Home
User Guide - Active@ Undelete For Windows
Contents
1. Disk Image Geometry

On this screen, specify the geometry of the Disk Image you are opening. The dialog offers Accept defaults or Specify Disk Image parameters, and the fields Enable LBA Mode, Number of Cylinders, Number of Tracks per Cylinder, Number of Sectors per Track and Number of Bytes per Sector (the figure shows the defaults 255, 1024, 63 and 512 in that order; note that the usual BIOS CHS maxima are 1024 cylinders and 255 tracks per cylinder, so check which value belongs to which field before applying them).

Important: Disk Image geometry settings apply only to Physical Device disk images.

To use default values, select Use default settings. To set custom values, select Specify custom settings and enter the disk geometry values in the appropriate fields. When all geometry settings are complete, click Next > to continue.

Confirm Disk Image Settings

On this screen, verify the information about the Disk Image you are opening. Click Back to change settings that are not correct, or click Next to open the Disk Image. If the Disk Image opens, the next screen shows a Complete message, and the opened Disk Image appears as a Local Drive or a Local Device, depending on the type of Disk Image, in the appropriate folder of the Active@ UNDELETE Explorer tree.

Active@ UNDELETE Network Edition

Active@ UNDELETE Network Edition allows remote access to a computer to scan drives and devices, search for files and folders, preview deleted files, recover deleted files and folders on the remote machine, and more. The remote computer must be running the client application, Active@ Remote Recovery Agent, for the hos
2. (continuation of the FAT12 boot sector dump from the Hardware Diagnostic File; the first two rows appear under item 8)

0000:0020  00 00 00 00 00 00 29 4A 1F 5B 24 4E 4F 20 4E 41  ......)J.[$NO NA
0000:0030  4D 45 20 20 20 20 46 41 54 31 32 20 20 20 33 C0  ME    FAT12   3.
0000:0040  8E D1 BC F0 7B 8E D9 B8 00 20 8E C0 FC BD 00 7C  ....{.... .....|
0000:0050  38 4E 24 7D 24 8B C1 99 E8 3C 01 72 1C 83 EB 3A  8N$}$....<.r...:
0000:0060  66 A1 1C 7C 26 66 3B 07 26 8A 57 FC 75 06 80 CA  f..|&f;.&.W.u...
0000:0070  02 88 56 02 80 C3 10 73 EB 33 C9 8A 46 10 98 F7  ..V....s.3..F...

Bytes 0x26-0x3D are the extended BPB of a FAT12/FAT16 volume: the extended boot signature 0x29, the volume serial number (4A 1F 5B 24), the 11-byte volume label (NO NAME) and the 8-byte file system type string (FAT12). The bootstrap code begins at 0x3E with 33 C0 (xor ax,ax).

To create a Hardware Diagnostic File, in the command toolbar click Actions > Save PC Info.

Disk Images

A Disk Image is a mirror of your logical drive or physical device, stored in one large file. A Disk Image file is useful when you want to back up the contents of a whole drive and restore it, or work with it, later. Before you start recovering deleted files it is a good idea to create a Disk Image of the entire drive, if you have enough space on another drive. The reason is insurance: if you do something wrong while recovering files (for example, recovering files onto the same drive they came from), you can still recover the deleted files and folders from the Disk Image you created. Active@ UNDELETE provides extensive functionality to recover files from a Disk Image. You can create an image of a logical drive, a device or a partition, and save it as one large file or split it into chunks of the size you prefer for late
3. (two rows of the MFT record 57 dump: the initialized size of the $DATA attribute, followed by its data runs and the end-of-attributes marker FF FF FF FF)

000125C0  00 DC 00 00 00 00 00 00 31 6E EB C4 04 00 00 00
000125D0  FF FF FF FF 82 79 47 11 00 00 00 00 00 00 00 00

Decoding Data Runs

Decode the data runs as follows. The first byte, 0x31, tells how many bytes are used for the run length (low nibble: 0x1) and for the cluster offset (high nibble: 0x3). Take one byte, 0x6E, as the length of the run. Take the next three bytes, EB C4 04, as the start cluster offset; reversing the byte order (the value is little-endian) gives 0x04C4EB = 312,555 as the first cluster of the file. Starting from that cluster we need 0x6E = 110 clusters. The next byte, 0x00, tells us that no more data runs exist: the file is not fragmented and has a single data run. (For a fragmented file, each further run stores a signed offset relative to the start of the previous run, not an absolute cluster number.)

Lastly, check that there is enough information for the size of the file. The cluster size is 512 bytes and there are 110 clusters: 110 x 512 = 56,320 bytes. The file size was defined as 56,320 bytes, so we have enough information to recover the file's clusters.

After the cluster chain is defined, the final task is to read the contents of the clusters and save them to another place, verifying the contents. With a chain of clusters and the standard formulae it is possible to calculate each cluster's offset from the beginning of the drive; the formula depends on the file system. Starting from the calculated offset, copy a volume of data eq
4. NTFS deallocates the sparse regions of a data stream and keeps only the other data allocated. When a program accesses a sparse file, the file system returns the allocated data as actual data and the deallocated data as zeros. NTFS includes full sparse-file support for both compressed and uncompressed files. NTFS handles read operations on sparse files by returning the allocated data together with the sparse (zero) data; it is also possible to ask which ranges of a sparse file are allocated and read just those ranges without retrieving the entire data set, although NTFS returns the entire data set by default. With the sparse-file attribute set, the file system can deallocate data anywhere in the file, and when an application reads a deallocated range it yields zeros for that range instead of storing and returning actual data. File system application programming interfaces (APIs) allow the file to be copied or backed up as actual bits plus sparse stream ranges. The net result is efficient file system storage and access.

Figure 7-8, Windows 2000 data storage: without the sparse-file attribute set, a file made up of ten gigabytes of zeros (sparse data) plus some meaningful data occupies the full ten gigabytes; with the attribute set, only the ten megabytes of meaningful data are allocated.

Important: If you copy or move a sparse file to a FAT volume or to a non-Windows 2000 NTFS volume, the file is built to its originally specified size. If the required space is not available, the o
5. Advanced Search

... letters. By default this check box is cleared, and letters match whether they are entered in upper or lower case.

Search among deleted only: with this check box selected, the search results show only files that are deleted or damaged.

Search among existing only: with this check box selected, the search results show only files that are not deleted.

Search Pattern: use the same type of search pattern you use when searching for files or folders in Windows. An asterisk (*) in a pattern stands for zero or more characters of any kind. Table 3-1 gives some examples.

Table 3-1: Search Pattern Examples
  Pattern       Result of search
  *             All files on the drive or in the folder
  *.txt         All files with the txt extension
  My*           All files whose names start with My
  MyFile.txt    Only files named MyFile.txt

Note: If you search a drive that has never been scanned, the application scans the drive first, before searching.

To use Advanced Search, click the Advanced Search menu button at the right side of the Search Bar. The Search Options / Advanced Settings dialog box opens (Figure 3-6); it has the fields Find what, Look in (the screenshot shows New Volume (K:)), File Type (All Files and Folders), Use Date Criteria, Use Size Criteria and Use Attributes.
6. This folder contains three entries, one of them deleted. The first entry is an existing folder, MyFolder. The second is a deleted file, MyFile.txt. The third is an existing file, Setuplog.txt. The first byte of the deleted file's entry is the 0xE5 marker, so Disk Scanner can assume that this entry has been deleted.

Example of scanning a folder on NTFS5 (Windows 2000)

For our drive we have these input parameters: Total Sectors 610,406; cluster size 512 bytes (one sector per cluster); the MFT starts at offset 0x4000 and is not fragmented; MFT record size 1024 bytes; MFT size 1968 records.

Thus we can iterate through all 1968 MFT records, starting from absolute offset 0x4000 on the volume, looking for deleted entries. We are interested in MFT entry 57, at offset 0x4000 + 57 x 1024 = 74,752 = 0x12400, because it contains our recently deleted file My Presentation.ppt. MFT record number 57 is displayed in a hex dump spanning offsets 0x12400-0x125B0 (only the first two bytes of each row are legible in this copy). An MFT record has a pre-defined structure of fold
7. The second entry is a deleted file called MyFile.txt (a long entry followed by a short entry):

0003EE60  E5 4D 00 79 00 46 00 69 00 6C 00 0F 00 BA 65 00  .M.y.F.i.l....e.
0003EE70  2E 00 74 00 78 00 74 00 00 00 00 00 FF FF FF FF  ..t.x.t.........
0003EE80  E5 59 46 49 4C 45 20 20 54 58 54 20 00 C3 D6 93  .YFILE  TXT ....
0003EE90  56 2B 56 2B 00 00 EE 93 56 2B 03 00 33 B7 01 00  V+V+....V+..3...

The third one is an existing file called Setuplog.txt (short entry only):

0003EEA0  53 45 54 55 50 4C 4F 47 54 58 54 20 18 5C F7 93  SETUPLOGTXT .\..
0003EEB0  56 2B 56 2B 00 00 03 14 47 2B 07 00 8D 33 03 00  V+V+....G+...3..
0003EEC0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0003EED0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

The first byte of the deleted entry for MyFile.txt is the 0xE5 marker, so Disk Scanner can assume that this entry has been deleted.

Scanning an NTFS5 Folder (Windows 2000)

For our drive we have these input parameters: Total Sectors 610,406; cluster size 512 bytes (one sector per cluster); the MFT starts at offset 0x4000 and is not fragmented; MFT record size 1024 bytes; MFT size 1968 records. From this information we can read through all 1968 MFT records, starting from absolute offset 0x4000 on the volume, looking for deleted entries. We are most interested in MFT entry 57, at offset 0x4000 + 57 x 1024 = 74,752 = 0x12400, because it contai
8. Virtual Disk Arrays (RAID); Active@ UNDELETE Wizards

File Preview lets you view the file contents before recovery. To preview a file: with a file selected in Active@ UNDELETE Explorer, open the viewer with one of the following methods: in the command toolbar click View > File; right-click the file and click File Preview in the context menu; or click File Preview in the toolbar. The file contents appear in a separate window. To see the contents of another file, repeat steps 1 and 2.

Hardware Diagnostic File

This utility stores information about the local data storage devices in a single file. The data is saved in human-readable format and can help analyze the computer configuration for defects or point out disk failures. Below is an example of a Hardware Diagnostic File:

Active@ UNDELETE Kernel version 03.10.24
File created 27.10.2003 01:59
Platform WinNT

Device 00h
  Media Type: Floppy Disk
  Serial Number: not detected
  Physical Geometry
    Mode: LBA On
    Cylinders: 80
    Tracks Per Cylinder: 2
    Sectors Per Track: 18
    Total Sectors: 2880
    Bytes Per Sector: 512
    Size: 1.40Mb
  Has MBR: No
  Partitions
    Primary 1 0, Active: Yes
      Offset: 0
      Total Sectors: 2880
      Size: 1.40Mb
      File System: FAT12
      Drive: A:

0000:0000  EB 3C 90 4D 53 44 4F 53 35 2E 30 00 02 01 01 00  .<.MSDOS5.0.....
0000:0010  02 E0 00 40 0B F0 09 00 12 00 02 00 00 00 00 00  ...@............
9. (end of the NTFS boot sector dump: the bootstrap code's error messages and the end-of-sector marker)

00000170  67 20 66 72 6F 6D 20 74 68 65 20 64 69 73 6B 2E  g from the disk.
00000180  0D 0A 00 25 00 41 20 6B 65 72 6E 65 6C 20 66 69  ...%.A kernel fi
00000190  6C 65 20 69 73 20 74 6F 6F 20 64 69 73 63 6F 6E  le is too discon
000001A0  74 69 67 75 6F 75 73 2E 0D 0A 00 33 00 49 6E 73  tiguous....3.Ins
000001B0  65 72 74 20 61 20 73 79 73 74 65 6D 20 64 69 73  ert a system dis
000001C0  6B 65 74 74 65 20 61 6E 64 20 72 65 73 74 61 72  kette and restar
000001D0  74 0D 0A 74 68 65 20 73 79 73 74 65 6D 2E 0D 0A  t..the system...
000001E0  00 17 00 5C 4E 54 4C 44 52 20 69 73 20 63 6F 6D  ...\NTLDR is com
000001F0  70 72 65 73 73 65 64 2E 0D 0A 00 00 00 00 55 AA  pressed.......U.

The printout is formatted in three sections. Bytes 0x00-0x0A are the jump instruction and the OEM ID (shown in bold in the original). Bytes 0x0B-0x53 are the BIOS Parameter Block (BPB) and the extended BPB; this block contains such essential parameters as Bytes Per Sector (WORD, offset 0x0B), Sectors Per Cluster (BYTE, 0x0D), Media Descriptor (BYTE, 0x15), Sectors Per Track (WORD, 0x18), Number of Heads (WORD, 0x1A), Hidden Sectors (DWORD, 0x1C) and Total Sectors (LONGLONG, 0x28). The remaining code is the bootstrap code necessary for a proper system boot, ending with the end-of-sector marker 55 AA (shown in bold in the original). This sector is so im
10. (FAT16 boot sector field table, continued; the third column shows the bytes in on-disk order, so read them little-endian: 201 sectors per FAT, 63 sectors per track, 16 heads, 63 hidden sectors, 0x064251 = 410,193 total sectors)

0x15  BYTE   0xF8         Media Descriptor (continued). A value of 0xF8 indicates a hard disk.
0x16  WORD   0xC900       Sectors per FAT. Number of sectors occupied by each file allocation table on the volume. Using this value together with Number of FATs and Reserved Sectors, you can compute where the root folder begins; using the number of entries in the root folder, you can also compute where the user data area of the volume begins.
0x18  WORD   0x3F00       Sectors per Track. The apparent disk geometry in use when the disk was low-level formatted.
0x1A  WORD   0x1000       Number of Heads. The apparent disk geometry in use when the disk was low-level formatted.
0x1C  DWORD  3F 00 00 00  Hidden Sectors. Same as the Relative Sector field in the partition table.
0x20  DWORD  51 42 06 00  Large Sectors. If the Small Sectors field is zero, this field contains the total number of sectors in the volume; if Small Sectors is nonzero, this field contains zero.
0x24  BYTE   0x80         Physical Disk Number. Related to the BIOS physical disk number: floppy drives are numbered from 0x00 (drive A), physical hard disks from 0x80. The value is typically 0x80 for hard disks regardless of how many physical disks exist, because it matters only if the device is the startup disk.
0x25  BYTE   0x00         Current Head. Not used by the FAT file system.
0x26
11. (FAT32 Drive Parameter Block (DPB) member list, continued from a reserved member marked "Do not use")

dpb_first_access      Indicates whether the medium in the drive has been accessed. Initialized to 1 to force a media check the first time this DPB is used.
dpb_reserved3         Reserved member. Do not use.
dpb_next_free         Cluster number of the most recently allocated cluster.
dpb_free_cnt          Number of free clusters on the medium; 0FFFFh if the number is unknown.
extdpb_free_cnt_hi    High word of the free count.
extdpb_flags          Flags describing the drive. The low 4 bits contain the 0-based number of the active FAT. This member can contain a combination of the following values:
                        BGBPB_F_ActiveFATMsk  (000Fh)  Mask for the low four bits
                        BGBPB_F_NoFATMirror   (0080h)  Do not mirror the active FAT to the inactive FATs
                      Bits 4-6 and 8-15 are reserved.
extdpb_FSInfoSec      Sector number of the file system information (FSINFO) sector; 0FFFFh if there is none. Otherwise the value must be non-zero and less than the reserved sector count.
extdpb_BkUpBootSec    Sector number of the backup boot sector; 0FFFFh if there is none. Otherwise the value must be non-zero and less than the reserved sector count.
extdpb_first_sector   First sector of the first cluster.
extdpb_max_cluster    Number of clusters on the drive plus 1.
extdpb_fat_size
12. FREE DEMO COPY. You may use the full-featured DEMO SOFTWARE without charge on an evaluation basis to recover any files having a size of less than 64Kb. You must pay the license fee and register your copy to recover files bigger than 64Kb in size.

b) REDISTRIBUTION OF DEMO COPY. If you are using the DEMO SOFTWARE on an evaluation basis, you may make copies of the DEMO SOFTWARE as you wish, give exact copies of the original DEMO SOFTWARE to anyone, and distribute the DEMO SOFTWARE in its unmodified form via electronic means (Internet, BBSs, shareware distribution libraries, CD-ROMs, etc.). You may not charge any fee for the copy or use of the evaluation DEMO SOFTWARE itself, but you may charge a distribution fee that is reasonably related to any cost you incur distributing the DEMO SOFTWARE (e.g. packaging). You must not represent in any way that you are selling the software itself. Your distribution of the DEMO SOFTWARE will not entitle you to any compensation from Active Data Recovery Software. You must distribute a copy of this EULA with any copy of the Software, and anyone to whom you distribute the SOFTWARE is subject to this EULA.

c) REGISTERED COPY. After you have purchased the license for the SOFTWARE and have received the registration key and the SOFTWARE distribution package, you are licensed to copy the SOFTWARE only into the memory of the number of computers corresponding to the number of licenses purchased. The primary user of the computer on which each licen
13. Options Dialog Box

You can change many of the settings that affect the behaviour of this application in the Options dialog box. To open it, click View > Options. Table 2-4 describes the options.

Table 2-4: Options
General
  Default Path to Save Recovered Items   The folder where recovered files and folders are saved.
  Default Path to Store Disk Images      The folder where newly created Disk Images are saved.
  Show Scan Modes Dialog                 Enables display of the Select Advanced Scan option dialog.
  Show Wizard Welcome screens            Allow wizard Welcome screens to appear during wizard execution.
  Write Log on disk                      Allow application logs to be written in the program directory.
  Number of read attempts                The system attempts to read damaged areas this many times during scan procedures before moving on.
Application Views
  Show Application Log                   Show or hide the Application Log view.
  Show Property view                     Show or hide the Property view.
  Show Drag'n'Drop Recovery view         Show or hide the Drag'n'Drop Recovery view.
  Show Search view                       Show or hide the Search view.
  Show HEX Editor View                   Show or hide the Disk HEX Editor view.
Remote Connections
  Listening Port Number                  Port number reserved for the TCP connection between Active@ Remote Recovery Agent and Active@ UNDELET
14. ... the $DATA attribute, which describes the data runs. Disassembling the data runs reveals the extents; for each extent there is a start cluster and a number of clusters. By enumerating the extents, the file's cluster chain can be assembled. The cluster chain can be assembled manually with a low-level disk editor, but it is much simpler with a data recovery utility like Active@ UNERASER.

Defining a Cluster Chain in FAT16

In the previous topic we examined a sample set of data with a deleted file named MyFile.txt; this example continues with the same data. The folder we scanned before contains this record for the file:

0003EE60  E5 4D 00 79 00 46 00 69 00 6C 00 0F 00 BA 65 00  .M.y.F.i.l....e.
0003EE70  2E 00 74 00 78 00 74 00 00 00 00 00 FF FF FF FF  ..t.x.t.........
0003EE80  E5 59 46 49 4C 45 20 20 54 58 54 20 00 C3 D6 93  .YFILE  TXT ....
0003EE90  56 2B 56 2B 00 00 EE 93 56 2B 03 00 33 B7 01 00  V+V+....V+..3...

We can calculate the size of the deleted file from the directory entry structure. The last four bytes are 33 B7 01 00; reversing the byte order (the value is little-endian) gives 0x0001B733 = 112,435 bytes. The previous two bytes, 03 00, are the number of the file's first cluster; the same conversion gives 3 as the start cluster of the file. What do we see in the File Allocation Table at this moment?

Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000200  F8 FF FF FF FF FF 00 00 00 00 00 00 00 00 08 00

Each FAT16 entry is two bytes, so cluster 3 is at bytes 6-7 of the table and reads 00 00: deleting the file marked its clusters free. The chain therefore cannot be followed through the FAT and has to be reconstructed from the start cluster and the file size, on the assumption that the file was stored contiguously.
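The directory entries above (they are also shown under item 7) can be decoded mechanically. The following Python is an added example, not part of the Active@ UNDELETE manual or product: it parses the short and long FAT directory entries from the dump, flags the 0xE5 deleted marker, reads the start cluster and size, and goes one step beyond the text by recovering the overwritten first character of the deleted 8.3 name from the checksum that every long-name entry stores at offset 13. The FAT bytes are the ones from the dump at offset 0x200; the 32 KB cluster size used to count clusters is an assumption (it is consistent with Setuplog.txt starting at cluster 7, right after the four clusters MyFile.txt would need).

```python
"""Decode FAT short (8.3) and long (VFAT) directory entries from the folder dump above,
and recover the first byte of a deleted short name from the long-name checksum.
Added example; not code from the Active@ UNDELETE manual."""
import struct

DELETED = 0xE5                               # byte written over the first byte of a deleted entry
ATTR_LFN = 0x0F                              # attribute value that marks a long-name entry
LFN_PIECES = ((1, 10), (14, 12), (28, 4))    # UTF-16LE name fragments inside a long-name entry

# Directory bytes transcribed from the dump at 0x3EE60: long + short entry of the
# deleted MyFile.txt, then the short entry of the existing Setuplog.txt.
FOLDER = bytes.fromhex(
    "E54D007900460069006C000F00BA6500" "2E0074007800740000000000FFFFFFFF"
    "E55946494C4520205458542000C3D693" "562B562B0000EE93562B030033B70100"
    "53455455504C4F4754585420185CF793" "562B562B00000314472B07008D330300"
)
# First 16 bytes of the FAT (volume offset 0x200 in the dump): entries 0..7.
FAT16 = bytes.fromhex("F8FFFFFFFFFF00000000000000000800")
CLUSTER_BYTES = 32768                        # assumption: 32 KB clusters (see lead-in)


def lfn_checksum(name83: bytes) -> int:
    """Checksum of the 11-byte 8.3 name, stored at offset 13 of every long-name entry."""
    s = 0
    for c in name83:
        s = (((s & 1) << 7) + (s >> 1) + c) & 0xFF    # rotate right by one bit, then add
    return s


def recover_first_byte(name83: bytes, checksum: int):
    """Each checksum step is a rotate-then-add, a bijection on a byte, so exactly one first
    byte reproduces the stored checksum; return it if it is printable ASCII, else None."""
    hits = [c for c in range(0x20, 0x7F) if lfn_checksum(bytes([c]) + name83[1:]) == checksum]
    return hits[0] if hits else None


def lfn_text(entry: bytes) -> str:
    raw = b"".join(entry[off:off + ln] for off, ln in LFN_PIECES)
    return raw.decode("utf-16-le").split("\x00", 1)[0]   # 0x0000 terminates, 0xFFFF pads


def parse_folder(data: bytes) -> list:
    entries, pending = [], []                # pending: long-name entries preceding a short entry
    for off in range(0, len(data) - len(data) % 32, 32):
        e = data[off:off + 32]
        if e[0] == 0x00:                     # 0x00 in the first byte: no further entries
            break
        if e[11] == ATTR_LFN:
            pending.append(e)
            continue
        deleted = e[0] == DELETED
        name83 = e[0:11]
        base = name83[:8].decode("latin-1").rstrip()
        ext = name83[8:].decode("latin-1").rstrip()
        rec = {
            "deleted": deleted,
            "short": ("?" if deleted else base[0]) + base[1:] + ("." + ext if ext else ""),
            "long": "".join(lfn_text(p) for p in reversed(pending)) or None,   # stored last piece first
            "attr": e[11],
            # offset 26: first cluster; offset 20: its high word on FAT32 only (zero on this FAT16 dump)
            "first_cluster": struct.unpack_from("<H", e, 26)[0] | (struct.unpack_from("<H", e, 20)[0] << 16),
            "size": struct.unpack_from("<I", e, 28)[0],
            "recovered_first_byte": None,
        }
        if deleted and pending:              # every long-name entry of the file carries the same checksum
            rec["recovered_first_byte"] = recover_first_byte(name83, pending[-1][13])
        entries.append(rec)
        pending = []
    return entries


def fat16_entry(fat: bytes, cluster: int) -> int:
    return struct.unpack_from("<H", fat, cluster * 2)[0]


def deleted_chain(first: int, size: int, fat: bytes, cluster_bytes: int = CLUSTER_BYTES) -> list:
    """Clusters of a deleted file. Its FAT entries were zeroed on deletion, so the chain cannot
    be followed; assume the file was contiguous, and refuse if the start cluster is in use."""
    if fat16_entry(fat, first) != 0x0000:
        raise ValueError("start cluster is allocated to another file: data has probably been overwritten")
    count = -(-size // cluster_bytes)        # ceiling division
    return list(range(first, first + count))


if __name__ == "__main__":
    for rec in parse_folder(FOLDER):
        print(rec)
    print(deleted_chain(3, 112435, FAT16))
```

For the dump above this yields the deleted entry with long name MyFile.txt, start cluster 3, size 112,435 bytes and recovered first byte 'M' (0x4D, checksum 0xBA), and the existing SETUPLOG.TXT at cluster 7, whose FAT entry points on to cluster 8.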
15. ... the master file table (MFT) during startup. On NTFS volumes the MFT is not located in a predefined sector as it is on FAT16 and FAT32 volumes, so the MFT can be moved if there is a bad sector in its normal location. However, if the data is corrupted the MFT cannot be located, and Windows NT/2000 assumes that the volume has not been formatted.

The following example illustrates the boot sector of an NTFS volume formatted while running Windows 2000. The printout is formatted in three sections: bytes 0x00-0x0A are the jump instruction and the OEM ID (bold in the original); bytes 0x0B-0x53 are the BPB and the extended BPB; the remaining code is the bootstrap code and the end-of-sector marker (bold in the original). The ASCII column of this dump is not legible in the source and is omitted; the last two bytes of the volume serial number (0x4E-0x4F) are shown as "..".

Physical Sector: Cyl 0, Side 1, Sector 1

00000000  EB 52 90 4E 54 46 53 20 20 20 20 00 02 08 00 00
00000010  00 00 00 00 00 F8 00 00 3F 00 FF 00 3F 00 00 00
00000020  00 00 00 00 80 00 80 00 4A F5 7F 00 00 00 00 00
00000030  04 00 00 00 00 00 00 00 54 FF 07 00 00 00 00 00
00000040  F6 00 00 00 01 00 00 00 14 A5 1B 74 C9 1B .. ..
00000050  00 00 00 00 FA 33 C0 8E D0 BC 00 7C FB B8 C0 07
00000060  8E D8 E8 16 00 B8 00 0D 8E C0 33 DB C6 06 0E 00
00000070  10 E8 53 00 68 00 0D 68 6A 02 CB 8A 16 24 00 B4
00000080  08 CD 13 73 05 B9 FF FF 8A F1 66

Reading the BPB fields little-endian: 512 bytes per sector (0x0B), 8 sectors per cluster (0x0D), media descriptor 0xF8 (0x15), 63 sectors per track (0x18), 255 heads (0x1A), 63 hidden sectors (0x1C), 0x7FF54A = 8,385,866 total sectors (0x28), $MFT at logical cluster 4 (0x30, i.e. byte offset 0x4000 with 4 KB clusters), $MFTMirr at logical cluster 0x7FF54 (0x38), and clusters per MFT record 0xF6 (0x40), a negative value meaning records of 2^10 = 1024 bytes.
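A boot sector like the two reproduced on this page (the FAT12 floppy sector under item 8 and the NTFS sector above) is the first thing a recovery tool must parse, because the FAT, root folder, data area and $MFT are all located from the BPB. The Python below is an added example, not code from the manual or the product. It reads the BPB fields the text lists, validates the 0x55AA end-of-sector marker, distinguishes FAT12/16/32 from NTFS, and computes the byte offsets of the FAT, root folder and data area (FAT) or of $MFT and $MFTMirr (NTFS), together with the cluster-to-byte formula that differs between the two file systems. The sectors are built from the bytes legible in the dumps; the bootstrap code after them and the last two bytes of the NTFS serial number are zero-filled (constructed), which does not affect any field parsed here.

```python
"""Parse a FAT or NTFS boot sector (BIOS Parameter Block) and derive the offsets a
recovery tool needs. Added example; not code from the Active@ UNDELETE manual."""
import struct


def make_sector(head_hex: str) -> bytes:
    """512-byte sector from the leading bytes of a dump; the remainder (bootstrap code) is
    zero-filled here, which is constructed and does not affect any BPB field."""
    head = bytes.fromhex(head_hex)
    return head + b"\0" * (510 - len(head)) + b"\x55\xAA"


# FAT12 floppy boot sector from the Hardware Diagnostic File (bytes 0x00-0x1F legible).
FAT12_FLOPPY = make_sector("EB3C904D53444F53352E300002010100" "02E000400BF009001200020000000000")
# NTFS boot sector from the Windows 2000 example (bytes 0x00-0x4D legible).
NTFS_VOLUME = make_sector("EB52904E544653202020200002080000" "0000000000F800003F00FF003F000000"
                          "00000000800080004AF57F0000000000" "040000000000000054FF070000000000"
                          "F60000000100000014A51B74C91B")


def parse_boot_sector(sec: bytes) -> dict:
    if len(sec) != 512 or sec[510:512] != b"\x55\xAA":
        raise ValueError("no 0x55AA end-of-sector marker: not a boot sector, or the sector is damaged")
    oem = sec[3:11].decode("latin-1")
    (bps, spc, reserved, fats, root_entries,
     small_sectors) = struct.unpack_from("<HBHBHH", sec, 0x0B)
    media = sec[0x15]
    sectors_per_fat, spt, heads, hidden, large_sectors = struct.unpack_from("<HHHII", sec, 0x16)
    info = dict(oem=oem, bytes_per_sector=bps, sectors_per_cluster=spc, cluster_bytes=bps * spc,
                reserved_sectors=reserved, media=media, sectors_per_track=spt, heads=heads,
                hidden_sectors=hidden)
    if oem.startswith("NTFS"):
        # NTFS leaves the FAT-specific BPB fields zero and extends the BPB with 64-bit values.
        total, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", sec, 0x28)
        clusters_per_record = struct.unpack_from("<b", sec, 0x40)[0]   # negative n means 2**-n bytes
        info.update(fs="NTFS", total_sectors=total,
                    mft_offset=mft_lcn * info["cluster_bytes"],
                    mftmirr_offset=mftmirr_lcn * info["cluster_bytes"],
                    mft_record_bytes=(1 << -clusters_per_record) if clusters_per_record < 0
                    else clusters_per_record * info["cluster_bytes"])
        return info
    if sectors_per_fat == 0:           # FAT32: 32-bit FAT size at 0x24, root folder is a cluster chain
        sectors_per_fat = struct.unpack_from("<I", sec, 0x24)[0]
        info["root_cluster"] = struct.unpack_from("<I", sec, 0x2C)[0]
    total = small_sectors or large_sectors
    root_sector = reserved + fats * sectors_per_fat
    root_sectors = -(-root_entries * 32 // bps)        # 0 on FAT32
    data_sector = root_sector + root_sectors
    data_clusters = (total - data_sector) // spc
    # Microsoft's rule: the FAT type follows from the number of data clusters alone.
    fs = "FAT12" if data_clusters < 4085 else "FAT16" if data_clusters < 65525 else "FAT32"
    info.update(fs=fs, total_sectors=total, fats=fats, sectors_per_fat=sectors_per_fat,
                root_entries=root_entries, fat_offset=reserved * bps,
                root_offset=root_sector * bps, data_offset=data_sector * bps)
    return info


def cluster_offset(info: dict, cluster: int) -> int:
    """Byte offset of a cluster. NTFS numbers clusters from the start of the volume; FAT
    numbers them from 2 at the start of the data area."""
    if info["fs"] == "NTFS":
        return cluster * info["cluster_bytes"]
    return info["data_offset"] + (cluster - 2) * info["cluster_bytes"]


if __name__ == "__main__":
    for sector in (FAT12_FLOPPY, NTFS_VOLUME):
        print(parse_boot_sector(sector))
```

On the floppy sector this gives FAT12 with the FAT at byte 512, the root folder at sector 19 and the data area at sector 33; on the NTFS sector it gives 4 KB clusters, $MFT at byte offset 0x4000 and 1024-byte MFT records, matching the values the text derives by hand.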
16. ... together the parts of the array. To start this wizard, do one of the following: in the command toolbar click Tools > Virtual Disk Arrays; or in the toolbar click RAID. Follow the steps presented by the wizard to complete the Disk Array creation.

Active@ UNDELETE Wizards

For better guidance in the most complex or routine tasks, Active@ UNDELETE provides several wizards: for creating and opening a disk image, and for creating a virtual disk array.

Virtual Disk Array Wizard

The Virtual Disk Array Wizard guides you through assembling the parts of a disk array in order to recover damaged or deleted files or folders. To start this wizard, do one of the following: on the toolbar click RAID; or in the command toolbar click Tools > Virtual Disk Arrays. Follow the wizard steps as prompted to complete the Disk Array creation.

Select Disk Array Type

Figure 4-1, Select Virtual Disk Array Type (Create Virtual Disk Array Wizard). The screen asks "What type of Disk Array do you want to create?" and offers the Volume Types Spanned Virtual Volume, Mirrored (RAID-1) Virtual Volume, Striped (RAID-0) Virtual Volume and RAID-5 Virtual Volume. Description shown for the first: a Spanned Volume is composed of disk space located on several disks; to create a virtual spanned volume you need to add two or more disks to the list in the proper order.

On this screen, click a radio button to select one
17. (tail of the MFT record 57 dump, rows 0x125C0-0x12600; only the first bytes of each row survive in this copy)

An MFT record has a set of attributes defining any file's or folder's parameters. It begins with the standard File Record Header (first bold section in the original, offset 0x00):
  FILE identifier, 4 bytes
  Offset to the update sequence, 2 bytes
  Size of the update sequence, 2 bytes
  $LogFile Sequence Number (LSN), 8 bytes
  Sequence Number, 2 bytes
  Reference (hard link) Count, 2 bytes
  Offset to the first attribute, 2 bytes (the original labels this field "Offset to Update Sequence Array"; that offset is the 2-byte field at 0x04 above)
  Flags, 2 bytes
  Real size of the FILE record, 4 bytes
  Allocated size of the FILE record, 4 bytes
  File reference to the base FILE record, 8 bytes
  Next Attribute Id, 2 bytes

The most important information for us in this block is the file state: deleted or in use. If the low bit of the Flags field (0x0001; the red field in the original) is set, the record is in use; in our example it is zero, so the file is deleted. (Bit 0x0002 marks a directory.)

Starting from 0x48 we have the Standard Information attribute (second bold section):
  File Creation Time, 8 bytes
  File Last Modification Time, 8 bytes
  File Last Modification Time for the File Record, 8 bytes
  File Access Time, 8 bytes
  DOS File Permissions, 4 bytes (0x20 in our case: the Archive attribute)

Following the standard attribute header we have the File Name attribute belonging to the DOS name space (short file names; third bold section, offset 0xA8), and again following the standard
18. (Disk Hex Editor screenshot: rows 0x50-0xA0 of the open item in the binary and text areas; the status bar shows Byte Offset 00000043, Byte Value 00, Editable / Read Only, Edit mode)

Using this editor you can browse through the content of the open item using the scroll bar, the keyboard arrows or the mouse wheel. Click either the binary area or the text area to focus on it. You can also use the Tab key to switch the cursor between hexadecimal and text modes.

Disk Hex Editor Options

Several options are available in the Disk Hex Editor. To access them, click the Options icon in the task bar at the top of the pane. The options are described below.

Show Data Inspector: display or hide the Data Inspector window. When the check box is selected, the Data Inspector appears as a separate window. For more information, see Data Inspector below.

Hexadecimal Offset: switch the display of the current address offset between hexadecimal and decimal format. When the check box is selected, the offset appears in hexadecimal format.

Allo
19. ... offset 0x01DE (478); Partition 4 (empty): offset 0x01EE (494). Each partition table entry is 16 bytes long, giving a maximum of four entries. Each entry has the fields Boot Indicator (BYTE), Starting Head (BYTE), Starting Sector (6 bits), Starting Cylinder (10 bits), System ID (BYTE), Ending Head (BYTE), Ending Sector (6 bits), Ending Cylinder (10 bits), Relative Sector (DWORD) and Total Sectors (DWORD). From these fields the MBR loader learns the location and size of each partition. The MBR loader looks for the active partition, i.e. the partition whose Boot Indicator equals 0x80 (the first one in our case), and passes control to that partition's boot sector for further loading.

Below, a number of situations are simulated that cause a computer to hang while booting or that lead to data loss.

No disk partition has been set to the Active state (Boot Indicator 0x80). To simulate this scenario, remove the Boot Indicator from the first partition, as below (the first entry begins at 0x1BE; its first byte is now 00 instead of 80, followed by the starting head 01):

000001B0  .. .. .. .. .. .. .. .. .. .. .. .. .. .. 00 01
000001C0  01 00 07 FE 7F 3E 3F 00 00 00 40 32 4E 00 00 00

When we try to boot now we see an error message like "Operating System not found". This demonstrates a situation where the loader wants to pass control to the active system but cannot determine which partition is active and contains the system.

A partition has been set to the Active state (Boot Indicator 0x80) but there are no system files on that partition. This situat
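The partition table entry shown above can be decoded and checked programmatically. The Python below is an added example, not part of the manual or the product: it unpacks the four 16-byte entries, expands the packed CHS fields (6-bit sector, 10-bit cylinder), cross-checks the CHS addresses against the Relative Sector and Total Sectors fields, and reports the boot-indicator conditions the text describes. The MBR is constructed from the entry in the dump with its Boot Indicator restored to 0x80 (bootstrap code zero-filled); the second call removes the indicator, as the text does. The 255-head, 63-sector geometry used for the cross-check is the one recorded in the NTFS boot sector on this page and is an assumption for any other disk.

```python
"""Decode an MBR partition table, expand CHS fields, check them against the LBA fields
and diagnose boot-indicator problems. Added example; not code from the manual."""
import struct

TABLE_OFFSET = 0x1BE
SIGNATURE = b"\x55\xAA"
# System IDs from the FAT32 partition-type table on this page, plus 0x07 (NTFS/HPFS).
SYSTEM_IDS = {0x01: "FAT12", 0x04: "FAT16 <32MB", 0x05: "Extended", 0x06: "FAT16",
              0x07: "NTFS/HPFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x0E: "FAT16 (LBA)",
              0x0F: "Extended (LBA)"}

# Entry 1 from the dump at 0x1BE, with the Boot Indicator put back to 0x80.
ENTRY1 = bytes.fromhex("80010100" "07FE7F3E" "3F000000" "40324E00")
MBR = b"\0" * TABLE_OFFSET + ENTRY1 + b"\0" * 48 + SIGNATURE     # constructed; code area zeroed


def unpack_chs(b: bytes) -> tuple:
    """(cylinder, head, sector) from the 3 packed bytes: head; sector in the low 6 bits of the
    second byte with the cylinder's top 2 bits above it; cylinder's low 8 bits in the third."""
    return ((b[1] & 0xC0) << 2) | b[2], b[0], b[1] & 0x3F


def chs_to_lba(chs: tuple, heads: int, spt: int) -> int:
    c, h, s = chs
    return (c * heads + h) * spt + (s - 1)


def parse_mbr(mbr: bytes, heads: int = 255, spt: int = 63) -> list:
    if len(mbr) < 512 or mbr[510:512] != SIGNATURE:
        raise ValueError("MBR signature 0x55AA missing: sector 0 is damaged or not an MBR")
    parts = []
    for i in range(4):
        e = mbr[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        boot, sys_id = e[0], e[4]
        relative, total = struct.unpack_from("<II", e, 8)
        if sys_id == 0 and total == 0:
            parts.append({"index": i + 1, "empty": True})
            continue
        start, end = unpack_chs(e[1:4]), unpack_chs(e[5:8])
        # CHS and LBA must describe the same extent; the end may be clamped to cylinder 1023
        # on disks larger than the CHS limit.
        consistent = (chs_to_lba(start, heads, spt) == relative and
                      (chs_to_lba(end, heads, spt) == relative + total - 1 or end[0] == 1023))
        parts.append({"index": i + 1, "empty": False, "boot_indicator": boot,
                      "active": boot == 0x80, "valid_indicator": boot in (0x00, 0x80),
                      "system_id": sys_id, "type": SYSTEM_IDS.get(sys_id, "0x%02X" % sys_id),
                      "start_chs": start, "end_chs": end, "relative_sector": relative,
                      "total_sectors": total, "boot_sector_offset": relative * 512,
                      "chs_consistent": consistent})
    return parts


def diagnose(parts: list) -> str:
    used = [p for p in parts if not p["empty"]]
    if any(not p["valid_indicator"] for p in used):
        return "invalid boot indicator (not 0x00/0x80): the table is damaged"
    active = [p for p in used if p["active"]]
    if not active:
        return "no active partition: the MBR loader cannot pick a boot sector (Operating System not found)"
    if len(active) > 1:
        return "more than one active partition: the table is damaged"
    p = active[0]
    return "boot from partition %d (%s), boot sector at LBA %d" % (p["index"], p["type"], p["relative_sector"])


if __name__ == "__main__":
    print(diagnose(parse_mbr(MBR)))
    damaged = MBR[:TABLE_OFFSET] + b"\x00" + MBR[TABLE_OFFSET + 1:]   # Boot Indicator removed, as in the text
    print(diagnose(parse_mbr(damaged)))
```

For the entry above this decodes CHS 0/1/1 to 318/254/63, System ID 0x07, relative sector 63 and 5,124,672 sectors; both CHS addresses agree with the LBA fields under the 255/63 geometry, and clearing the Boot Indicator produces the "no active partition" diagnosis.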
20. ... 1.fox, which has a long name of The quick brown fox. The long name is stored in Unicode, so each character of the name uses two bytes in the folder entry. The attribute field of the long-name entries has the value 0x0F; the attribute field of the short-name entry is 0x20.

Figure 7-4, Long File Name Folder Entry Example: the short entry preceded by the 1st long entry and the 2nd (and last) long entry; the unused character slots of the last long entry hold 0x0000 as terminator followed by 0xFFFF padding.

Note: Windows NT/2000/XP and Windows 95/98/ME use the same algorithm to create long and short filenames. On computers that dual-boot these operating systems, files you create when running one of them can be accessed when running the other.

The following topics describe the FAT32 file system: File System Specifications; Boot Sector and Bootstrap Modifications; FAT Mirroring; Partition Types.

File System Specifications

FAT32 is a derivative of the File Allocation Table (FAT) file system that supports drives with over 2GB of storage. Because FAT32 drives can contain more than 65,526 clusters, smaller clusters are used than on large FAT16 drives, which results in more efficient space allocation. The largest possible file on a FAT32 drive is 4GB minus 2 bytes. The FAT32 file system uses four bytes per cluster within the file allocation table. Note that the high 4 bits
21. (rows 0x12570-0x12600 of MFT record 57: the end of the Win32 file name "My Presentation.ppt", the non-resident $DATA attribute starting at 0x12588, and the end-of-attributes marker)

00012570  65 00 6E 00 74 00 61 00 74 00 69 00 6F 00 6E 00  e.n.t.a.t.i.o.n.
00012580  2E 00 70 00 70 00 74 00 80 00 00 00 48 00 00 00  ..p.p.t.....H...
00012590  01 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00  ................
000125A0  6D 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  m.......@.......
000125B0  00 DC 00 00 00 00 00 00 00 DC 00 00 00 00 00 00  ................
000125C0  00 DC 00 00 00 00 00 00 31 6E EB C4 04 00 00 00  ........1n......
000125D0  FF FF FF FF 82 79 47 11 00 00 00 00 00 00 00 00  .....yG.........
000125E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000125F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00  ................
00012600  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

An MFT record has a pre-defined structure: a set of attributes defining any file's or folder's parameters. It begins with the standard File Record Header (first bold section in the original, offset 0x00):
  FILE identifier, 4 bytes
  Offset to the update sequence, 2 bytes
  Size of the update sequence, 2 bytes
  $LogFile Sequence Number (LSN), 8 bytes
  Sequence Number, 2 bytes
  Reference (hard link) Count, 2 bytes
  Offset to the first attribute, 2 bytes (labelled "Offset to Update Sequence Array" in the original; that offset is the 2-byte field at 0x04)
  Flags, 2 bytes
  Real size of the FILE record, 4 bytes
  Allocated size of the FILE record, 4 bytes
  File reference to the base FILE record, 8 bytes
  Next Attribute Id, 2 bytes

The most important information in this block is the file state, either delete
22. (from the table of contents)

The FAT File System ................................... 59
  Structure of a FAT Volume ........................... 59
  File Allocation System .............................. 61
  FAT Root Folder ..................................... 62
  FAT Folder Structure ................................ 62
  FAT32 Features ...................................... 64
The NTFS File System .................................. 73
  NTFS Partition Boot Sector .......................... 74
  NTFS Master File Table (MFT) ........................ 77
  NTFS File Types ..................................... 78
The File Recovery Process ............................. 85
  Disk Scanning for Deleted Entries ................... 86
  Defining the Chain of Clusters ...................... 89
  Recovering the Chain of Clusters .................... 91
The Partition Recovery Process ........................ 93
  System Boot Process ................................. 93
  MBR is Damaged ...................................... 94
  Partition is Deleted or Partition Table is Damaged .. 97
  Partition Boot Sector is Damaged .................... 99
  Missing or Corrupted System Files ................... 101

GETTING STARTED WITH ACTIVE@ UNDELETE

This chapte
23. (end of the previous table row: "... used only in the $Volume system file. Contains the volume label.")

NTFS System Files

NTFS includes several system files, all of which are hidden from view on the NTFS volume. A system file is one used by the file system to store its metadata and to implement the file system. System files are placed on the volume by the Format utility.

Table 7-14: Metadata Stored in the Master File Table
System File            File Name   MFT Record   Purpose of the File
Master file table      $Mft        0            Contains one base file record for each file and folder on an NTFS volume. If the allocation information for a file or folder is too large to fit within a single record, other file records are allocated as well.
Master file table 2    $MftMirr    1            A duplicate image of the first four records of the MFT. This file guarantees access to the MFT in case of a single-sector failure.
Log file               $LogFile    2            Contains a list of transaction steps used for NTFS recoverability. Log file size depends on the volume size and can be as large as 4 MB. It is used by Windows NT/2000 to restore consistency to NTFS after a system failure.
Volume                 $Volume     3            Contains information about the volume, such as the volume label and the volume version.
Attribute definitions  $AttrDef    4            A table of attribute names, numbers and descriptions.
Root f
24. (end of the FAT32 DPB member list)
extdpb_fat_size       Number of sectors occupied by the FAT.
extdpb_root_clus      Cluster number of the first cluster of the root directory.
extdpb_next_free      Number of the cluster that was most recently allocated.

FAT32 Partition Types

The following table lists all valid partition types and their values for use in the Part_FileSystem member of the s_partition structure.

Table 7-9: Partition Type Values
Value                  Description
PART_UNKNOWN   (00h)   Unknown
PART_DOS2_FAT  (01h)   12-bit FAT
PART_DOS3_FAT  (04h)   16-bit FAT; partitions smaller than 32MB
PART_EXTENDED  (05h)   Extended MS-DOS partition
PART_DOS4_FAT  (06h)   16-bit FAT; partitions larger than or equal to 32MB
PART_DOS32     (0Bh)   32-bit FAT; partitions up to 2047GB
PART_DOS32X    (0Ch)   Same as PART_DOS32 (0Bh), but uses Logical Block Address Int 13h extensions
PART_DOSX13    (0Eh)   Same as PART_DOS4_FAT (06h), but uses Logical Block Address Int 13h extensions
PART_DOSX13X   (0Fh)   Same as PART_EXTENDED (05h), but uses Logical Block Address Int 13h extensions

Note: Values for head and track are 0-based; sector values are 1-based.

s_partition

This structure is implemented in Windows OEM Service Release 2 and later.

s_partition STRUC
  Part_BootInd
  Part_FirstHead
  Part_FirstSector
  Part_FirstTrack
  Part_FileSystem
  Part_LastHead
  Part_LastSector
25. and so on. It is easy to switch between logical drives and physical devices in the same tree pane.

File Pane
Explorer Overview 5
The File Pane is used to display the detail elements of the currently selected tree item. In this pane you can sort the displayed list by clicking on a column header. The column by which the list has been sorted will be highlighted.

Tool Views
The Tool Views extend the detail level of selected elements and provide additional tools in the context of your navigation.

Toolbar Commands
The table below describes commands found on the toolbar.
Table 2.1 Toolbar Commands
Command Name | Description
Scan | Default scan of selected item.
Stop Process | Cancel any concurrent process.
Recover | Initiate recovery process for selected item.
RAID | Starts Virtual Disk Array (RAID) wizard.
Save Disk Image | Starts Creation Disk Image Wizard for selected item.
Open Disk Image | Starts Open Disk Image Wizard.
File Preview | Opens File Preview window for selected file.
Help | Opens the online help file.

Command Menu
CHAPTER 2 ACTIVE@ UNDELETE EXPLORER 6
The table below describes commands found in the menus on the command menu bar.
Table 2.2 Command Menu Commands
Command Menu | Item | Description
Action | Scan | Initiate scan process for context item.
Action | Stop | Stop or c
26. attribute header we have the File Name Attribute belonging to the Win32 name space (long file names), third bold section, offset 0x120:
File Reference to the Parent Directory, 8 bytes
File Modification Times, 32 bytes
Allocated Size of the File, 8 bytes
Real Size of the File, 8 bytes
Flags, 8 bytes
Length of File Name, 1 byte
File Name Space, 1 byte
File Name, (Length of File Name × 2) bytes
In our case, from this section we can extract the file name (My Presentation.ppt), the File Creation and Modification times, and the Parent Directory record number.

Defining the Chain of Clusters
The File Recovery Process 89
Starting from offset 0x188 there is a non-resident Data attribute (green section):
Attribute Type, 4 bytes (e.g. 0x80)
Length including header, 4 bytes
Non-resident flag, 1 byte
Name length, 1 byte
Offset to the Name, 2 bytes
Flags, 2 bytes
Attribute Id, 2 bytes
Starting VCN, 8 bytes
Last VCN, 8 bytes
Offset to the Data Runs, 2 bytes
Compression Unit Size, 2 bytes
Padding, 4 bytes
Allocated size of the attribute, 8 bytes
Real size of the attribute, 8 bytes
Initialized data size of the stream, 8 bytes
Data Runs
In this section we are interested in the Compression Unit size (zero in our case means non-compressed), the Allocated and Real size of the attribute, which is equal to our file size (0xDC00 = 56320 bytes), and the Data Runs (see the next topic). To reconstruct a file from a set of clusters we need
27. computer name or computer IP address into the combo box text field and press Enter to connect.
Click Browse to Computer, located on the right side of the neighborhood computers drop-down list. A Browse to Computer dialog box opens.
In the command toolbar, click Actions > Connect to open the Browse to Computer dialog box.
If the remote computer has Active@ Remote Recovery Agent protected with a password, you will be prompted when the connection is established. If the password you enter matches the password defined for Active@ Remote Recovery Agent, the connection will be established. See Active@ Remote Recovery Agent Options for details.

USING ACTIVE@ UNDELETE
This chapter describes how to perform various functions using Active@ UNDELETE.

Outline of UNDELETE Steps
To perform the UNDELETE process on a file or folder, you must scan a drive or folder to discover deleted entries, as listed in the Root Folder, File Allocation Table, or Master File Table (NT File System). Once a deleted entry has been found, a chain of file clusters is defined for recovery, and then the contents of these clusters is written to the newly created file.
Although different file systems maintain their own specific logical data structures, basically each file system follows these rules:
A list or catalog of file entries and deleted files is kept. This list can be scanned for entries marked as deleted.
For each catalog entry, a list of data cluster add
28. drive's properties in as many combinations and as many times as you want while in this virtual drive.

Saving a Device's Drive Info
After scanning a device for deleted or damaged partitions, or after manually editing a device's existing Local Drives, all device drive information can be stored into a file and loaded back at any time.
CHAPTER 3 USING ACTIVE@ UNDELETE 34
To save a device's drive info, select the desired device and do one of the following:
In the command toolbar, click Edit > Save Drive Info.
Right-click a device with virtual or detected drive items, then click Save Drive Info from the context menu.
Later you can open a previously saved device drive information file. To do so, select the desired device and do one of the following:
In the command toolbar, click Edit > Load Drive Info.
Right-click the device item, then click Load Drive Info from the context menu.

Virtual Disk Arrays
There are many reasons for a RAID system to fail: RAID controller failures, software RAID emulator errors, etc. Active@ UNDELETE provides an easy way to manage array disks together and make damaged or deleted data accessible. You can combine disks that were previously used as part of a RAID system into a temporary virtual Disk Array. With this configuration you are able to do all drive UNDELETE manipulations as if it were a regular drive. The Virtual Disk Array Wizard will guide you through the process of assembling
29. emulate the functions of a real Local Drive or partition to gain access to data on your hard drive.
To create a Virtual Drive, select the desired device in which you want to create the Virtual Drive and then do one of the following:
In the command menu, click Edit > Add Virtual Drive.
Right-click the device item, then click Add Virtual Drive from the context menu.
The Create New Virtual Drive Info dialog box appears.
Figure 3.12 Create New Virtual Drive Info (dialog for Hard Disk Drive 80h: File system FAT32, First sector 63, Total sectors 4558315)
Use the descriptions below to help you configure the Virtual Drive:
File system: Select a file system from the drop-down list.
First sector: Enter the number of the first sector of the Virtual Drive.
Total sectors: This is the number of sectors that will be in the newly created Virtual Drive.
When configuration is complete, click OK to create the Virtual Drive or Cancel to exit the dialog box. If creation is successful, the new Virtual Drive appears under the selected device and can be scanned for files and folders the same as a normal Local Drive. You can also modify the properties of this Virtual Drive or even delete it from the device tree.

Modifying the Properties of an Existing Drive
Other Active@ UNDELETE Tools 33
Sometimes a local drive's properties become corrupted. As a result, all data on this drive becomes inaccessi
30. file association, but not multiple files (program source file, doc file, object file, executable file).
To create an alternate data stream at the command prompt, you can type commands such as:
The NTFS File System 81
echo text > program:source_file
more < program:source_file
Important: When you copy an NTFS file to a FAT volume, such as a floppy disk, data streams and other attributes not supported by FAT are lost.

NTFS Compressed Files
Windows NT/2000 supports compression on individual files, folders, and entire NTFS volumes. Files compressed on an NTFS volume can be read and written by any Windows-based application without first being decompressed by another program. Decompression occurs automatically when the file is read. The file is compressed again when it is closed or saved. Compressed files and folders have an attribute of C when viewed in Windows Explorer.
Only NTFS can read the compressed form of the data. When an application such as Microsoft Word or an operating system command such as copy requests access to the file, the compression filter driver decompresses the file before making it available. For example, if you copy a compressed file from another Windows NT/2000-based computer to a compressed folder on your hard disk, the file is decompressed when read, copied, and then recompressed when saved.
This compression algorithm is similar to that used by the Windows 98 application DriveSpace 3, with one important
31. hard drive out of the computer and plug it into another computer where data recovery software has already been installed, or use recovery software that does not require installation, for example recovery software which is capable of running from a bootable floppy.
CHAPTER 7 DATA RECOVERY CONCEPTS 86
Disk Scanning for Deleted Entries
2. DO NOT TRY TO SAVE ONTO THE SAME DRIVE THE DATA THAT YOU FOUND AND ARE TRYING TO RECOVER. When saving recovered data onto the same drive where the sensitive data is located, you can interfere with the recovery process by overwriting the FAT/MFT records for this and other deleted entries. It is better to save data onto another logical, removable, network, or floppy drive.
Disk Scanning is a process of low-level enumeration of all entries in the Root Folders (on FAT12, FAT16, FAT32) or in the Master File Table (MFT) on NTFS/NTFS5. The goal is to find and display deleted entries. In spite of the different file/folder entry structure of the different file systems, all of them contain basic file attributes like name, size, creation and modification date/time, file attributes, existing/deleted status, etc.
Given that a drive contains a root file table, and that any file table (MFT, root folder of the drive, regular folder, or even a deleted folder) has a location, a size, and a predefined structure, we can scan it from the beginning to the end, checking each entry for whether it is deleted or not, and then display information for all found deleted entries. No
32. is enough information: the size of the file. Cluster size is 512 bytes. There are 110 clusters: 110 × 512 = 56,320 bytes. Our file size was defined as 56,320 bytes, so we have enough information now to recover the file clusters.
After the cluster chain is defined, the final task is to read and save the contents of the defined clusters to another place, verifying their contents. With a chain of clusters and standard formulae, it is possible to calculate each cluster's offset from the beginning of the drive. Formulae for calculating the cluster offset vary depending on the file system. Starting from the calculated offset, copy a volume of data equal to the size of the chain of clusters into a newly created file.
Overview 55
To calculate the cluster offset in a FAT drive we need to know:
Boot sector size
Number of FAT supported copies
Size of one copy of FAT
Size of main root folder
Number of sectors per cluster
Number of bytes per sector
NTFS format defines a linear space, and calculating the cluster offset is simply a matter of multiplying the cluster number by the cluster size.

Recovering Cluster Chain in FAT16
This section continues the examination of the deleted file MyFile.txt from previous topics. By now we have a chain of clusters numbered 3, 4, 5 and 6 identified for recovering. Our cluster consists of 64 sectors, sector size is 512 bytes, so cluster size is 64 × 512 = 32,768 bytes (32 KB). The first data sector is 535: we have 1 boot secto
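The cluster offset calculation and the chain-gathering rule for a deleted FAT16 file, as an added example (not code from the Active@ UNDELETE guide). The figures reused from the page are the chain 3, 4, 5, 6, 64 sectors per cluster, 512-byte sectors and first data sector 535; the split of 535 into 1 reserved (boot) sector + 2 FAT copies of 251 sectors + 32 root-folder sectors is an assumption chosen to reproduce that figure, and the disk image and payload are constructed.

```python
import struct
from dataclasses import dataclass

FAT16_BAD = 0xFFF7        # bad cluster marker (FAT value table on this page)
FAT16_EOC_MIN = 0xFFF8    # 0xFFF8..0xFFFF: last cluster in a file


@dataclass
class Fat16Geometry:
    bytes_per_sector: int
    sectors_per_cluster: int
    reserved_sectors: int   # "boot sector size"
    fat_copies: int         # "number of FAT supported copies"
    sectors_per_fat: int    # "size of one copy of FAT"
    root_entries: int       # "size of main root folder", 32 bytes per entry

    @property
    def root_dir_sectors(self) -> int:
        return (self.root_entries * 32 + self.bytes_per_sector - 1) // self.bytes_per_sector

    @property
    def first_data_sector(self) -> int:
        return self.reserved_sectors + self.fat_copies * self.sectors_per_fat + self.root_dir_sectors

    @property
    def cluster_size(self) -> int:
        return self.sectors_per_cluster * self.bytes_per_sector

    def fat_offset(self, copy: int = 0) -> int:
        return (self.reserved_sectors + copy * self.sectors_per_fat) * self.bytes_per_sector

    def cluster_offset(self, cluster: int) -> int:
        # The data area starts with cluster 2, so cluster N lies (N-2) clusters into it.
        if cluster < 2:
            raise ValueError("clusters 0 and 1 are reserved")
        sector = self.first_data_sector + (cluster - 2) * self.sectors_per_cluster
        return sector * self.bytes_per_sector


def fat_entry(image: bytes, geo: Fat16Geometry, cluster: int) -> int:
    return struct.unpack_from("<H", image, geo.fat_offset() + cluster * 2)[0]


def chain_from_fat(image: bytes, geo: Fat16Geometry, first: int) -> list:
    """Existing file: follow the next-cluster links until an end-of-chain value."""
    chain, cur = [], first
    while cur not in chain:
        chain.append(cur)
        nxt = fat_entry(image, geo, cur)
        if nxt >= FAT16_EOC_MIN:
            return chain
        if nxt < 2 or nxt == FAT16_BAD:
            raise ValueError(f"broken chain at cluster {cur}: FAT entry 0x{nxt:04X}")
        cur = nxt
    raise ValueError("FAT chain loops")


def chain_for_deleted(image: bytes, geo: Fat16Geometry, first: int, size: int) -> list:
    """Deleted file: its FAT entries were zeroed, so (as the text describes) take free
    clusters (0x0000) from the first cluster onward, skipping occupied ones, until
    the chain covers the file size."""
    needed = -(-size // geo.cluster_size)   # ceiling division
    data_bytes = len(image) - geo.first_data_sector * geo.bytes_per_sector
    last_cluster = 2 + data_bytes // geo.cluster_size - 1
    chain, cur = [], first
    while len(chain) < needed:
        if cur > last_cluster:
            raise ValueError("ran off the end of the volume before covering the file size")
        if fat_entry(image, geo, cur) == 0:
            chain.append(cur)
        cur += 1
    return chain


def read_chain(image: bytes, geo: Fat16Geometry, chain: list, size: int) -> bytes:
    out = bytearray()
    for c in chain:
        off = geo.cluster_offset(c)
        out += image[off:off + geo.cluster_size]
    return bytes(out[:size])   # the last cluster is only partly used


# --- constructed sample volume (geometry chosen to give first data sector 535) ---
PAGE_GEOMETRY = Fat16Geometry(512, 64, 1, 2, 251, 512)


def build_sample_image(geo: Fat16Geometry, payload: bytes, chain: list, in_use=(2,)) -> bytes:
    """Six data clusters (2..7). 'in_use' clusters get an EOC entry; the payload is
    written into 'chain' while its FAT entries stay 0, as for a deleted file."""
    image = bytearray(geo.first_data_sector * geo.bytes_per_sector + 6 * geo.cluster_size)
    image[0:3], image[510:512] = b"\xEB\x3C\x90", b"\x55\xAA"
    for copy in range(geo.fat_copies):
        base = geo.fat_offset(copy)
        struct.pack_into("<HH", image, base, 0xFFF8, 0xFFFF)   # media descriptor / reserved
        for c in in_use:
            struct.pack_into("<H", image, base + c * 2, 0xFFFF)
    for i, c in enumerate(chain):
        off = geo.cluster_offset(c)
        piece = payload[i * geo.cluster_size:(i + 1) * geo.cluster_size]
        image[off:off + len(piece)] = piece
    return bytes(image)


PAYLOAD = (b"MyFile.txt sample content line\n" * 4000)[:100_000]   # constructed
SAMPLE_IMAGE = build_sample_image(PAGE_GEOMETRY, PAYLOAD, [3, 4, 5, 6])


def recover_sample() -> bytes:
    chain = chain_for_deleted(SAMPLE_IMAGE, PAGE_GEOMETRY, 3, len(PAYLOAD))
    return read_chain(SAMPLE_IMAGE, PAGE_GEOMETRY, chain, len(PAYLOAD))
```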
33. listed in the table below.
Table 6.1 Common File Attributes
FAT12 / FAT16 / FAT32 | NTFS / NTFS5
Root File Allocation Table | Master File Table
Table Location | Table Location
File Size | File Size
Table Structure | Table Structure
File Name | File Name
Date/Time Created | Date/Time Created
Attributes | Attributes
Existing/Deleted Status | Existing/Deleted Status
Given that any file table, folder, or file has a location, size, and predefined structure, it is possible to scan data on the drive from the beginning to the end, reading the actual data, not only the record kept in the file table. That information can be displayed and assessed.
NOTE: Deleted entries are marked differently depending on the file system. For example, in FAT any deleted entry (file or folder) is marked with the ASCII symbol 229 (0xE5) as the first symbol of the entry file name. On NTFS, a deleted entry has a special attribute in the file header that points to whether the file has been deleted or not.

Scanning a FAT16 Folder
In this example the folder contains 3 entries, one of which is deleted.
1. The first entry is an existing folder called MyFolder (long entry and short entry):
0003EE20  41 4D 00 79 00 46 00 6F 00 6C 00 0F 00 09 64 00  AM.y.F.o.l...d.
0003EE30  65 00 72 00 00 00 FF FF FF FF 00 00 FF FF FF FF  e.r.............
0003EE40  4D 59 46 4F 4C 44 45 52 20 20 20 10 00 4A C4 93  MYFOLDER   ..J..
0003EE50  56 2B 56 2B 00 00 C5 93 56 2B 02 00 00 00 00 00  V+V+....V+......
34. of the 32-bit values in the FAT32 file allocation table are reserved and are not part of the cluster number.

Boot Sector and Bootstrap Modifications
Table 7.4 Modifications to Boot Sector
Modification | Description
Reserved Sectors | FAT32 drives contain more reserved sectors than FAT16 or FAT12 drives. The number of reserved sectors is usually 32, but can vary.
Boot Sector Modifications | Because a FAT32 BIOS Parameter Block (BPB), represented by the BPB structure, is larger than a standard BPB, the boot record on FAT32 drives is greater than 1 sector. In addition, there is a sector in the reserved area on FAT32 drives that contains values for the count of free clusters and the cluster number of the most recently allocated cluster. These values are members of the BIGFATBOOTFSINFO structure, which is contained within this sector. These additional fields allow the system to initialize the values without having to read the entire file allocation table.
Root Directory | The root directory on a FAT32 drive is not stored in a fixed location as it is on FAT16 and FAT12 drives. On FAT32 drives, the root directory is an ordinary cluster chain. The A_BF_BPB_RootDirStrtClus member in the BPB structure contains the number of the first cluster in the root directory. This allows the root directory to grow as needed. In addition, the BPB_RootEntries member of BPB is ignored on a FAT32 drive.
Sectors Per FAT | The A_BF_BPB_SectorsPerFAT member of BPB
35. of the disk array types. A description of each type appears as you select it. After selecting the appropriate type of array, click Next > to continue.
CHAPTER 4 ACTIVE@ UNDELETE WIZARDS 36
2. Compose Disk Array from available disks.
Figure 4.2 Select Disks (Create Virtual Disk Array Wizard: "You can select the disks that will compose the Virtual Disk Array"; All available disks list with Hard Disk Drive 80h, 81h, 82h; Selected disks list; buttons Add >, < Remove, < Remove All, Move Up, Move Down)
In this screen, select the local disks that will be a part of the disk array and put them in sequence.
To add one of the available disks as part of the disk array, do one of the following:
Select one of the disks in the All available disks list and click Add. The disk moves to the Selected disks list.
Double-click one of the disks in the All available disks list and it moves to the Selected disks list.
To remove any of the selected disks:
Select one of the disks in the Selected disks list and click Remove. The disk moves back to the All available disks list.
Double-click one of the disks in the Selected disks list and it moves back to the All available disks list.
To clear the Selected disks list, click Remove All.
To change the order of drives in the Selected disks list, select one of the disks and click Up or Down. The selected disk moves in the d
36. to define a chain of clusters. Here are the steps:
Scan the drive to locate and identify data.
One by one, go through each file cluster (NTFS) or each free cluster (FAT) that we presume belongs to the file.
Continue chaining the clusters until the size of the cumulative total of clusters approximately equals the total size of the deleted file. If the file is fragmented, the chain of clusters will be composed of several extents (NTFS), or select probable contiguous clusters and bypass occupied clusters that appear to have random data (FAT).
The location of these clusters can vary depending on the file system. For example, a file deleted in a FAT volume has its first cluster in the Root entry; the other clusters can be found in the File Allocation Table. In NTFS, each file has a $DATA attribute that describes data runs. Disassembling data runs reveals extents. For each extent there is a start cluster offset and a number of clusters in the extent. By enumerating the extents, the file's cluster chain can be assembled.
The cluster chain can be assembled manually using low-level disk editors; however, it is much simpler using a data recovery utility like Active@ UNERASER.
CHAPTER 7 DATA RECOVERY CONCEPTS 90

Defining a Cluster Chain in FAT16
In the previous topic we were examining a sample set of data with a deleted file named MyFile.txt. This example will continue with the same theme. The folder we scanned before contains a record for this fi
37. 00 00 00 00 00 00 00 00 00 ...
When we try to boot now, we see the "Operating System not found" error message.
When encountering this message on system boot, run Disk Viewer and check the first physical sector on the hard drive to see whether it looks like a valid MBR or not. Here are things to check:
See if it is filled up with zeros or any other single character.
Check whether error messages like the ones you can see above ("Invalid partition table") are present or not.
Check whether the disk signature 0x55AA is present.
The simplest way to repair or re-create the MBR is to run Microsoft's standard utility called FDISK with the parameter /MBR. The command looks like the sample below:
A:\>FDISK.EXE /MBR
FDISK is a standard utility included in MS-DOS and Windows 95/98/ME. If you have Windows NT/2000/XP, you can boot from the startup floppy disks or CD-ROM, choose the Repair option during setup, and run the Recovery Console. When you are logged on, you can run the FIXMBR command to repair the MBR.
Another alternative is to use a third-party MBR recovery utility or, if you've created an MBR backup, repair the damaged MBR by restoring the backup. Active@ Partition Recovery has such capabilities.

Recovering Data if the First Sector is Bad or Unreadable
In the Blank Screen simulation above, we simulated the destroyed first sector scenario. When you try to read the first sector using Disk Viewer/Editor, you should get an error me
38. 000000 | Clusters Per File Record Segment
0x44 | DWORD | 0x01000000 | Clusters Per Index Block
0x48 | LONGLONG | 0x14A51B74C91B741C | Volume Serial Number
0x50 | DWORD | 0x00000000 | Checksum

Protecting the Boot Sector
Because a normally functioning system relies on the boot sector to access a volume, it is highly recommended that you run disk scanning tools such as Chkdsk regularly, as well as back up all of your data files, to protect against data loss if you lose access to a volume.

NTFS Master File Table (MFT)
The NTFS File System 77
Each file on an NTFS volume is represented by a record in a special file called the master file table (MFT). NTFS reserves the first 16 records of the table for special information. The first record of this table describes the master file table itself, followed by a MFT mirror record. If the first MFT record is corrupted, NTFS reads the second record to find the MFT mirror file, whose first record is identical to the first record of the MFT. The locations of the data segments for both the MFT and the MFT mirror file are recorded in the boot sector. A duplicate of the boot sector is located at the logical center of the disk.
The third record of the MFT is the log file, used for file recovery. The log file is discussed in detail later in this chapter. The seventeenth and following records of the master file table are for each file and directory (also viewed as a file by NTFS) on the volume. Figure provides a simplified illust
39. 000001B0  6E 67 00 0D 0A 4E 54 4C 44 52 20 69 73 20 63 6F  ng..NTLDR is co
CHAPTER 7 DATA RECOVERY CONCEPTS 76
000001C0  6D 70 72 65 73 73 65 64 00 0D 0A 50 72 65 73 73  mpressed...Press
000001D0  20 43 74 72 6C 2B 41 6C 74 2B 44 65 6C 20 74 6F   Ctrl+Alt+Del to
000001E0  20 72 65 73 74 61 72 74 0D 0A 00 00 00 00 00 00   restart........
000001F0  00 00 00 00 00 00 00 00 83 A0 B3 C9 00 00 55 AA  ..............U.
The following table describes the fields in the BPB and the extended BPB on NTFS volumes. The fields starting at 0x0B, 0x0D, 0x15, 0x18, 0x1A, and 0x1C match those on FAT16 and FAT32 volumes. The sample values correspond to the data in this example.
Table 7.12 BPB Fields on NTFS
Byte Offset | Field Length | Sample Value | Field Name
0x0B | WORD | 0x0002 | Bytes Per Sector
0x0D | BYTE | 0x08 | Sectors Per Cluster
0x0E | WORD | 0x0000 | Reserved Sectors
0x10 | 3 BYTES | 0x000000 | always 0
0x13 | WORD | 0x0000 | not used by NTFS
0x15 | BYTE | 0xF8 | Media Descriptor
0x16 | WORD | 0x0000 | always 0
0x18 | WORD | 0x3F00 | Sectors Per Track
0x1A | WORD | 0xFF00 | Number Of Heads
0x1C | DWORD | 0x3F000000 | Hidden Sectors
0x20 | DWORD | 0x00000000 | not used by NTFS
0x24 | DWORD | 0x80008000 | not used by NTFS
0x28 | LONGLONG | 0x4AF57F0000000000 | Total Sectors
0x30 | LONGLONG | 0x0400000000000000 | Logical Cluster Number for the file $MFT
0x38 | LONGLONG | 0x54FF070000000000 | Logical Cluster Number for the file $MFTMirr
0x40 | DWORD | 0xF6
40. 0000001E0  41 65 0F FE BF 4A 25 83 57 00 66 61 38 00 00 00  Ae..J%.W.fa8...
0000001F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA  ..............U.
If we try to boot now, the MBR loader will try to read and interpret zeros or other garbage as partition parameters. The error message will read "Missing Operating System". Thus the second step in partition recovery is to run Disk Viewer and make sure that the proper partition exists in the partition table and has been set as active.

Can Recovery Software Help in the Above Scenarios?
Recovery Software can help in the following ways:
1. Discover and suggest you to choose the partition to be active (even FDISK does so).
2. Discover and suggest you to choose the partition to be active.
3. Perform a free disk space scan to look for a partition boot sector or remnants of the deleted partition information, in order to try to reconstruct the Partition Table entry for the deleted partition.
4. Perform an all disk space scan to look for a partition boot sector or remnants of the damaged partition information, in order to try to reconstruct the Partition Table entry for the damaged partition entry.

Why is the Partition Boot Sector so Important?
If recovery software finds it, all necessary parameters to reconstruct the partition entry in the Partition Table are there (see the Partition Boot Sector topic for details).

What if a Partition Entry was Deleted, Then Recreated and Re-formatted?
In this case, instead of the
41. (Local Device tree residue: Span 80h, Stripe 80h, Primary NTFS, STRIPED)
Note: When local drive items are found in the Local Device tree, all Active@ UNDELETE features apply (for example Scan, Search, Recovery, etc.) the same as they apply to drive items in the Local Drives Tree.

Searching for Deleted Files and Folders
After a scan is complete, search for files and folders using the Search Bar located at the top of Explorer's File View.
Figure 3.5 Search Bar (Look for: "Type your search here"; Options; Search in: System disk (C:); Advanced Search)
Simple Search
To conduct a simple search, follow these steps:
1. In the Look for text field, enter search criteria. This can be a full file or folder name, a partial name, or a search pattern.
2. Click Search in to initiate the search process.
3. Results of the search appear below in the Search Results view.
To change searching options, click the Options drop-down menu button in the Search Bar. The descriptions below will help you to change options:
Recursive search: With this check box selected, the search covers the root level of the drive and all sub-folders. This is the default setting. Clear this check box to search only the root level of the drive.
Case sensitive search: With this check box selected, search results match the search criteria where file names have both upper case and lower case.
CHAPTER 3 USING ACTIVE@ UNDELETE 22
42. 0000000D0 (partial)  ..4 E4 33 C0 CD 13 EB B8 00 00 00 00 00 00
0000000E0  56 33 F6 56 56 52 50 06 53 51 BE 10 00 56 8B F4
0000000F0  50 52 B8 00 42 8A 56 24 CD 13 5A 58 8D 64 10 72
000000100  0A 40 75 01 42 80 C7 02 E2 F7 F8 5E C3 EB 74 49  ...............I
000000110  6E 76 61 6C 69 64 20 70 61 72 74 69 74 69 6F 6E  nvalid partition
000000120  20 74 61 62 6C 65 00 45 72 72 6F 72 20 6C 6F 61   table.Error loa
000000130  64 69 6E 67 20 6F 70 65 72 61 74 69 6E 67 20 73  ding operating s
000000140  79 73 74 65 6D 00 4D 69 73 73 69 6E 67 20 6F 70  ystem.Missing op
000000150  65 72 61 74 69 6E 67 20 73 79 73 74 65 6D 00 00  erating system..
000000160  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000170  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000180  00 00 00 8B FC 1E 57 8B F5 CB 00 00 00 00 00 00  ......W.........
000000190  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000001A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000001B0  00 00 00 00 00 00 00 00 A6 34 1F BA 00 00 80 01  ........4......
0000001C0  01 00 07 FE 7F 3E 3F 00 00 00 40 32 4E 00 00 00  .....>?...@2N...
0000001D0  41 3F 06 FE 7F 64 7F 32 4E 00 A6 50 09 00 00 00  A?...d.2N..P....
0000001E0  41 65 0F FE BF 4A 25 83 57 00 66 61 38 00 00 00  Ae..J%.W.fa8...
0000001F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA  ..............U.
To simulate what will happen if the first sector has been damaged by a
44. 87 clusters.
FAT16 | 2 | Between 4,087 and 65,526 clusters, inclusive
FAT32 | 4 | Between 65,526 and 268,435,456 clusters, inclusive
For more detailed information, see the resource kits on Microsoft's web site (http://www.microsoft.com/windows/reskits/webresources/default.asp) or the Microsoft Developers Network (MSDN) (http://msdn.microsoft.com).
CHAPTER 7 DATA RECOVERY CONCEPTS 60

FAT Partition Boot Sector
The Partition Boot Sector contains information that the file system uses to access the volume. On x86-based computers, the Master Boot Record uses the Partition Boot Sector on the system partition to load the operating system kernel files.
Table 7.2 describes the fields in the Partition Boot Sector for a volume formatted with the FAT file system.
Table 7.2 Fields in Partition Boot Sector (FAT File System)
Byte Offset (hex) | Field Length | Sample Value | Description
00 | 3 bytes | EB 3C 90 | Jump instruction
03 | 8 bytes | MSDOS5.0 | OEM Name in text
0B | 25 bytes | | BIOS Parameter Block
24 | 26 bytes | | Extended BIOS Parameter Block
3E | 448 bytes | | Bootstrap code
1FE | 2 bytes | 0x55AA | End of sector marker
Table 7.3 describes the BIOS Parameter Block and Extended BIOS Parameter Block fields.
Table 7.3 BIOS Parameter Block and Extended BIOS Parameter Block Fields
Byte Offset | Field Length | Sample Value | Description
0x0B | WORD | 0x0002 | Bytes per Sector. The size of a hardware sector. For most disks in use in the United States, the value of this fie
45. Active@ UNDELETE. ULTIMATE DATA RECOVERY SOLUTIONS. User Guide, Version Number 5.1.
Active@ UNDELETE v 5.1 END-USER LICENSE AGREEMENT
Copyright (c) 1998-2004 Active Data Recovery Software. All rights reserved.
IMPORTANT: READ CAREFULLY. This End-User License Agreement (EULA) is a legal agreement between you (either an individual or a single entity) and Active Data Recovery Software for the Active@ UNDELETE, later referred to as SOFTWARE. By installing, copying, or otherwise using the SOFTWARE, you agree to be bound by the terms of this EULA. If you do not agree to the terms of this EULA, do not install or use the SOFTWARE.
WE REQUIRE ALL OUR DEALERS TO PROVIDE EACH PURCHASER WITH A FREE DEMO OF THE SOFTWARE TO GET A FULL UNDERSTANDING OF THE CAPABILITIES AND THE EASE OF USE OF THE SOFTWARE. OUR DEALERS HAD TO RECOMMEND YOU TO DOWNLOAD THE DEMO. WE WON'T ISSUE ANY REFUNDS AFTER PURCHASING THE FULL VERSION OF THE SOFTWARE.
Active Data Recovery Software may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. The furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
SOFTWARE LICENSE
1. The SOFTWARE is licensed, not sold. Copyright laws and international copyright treaties, as well as other intellectual property laws and treaties, protect the SOFTWARE.
2. GRANT OF LICENSE. (a
46. BYTE | 0x29 | Signature. Must be either 0x28 or 0x29 in order to be recognized by Windows NT.
0x27 | 4 bytes | CE 13 46 30 | Volume Serial Number. A unique number that is created when you format the volume.
0x2B | 11 bytes | NO NAME | Volume Label. This field was used to store the volume label, but the volume label is now stored as a special file in the root directory.
0x36 | 8 bytes | FAT16 | System ID. Either FAT12 or FAT16, depending on the format of the disk.
For more detailed information, see the resource kits on Microsoft's web site (http://www.microsoft.com/windows/reskits/webresources/default.asp) or the Microsoft Developers Network (MSDN) (http://msdn.microsoft.com).

The FAT file allocation system is named for its method of organization, the file allocation table, which resides at the beginning of the volume. To protect the volume, two copies of the table are kept in case one becomes damaged. In addition, the file allocation tables must be stored in a fixed location so that the files needed to start the system can be correctly located.
The file allocation table contains the following types of information about each cluster on the volume (see the example below for FAT16):
CHAPTER 7 DATA RECOVERY CONCEPTS 62
Unused | 0x0000
Cluster in use by a file |
Bad cluster | 0xFFF7
Last cluster in a file | 0xFFF8 - 0xFFFF

FAT Root Folder
FAT Folder Structure
There is no organization to the FAT folder structure, and files are given
47. Offset    0 1 2 3 4 5 6 7 8 9 A B C D E F
0989D620  D0 CF 11 E0 A1 B1 1A E1 00 00 00 00 00 00 00 00
0989D630  00 00 00 00 00 00 00 00 3E 00 03 00 FE FF 09 00
0989D640  06 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00
0989D650  69 00 00 00 00 00 00 00 00 10 00 00 6B 00 00 00
0989D660  01 00 00 00 FE FF FF FF 00 00 00 00 6A 00 00 00
0989D670  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
In the above data, data recovery is complete when data has been read from this point through 110 clusters (56320 bytes). This data is copied to another location.

DATA RECOVERY CONCEPTS
This chapter describes some basic concepts that might help when unerasing data.

Hard Disk Drive Basics
Making Tracks
A hard disk is a sealed unit containing a number of platters in a stack. Hard disks may be mounted in a horizontal or a vertical position. In this description, the hard drive is mounted horizontally. Electromagnetic read/write heads are positioned above and below each platter. As the platters spin, the drive heads move in toward the center surface and out toward the edge. In this way, the drive heads can reach the entire surface of each platter.
On a hard disk, data is stored in thin, concentric bands. A drive head, while in one position, can read or write a circular ring, or band, called a track. There can be more than a thousand tracks on a 3.5-inch hard disk. Sections within each track are called sector
48. RPC Port Number: Port number reserved for call-backs between Active@ Remote Recovery Agent and Active@ UNDELETE.
CHAPTER 2 ACTIVE@ UNDELETE EXPLORER 14

Symbols and Icons Used in the Explorer
The table below describes the symbols that are used in Active@ UNDELETE Explorer trees and file lists.
Table 2.5 Symbols and Icons
Icon Name | Description
Root Node | Represents a local or remote computer.
Floppy Drive |
Logical Drive | Represents a logical drive on one of the detected hard drives.
CD-ROM Drive |
Network Drive | Represents a shared network resource.
Folder | Regular file system folder.
Service Folder | This folder contains additional drive scanning results, such as orphan files and folders.
Deleted Folder | This folder was detected as deleted and is available for recovery.
Destroyed Folder | This folder was detected as completely destroyed; data from this folder is impossible to recover.
File | A common file of any type.
System File |
Temporary Saved Encrypted File |
Disk Image Configuration File | Previously created and ready for use.
Deleted File | This file was detected as deleted and is available for recovery.
Symbols and Icons Used in the Explorer 15
Destroyed File | This file was detected as completely destroyed; data from this file is impossible to recover.
Device Collection | The root element of the d
[Hex dump residue: hex-editor figure of the NTFS boot sector code area, offsets 00000090 through 000001A0. The bytes are the boot loader code; the ASCII column of the last rows reads "A disk read error occurred" and "NTLDR is missi".]
PART_EXTENDED (05h), PART_DOS4_FAT (06h), PART_DOS32 (0Bh), PART_DOS32X (0Ch), PART_DOSX13 (0Eh), PART_DOSX13X (0Fh). Descriptions of the values:
PART_UNKNOWN (00h): Unknown.
PART_DOS2_FAT (01h): 12-bit FAT.
PART_DOS3_FAT (04h): 16-bit FAT. Partition smaller than 32MB.
PART_EXTENDED (05h): Extended MS-DOS Partition.
PART_DOS4_FAT (06h): 16-bit FAT. Partition larger than or equal to 32MB.
PART_DOS32 (0Bh): 32-bit FAT. Partition up to 2047GB.
PART_DOS32X (0Ch): Same as PART_DOS32 (0Bh), but uses Logical Block Address Int 13h extensions.
PART_DOSX13 (0Eh): Same as PART_DOS4_FAT (06h), but uses Logical Block Address Int 13h extensions.
PART_DOSX13X (0Fh): Same as PART_EXTENDED (05h), but uses Logical Block Address Int 13h extensions.

Part_LastHead: The last head of the partition. This is a 0-based number that represents the offset from the beginning of the disk. The partition includes the head specified by this member.
Part_LastSector: The last sector of this partition. This is a 1-based, 6-bit number representing the offset from the beginning of the disk. The partition includes the sector specified by this member. Bits 0 through 5 specify the 6-bit value; bits 6 and 7 are used with the Part_LastTrack member.
Part_LastTrack: The last track of this partition. This is a 0-based, 10-bit number that represents the offset from the beginning of the disk. The partition includes this track. The high 2 bits of this value are specified by bits 6 and 7 of the Part_LastSector member.
Part_StartSector: Specifies the 1-based number of the first sector on the disk. This value may not be accurate for extended partitions. Use the Part_FirstSect
Offset to the Name (2 bytes); Flags (2 bytes); Attribute Id (2 bytes); Starting VCN (8 bytes); Last VCN (8 bytes); Offset to the Data Runs (2 bytes); Compression Unit Size (2 bytes); Padding (4 bytes); Allocated size of the attribute (8 bytes); Real size of the attribute (8 bytes); Initialized data size of the stream (8 bytes); Data Runs.

In this section we are interested in the Compression Unit Size (zero in our case means non-compressed), the Allocated and Real size of the attribute (equal to our file size, 0xDC00 = 56,320 bytes), and the Data Runs (see the next topic).

Defining the Chain of Clusters

To reconstruct a file from a set of clusters we need to define a chain of clusters. Here are the steps:
1. Scan the drive to locate and identify data.
2. One by one, go through each file cluster (NTFS) or each free cluster (FAT) that we presume belongs to the file.
3. Continue chaining the clusters until the cumulative total size of the clusters approximately equals the total size of the deleted file. If the file is fragmented, the chain of clusters will be composed of several extents (NTFS), or select probable contiguous clusters and bypass occupied clusters that appear to have random data (FAT).

The location of these clusters can vary depending on the file system. For example, a file deleted in a FAT volume has its first cluster in the Root entry; the other clusters can be found in the File Allocation Table. In NTFS each file has a
s_partition STRUC
  Part_BootInd     DB ?
  Part_FirstHead   DB ?
  Part_FirstSector DB ?
  Part_FirstTrack  DB ?
  Part_FileSystem  DB ?
  Part_LastHead    DB ?
  Part_LastSector  DB ?
  Part_LastTrack   DB ?
  Part_StartSector DD ?
  Part_NumSectors  DD ?
s_partition ENDS

Table 7-10 s_partition Members

Part_BootInd: Specifies whether the partition is bootable or not. This value could be set to PART_BOOTABLE (80h) or PART_NON_BOOTABLE (00h). The first partition designated as PART_BOOTABLE is the boot partition; all others are not. Setting multiple partitions to PART_BOOTABLE will result in boot errors.
Part_FirstHead: The first head of this partition. This is a 0-based number representing the offset from the beginning of the disk. The partition includes this head.
Part_FirstSector: The first sector of this partition. This is a 1-based, 6-bit number representing the offset from the beginning of the disk. The partition includes this sector. Bits 0 through 5 specify the 6-bit value; bits 6 and 7 are used with the Part_FirstTrack member.
Part_FirstTrack: The first track of this partition. This is an inclusive 0-based, 10-bit number that represents the offset from the beginning of the disk. The high 2 bits of this value are specified by bits 6 and 7 of the Part_FirstSector member.

72 CHAPTER 7 DATA RECOVERY CONCEPTS

Part_FileSystem: Specifies the file system for the partition. The following are acceptable values: PART_UNKNOWN (00h), PART_DOS2_FAT (01h), PART_DOS3_FAT (04h), PART_EXTE
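The s_partition layout above, together with the Part_LastHead through Part_StartSector entries of the same member table, packs the 6-bit sector and the high two bits of the 10-bit track into one byte. The Python below is an added example, not Active@ UNDELETE code: it unpacks a 16-byte entry, splits those packed fields, names the Part_FileSystem value, and checks the CHS start against Part_StartSector (a useful sanity check on a table that may have been rewritten). The 0x1BE table offset and the 55 AA boot signature are the standard MBR layout rather than values from the manual, and the sample sector is constructed for the example.

```python
"""Decode MBR partition table entries laid out as s_partition.

Added example, not Active@ UNDELETE code. The 0x1BE table offset and the
55 AA boot signature are the standard MBR layout (assumption: MBR disk);
the sample sector below is constructed for the example.
"""
import struct
from dataclasses import dataclass

# Part_FileSystem values named in the s_partition member table.
PART_TYPES = {
    0x00: "PART_UNKNOWN", 0x01: "PART_DOS2_FAT", 0x04: "PART_DOS3_FAT",
    0x05: "PART_EXTENDED", 0x06: "PART_DOS4_FAT", 0x0B: "PART_DOS32",
    0x0C: "PART_DOS32X", 0x0E: "PART_DOSX13", 0x0F: "PART_DOSX13X",
}
PART_BOOTABLE = 0x80
PART_TABLE_OFFSET = 0x1BE   # four 16-byte entries precede the 55 AA signature
ENTRY_SIZE = 16


@dataclass
class PartitionEntry:
    boot_ind: int
    first_head: int
    first_sector: int    # Part_FirstSector: 1-based, 6 bits
    first_track: int     # Part_FirstTrack: 0-based, 10 bits
    file_system: int
    last_head: int
    last_sector: int
    last_track: int
    start_sector: int    # Part_StartSector: LBA of the first sector
    num_sectors: int     # Part_NumSectors

    @property
    def type_name(self) -> str:
        return PART_TYPES.get(self.file_system, "0x%02X" % self.file_system)

    @property
    def bootable(self) -> bool:
        return self.boot_ind == PART_BOOTABLE


def split_chs(sector_byte: int, track_byte: int):
    """Bits 0-5 of sector_byte are the 1-based sector; bits 6-7 are the high
    two bits of the 10-bit track whose low 8 bits are in track_byte."""
    sector = sector_byte & 0x3F
    track = ((sector_byte & 0xC0) << 2) | track_byte
    return sector, track


def chs_to_lba(head: int, sector: int, track: int,
               heads: int = 255, sectors_per_track: int = 63) -> int:
    """CHS to LBA for the given geometry (sector is 1-based)."""
    return (track * heads + head) * sectors_per_track + (sector - 1)


def parse_partition_entry(raw: bytes) -> PartitionEntry:
    if len(raw) != ENTRY_SIZE:
        raise ValueError("partition entry must be 16 bytes")
    (boot, fh, fs_b, ft_b, fsys, lh, ls_b, lt_b,
     start, count) = struct.unpack("<8BII", raw)
    first_sector, first_track = split_chs(fs_b, ft_b)
    last_sector, last_track = split_chs(ls_b, lt_b)
    return PartitionEntry(boot, fh, first_sector, first_track, fsys,
                          lh, last_sector, last_track, start, count)


def parse_partition_table(sector0: bytes) -> list:
    """Return the non-empty entries of the four-slot table in a 512-byte MBR."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xAA":
        raise ValueError("boot signature 55 AA not found")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * ENTRY_SIZE
        entry = parse_partition_entry(sector0[off:off + ENTRY_SIZE])
        if entry.file_system != 0x00:     # PART_UNKNOWN marks an unused slot
            entries.append(entry)
    return entries


def chs_start_matches_lba(entry: PartitionEntry, heads=255, spt=63) -> bool:
    """Consistency check: the CHS start should agree with Part_StartSector.
    Track 1023 is the saturation value used beyond CHS reach, so such
    entries are not checked."""
    if entry.first_track >= 1023:
        return True
    lba = chs_to_lba(entry.first_head, entry.first_sector, entry.first_track, heads, spt)
    return lba == entry.start_sector


def build_sample_mbr() -> bytes:
    """Constructed 512-byte MBR with two entries (values made up for the example)."""
    sector = bytearray(512)
    # Entry 0: bootable FAT32 (0Bh), CHS 0/1/1 .. 1023/254/63, LBA 63, 4192902 sectors
    entry0 = struct.pack("<8BII", 0x80, 1, 0x01, 0x00, 0x0B, 254, 0xFF, 0xFF, 63, 4192902)
    # Entry 1: extended (05h) at track 261 = 0x105: sector byte 0x41, track byte 0x05
    entry1 = struct.pack("<8BII", 0x00, 0, 0x41, 0x05, 0x05, 254, 0xFF, 0xFF, 4192965, 2104515)
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = entry0
    sector[PART_TABLE_OFFSET + 16:PART_TABLE_OFFSET + 32] = entry1
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)
```

Calling parse_partition_table(build_sample_mbr()) yields the FAT32 entry with last track 1023 (the sector byte 0xFF decodes to sector 63 and track high bits 11) and the extended entry whose CHS start 261/0/1 agrees with its LBA start of 4,192,965 for a 255-head, 63-sector geometry; a mismatch between the two would point at an edited or damaged table.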
am that writes data to the disk, even the installation of data recovery software, can spoil your sensitive data.

2 CHAPTER 1 GETTING STARTED WITH ACTIVE UNDELETE

DO NOT SAVE DATA ONTO THE SAME DRIVE THAT YOU FOUND ERASED DATA WHICH YOU ARE TRYING TO RECOVER. While saving recovered data onto the same drive where sensitive data was located, you can spoil the process of recovering by overwriting table records for this and other deleted entries. It is better to save data onto another logical, removable, network or floppy drive.

IF YOU HAVE AN EXTRA HARD DRIVE OR OTHER LOGICAL DRIVES THAT ARE BIG ENOUGH, CREATE A DISK IMAGE. A Disk Image is a single-file mirror copy of the contents of your logical drive. Backing up the contents of the whole drive, including deleted data, is a good safety precaution in case of failed recovery. Before you start recovering deleted files, create a Disk Image for this drive.

2 ACTIVE UNDELETE EXPLORER

This chapter describes the features and functions of Active UNDELETE Explorer.

Overview

Active UNDELETE Explorer is designed to probe and browse all data storage devices installed on your computer in different ways to find and recover lost or damaged data. Active UNDELETE Explorer displays the hierarchical structure of your current drives, devices and folders. Some of this information is shown in the Tree and File Panes, Tool Views, and Status bar information at the bottom of the Explorer window. Explorer uses symb
Cancel any current process, such as scanning, searching, etc.
Recover: Initiate the Recovery process for the context item.
Save PC Info: Save data storage devices diagnostic information into a file.
Connect: Connect to Active Remote Recovery Agent.
Exit: Close the application.

Edit menu:
Add Virtual Partition: Create a virtual partition under the selected device.
Load Partition Info: Load previously saved partition info for the selected device.
Save Partition Info: Save Partition Info (all detected or created virtual partitions) for the selected device.
Active Table: Set the Active Table for the selected partition. It can be FAT1 or FAT2 for FAT, or MFT or MFT Mirror for NTFS.
Duplicate Partition Info: Create a copy of the selected partition with the corresponding device as a virtual partition.
Modify Partition Info: Open a dialog box that allows you to modify the selected partition's properties.
Delete Partition Info: Delete the selected virtual (detected) partition from the corresponding device.
Open in Hex Editor: Opens the selected item for editing in the Disk Hex Editor.

View menu:
Application Log: Show or hide the Application Log view.
Property View: Show or hide the Property view.
Search View: Show or hide the Search view.
Drag'n'Drop Recovery: Show or hide the Drag and Drop Recovery view.
Disk Hex Editor: Show or hide the Disk HEX Editor view.
File Preview: Show File Preview for the context file item.
Properties: Show proper
and 4GB respectively. In these file systems it is not possible to create a disk image file for a drive, as it is likely to grow larger than the acceptable limit. The solution in this case is to use a target location formatted under the operating system Windows NT, 2000, XP or NTFS, or to create a Disk Image that is split into chunks of an appropriate size.

Opening Disk Images

To open a previously created Disk Image, follow these steps:
1. In the Active UNDELETE Explorer, start the Open Disk Image wizard by doing one of the following:
   Browse to the location where the previously created Disk Image was saved. Locate and double-click the Disk Image configuration file (extension DIM). Note: The Disk Image configuration file is highlighted in Active UNDELETE Explorer using the Disk Image Configuration File icon.
   On the toolbar, click Open Disk Image.
   In the command toolbar, click Tools > Open Disk Image.
2. Follow the instructions of the wizard to open the Disk Image.
3. If the Disk Image opens successfully, it will appear as a Disk Image node in either the Local Drives or the Local Devices tree and will be ready for all tasks applicable to undeleting.

32 CHAPTER 3 USING ACTIVE UNDELETE

Virtual Drives

Using Active UNDELETE you can manipulate the configuration of available Local Drives or partitions as a flexible tool to recover inaccessible data.

Creating Virtual Drive Info

You can create a Virtual Drive, or a software drive access point, that will
arch Among Deleted Only: The search is performed for deleted files and folders only; all existing files are ignored.
Search Among Existing Only: The search is applied only to existing files; all deleted files are ignored.

Use Date Criteria. The figure below shows how the dialog box appears.

Figure 3-7 Search Options: Use Date Criteria [dialog screenshot: Find what; Advanced Settings tabs Use Date Criteria, Use Size Criteria, Use Attributes; Date type Accessed/Deleted; radio buttons Any, Today, Last 7 days, Last 30 days; Look for on New Volume K; With file size within 0 bytes to infinity; With Accessed Date Range up to 12/31/2999 23:59; Recursive search in subdirectories]

A description of the options follows:
Date type: Select from Deleted Date, Created Date or Modified Date in the drop-down list. Choose from the following radio buttons:
Any: Date Criteria is ignored.
Today: Date range is from 24 hours ago up to this moment.
Last 7 days: Date range is from seven days ago up to this moment.
Last 30 days: Date range is from 30 days ago up to this moment.
Last 12 months: Date range is from one year ago up to this moment.
From/To: Select a custom date range by using the date-picking controls.

Use Size Criteria. The figure below shows how the dialog box appears.

Figure 3-8 Select Options: Use Si
asp or the Microsoft Developers Network (MSDN), http://msdn.microsoft.com.

Folders have a set of 32-byte Folder Entries for each file and subfolder contained in the folder (see the example figure below). The Folder Entry includes the following information:
Name (eight plus three characters)
Attribute byte (8 bits worth of information, described later in this section)
Create time (24 bits)
Create date (16 bits)
Last access date (16 bits)
Last modified time (16 bits)
Last modified date (16 bits)
Starting cluster number in the file allocation table (16 bits)
File size (32 bits)

There is no organization to the FAT folder structure, and files are given the first available location on the volume. The starting cluster number is the address of the first cluster used by the file. Each cluster contains a pointer to the next cluster in the file, or an indication (0xFFFF) that this cluster is the end of the file. See File Allocation System for details.

The information in the folder is used by all operating systems that support the FAT file system. In addition, Windows NT can store additional time stamps in a FAT folder entry. These time stamps show when the file was created or last accessed and are used principally by POSIX applications.

Because all entries in a folder are the same size, the attribute byte for each entry in a folder describes what kind of entry it is. One bit indicates that the entry is for a subfolder, while anot
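The 32-byte Folder Entry listed above can be decoded directly, which is how an undelete tool finds the name, starting cluster and size it needs before it walks the FAT. The Python below is an added example, not part of the manual or of Active@ UNDELETE. The field offsets follow the standard FAT directory-entry layout; the 0xE5 first-byte marker that DOS writes when a file is deleted, the 0x00 end-of-folder marker, the DOS date/time bit packing and the 0x0F long-file-name attribute are standard FAT conventions that the text above does not spell out. The folder data is constructed inline, and the "?" used for the lost first character of a deleted name is this example's own convention.

```python
"""Decode 32-byte FAT folder (directory) entries.

Added example, not Active@ UNDELETE code. Offsets follow the standard FAT
directory-entry layout; 0xE5 (deleted), 0x00 (end of folder), the DOS
date/time packing and attribute 0x0F (long file name) are FAT conventions.
"""
import struct
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

ATTR_NAMES = {0x01: "READ_ONLY", 0x02: "HIDDEN", 0x04: "SYSTEM",
              0x08: "VOLUME_LABEL", 0x10: "DIRECTORY", 0x20: "ARCHIVE"}
ATTR_LFN = 0x0F          # long-file-name pseudo entry: all four low bits set
ENTRY_FREE_END = 0x00    # never used: end of the folder listing
ENTRY_DELETED = 0xE5     # first name byte is overwritten when a file is deleted


@dataclass
class FolderEntry:
    name: str
    attributes: int
    created: Optional[datetime]
    last_access_date: Optional[datetime]
    modified: Optional[datetime]
    first_cluster: int
    size: int
    deleted: bool

    @property
    def attribute_names(self) -> List[str]:
        return [n for bit, n in ATTR_NAMES.items() if self.attributes & bit]


def dos_datetime(date16: int, time16: int = 0, tenths: int = 0) -> Optional[datetime]:
    """Decode a DOS date (7-bit year from 1980, 4-bit month, 5-bit day) and
    time (5-bit hour, 6-bit minute, 5-bit two-second count); the create
    time's third byte adds 0-199 units of 10 ms."""
    if date16 == 0:
        return None
    year, month, day = 1980 + (date16 >> 9), (date16 >> 5) & 0x0F, date16 & 0x1F
    hour, minute = time16 >> 11, (time16 >> 5) & 0x3F
    second = (time16 & 0x1F) * 2 + tenths // 100
    try:
        return datetime(year, month, day, hour, minute, second, (tenths % 100) * 10000)
    except ValueError:       # damaged entries carry impossible dates
        return None


def parse_folder_entry(raw: bytes, fat32: bool = False) -> FolderEntry:
    if len(raw) != 32:
        raise ValueError("folder entry must be 32 bytes")
    (name8, ext3, attr, _nt, ctenths, ctime, cdate, adate, clus_hi,
     mtime, mdate, clus_lo, size) = struct.unpack("<8s3sBBBHHHHHHHI", raw)
    deleted = name8[0] == ENTRY_DELETED
    base = name8.rstrip(b" ")
    if deleted:
        base = b"?" + base[1:]   # first character is lost; "?" is this example's marker
    name = base.decode("latin-1")
    ext = ext3.rstrip(b" ").decode("latin-1")
    if ext:
        name += "." + ext
    # Only FAT32 stores the high 16 bits of the starting cluster at offset 20.
    first_cluster = clus_lo | ((clus_hi << 16) if fat32 else 0)
    return FolderEntry(name, attr, dos_datetime(cdate, ctime, ctenths),
                       dos_datetime(adate), dos_datetime(mdate, mtime),
                       first_cluster, size, deleted)


def walk_folder(data: bytes, fat32: bool = False) -> List[FolderEntry]:
    """Return short-name entries, existing and deleted, up to the end marker,
    skipping long-file-name pseudo entries and the volume label."""
    out = []
    for off in range(0, len(data) - 31, 32):
        raw = data[off:off + 32]
        if raw[0] == ENTRY_FREE_END:
            break
        if raw[11] & ATTR_LFN == ATTR_LFN or raw[11] & 0x08:
            continue
        out.append(parse_folder_entry(raw, fat32))
    return out


def build_sample_folder() -> bytes:
    """Constructed folder data: a deleted file, an LFN fragment, a subfolder, end marker."""
    def entry(name, ext, attr, ctime, cdate, clus, size):
        return struct.pack("<8s3sBBBHHHHHHHI", name, ext, attr, 0, 0,
                           ctime, cdate, cdate, 0, ctime, cdate, clus, size)
    created_date = ((2003 - 1980) << 9) | (7 << 5) | 15      # 2003-07-15
    created_time = (14 << 11) | (30 << 5) | (20 // 2)        # 14:30:20
    deleted_file = entry(b"\xE5YFILE  ", b"TXT", 0x20, created_time, created_date, 0x0345, 112435)
    lfn = bytearray(b"\xFF" * 32)
    lfn[0] = 0x41                                # sequence 1, last LFN piece
    lfn[1:11] = "My Fi".encode("utf-16-le")
    lfn[11] = ATTR_LFN
    lfn[12] = lfn[13] = 0
    lfn[26:28] = b"\x00\x00"                     # LFN entries carry no cluster
    sub = entry(b"DOCS    ", b"   ", 0x10, created_time, created_date, 0x0400, 0)
    return deleted_file + bytes(lfn) + sub + b"\x00" * 32
```

walk_folder(build_sample_folder()) returns two entries: the deleted file with its starting cluster 0x0345 and size 112,435 still intact (which is exactly what the chain-of-clusters reconstruction later in this manual starts from), and the DOCS subfolder; the long-name piece and the end marker are skipped.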
ater.

BIGFATBOOTFSINFO STRUC
  bfFSInf_Sig            DD ?
  bfFSInf_free_clus_cnt  DD ?
  bfFSInf_next_free_clus DD ?
  bfFSInf_resvd          DD 3 DUP (?)
BIGFATBOOTFSINFO ENDS

Table 7-6 BIGFATBOOTFSINFO Members

bfFSInf_Sig: The signature of the file system information sector. The value in this member is FSINFOSIG (0x61417272L).
bfFSInf_free_clus_cnt: The count of free clusters on the drive. Set to -1 when the count is unknown.
bfFSInf_next_free_clus: The cluster number of the cluster that was most recently allocated.
bfFSInf_resvd: Reserved member.

FAT Mirroring

On all FAT drives there may be multiple copies of the FAT. If an error occurs reading the primary copy, the file system will attempt to read from the backup copies. On FAT16 and FAT12 drives, the first FAT is always the primary copy, and any modifications will automatically be written to all copies. However, on FAT32 drives, FAT mirroring can be disabled, and a FAT other than the first one can be the primary (or active) copy of the FAT. Mirroring is enabled by clearing bit 0x0080 in the extdpb_flags member of a FAT32 Drive Parameter Block (DPB) structure.

Table 7-7 FAT Mirroring

Enabled (bit 0x0080 clear): With mirroring enabled, whenever a FAT sector is written, it will also be written to every other FAT. Also, a mirrored FAT sector can be read from any FAT. A FAT32 driv
ble even if the drive is recognized by the operating system. To recover data from this drive you can adjust the drive's properties by taking the following steps.

1. Create a virtual copy of the drive. All manipulation of drive properties applies to the copy of the drive, to ensure that none of the real drive's properties are altered. Follow these steps to make a copy of a drive:
   a. Select the desired drive in the Explorer tree.
   b. Run Clone Drive Info by doing one of the following: in the command toolbar, click Edit > Clone Drive Info; or right-click the drive item and click Clone Drive Info from the context menu.
   c. After these commands, the cloned (copied) drive appears under the appropriate device in the Explorer tree with the virtual drive icon.

2. Modify drive properties. For a virtual drive you can alter its properties by doing one of the following: in the command toolbar, click Edit > Modify Drive Info; or right-click the virtual drive item and click Modify Drive Info from the context menu. The Modify Drive Info dialog box appears.

Figure 3-13 Modify Drive Info [dialog screenshot "Modify Drive Info for Local Disk 80h 1" showing: Hidden Sectors 16065; Total Sectors 32130; Sectors Per Cluster 1; Bytes Per Sector 512; Root Cluster 0; Reserved Sectors 0; Cluster MFT 10710; Number Of FAT 0; Cluster MFT Mirror 16064; Sectors Per FAT 0; Clusters Per FRS 2; Root Entries 0; Clusters Per IB 8; Active Table; OK, Cancel]

You can modify
create it, use the Backup utility from System Tools. You can use the ERD to repair a damaged boot sector or a damaged MBR, and to repair or replace missing or damaged NT Loader (NTLDR) and ntdetect.com files. If you do not have an ERD, the emergency repair process can attempt to locate your Windows installation and start repairing your system, but it may not be able to do so.

To run the process, boot from a Windows bootable disk or CD and choose the Repair option when the system asks whether to proceed with installation or repair. Then press R to run the Emergency Repair Process and choose the Fast or Manual Repair option. Fast Repair is recommended for most users; Manual Repair is for Administrators and advanced users only. If the emergency repair process is successful, your computer will automatically restart and you should have a working system.

Recovery Console

Recovery Console is a command-line utility similar to the MS-DOS command line. You can list and display folder content; copy, delete and replace files; format drives; and perform many other administrative tasks. To run Recovery Console, boot from the Windows bootable disks or CD and choose the Repair option when the system asks whether to proceed with installation or repair, and then press C to run Recovery Console. You will be asked which system you want to log on to, and then for the Administrator's password. After you have logged on, you can display the drive's contents, c
criptions below to help with configuration in this dialog box.

Disk Image file name: Specify the file name and path to the folder under which the newly created image will be stored. Important: The target location for the Disk Image file must always be on a drive other than that of the source. You are creating an image of a disk; you cannot write onto the same disk, or you will be changing the source. Important: File systems FAT16 and FAT32 do not support file sizes larger than 2GB and 4GB respectively. In these file systems it is not possible to create a disk image file for a drive, as it is likely to grow larger than the file size limit. The solution in this case is to use a target location formatted under the operating system Windows NT, 2000, XP or NTFS, or to create a Disk Image split into chunks of an appropriate size.

Use compression for Disk Image creation: With this option selected, the final Disk Image created is compressed. Compression saves some space on your hard drive but makes your Disk Image less useful for data recovery operations.

Specify chunk size: If this check box is cleared, the Disk Image file is created as one file. It is possible this file will be as big as the original disk. Select this check box and specify a size so that the Disk Image file is stored in chunks.

After the settings are complete for this page, press Next > to proceed.

2. Select Area of a Disk

Figure 4-6 Disk Image Area Selectio
ctive Data Recovery Software policies and programs described in the online documentation and web site and/or other Active Data Recovery Software-provided materials, as they may be modified from time to time. Any supplemental software code provided to you as part of the Support Services shall be considered part of the SOFTWARE and subject to the terms and conditions of this EULA. With respect to technical information you provide to Active Data Recovery Software as part of the Support Services, Active Data Recovery Software may use such information for its business purposes, including for product support and development. Active Data Recovery Software will not utilize such technical information in a form that personally identifies you.

5. TERMINATION. Without prejudice to any other rights, Active Data Recovery Software may terminate this EULA if you fail to comply with the terms and conditions of this EULA. In such event, you must destroy all copies of the SOFTWARE.

6. COPYRIGHT. The SOFTWARE is protected by copyright law and international treaty provisions. You acknowledge that no title to the intellectual property in the SOFTWARE is transferred to you. You further acknowledge that title and full ownership rights to the SOFTWARE will remain the exclusive property of Active Data Recovery Software, and you will not acquire any rights to the SOFTWARE except as expressly set forth in this license. You agree that any copies of the SOFTWARE will contain the same proprie
d or in use. If the Flags field (in red) has bit 1 set, it means that the file is in use. In our example it is zero, which means the file is deleted.

Starting from 0x48 we have the Standard Information Attribute (second bold section): File Creation Time (8 bytes); File Last Modification Time (8 bytes); File Last Modification Time for File Record (8 bytes); File Access Time for File Record (8 bytes); DOS File Permissions (4 bytes), 0x20 in our case (Archive Attribute).

Following the standard attribute header we have the File Name Attribute belonging to the DOS name space (short file names), third bold section, offset 0xA8, and again following a standard attribute header we have the File Name Attribute belonging to the Win32 name space (long file names), third bold section, offset 0x120: File Reference to the Parent Directory (8 bytes); File Modification Times (32 bytes); Allocated Size of the File (8 bytes); Real Size of the File (8 bytes); Flags (8 bytes); Length of File Name (1 byte); File Name Space (1 byte); File Name (Length of File Name x 2 bytes). In our case from this section we can extract the file name (My Presentation.ppt), the File Creation and Modification times, and the Parent Directory Record number.

52 CHAPTER 6 UNDERSTANDING ADVANCED UNDELETE PROCESS

Starting from offset 0x188 there is a non-resident Data attribute (green section): Attribute Type (4 bytes), e.g. 0x80; Length including header (4 bytes); Non-resident flag (1 byte); Name length (1 byte);
[Hex dump residue: the tail of the hex-editor figure for the FAT example; the ASCII column of the rows at 0004AE10 and 0004AE20 reads "as started.", "C:\WINNT\Driver Cac".]

Because the cluster chain is consecutive, all we need to do is copy 112,435 bytes starting from this place. If the cluster chain was not consecutive, we would need to re-calculate the offset for each cluster and copy 3 times the value of 64 x 512 = 32,768 bytes starting from each cluster offset. The last cluster copy remainder, 14,131 bytes, is calculated as 112,435 bytes - 3 x 32,768 bytes.

Recovering Cluster Chain in NTFS

In our example we just need to pick up 110 clusters starting from cluster 312555. The cluster size is 512 bytes, so the offset of the first cluster would be 512 x 312555 = 160028160 = 0x0989D600.

[Hex dump residue: hex-editor