuration utility (Controller's BIOS), or you can try different block sizes and check the results. The most commonly used values are 32kb, 64kb and 128kb. Confirmation: Review and confirm the parameters for the Virtual Disk Array to be created. Click the Create button to create the Virtual Disk Array. Complete: Click the Finish button to close the Wizard if the RAID was reconstructed successfully; otherwise you will see error messages. A New Data Storage Device and one or several drives (if detected) will appear in the list of devices and drives in the Recovery Explorer. You can work with reconstructed RAID sets the same way as you work with a regular storage device or logical drive, i.e. scan the device for deleted or damaged partitions, scan drives and search for files, recover (copy) files and folders to another safe location, etc. Data Recovery Concept Overview Understanding of underlying mechanisms of data storage organization and data rec
216. ontains actual image data. A Disk Image can be cut into several files (chunks) during creation for better space allocation. In this list you have to specify all the files which make up the image. To add a Disk Image chunk to the list, click the Add New button and use the browse for a file dialog to select a file. To remove a Disk Image chunk, select this chunk in the list and click the Remove button. To modify the order of Disk Image chunks, select any chunk you wish to relocate and use the Up and Down buttons to move the selected chunk in the chunk stack. Image Type: Select the image type you are about to open. Usually it is assigned automatically, depending on the Disk Image chunks added. Raw Disk Image: Raw fragment of a disk. LSoft Disk Image: Disk Image created by any LSoft Technology product. Virtual PC: Disk Images from Virtual PC software. VMWare Image: Disk Images from VMWare software. Media Type: Select the appropriate media type. Usually it is assigned automatically. Use Fixed Disk by default. Bytes per Sector: Enter the sector size in bytes. Sectors per Track: Enter the track size in sectors. Tracks per Cylinder: Enter the cylinder size in tracks. Save DIM File as: In case of manual composition of Disk Image properties, you may save the final configuration file for later use. Click Next to continue. 3. Confirmation: Verify and confirm the parameters for the disk image to be opened. Click Open Disk Image to read the Disk Image structure and open the Disk Image
217. opened. Click Verify Disk Image to read the Disk Image structure and initiate the verification process. 4. Complete: When verification is completed, you will see a verification report indicating the current integrity of your Disk Image. Click Finish to close the Wizard. Partition Management Wizards. Restore a Deleted Partition Wizard: This wizard guides you through simple steps to help you detect and restore deleted or damaged partitions. The Restore Partition wizard guides you through three processes: 1. Detecting deleted or damaged partitions. 2. Analyzing the content of a detected partition and optionally modifying its geometry. 3. Restoring the partition. To start this wizard, do one of the following: From the wizards menu, click Restore Deleted Partitions. Select the Partition Management tab in the command bar and click Restore Deleted Partitions. When the Restore Partition wizard starts for the first time, the first screen describes the process. Clear the Show this page next time check box to avoid seeing this screen the next time you run this wizard. 1. Scan unallocated space: Select an unallocated area by placing check marks in the data storage devices tree and click Next to continue.
218. ot Directory: The root directory on a FAT32 drive is not stored in a fixed location as it is on FAT16 and FAT12 drives. On FAT32 drives, the root directory is an ordinary cluster chain. The A_BF_BPB_RootDirStrtClus member in the BPB structure contains the number of the first cluster in the root directory. This allows the root directory to grow as needed. In addition, the BPB_RootEntries member of BPB is ignored on a FAT32 drive. Sectors Per FAT: The A_BF_BPB_SectorsPerFAT member of BPB is always zero on a FAT32 drive. Additionally, the A_BF_BPB_BigSectorsPerFat and A_BF_BPB_BigSectorsPerFatHi members of the updated BPB provide equivalent information for FAT32 media. BPB (FAT32): The BPB for FAT32 drives is an extended version of the FAT16/FAT12 BPB. It contains identical information to a standard BPB, but also includes several extra fields for FAT32 specific information. This structure is implemented in Windows OEM Service Release 2 and later. A_BF_BPB STRUC, members (each prefixed A_BF_BPB_): BytesPerSector, SectorsPerCluster, ReservedSectors, NumberOfFATs, RootEntries, TotalSectors, MediaDescriptor, SectorsPerFAT, SectorsPerTrack, Heads, HiddenSectors, HiddenSectorsHigh, BigTotalSectors, BigTotalSecto
219. overy. Disk Scanning is a process of low-level enumeration of all entries in the Root Folders on FAT12, FAT16, FAT32 or in the Master File Table (MFT) on NTFS, NTFS5. The goal is to find and display deleted entries. In spite of the different file/folder entry structure for the different file systems, all of them contain basic file attributes like name, size, creation and modification date/time, file attributes, existing/deleted status, etc. Given that a drive contains a root file table, and any file table (MFT, root folder of the drive, regular folder, or even deleted folder) has a location, size and predefined structure, we can scan it from the beginning to the end, checking whether each entry is deleted or not, and then display information for all found deleted entries. Note: Deleted entries are marked differently depending on the file system. For example, in FAT any deleted entry (file or folder) is marked with ASCII symbol 229 (0xE5), which becomes the first symbol of the entry. On NTFS, a deleted entry has a special attribute in the file header that indicates whether the file has been deleted or not. Example of scanning a folder on FAT16: 1. Existing folder MyFolder entry (long entry and short entry):
0003EE20 41 4D 00 79 00 46 00 6F 00 6C 00 0F 00 09 64 00
0003EE30 65 00 72 00 00 00 FF FF FF FF 00 00 FF FF FF FF
0003EE40 4D 59 46 4F 4C 44 45 52 20 20 20 10 00 4A C4 93 MYFOLDER
220. overy. To understand the underlying mechanisms of data storage organization and recovery, the following topics give the essential concepts:
Understanding Hardware and Disk Organization: Basic information about Hard Disk Drives (HDD) and low-level disk organization.
Understanding File System (FAT): The FAT file system is a simple file system originally designed for small disks and simple folder structures. The FAT file system is named for its method of organization, the File Allocation Table, which resides at the beginning of the volume. To protect the volume, two copies of the table are kept in case one becomes damaged. In addition, the file allocation tables and the root folder must be stored in a fixed location so that the files needed to start the system can be correctly located.
Understanding File System (NTFS): The Windows NT file system (NTFS) provides a combination of performance, reliability and compatibility not found in the FAT file system. It is designed to quickly perform standard file operations such as read, write and search, and even advanced operations such as file system recovery, on very large hard disks.
Understanding Recovery Process: Describes basic approaches and techniques of the File and Folder recovery process.
Understanding Partition Recovery Process: Describes the most common partition failures and techniques of their recovery.
Hardware and Disk Architecture
221. [Figure 33: File Organizer dialog] Dialog Options. Caption: Assign a text label for the virtual disk to recognize it in Recovery Explorer (optional). File renaming rules: The user can decide to leave files as is (default value), or rename every one of them by using a file name pattern (see Zunique 85), or choose to rename every file by the file name pattern associated with its file type (see File renaming patterns by File Type on page 86). First and last sector: Select the virtual disk boundaries; by default the entire original physical disk is used. 2. Create a new file organizing rule by double-clicking the gray item labeled Double click to create new folder rule at the bottom of the rule list, or click the Add new rule button in the dialog's toolbar. 3. Add folder patterns: Double-click on child elements in edited rules to open a drop-down control with
222. position or from the end. Next to the offset edit field there are two labels specifying the minimum and maximum allowed values for offsets, displayed as decimal numbers. You can also open this dialog directly by using the shortcut Ctrl+Shift+G. Go to Sector: This command allows jumping to the beginning of a specified sector or cluster. There are two edit fields in this dialog that allow entering a desired location either as a sector number or a cluster number. The Cluster edit field is available only for logical disks and greyed out for all other objects. As with the offset dialog, you can use both decimal and hexadecimal numbers. Next to the edit field is the range of allowed values in brackets. Notice that not all sectors correspond to clusters, but every cluster corresponds to a particular sector. You can enter either a sector value or a cluster value. Depending on which field is active, the dialog will use a sector or cluster. If you enter a number in the cluster edit field, the corresponding sector is displayed automatically. You can also open this dialog directly using the shortcut Ctrl+G. Back and Forward navigation: When you navigate to an access point through the Navigate menu or jump to a specific offset or sector, those addresses are stored in a stack. You can move backward and forward to the previous locations by using the Back and Forward commands located in the Disk Editor Toolbar
223. r containing the Partition Table for the logical drive defined in the Partition 2 entry. The Total Sectors field is the total size of the logical drive defined in the Partition 2 entry. Note: If a logical drive is part of a volume set, the Partition Boot Sector is at the beginning of the first member of the volume set. Other members of the volume set have data where the Partition Boot Sector would normally be located. Tip: For more detailed information see resource kits on Microsoft's web site http://www.microsoft.com/windows/reskits/webresources/default.asp or Microsoft Developers Network (MSDN) http://msdn.microsoft.com. Disk Arrays (RAIDs). Redundant array of independent disks (RAID) is a storage technology that combines multiple disk drive components into a logical unit. Data is distributed across the drives in one of several ways, called RAID levels, depending on what level of redundancy and performance (via parallel communication) is required. RAID Types: RAID 0; RAID 1; RAID 2; RAID 3; RAID 4; RAID 5; Parity Tables Left Synchronous. RAID 0: This technique has striping but no redundancy of data. It offers the best performance but no fault tolerance. RAID 1: This type is also known as disk mirroring and consists of at least two drives that duplicate the storage of data. There is no striping. Read performance is improved since either disk can
224. r partition created, it should appear in Partition Manager, available for other actions like formatting. Change partition attributes. To change logical drive (partition) attributes: 1. Select volume: In Partition Manager, select a logical drive (partition) node. 2. Open the Partition Attributes dialog: From the Partition Manager toolbar, click the Change Attributes button, or use the command Actions > Change Attributes from the main menu. Right-click the selected item and click Change Attributes from the context menu. [Figure 26: Create Partition dialog] Select a new drive letter from the drop-down list of available drive letters and enter a volume label if necessary. 3. Click OK to complete the changes. After the command is complete, the volume item should appear in Partition Manager with the new attributes. Format partition. To format a Logical Drive (Partition): 1. Select volume: In Partition Manager, select a Logical Drive (Partition) node. 2. Open the Format Partition dialog: From the toolbar, click the Format button or use the command Actions > Format from the main m
225. r working with Active UNDELETE. [Screenshot: General Settings page. Application Start: Show Welcome Page, Check for available updates at application start, Show Splash Screen, Autoload last saved Session. Wizards: When you use the software the next time, configuration settings are loaded and Wizards will display the last saved parameters. To restore the configuration to the original settings, as they were right after the software was installed, click the Reset to Defaults button.] General Settings Options. Show Welcome page: Show or hide the welcome dialog at application start. Check for available updates at application start: Each time Active UNDELETE starts, it will check for an available update or upgrade and prompt for download if a newer version is available. Show splash screen: Enable or disable the splash screen at application start. Auto load last saved session: When this option is on, at application start Active UNDELETE will load the latest saved session state, such as environment configuration, opened Disk Images and Scan Results. See Using Scan Results on page 32. Reset wizards to default: Restores the original wizard settings and page sequence to the default state. [Screenshot: Change how Active UNDELETE looks and feels. Display: Show Context Help Panel, Show Command Bar, Toolbars style (Large Icons with text), Miscellaneous]
226. rameter Block and Extended BIOS Parameter Block Fields
Byte Offset | Field Length | Sample Value | Field Name
0x0B | WORD | 0x0002 | Bytes Per Sector
0x0D | BYTE | 0x08 | Sectors Per Cluster
0x0E | WORD | 0x0000 | Reserved Sectors
0x10 | 3 BYTES | 0x000000 | always 0
0x13 | WORD | 0x0000 | not used by NTFS
0x15 | BYTE | 0xF8 | Media Descriptor
0x16 | WORD | 0x0000 | always 0
0x18 | WORD | 0x3F00 | Sectors Per Track
0x1A | WORD | 0xFF00 | Number Of Heads
0x1C | DWORD | 0x3F000000 | Hidden Sectors
0x20 | DWORD | 0x00000000 | not used by NTFS
0x24 | DWORD | 0x80008000 | not used by NTFS
0x28 | LONGLONG | 0x4AF57F0000000000 | Total Sectors
0x30 | LONGLONG | 0x0400000000000000 | Logical Cluster Number for the file $MFT
0x38 | LONGLONG | 0x54FF070000000000 | Logical Cluster Number for the file $MFTMirr
0x40 | DWORD | 0xF6000000 | Clusters Per File Record Segment
0x44 | DWORD | 0x01000000 | Clusters Per Index Block
0x48 | LONGLONG | 0x14A51B74C91B741C | Volume Serial Number
0x50 | DWORD | 0x00000000 | Checksum
Protecting the Boot Sector: Because a normally functioning system relies on the boot sector to access a volume, it is highly recommended that you run disk scanning tools such as Chkdsk regularly, as well as back up all of your data files to protect against data loss if you lose access to a volume. Tip: For more detailed information see resource kits on Microsoft's web site http://www.microsoft.com/windows/reskits/webresources/default.asp or Microsof
227. raw disk image can be used for data recovery. Data recovery technologies are based on searching the unused space on a partition for traces of deleted, lost or damaged files and folders. So-called unused space on a partition is not recognized by the file system and is not saved to a regular disk image. However, this space does contain valuable data information, and it is saved to a raw disk image. The uncompressed raw disk image file contains a sequence of sectors that is unchanged from the original. There are no headers or other application-specific identifiers added. As a result, the raw disk image can be viewed by any data rescue software as a mirror of your drive. If the integrity of the data on your live disk is questionable, you may want to experiment with the data on the partition image instead. If file size is an issue, a compressed raw image may be used. Active UNDELETE is an example of data recovery software which can work with both compressed and uncompressed raw images. Raw images have no regard for the file system type. During the raw disk image recording process, all sectors are backed up. An image of any partition can be restored by using Active Disk Image software. If you want the data from a file to be restored from the disk image to the exact same location as before, then use a raw disk image. A regular image saves all current data but restores files to different sectors, allowing the partition to shrin
228. rds i e not email amp amp match ampersands but not amp b Eric Eirik b match Eric or Eirik html using a wildcard. Editing with Disk Editor: The Disk Editor allows you to edit the content of a selected part of an opened object. By default, the Disk Editor shows the content of an object in Read Only mode, which prevents accidental modifications. In Edit mode you can change the content of the opened file or disk, and all modifications are stored in memory. Changes are written to the drive when you click Save. To toggle between Read Only and Edit modes, do one of the following: From the Disk Editor toolbar, choose Edit > Allow Edit content. Right-click in the edit pane and choose Allow Edit content from the context menu. When you copy selected text from the edit pane to the clipboard, you may store it there in one of two formats using the following commands: Copy: selected data is copied into the clipboard as binary. Copy Formatted: selected data is copied as formatted text suitable to paste into a text editor. Working with selection: In order to select data in the Disk Editor Area c
229. Scan Disk (Physical Device); Scan for Deleted Partitions; Edit or Clone Detected Partitions; Restore detected partition; Using Scan Results; Stop and Resume Scan; Filter detected partitions by certainty; Work with scan results; File Preview; Search for deleted Files and Folders; File Filter Toolbar; Supported File Signatures; Custom (user defined) file signature templates; Custom Signatures Size Script; How to Use Wildcards; Application Preferences; Virtual Storage; Create virtual disk; Virtual partitions
230. read qword temp temp sum header 10h if size gt temp goto exit size 0 SWF HEADER ESCRIPTION Adobe Flash SWF XTENSION swf D B E F EGIN SWF_BEGIN CRIPT SWF SCRIPT SWF BEGIN WS 0 0 SWF SCRIPT data read byte 3 if data lt 10h goto exit size read dword 4 if size lt 8 goto exit Using Active UNDELETE Overview 47 Using Active UNDELETE Overview 48 size 0 PST HEADER DESCRIPTION Outlook Archive EXTENSION pst BECIE STERO leyea C ION SORTEM ERSTES GESSISSE PST BEGIN BDN 0 0 PST SCRE data read byte 10 if data OEh goto valid ie Cere 17a EC OS Ome Sans size read dword 184 goto exit Waele size read dword 168 MRW HEADER ESCRIPTION Minolta Camera Images XTENSION mrw e EGIN MRW BEGIN RE Se NEWESECR TEN MRW_BEGIN x0O0MRM 0 0 MRW_SCRIPT data read dword 4 if data 0 goto exit width read word 24 if width 0 goto exit width endian word width height read word 26 if height 0 goto exit height endian word height pixel read byte 32 if pixel 0 goto exit pixel mul pixel width pixel mul pixel height pixel div pixel 8 size endian dword data size sum size pixel size sum size 8 MID HEADER
231. ready exists in the destination folder, the application will ask the user what action to take. Overwrite without prompt: All files will be overwritten in the event they already exist in the destination folder. Skip existing files: If a file with the same name exists in the destination folder, the recovery of a new file will be skipped. Additional Options. Create Folder Structures: When this option is selected, files will be recovered with their original folder structures, e.g. the original folder hierarchy as it was on the source storage device. In case the files were organized in groups by date, file extensions or an associated application, then such groupings will be created by the folder structure in the location where the files will be recovered to. Recover Name Streams: With this option on, files will be recovered with their original named streams. Verify the default recovery options and click Next to continue. 6. Confirm Recovery: Review the recovery options, destination path, etc. and click Recover to start recovering files. 7. Complete wizard: Click to close the Wizard. After the recovery wizard has completed, you can open the destination folder to which the files were recovered. Use the default OS File Explorer or repeat the wizard again to scan another logical drive. Note: All scan results will remain available after the wizard closes. Recover files from a deleted partitions wizard. Active UNDEL
232. ree sides available for data. Track positioning data is written to the disk during assembly at the factory. The system disk controller reads this data to place the drive heads in the correct sector position. Master Boot Record (MBR). Understanding of underlying mechanisms of data storage organization and data recovery. The Master Boot Record, created when you create the first partition on the hard disk, is probably the most important data structure on the disk. It is the first sector on every disk. The location is always track (cylinder) 0, side (head) 0, and sector 1. The Master Boot Record contains the Partition Table (on page 122) for the disk and a small amount of executable code. On x86-based computers, the executable code examines the Partition Table and identifies the system partition. The Master Boot Record then finds the system partition's starting location on the disk and loads a copy of its Partition Boot Sector into memory. The Master Boot Record then transfers execution to executable code in the Partition Boot Sector. Note: Although there is a Master Boot Record on every hard disk, the executable code in the sector is used only if the disk is connected to an x86-based computer and the disk contains the system partition. The figure below shows a hex dump of the sector containing the Master Boot Record. The figure shows the sector in two parts. The first part is the Master Boot Record, which oc
233. reserved3 DD ?
dpb_next_free DW ?
dpb_free_cnt DW ?
ifndef NOTFAT32
extdpb_free_cnt_hi DW ?
extdpb_flags DW ?
extdpb_FSInfoSec DW ?
extdpb_BkUpBootSec DW ?
extdpb_first_sector DD ?
extdpb_max_cluster DD ?
extdpb_fat_size DD ?
extdpb_root_clus DD ?
extdpb_next_free DD ?
endif
DPB ENDS
dpb_drive: The drive number (0 = A, 1 = B, and so on).
dpb_unit: Specifies the unit number. The device driver uses the unit number to distinguish the specified drive from the other drives it supports.
dpb_sector_size: The size of each sector, in bytes.
dpb_cluster_mask: The number of sectors per cluster minus 1.
dpb_cluster_shift: The number of sectors per cluster, expressed as a power of 2.
dpb_first_fat: The sector number of the first sector containing the file allocation table (FAT).
dpb_fat_count: The number of FATs on the drive.
dpb_root_entries: The number of entries in the root directory.
dpb_first_sector: The sector number of the first sector in the first cluster.
dpb_max_cluster: The number of clusters on the drive plus 1. This member is undefined for FAT32 drives.
dpb_fat_size: The number of sectors occupied by each FAT. The value of zero indicates a FAT32 drive. Use the value in extdpb_fat_size instead.
dpb_dir_sector: The sector number of the first sector containing the root directory. This member is undefined for FAT32 drives.
dpb_reserved2: Reserved member. Do not use.
dpb_media: Specifies the media descriptor for the med
234. [Figure 4: Detected partition indicator. The restore partition indicator shows whether the partition can be restored (green) or not (red).] Working with Files detected by signatures: Files detected by signatures are shown under the related Disk Scan item and combined in groups by signature.
235. riting. Ask before overwrite: If a file with the same name already exists in the destination folder, the application will ask the user for a specific action to take. Overwrite without prompt: All files will be overwritten if they already exist in the destination folder. Skip existing files: If a file with the same name exists in the destination folder, recovery of a new file will be skipped. Additional Options. Create Folder Structure: When this option is selected, files will be recovered with their original folder structures, e.g. the original folder hierarchy as it was on the storage source. In case files were organized in groups (date, file extensions or by an associated application), then such groupings will be created by the folder structure in the location where the files will be recovered to. Recover Name Streams: With this option on, files will be recovered with their original name streams. Browse destination folder: Opens the destination folder in the default OS file browser. Detailed Log: With this option on, the log file contains more detailed information about recovered files. Use Disk Lock: The source disk will be locked during the file recovery process. It will be unlocked as soon as the process is completed. Ignore Disk Lock Errors: With this option on, the file recovery process will continue even if locking of the source device fails. Ignore Write Errors: No error messages wi
236. rocedure. You can select a Disk Image to be opened by specifying its Disk Image Configuration File. Type the full path to this file in the edit box, or use the Browse button to open a standard browse dialog to select this file. You can skip this step in order to assemble a Disk Image manually from chunks, supplying all necessary options yourself, by clicking the Next button. 2. Compose Disk Image: Skip this step if the disk image was opened using a configuration file (the information is already entered); otherwise specify all parameters here manually. Typically, a Disk Image Configuration File is used to open a Disk Image. This file contains necessary information about the Disk Image geometry, labels and other information. Nevertheless, a Disk Image can be opened by specifying the actual files (chunks) of an image and other options. This dialog can also be used to open raw Disk Images created by third-party applications, such as WinHex for example. [Screenshot: Compose Disk Image page with Caption, Image chunks list, Image Type (RAW Data Binary Disk Image), Media Type (Fixed Disk), Bytes per Sector 512, Sector per Track 63, Track per Cylinder 255, Save DIM File As] Page Options. Caption: Enter any label to distinguish the newly opened disk image among other devices and disks. Disk Image Chunks: A Disk Image consists of one or many files which c
237. rom the remaining data and parity. You can create RAID 5 volumes only on dynamic disks on computers running the Windows 2000 Server or Windows Server 2003 families of operating systems. You cannot mirror or extend RAID 5 volumes. In Windows NT 4.0, a RAID 5 volume was known as a striped set with parity. Mirrored and RAID 5 volumes are fault tolerant and are available only on computers running Windows 2000 Server, Windows 2000 Advanced Server, Windows 2000 Datacenter Server, or the Windows Server 2003 family of operating systems. You can, however, use a computer running Windows XP Professional to remotely create mirrored and RAID 5 volumes on these operating systems. Regardless of whether the dynamic disk uses the master boot record (MBR) or GUID partition table (GPT) partition style, you can create up to 2,000 dynamic volumes, although the recommended number of dynamic volumes is 32 or less. For information about how to manage dynamic volumes, see Manage dynamic volumes. File Systems. Windows NT File System (NTFS). The Windows NT file system (NTFS) provides a combination of performance, reliability and compatibility not found in the FAT file system. It is designed to quickly perform standard file operations such as read, write and search, and even advanced operations such as file system recovery, on very large hard disks
238. rs fields must be described as unused by GUID_NULL in ParameterType. This structure must be preserved during exFAT formatting, except in the case of secure wipe.
Table 6: OEM Parameter Record (Offset | Description | Comments)
0x00 | ParameterType | OEM defined GUID. GUID_NULL indicates that the parameter value is not used.
ParameterValue | OEM specific
    #define OEM_FLASH_PARAMETER_GUID 0A0C7E46-3399-4021-90C8-FA6D389C4BA2
    struct {
        GUID OemParameterType;      // Value is OEM_FLASH_PARAMETER_GUID
        UINT32 EraseBlockSize;      // Erase block size in bytes
        UINT32 PageSize;
        UINT32 NumberOfSpareBlocks;
        UINT32 tRandomAccess;       // Random Access Time in nanoseconds
        UINT32 tProgram;            // Program time in nanoseconds
        UINT32 tReadCycle;          // Serial read cycle time in nanoseconds
        UINT32 tWriteCycle;         // Write Cycle time in nanoseconds
        UCHAR Reserved[4];
    } FlashParameters;
Boot Checksum: This sector contains a repeating 32-bit checksum of the previous 11 sectors. The checksum calculation excludes the VolumeFlags and PercentInUse fields in the Boot Sector (bytes 106, 107, 112). The checksum is repeated until the end of the sector. The number of repetitions depends on the size of the sector.
    #include <stdint.h>
    typedef uint32_t UINT32;

    UINT32 BootChecksum(const unsigned char data[], int bytes)
    {
        UINT32 checksum = 0;
        for (int i = 0; i < bytes; i++)
        {
            /* skip VolumeFlags (106, 107) and PercentInUse (112) */
            if (i == 106 || i == 107 || i == 112)
                continue;
            /* rotate right by one bit, then add the current byte */
            checksum = ((checksum << 31) | (checksum >> 1)) + data[i];
        }
        return checksum;
    }
239. rs support. exFAT vs. FAT32 Comparison
Feature | Value
Maximum Volume Size | 8 TB
Maximum File Size | 4 GB
Maximum Cluster Size | 32 KB
Maximum Cluster Count | 2^28
Maximum File Name Length | 255
Date/Time resolution | 2s
MBR Partition Type Identifier | 0x0B, 0x0C
Notice: Windows cannot format FAT32 volumes bigger than 32GB, though it supports larger volumes created by third-party implementations. 16 TB is the maximum volume size if formatted with 64KB cluster.
Notice: According to Microsoft KB184006, clusters cannot be 64KB or larger, though some third-party implementations support up to 64KB.
Volume Layout
Offset (sectors) | Size (sectors) | Block | Comments
Main Boot Region
0 | 1 | Boot Sector |
1 | 8 | Extended Boot Sectors |
9 | 1 | OEM Parameters |
10 | 1 | Reserved |
11 | 1 | Boot Checksum |
Backup Boot Region
12 | 1 | Boot Sector |
13 | 8 | Extended Boot Sectors |
21 | 1 | OEM Parameters |
22 | 1 | Reserved |
23 | 1 | Boot Checksum |
FAT Region
24 | FatOffset - 24 | FAT Alignment | Boot Sectors contain FatOffset
FatOffset | FatLength | First FAT | Boot Sectors contain FatOffset and FatLength
FatOffset + FatLength | FatLength | Second FAT | For TexFAT only
Data Region
FatOffset + FatLength * NumberOfFats | ClusterHeapOffset - (FatOffset + FatLength * NumberOfFats) | Cluster Heap Alignment |
ClusterHeapOffset | ClusterCount | Cluster
240. rsHigh, BigSectorsPerFat, BigSectorsPerFatHi, ExtFlags, FS_Version, RootDirStrtClus, RootDirStrtClusHi, FSInfoSec, BkUpBootSec, Reserved. A_BF_BPB ENDS
Type column (in the order the members are listed): DW DB DW DB DW DW DB DW DW DW DW DW DW DW DW DW DW DW DW DW DW DW DW
A_BF_BPB_BytesPerSector: The number of bytes per sector.
A_BF_BPB_SectorsPerCluster: The number of sectors per cluster.
A_BF_BPB_ReservedSectors: The number of reserved sectors, beginning with sector 0.
A_BF_BPB_NumberOfFATs: The number of File Allocation Tables.
A_BF_BPB_RootEntries: This member is ignored on FAT32 drives.
A_BF_BPB_TotalSectors: The size of the partition, in sectors.
A_BF_BPB_MediaDescriptor: The media descriptor. Values in this member are identical to standard BPB.
A_BF_BPB_SectorsPerFAT: The number of sectors per FAT. Note: This member will always be zero in a FAT32 BPB. Use the values from A_BF_BPB_BigSectorsPerFat and A_BF_BPB_BigSectorsPerFatHi for FAT32 media.
A_BF_BPB_SectorsPerTrack: The number of sectors per track.
A_BF_BPB_Heads: The number of read/write heads on the drive.
A_BF_BPB_HiddenSectors: The number of hidden sectors on the drive.
A_BF_BPB_HiddenSectorsHigh: The high word of the hidden sectors value.
A_BF_BPB_BigTotalSectors: The total number of sectors on the FAT32 drive.
A_BF_BPB_BigTotalSectors
241. rtition Types on page 167. File System Specifications: FAT32 is a derivative of the File Allocation Table (FAT) file system that supports drives with over 2GB of storage. Because FAT32 drives can contain more than 65,526 clusters, smaller clusters are used than on large FAT16 drives. This method results in more efficient space allocation on the FAT32 drive. The largest possible file for a FAT32 drive is 4GB minus 2 bytes. The FAT32 file system includes four bytes per cluster within the file allocation table. Note that the high 4 bits of the 32-bit values in the FAT32 file allocation table are reserved and are not part of the cluster number. Boot Sector and Bootstrap Modifications (Modifications: Description). Reserved Sectors: FAT32 drives contain more reserved sectors than FAT16 or FAT12 drives. The number of reserved sectors is usually 32, but can vary. Boot Sector Modifications: Because a FAT32 BIOS Parameter Block (BPB), represented by the BPB structure, is larger than a standard BPB, the boot record on FAT32 drives is greater than 1 sector. In addition, there is a sector in the reserved area on FAT32 drives that contains values for the count of free clusters and the cluster number of the most recently allocated cluster. These values are members of the BIGFATBOOTFSINFO structure, which is contained within this sector. These additional fields allow the system to initialize the values without having to read the entire file allocation table. Ro
242. ry tool designed to recover lost or deleted data, or even information from formatted hard disks. You may recover damaged or deleted files and folders directly from the Recovery Explorer View on page 8, Logical Drive Scan Result View on page 9, Physical Device Scan View on page 9 and Search Results View on page 11. Recovering deleted files and folders is one of the essential features of Active@ UNDELETE. To recover detected files:
1. Select files in a view. Select files in any view mentioned above using cursor selection. Use the Shift or Ctrl keys for multi-selection.
2. Open the File recovery dialog. After files are selected in a view, click the Recover button in the view's toolbar, use the Recover command from the context menu, or use the Ctrl+R shortcut.
3. Confirm recovery location. Select the destination path and additional options for the recovery of files and folders. It is recommended that recovered files and folders be saved to a volume other than the volume on which they were found.
Figure 11: File Recovery dialog (simplified)
By default, the File recovery dialog appears in simplified form; in most cases the default recovery settings are sufficient for file recovery. However, to use advanced options, click the More Recovery Options button. Enter the destination path where files will be recovered and click the Recover button.
243. s 100 0, but if you need to specify byte 128 in sector 100, you have to enter 100 128.
Highlighting template fields: By default, all individual fields of a template record are highlighted in the Disk Editor main area (in the hexadecimal and ASCII columns only). This highlighting can be disabled by clicking the Toggle template fields coloring button in the template window toolbar (next to the arrow buttons). The colors used by template coloring are arbitrary and have no specific meaning; their main purpose is to make separate fields visible and distinguishable from each other. A palette of several colors is chosen and the colors are used in rotation. When you select a field in the template window, the current field is also highlighted in the hex editing area with a bold field frame. When you move the mouse cursor over a colored field in the editing area, the name and value of the corresponding field are also shown in a tooltip.
Navigating around template fields: You can set the cursor (current position) to a particular field in a template by double-clicking it. If you double-click in the Name, Offset or Value column, the position inside the main record is selected, but if you click inside the Copy Value column, the navigation is performed to the field in the template copy. Please note that in Edit mode, double-clicking inside Value or Copy Value starts editing of the field instead of navigating to that field.
Editing using template: Double
244. Bytes 0x0B-0x53 are the BIOS Parameter Block (BPB) and the extended BPB. This block contains such essential parameters as:
Bytes Per Sector (WORD, offset 0x0B)
Sectors Per Cluster (BYTE, offset 0x0D)
Media Descriptor (BYTE, offset 0x15)
Sectors Per Track (WORD, offset 0x18)
Number of Heads (WORD, offset 0x1A)
Hidden Sectors (DWORD, offset 0x1C)
Total Sectors (LONGLONG, offset 0x28)
etc.
The remaining code is the bootstrap code (that is necessary for the proper system boot) and the end-of-sector marker (shown in bold print). This sector is so important that on NTFS, for example, a duplicate of the boot sector is located on the disk. The Boot Sector for FAT looks different; however, its BPB contains parameters similar to those mentioned above. There is no extra copy of this sector stored anywhere, so recovery on FAT is half as successful as on NTFS. What will happen if the Partition Boot Sector is damaged or bad/unreadable? Let's fill several lines of the Partition Boot Sector with zeros:
000000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000030 00 00 00
245. s and array geometry. You can manipulate the number and order of disks in the array. You can specify your own Virtual Disk Array geometry or accept the default values. To run this Wizard, click Create Virtual Array from the Wizards menu or click the Create Virtual RAID button in the Tools tab of the Command Bar.
1. Select Array Type. Select a RAID type to be reconstructed:
Spanned Volume: Composed of disk space located on several disks consecutively.
Stripe Set (RAID0): Stores data in stripes distributed on two or more disks.
Mirror (RAID1): Duplicates data identically on two disks.
RAID5: Stores data in stripes distributed on three or more disks with parity control.
2. Select Array Disks. Choose disks to compose a Virtual Disk Array. Use the Damaged Disk virtual device instead of a disk that is physically damaged (e.g. a non-spinning disk) or is known to contain invalid information. Some RAID types (Mirror, RAID5) allow you to recover information even if one of the disks is lost this way.
3. Disk Options. Choose default geometry options or specify custom values.
Change disk order in
246. s can be grouped by File Extensions, by Associated Applications, by Date (Created Date, Modified Date and Accessed or Deleted Date).
[Figure: scan result view. Callouts: use the Recover button to recover selected files and folders; files detected by signatures are located in this virtual folder; system files and folders are marked dark red; a deleted file is marked gray and can be recovered.]
Search and Filtering: detected files can be filtered by name, extension or deleted status by using the File Filter Toolbar on page 40. For narrower results, Search for deleted Files and Folders on page 37 can be used.
Recover Detected Files: You may recover damaged or deleted files and folders directly from the Logical Drive Scan Result View on page 9 or the Search Results View on page 11. See Recover files and folders on page 23.
Scan a volume (logical drive) for deleted files. Active@ UNDELETE is an advanced data recovery tool designed to recover lost or deleted data, or even information from formatted hard disks. Scanning logical drives is a required step for recovering files and folders. During the scan all deleted and e
247. s deleted or damaged. To scan a physical device for deleted partitions:
1. In the Recovery Explorer, select a disk (physical device) node. Open the Scan Disks dialog box in one of these ways: click the Scan button in the view's toolbar; click the Scan command from the context menu; double-click a disk (physical device) node.
2. Define the scan range and other scan options if necessary. Data Storage Device Scan processes the whole surface of the physical device, searching for all possible logical drives (volumes) and partitions, whether they are existing, damaged or deleted. The scan reads each disk sector, trying to reconstruct the drive structure based on residual clues to the drive's system structures that remain on the disk surface. This is a slow process; however, it usually gives much better results than Drive Scan.
Figure 15: Disk Scan dialog
Dialog options:
Multiple drive selection: Additional disks can be selected on the Physical Disks list to be scanned simultaneously. At lea
248. s returned to the state it was in before the transaction was initiated. To ensure that a transaction can be completed or rolled back, NTFS records the suboperations of a transaction in a log file before they are written to the disk. When a complete transaction is recorded in the log file, NTFS performs the suboperations of the transaction on the volume cache. After NTFS updates the cache, it commits the transaction by recording in the log file that the entire transaction is complete. Once a transaction is committed, NTFS ensures that the entire transaction appears on the volume, even if the disk fails. During recovery operations, NTFS redoes each committed transaction found in the log file. Then NTFS locates the transactions in the log file that were not committed at the time of the system failure and undoes each transaction suboperation recorded in the log file. Incomplete modifications to the volume are prohibited. NTFS uses the Log File service to log all redo and undo information for a transaction. NTFS uses the redo information to repeat the transaction. The undo information enables NTFS to undo transactions that are not complete or that have an error.
Important: NTFS uses transaction logging and recovery to guarantee that the volume structure is not corrupted. For this reason, all system files remain accessible after a system failure. However, user data can be lost because of a system failure or a bad sector.
Cluster Remapping: In the ev
249. se and navigate to the folder that will store the Disk Image.
Description: Enter a detailed description of the Disk Image you are about to create.
Compression: Choose one of the following:
None (Raw Data): No compression is applied; sectors are stored in raw format.
Fast: Sectors are compressed before storing to the file using a fast compression algorithm.
Medium: Sectors are compressed before storing to the file using a slow but more effective compression algorithm.
High: High level of compression.
Highest: Highest possible compression level will be used.
Store Disk Image as chunks: Select this check box to save the Disk Image as a series of files with a specified size. Choose the file size from the drop-down list. This option may be useful if you want to write the Disk Image to CD-ROMs or DVD-ROMs. By default, this check box is cleared and the Disk Image is stored in one large file.
Ignore R/W Errors: Any Read or Write errors will be ignored and the process will continue if possible.
Use Disk Lock: The source disk will be locked until Disk Image creation is complete or aborted.
Ignore Disk Lock Errors: Any errors related to disk lock will be ignored.
3. Confirm actions. Review and confirm the disk image parameters and click the Create Disk Image button to start the disk image creation process. While the process is in progress, you can stop it at any time by clicking Stop at the bottom of the screen.
4. Complete. Click Finish to close th
250. se the file size from the drop-down list. This option may be useful if you want to write the Disk Image to CD-ROMs or DVD-ROMs. By default, this check box is cleared and the Disk Image is stored in one large file. Click Create Image to initiate the disk image creation process with the selected parameters.
Create image. During the process: To display or hide scanning events and progress details, toggle the More/Less Info button at any time. To terminate the process, click Stop at any time. Results may not be accurate or complete.
Note: The file extension for a Disk Image configuration file is DIM by default.
Important: The Destination Path for a Disk Image file must always be on another drive. File systems such as FAT16 and FAT32 do not support file sizes larger than 2GB and 4GB respectively. With these file systems it is not possible to create a Disk Image file for a drive, as it is likely to grow larger than the size limit. The solution in this case is to do one of the following: Use a Destination Path drive that is formatted using Windows NT, Windows 2000 or Windows XP and using NTFS. Create a Disk Image that is split into chunks of an appropriate size, keeping within the limits set by the file system.
Tip: Use the Create a Disk Image Wizard on page 107 for the same purpose.
Open Disk Image. Active@ UNDELETE is an advanced data recovery tool designed to recover lost or deleted data, or even
251. set. There can be only one Stream Extension entry in the set. If the NoFatChain flag is set, all allocated clusters are contiguous. The NameHash field facilitates fast file name comparison and is computed on the up-cased file name. NameHash verifies against a mismatch; however, matching hashes cannot guarantee the equality of file names. If name hashes match, a subsequent full name comparison must be performed.

    // fileName points to up-cased file name
    UINT16 NameHash(WCHAR *fileName, int nameLength)
    {
        UINT16 hash = 0;
        unsigned char *data = (unsigned char *)fileName;
        // Process the name byte by byte (two bytes per WCHAR)
        for (int i = 0; i < nameLength * 2; i++)
            // Rotate right by one bit, add the next byte, keep the low 16 bits
            hash = (UINT16)(((hash << 15) | (hash >> 1)) + data[i]);
        return hash;
    }

ValidDataLength determines how much actual data has been written to the file. An implementation shall update this field as data is written. The data beyond the valid data length is undefined and an implementation shall return zeros.
File Name Directory Entry (Offset: Description, Comments)
0 (0x00): EntryType
1 (0x01): GeneralSecondaryFlags (see below)
2 (0x02): FileName
GeneralSecondaryFlags (Bits, Size: Description, Comments)
0, 1: AllocationPossible, Must be 0
1, 1: NoFatChain, Must be 0
2, 14: CustomDefined
File Name directory entries must immediately follow the Stream Extension directory entry, in the number of NameLength/15 rounded up. The maximum number of File Name entries is 17, each can hold up to 15 Unicode characters, and the maximum file name length is 255
252. signature headers and footers. Please check RegExp syntax on the web for examples.
Custom Signatures Size Script: custom signatures file size calculation syntax. Custom (User Defined) File Signatures are saved in a text file and can be edited using a simple text editor like Notepad or by using the Active@ UNDELETE tool Custom (user defined) file signature templates on page 41.
User defined template reference: Empty lines and lines starting with a semicolon are ignored. Section order and line order within sections are not important. Letter case is not important (except in RegExp fields).
Section TEMPLATES: required; contains fields numbering from one.
TEMPLATE: points to the section where the signature template is described (numbered from one).
Section Template Header: required; contains these fields:
BEGIN: required. Points to the section describing the beginning of the signature file.
FOOTER: non-required. Points to the section describing the end of the signature file.
MAX SIZE: non-required. Maximum file size to force file end if no file end signature is detected. By default it is 64Kb.
GROUP: non-required. If missing, the template goes to the User Defined templates group by default.
DESCRIPTION: non-required. This is a descriptive name of the user template, displayed on screen.
EXTENSION: non-required. This is a file extension to be assigned and displayed.
SCRIPT: non-required. Refers to the section w
253. Multiple volume scan: Active@ UNDELETE allows scanning several volumes (logical drives) at the same time. Scan options can be set individually for each selected volume or can be set for the entire batch scan.
Figure 8: Scan volumes dialog
Dialog options:
Multiple drive selection: Additional drives can be selected on the Logical Drives list to be scanned simultaneously. At least one logical drive (volume) must be selected.
Ignore errors: Ignore Read and Write errors during the scan process.
Save scan results: If this option is on, a path must be specified where scan results with a unique name will be saved for each scanned drive. Provide a valid path if you have this option selected.
Use Advanced Scan Algorithm: Select this option to apply the advanced scan algorithm. However, even if scan re
254. so identifies the extended partition, if there is one defined.
Table 2: System ID field description
12-bit FAT primary partition or logical drive. The number of sectors in the volume is fewer than 32680.
16-bit FAT primary partition or logical drive. The number of sectors is between 32680 and 65535.
Extended partition. See the section titled Logical Drives and Extended Partitions, presented later in this chapter, for more information.
BIGDOS FAT primary partition or logical drive.
NTFS primary partition or logical drive.
The figure presented earlier in this section has examples of a BIGDOS FAT partition, an NTFS partition, an extended partition and a 12-bit FAT partition. If you install Windows NT on a computer that has Windows 95 preinstalled, the FAT partitions might be shown as unknown. If you want to be able to use these partitions when running Windows NT, your only option is to delete the partitions. OEM versions of Windows 95 support the following four partition types for FAT file systems that Windows NT cannot recognize:
Primary Fat32 partition using interrupt 13 (INT 13) extensions
Extended Fat32 partition using INT 13 extensions
Extended Fat16 partition using INT 13 extensions
Primary Fat16 partition using INT 13 extensions
When you create a volume set or a stripe set, Disk Administrator sets the high bit of the System ID field for each primary partition or logical drive that is a member of the volume. For
255. ss stated otherwise, all modifications made in the Disk Editor are stored in memory. Changes are written to the drive when you click Save.
Open objects in Disk Editor. Active@ UNDELETE is an advanced data recovery tool designed to recover lost or deleted data, or even information from formatted hard disks. You can open a physical disk, a logical drive or a partition from the Recovery Explorer View on page 8. If you performed scanning, you can also open a file from the list of found files. In Disk Editor you can view and edit the following disk objects: Physical Disk, Volume (Logical Drive), Partition, File.
To open an object:
1. Select an object in a list of disk objects. You may select a physical drive, a partition or a logical drive. If you performed scanning before, you can also select a file.
2. Click the Open in Disk Editor button in a toolbar.
3. Alternatively, right-click on a disk object and select Open in Disk Editor from the context menu. You can also use the Ctrl+H shortcut.
4. In Welcome View on page 14, select the Advanced Tools tab and then click the Open Disk command. In the dialog that appears, select a physical disk, volume or unallocated space item and click OK to open the selection in Disk Editor.
Select Physical Disk, Partition or Volume (Logical Drive) and click the Open button to open selected items in Active@ UNDELETE. More than one item can be selected to open at once. Nam
256. st of commands are the same as in assembler programming language, except:
READ: first argument is the data type (size) to be read, second is the offset from the beginning of the file.
ENDIAN: first argument is the data type (size), second is the expression whose byte order will be swapped.
The first argument for the READ and ENDIAN commands must be one of the reserved data types: BYTE, WORD, DWORD, QWORD.
argument can be either a named variable or a constant.
result can only be a named variable.
condition can be one of < < > > (the meaning is the same as in C).
label consists of a label name followed by a colon, and it can precede any operator.
Note: The label named EXIT is reserved and instructs to complete the calculations. The named variable SIZE is reserved and keeps the file size. Constants can be in Decimal form, Binary (followed by b), Octal (o) and Hexadecimal (h), or can be a text string.
TEMPLATES
TEMPLATE3 QBW HEADER
TEMPLATE4 CHM HEADER
TEMPLATE5 SWF HEADER
TEMPLATE6 PST HEADER
TEMPLATE7 MRW HEADER
TEMPLATE8 MID HEADER
TEMPLATE9 CAB HEADER
TEMPLATE10 BMP HEADER
TEMPLATE11 DJV HEADER
PRIMITIVE HTML
DESCRIPTION Primitive HTML Signature
E
257. st one disk must be selected.
Scan area: Select the scan area using predefined options: Entire Disk, Unallocated Only or Specific Range (use arrow markers to mark the scan area). Note: Scan area markers show the first and last sectors of the scanning area. To enter exact start and end sectors to scan, click on the sector label and enter the exact value in the text field.
File System lookup: Select the desired File System of partitions to be detected.
Ignore Errors: Ignore disk Read/Write Errors.
Save Scan results: Enter the path where scan results will be saved as soon as the scan is completed.
Detect files by their signatures: Select this option to specify exact file types to be detected during the scan. With this option, the device scan reads each disk sector, trying to reconstruct any possible data related to a unique file format. Important: Turn this option off when you only want to detect and restore a partition; it will significantly reduce your scanning time.
Apply the same settings to all selected devices: All scan options above can be selected for each drive individually or, when this check box is selected, be the same for all selected logical drives.
3. Click Scan to begin the scan process.
Edit or Clone Detected Partitions. Active@ UNDELETE is an advanced data recovery tool designed to recover lost or deleted data, or even information from formatted hard disks. It may be necessary for you to edit detected partition attributes d
258. store consistency to NTFS after a system failure.
Contains information about the volume, such as the volume label and the volume version.
A table of attribute names, numbers and descriptions.
The root folder.
A representation of the volume showing which clusters are in use.
Includes the BPB used to mount the volume and additional bootstrap loader code used if the volume is bootable.
Contains bad clusters for the volume.
Contains unique security descriptors for all files within a volume.
Converts lowercase characters to matching Unicode uppercase characters.
Used for various optional extensions such as quotas, reparse point data and object identifiers.
Reserved for future use.
NTFS supports multiple data streams, where the stream name identifies a new data attribute on the file. A handle can be opened to each data stream. A data stream, then, is a unique set of file attributes. Streams have separate opportunistic locks, file locks and sizes, but common permissions. This feature enables you to manage data as a single unit. The following is an example of an alternate stream: myfile.dat:stream2. A library of files might exist where the files are defined as alternate streams, as in the following example: library:file1, :file2, :file3. A file can be associated with more than one application at a time, such as Microsoft Word and Microsoft WordPad. For instance, a file structure
259. sults may contain more entries than a scan without this option, the overall scan process may take much more time.
Detect files by their signatures: Select this option to specify exact file types to be detected during the scan. With this option, the device scan reads each disk sector, trying to reconstruct any possible data related to a unique file format.
Apply the same settings to all selected drives: All scan options above can be selected for each drive individually or, when this check box is selected, be the same for all selected logical drives.
Click Scan to initiate the scan of selected logical drives (volumes).
3. Scan selected volumes.
Figure 9: Scan in progress
During the scan: To display or hide scanning events and progress details, toggle the More/Less Info button at any time. To terminate the scan process, click Stop at any time. Results may not be accurate or complete. After the scan completes, you will see scan results in the Logical Drive Scan Result View on page 9.
4. Review scan results. A Logical Drive scan result appears in the Logical Drive Scan Result View on page 9, where results can be re
260. t Detected Files and Folders. Select desired files for recovery using check marks. File Filter can be used to narrow down the files list.
261. t Developers Network (MSDN): http://msdn.microsoft.com
NTFS Master File Table (MFT). Understanding of underlying mechanisms of data storage, organization and data recovery. Each file on an NTFS volume is represented by a record in a special file called the master file table (MFT). NTFS reserves the first 16 records of the table for special information. The first record of this table describes the master file table itself, followed by a MFT mirror record. If the first MFT record is corrupted, NTFS reads the second record to find the MFT mirror file, whose first record is identical to the first record of the MFT. The locations of the data segments for both the MFT and MFT mirror file are recorded in the boot sector. A duplicate of the boot sector is located at the logical center of the disk. The third record of the MFT is the log file, used for file recovery. The seventeenth and following records of the master file table are for each file and directory (also viewed as a file by NTFS) on the volume.
Figure 41: Simplified illustration of the MFT structure
The master file table allocates a certain amount of space for each file record. The
262. t be met.
Dialog Options:
Template name: Unique template name.
Template description: Brief template description (optional).
File extension: File extension for this template (optional).
Beginning of File Criteria: List of RegEx criteria considered as the beginning of a file, combined as AND statements. Not earlier than and Not later than specify the limits of the defined criteria in the beginning of a file template.
End of File Criteria: The end of a file can be determined in two ways: By a list of RegEx criteria considered as the end of a file, combined as OR statements. In case of missing file footer criteria, the end of file will be taken from the defined Maximum file size. The Append after attribute specifies the size of the end of a file. File size is used in case of missing file end criteria. By default it is 65535 bytes.
To define custom file signatures, enter the Template Name, Description and File extension (optional). Specify the file's Header (required) and Footer (optional) search criteria. A Size Script is useful to determine the actual file size. Read the manual for more detail and samples of how to create such a script.
263. ta or even information from formatted hard disks. Some critical partition layout changes made to a physical device are backed up by default. Users can roll back these changes at any point by using the Roll Back Partition Changes tool. These changes are: Initialize Disk, Create Partition, Format Partition, Delete Partition.
To open the Rollback Partition Changes dialog, do one of the following: From the Tools menu, choose the Roll Back Partition Changes command. From the Tools tab in the Command Bar, choose the Roll Back Partition Changes command. For a selected physical device (disk) node, use the context menu Roll Back Partition Changes command.
Select the Data Storage Device and Restore Point to roll back. You can select and load another Partition Information file (BPT) for the selected Data Storage Device.
264. tarting and Ending Cylinder, Head and Sector fields only for backward compatibility with MS-DOS and Windows 95 and to maintain compatibility with the BIOS interrupt (INT) 13 for start-up purposes.
Logical Drives and Extended Partitions: When more than four logical disks are required on a single physical disk, the first partition should be a primary partition. The second partition can be created as an extended partition, which can contain all the remaining unpartitioned space on the disk.
Note: A primary partition is one that can be used as the system partition. If the disk does not contain a system partition, you can configure the entire disk as a single extended partition. Some computers create an EISA configuration partition as the first partition on the hard disk.
Windows NT detects an extended partition because the System ID byte in the Partition Table entry is set to 5. There can be only one extended partition on a hard disk. Within the extended partition, you can create any number of logical drives. As a practical matter, the number of available drive letters is the limiting factor in the number of logical drives that you can define. When you have an extended partition on the hard disk, the entry for that partition in the Partition Table (at the end of the Master Boot Record) points to the first disk sector in the extended partition. The first sector of each logical drive in an extended part
265. tatuses that will remain in the filtered partition list.
Filter by Size: To restrict the size of partitions displayed, click the Filter by Partition Size check box and enter the lowest and highest partition size in MB.
The Advanced tab filtering lets you filter partitions with specific NTFS or FAT attributes. Press Reset in the Filter Detected Partition dialog to cancel partition filtering.
Work with scan results. Active@ UNDELETE is an advanced data recovery tool designed to recover lost or deleted data, or even information from formatted hard disks. It can take a long time to run a default disk scan or a low-level disk scan. Because you are dealing with a large volume of information, you might not be able to review all the data in one session. So that you do not have to scan a partition again, you can save and re-use valuable scan results. You can save an entire Scan Results branch, make a separate save for each disk scan, or save all scans set for a particular device. File
266. te to the security attribute to the file name attribute. Every sector on an NTFS volume that is allocated belongs to some file. Even the file system metadata (information that describes the file system itself) is part of a file.

What's New in NTFS5 (Windows 2000)

Encryption: The Encrypting File System (EFS) provides the core file encryption technology used to store encrypted files on NTFS volumes. EFS keeps files safe from intruders who might gain unauthorized physical access to sensitive stored data, for example by stealing a portable computer or external disk drive.

Disk quotas: Windows 2000 supports disk quotas for NTFS volumes. You can use disk quotas to monitor and limit disk space use.

Reparse points: Reparse points are new file system objects in NTFS that can be applied to NTFS files or folders. A file or folder that contains a reparse point acquires additional behaviour not present in the underlying file system. Reparse points are used by many of the new storage features in Windows 2000, including volume mount points.

Volume mount points: Volume mount points are new to NTFS. Based on reparse points, volume mount points allow administrators to graft access to the root of one local volume onto the folder structure of another local volume.

Sparse files: Sparse files allow programs to create very large files but consume disk space only as needed.

Distributed link tracking: NTFS provides a l
267. ted data or even information from formatted hard disks File Organizer is advanced tool designed to group and rename files using their system attributes or meta attributes before actual recovery Every file has system attributes like date Accessed Created and Modified file type defined by extension and associated with that file type registered application These attributes can be used to generate new file name or folder group for every file with the same attribute In addition to system attributes some files mostly media or images may contain meta fields such as artist name title album name and others File Organizer also use these meta fields to group files in a folder with same attribute Thus File Organizer operates file organizing rules which defines folder grouping hierarchy and file renaming rules File OrganizerisusedinFile Recovery wizards and in all views of Active UNDELETE that manipulates files Logical Drive Scan Result View on page 9 Physical Device Scan View on page 9 Active UNDELETE Tools Overview 84 Search Results View on page 11 To apply file organizing rule simply select it from drop down Organize Files menu File organizing rule can be also applied on folder or a group from context menu W Recovery Explorer X w Tutorial2 F X Hi Organize Files w Filter by 3 B E3 Layout Name View by Folders default Status Size Date created Date accessed 4 B Tutorial 8
268. tem Code 6 OCZ VERTEG T Source Backup File d projects_Development Active Undelete 8 Binaries backups disk_ST 1000DM003 9YN162_ 4 All changes made to device ST1000DM003 9YN162 will be reverted to modification Partition Deleted made at 21 05 12 10 18 29 Rollback is final and cannot be undone Robak Cae Web To roll back changes made to a physical device select a restore point in the chronologically ordered list and click the Roll Back button to complete the changes File Organizer view Active UNDELETE is an advanced data recovery tool designed to recover data lost or deleted data or even information from formatted hard disks File Organizer view is utility view that helps to organize files regroup and rename using their system or meta attributes from different sources scan results search etc and recover them all at once to selected location To addfilesto File Organizer view 1 Select files or folders in scan result view 2 In context menu select Add to File Organizer command Active UNDELETE Tools Overview 93 Er Organize Files E Create Rule f Manage Rules Recover All Remove a Clear GB iv expand S collapse al Date accessed Attributes ID Filter by Status Size Date 437 KB Create your own file 437 KB organizing rule 437 KB 129 KB 28 Jan 14 19 11 00 28 Jan 14 19 11 00 A 36 ERES 9 11 00 28 Jan 14 19 11 00 A 37 4 amp
269. tes a hard disk.

Byte Offset  Field Length  Sample Value  Meaning

0x16  WORD  0xC900  Sectors per file allocation table (FAT): Number of sectors occupied by each of the file allocation tables on the volume. By using this information, together with the Number of FATs and Reserved Sectors, you can compute where the root folder begins. By using the number of entries in the root folder, you can also compute where the user data area of the volume begins.

0x18  WORD  0x3F00  Sectors per Track: The apparent disk geometry in use when the disk was low-level formatted.

0x1A  WORD  0x1000  Number of Heads: The apparent disk geometry in use when the disk was low-level formatted.

3F 00 00 00  Hidden Sectors: Same as the Relative Sector field in the Partition Table.

51 42 06 00  Large Sectors: If the Small Sectors field is zero, this field contains the total number of sectors in the volume. If Small Sectors is nonzero, this field contains zero.

Physical Disk Number: This is related to the BIOS physical disk number. Floppy drives are numbered starting with 0x00 for the A disk. Physical hard disks are numbered starting with 0x80. The value is typically 0x80 for hard disks, regardless of how many physical disk drives exist, because the value is only relevant if the device is the startup disk.

Current Head: Not used by the FAT file system.

Signature: Must be either 0x28 or 0x29 in order to be reco
270. tes long, making a maximum of four entries available. Each partition entry has fields for: Boot Indicator (BYTE), Starting Head (BYTE), Starting Sector (6 bits), Starting Cylinder (10 bits), System ID (BYTE), Ending Head (BYTE), Ending Sector (6 bits), Ending Cylinder (10 bits), Relative Sector (DWORD), Total Sectors (DWORD). Thus the MBR loader can assume the location and size of partitions. The MBR loader looks for the active partition, i.e. the partition whose Boot Indicator equals 0x80 (the first one in our case), and passes control to the partition boot sector for further loading.

Let's consider the situations which cause the computer to hang while booting, or cause data loss.

1. What will happen if no partition has been set to the Active state (Boot Indicator = 0x80)? Let's remove the Boot Indicator from the first partition:

0000001B0 ly OE RT 910101 RTE CO C Wi 00 07 Dia Fir E 3 00 00 00 40 32 42 00 00 OO ON ess QN TS

When we try to boot now, we see an error message like "Operating System not found". It means that the loader cannot determine which partition is the system and active partition to pass control to.

2. What will happen if a partition has been set to the Active state (Boot Indicator = 0x80) but there are no system files on that partition? (This could happen if, for example, we had used FDISK and selected the wrong active partition.) The loader will try to boot from there, fail, try to boot again from other devices such as a floppy, and if fails to
271. thing else mostly to work with MS-DOS and Windows 95.

Tracks and Cylinders

On hard disks, the data are stored on the disk in thin, concentric bands called tracks. There can be more than a thousand tracks on a 3 inch hard disk. Tracks are a logical rather than physical structure, and are established when the disk is low-level formatted. Track numbers start at 0, and track 0 is the outermost track of the disk. The highest numbered track is next to the spindle. If the disk geometry is being translated, the highest numbered track would typically be 1023. The next figure shows track 0, a track in the middle of the disk, and track 1023.

A cylinder consists of the set of tracks that are at the same head position on the disk. In the figure below, cylinder 0 is the four tracks at the outermost edge of the sides of the platters. If the disk has 1024 cylinders (which would be numbered 0 to 1023), cylinder 1023 consists of all of the tracks at the innermost edge of each side.

Most disks used in personal computers today rotate at a constant angular velocity. The tracks near the outside of the disk are less densely populated with data than the tracks near the center of the disk. Thus, a fixed amount of data can be read in a constant period of time, even though the speed of the disk surface is faster on the tracks located further away from the center of the disk.

Modern disks reserve one side of one platter for track positioning
272. this check box Match case To display files that match upper and lower case letters in the Look for field select the Match case check box Search among existing only To display only files that are not deleted select the Search among existing only check box Search among deleted only To display only files that are deleted or damaged select the Search among deleted only check box To display files by a specified date in the Date Criteria tab in the Date Type drop down list choose a type and select a date range General Date Size File Attributes By Create Date Today 9 Last 7 days Last 30 days Custom Range 21 05 12 22 05 12 By Modified Date Today 9 Last 7 days Last 30 days Custom Range 21 05 12 22 05 12 By Accessed Deleted Date Today Last 7 days Last 30 days Custom Range 21 05 12 22 05 12 Figure 18 Date Criteria To display files by a specified file size in the Size tab select Small Medium or Large or specify the size range in KB Using Active UNDELETE Overview 39 Any Small less then 100KB Medium less then 1MB Large More then 1MB Specify size range bytes from Figure 19 File Size Criteria To display files based on file attributes in the File Attributes tab select file attributes that should be present Include Files and Folders Attributes or otherwise exempt Exclude Files or Folders with Attributes in search result v Indude
273. time 4 Review volume scan results Use the File Filter Toolbar on page 40 to narrow down search results By default only deleted Files and Folders are shown To view all files detected on scanned devices click the Reset filter to default button in the toolbar Files List Detected Files and Folders P Select desired Files for recovery using check marks File Filter can be used to narrow down files list 44 42 12 05 12 13 14 42 D i ANR 12 05 12 13 14 43 D 54550 0 bytes 03 03 12 10 41 50 2 03 12 10 41 50 D 54548 0 bytes 24 11 11 03 01 39 11 03 01 39 D 54518 b E 341 MB 25 08 11 19 38 12 2 D gt 7 amp Lost amp Found Healthy 1 24 MB 5 gt 7 dj SRECYCLE BIN System 325 MB 17 10 09 20 01 26 d 9 F Gy 381856 Deleted 0 bytes 11 02 11 03 21 11 56 F Deleted 0 bytes 15 04 11 05 04 18 15704711 09 04 18 D a Deleted 0 bytes 10 05 11 05 57 32 10 05 11 05 57 32 D 4462 b Healthy 2 56 GB 05 03 09 12 52 35 26 04 1113 47 05 D 20976 P E i Healthy 1 55 MB 05 03 09 12 50 24 12 05 12 11 57 34 D 18410 Cy Msilel45 tmp Deleted 0 bytes 12 05 12 13 14 43 12 05 12 13 14 43 D 4466 J MSBddbf tmp Deleted 0 bytes 23 08 11 10 29 02 23 08 11 10 29 02 D 4467 F amp M SH9277 tmp Deleted 0 bytes 08 03 12 08 54 58 08 03 12 08 54 58 D 4478 F amp
274. tion Changes on page 91 If all your manipulation with hard disk partitioning was made by using Active UNDELETE you can rollback e g undo all changes you have made in few clicks File Preview on page 36 To confirm that the file you have detected 1s exactly the file you seek you can use File Preview feature before the actual recovery It also helps to confirm file integrity first Some restriction applies for DEMO version Recover deleted Files and Folders Active UNDELETE is an advanced data recovery tool designed to recover data lost or deleted data or even information from formatted hard disks After you can see partitions on a device the file recovery process consists of three stages 1 Scan Disk Select Volume Logical Drive scan in Recovery Explorer and scan the chosen drive for deleted files LM ELIT Cx toad Scan Resuits T Unallocated Space Unallocat Unallocated Space Unallocat 55 Volume NTFS 3 data H Volume NTFS 4 Extended Partition Extended Extended See Scan a volume logical drive for deleted files on page 18 Using Active UNDELETE Overview 18 2 Analyze Scan Results A Logical Drive scan result appears in the Logical Drive Scan Result View on page 9 where results can be reviewed and files selected for recovery File Grouping detected files can be grouped for better analyzing by using the Group By drop down menu in the toolbar Detected file
275. tool designed to recover data lost or deleted data or even information from formatted hard disks Primary Boot Sector and Copy Boot Sector if applicable can be edited and synchronized by individual fields Active UNDELETE provide suggested boot sector with most appropriate values for reference To Edit Synchronize boot sectors 1 Select logical drive partition In Partition Manager or Recovery Explorer select a ogical drive partition node 2 Open the Edit Boot Sectors dialog From the toolbar click Edit Boot Records button or use command Actions gt Edit Boot Records from main menu Right click the selected item and click Edit Boot Records command from the context menu 3 Edit boot sectors Use radio buttons near the value fields to select and click OK button to confirm changes Active UNDELETE Tools Overview 65 Partition Primary Boot Sector PBS must match Primary Boot Sector CBS and both boot sectors must be valid for the recovered drive to be accessible by operating system Select valid fields from either Primary Boot Sector Primary Boot Sector or from Suggested Boot Sector Ay Primary Boot Sector Copy Boot Sector Suggested Boot Sector Offset bytes 0 Offset bytes 536707072 00 JMP instruction 1 EBSB90 A 000000 0 EB5290 03 File System ID ef 4 54465320202020 0000000000000000 4E54465320202020 08 Bytes per sector ef 0200 0200 oD Sectors p
276. ue of this field is 512.

Byte Offset  Field Length  Sample Value  Meaning

0x0D  BYTE  0x08  Sectors Per Cluster: The number of sectors in a cluster. The default cluster size for a volume depends on the volume size and the file system.

0x0E  WORD  0x0100  Reserved Sectors: The number of sectors from the Partition Boot Sector to the start of the first file allocation table, including the Partition Boot Sector. The minimum value is 1. If the value is greater than 1, it means that the bootstrap code is too long to fit completely in the Partition Boot Sector.

0x10  BYTE  0x02  Number of file allocation tables (FATs): The number of copies of the file allocation table on the volume. Typically, the value of this field is 2.

0x11  WORD  0x0002  Root Entries: The total number of file name entries that can be stored in the root folder of the volume. One entry is always used as a Volume Label. Files with long filenames use up multiple entries per file. Therefore, the largest number of files in the root folder is typically 511, but you will run out of entries sooner if you use long filenames.

0x13  WORD  0x0000  Small Sectors: The number of sectors on the volume if the number fits in 16 bits (65535). For volumes larger than 65536 sectors, this field has a value of 0 and the Large Sectors field is used instead.

0x15  BYTE  0xF8  Media Type: Provides information about the media being used. A value of 0xF8 indica
277. ul when you want to back up the contents of the whole drive and restore it or work with it later When the Create Disk Image Wizard starts for the first time the first screen describes the process Clear the Show this dialog next time check box to avoid seeing this screen the next time you create a Disk Image To start the Create Disk Image Wizard do one of the following From the Wizards menu click Create Disk Image Select Disk Image tab in the Command Bar and click Create Disk Image 1 Select imaging area Select a data storage device in the hierarchical device partition tree and select the desired device area if necessary 5 Note By clicking on a partition item in the device map control of the entire partition area will be selected 2 Set Disk Image attributes Active UNDELETE Wizards Overview 108 Create Disk Image of Dynamic New Volume L Destination D VXtempldrive L FA23 5895 dim aan J Description Disk Image made by Active UNDELETE Data Recovery Toolbox Compression Medium v Store Disk Image as chunks 4 7 GB DVD 5 Options Replace existing Disk Image files v Ignore Read Write Errors 2 Use Disk Lock Ignore Disk Lock Errors Page Options Destination Path The full path for the single Disk Image file If you decide to store the Disk Image file in chunks this path will be used to store all files You have the option to use the default path enter a new path or click Brow
278. ulation of real physical disk array that allows to read data from disassembled RAID Create virtual disk Active UNDELETE is an advanced data recovery tool designed to recover data lost or deleted data or even information from formatted hard disks Virtual disks can be used to mock real physical device with altering their attributes such as bytes per sector To create virtual disk in Active UNDELETE proceed as follows 1 Select physical disk to emulate In Partition Manager select physical device item in devices list or in Disk Navigator Select physical disk Recovery Explorer Use Expert device view Partition view or Enhanced view modes 2 Open Create virtual disk dialog Click Create Virtual Disk button in Partition Manager or in Recovery Explorer or use command Actions gt Create Virtual Disk from main menu Right click the selected item and click Create Virtual Disk command from the context menu Enter disk caption to label new virtual disk in Recovery Explorer sector size and boundaries of used space of actual physical disk 4 Create virtual disk based on real physical disk providing disk first sector and size in sectors and also sector size in bytes PhysicalDrive2 117231408 sectors 1 90 MB Unall 117227520 Caption Display name My virtual disk Sector size bytes 4096 V Use custom disk boundaies Disk first sector 0 Size sectors 11
279. und notifications Preview Panel E Show Preview in Hexadecimal mode by default Environment Options Context help panel Show ide left side context help panel Context help will automatically changed when active view tab is changed to show related hints and brief description of every view Show command bar Show Mide right side command bar that contains shortcuts to most usable commands and actions Use sound Enable Disable application sound notifications Hexadecimal file preview When this option is on file preview by default will be always shown in hexadecimal mode without any attempt to load it as an image or a document Show System Files V Show Not Ready Devices V Show Logical Drive Scan Options dialog before scan A If this option is not set dialog will appear only if press and hold CTRL button Application Log Show System DEBUG Events Save Log events to the Disk iS Default log path D Active_Undeletelapplog txt Recovery Explorer Options Show system files Show Hide system files in Recovery explorer In most of the cases these files are not recoverable Show no ready device Show Hide devices that has not read state and can not be scanned Show Logical Drive scan dialog by default When this option is OFF double click logical drive volume node in Recover Explorer view will initiate scan with default most usable options Only when CTRL button is pressed down
280. ve UNDELETE Professional and Enterprise editions Remove Scan Results Data in the Scan Results branch is copied from the original physical device You may remove any node including detected partitions from the Scan Results branch without harming the data on the original physical device To remove scan results 1 To remove the entire Scan Results branch select the branch 2 To remove a device node select it under Scan Results 3 Right click the selected node and click Remove Scan Result from the context menu The selected node is removed from the Recovery Explorer tree Preview Active UNDELETE is an advanced data recovery tool designed to recover data lost or deleted data or even information from formatted hard disks File Preview allows you to view the contents of an image file jpg bmp gif png etc before you recover the file Using Active UNDELETE Overview 37 lelp lorer 3 Application Log View E ree C ere Recover Ra Fie Preview Open in Hex Editor F Gy SRECYCLE BIN System 129 bytes 30 05 12 15 37 46 30 05 12 00 00 00 C amp j IMG 5595JPG Healthy 310 KB 31 05 12 13 50 32 00 00 00 7 IMG 7297JPG Healthy 291 KB 31 05 12 13 50 32 31 05 12 00 003 Recover Preview Open in Hex Editor Ctrl H Properties To open the File Preview panel from any view do one of the following Double click an image file Right c
281. view 32

There can be only one active system partition on a disk at a time.

You may have multiple basic disks, and each disk can have one active partition. However, the computer will only start from one specific disk. If you want to use another operating system, you must first mark its system partition as active before restarting the computer.

You cannot mark an existing dynamic volume as active. However, you can convert a basic disk containing the active partition to a dynamic disk. After the disk is converted, the partition becomes a simple volume that is active. If the active partition is not the current system or boot partition, it becomes a simple volume and loses its entry in the partition table. Therefore, it can no longer be active.

Extended partition

A computer can only have one extended partition per physical disk device. You cannot create an extended partition on a disk if it already has four primary partitions.

Restore Partition

1. Select a detected partition in the Physical Device Scan View on page 9.

2. To open the Restore Partition dialog, do one of the following: From the toolbar, click the Restore Partition button, or use the command action Restore Partition from the main menu. Right-click the selected item and click the Restore Partition command from the context menu.

Ca Review and confirm Partition Restore options 2 PhysicalDrive4 Partition Restore Options Create Extended Partition p Use
282. viewed and files selected for recovery Save Scan Results eere oes GD recover OP search ET Group by Filter by B8 3 N E Tutorial K 7 Ej Exend Use Recover button to recover Gg SRECYCLE BIN selected files and folders x 953649 dy Files by Signatures MSIS0791 tmp North 2 System Volume Information Sys Files detected by signatures amp Vacation yes located in this virtual folder Deleted R Healthy 09 46 09 23 Jan 13 09 46 09 Healthy 20 Jan 13 12 12 23 System files and folders marked dark red Deleted file marked gray it can be recovered Figure 10 Volume scan result view Using Active UNDELETE Overview 21 B Note We recommend you to save scan results to designated location for later use you can use saved scan results to save time on repeated scanning of same volume Scan for files by their signatures Active UNDELETE is an advanced data recovery tool designed to recover data lost or deleted data or even information from formatted hard disks Files on hard drive can be detected by their unique file signatures Active UNDELETE can detect these files see Supported File Signatures on page 40 for exact list of file types during Scan a volume logical drive for deleted files on page 18 or Scan Disk Physical Device on page 29 In first case scanning will be limited by volum
283. w By Created Date By Modified Date By Accessed Date By File Extension By Application Select Organize Files gt Customize command to create and apply custom file organizing rule Read Create custom file organizing rule on page 84 for more information When all files grouped and renamed as desired select location to recover files and change default options if necessary Click Recover All button in right bottom corner or click Recover All button in toolbar to recover all files from File Organizer view toone location Hardware Diagnostic File Active UNDELETE is an advanced data recovery tool designed to recover data lost or deleted data or even information from formatted hard disks Active UNDELETE Tools Overview 94 If you want to contact our technical support staff for help with file recovery a file that contains a summary of your local devices is helpful Active UNDEL ET E allows you to create a summary listing file in XML format This data format is human readable and can help our technical support staff analyze your computer configuration or point out disk failures To create a hardware diagnostic file from the File menu click Save Hardware Info As with a hardware diagnostic file Create virtual RAID Note To save time when contacting our technical support staff we highly recommend that you provide us Active UNDELETE is an advanced data recovery tool designed to recov
284. was taken for example 2014 Make Literal transcription of genre code Model Literal transcription of genre code Note Date Taken YYYY can be additionally structured with attributes Date Taken Month Date Taken DD Date Taken DD Weekday Office documents meta attributes Author Full year for example 2014 Date Created YYYY Short year for example 2014 Date Last Saved YYYY Active UNDELETE Tools Overview 90 Short year for example 14 Date Month Day Literal transcription of genre code 5 Note Each date attribute can be additionally structured with attribute Date Month Day File name tags File name tags are used to defile file renaming pattern File name editor allows insert tags at cursor position and present name tags organized in groups General file attributes File Full Name Full file name including file suffix and extension File Base Name Full file name without extension File Extension File extension without leading dot Sequence Sequential enumerator without leading zero for example 89 Sequence 00 Three digit sequential enumerator with leading zero for example 089 Sequence 000 Four digit sequential enumerator with leading zero for example 0089 General file attributes Dates Created Created date See below for specific Date Formats Accessed Accessed date See below for specific Date Formats Modified Modified date See below for
285. xisting file and folders are detected The results of a logical drive scan are displayed in a separate tabbed views Logical Drive Scan Result View on page 9 To initiate a scan of a logical drive 1 Select volume logical drive In the Recovery Explorer view select a volume logical drive Open the Scan volumes dialog box From the Recovery Explorer toolbar click Scan Right click the selected logical drive and click Scan from the context menu Using Active UNDELETE Overview 19 Drive Scan searches existing volumes partitions for deleted or damaged files or folders Use Detect files by their signatures feature to detect files by matching template patterns If you have several volumes logical drives in the system and you are not sure where exactly deleted or damaged files located you may choose several volumes to scan them all General scan options PORTO Q FAT32 V Ignore Errors Use Advanced Scan Algorithm V Save scan results as scan competes E System Reserved Scan results location C temp scan 5D 1147S scan um Local Disk C Detect files by their signatures NTFS T z Select this option to specify exact file types to be detected during the scan With this option scan reads each disk sector trying to reconstruct any possible data related to unique file format Local Di
286. y if you switched to the Expert Device mode of Recovery Explorer view. Otherwise, only logical drives will be available.

Warning: As with any advanced tool, use extreme caution with the Disk Editor. Changes that you make may affect disk structure integrity. You must be certain that the changes you make are in line with correct data structures before you save changes.

Subject Navigation and Information

After you have opened an object with the Disk Editor, you may navigate by scrolling block by block or by jumping directly to specific addresses. You may jump to disk system records such as the boot sector (primary and copy) or a partition table. Use the Navigate button in the toolbar to jump to a specific area in the open object. The selections that appear depend on the type of object that you are editing. No matter what object is opened for editing, the first two menu items in the Navigate menu will be Go to Offset and Go to Sector.

Go to Offset: The Go to Offset menu opens a dialog allowing specification of an exact location (offset) in the disk to jump to. You can use both decimal and hexadecimal values, preceding hexadecimal values with 0x. For example, to specify location 512 as a hexadecimal number, enter 0x200. There are also options to specify an offset from the beginning from the current
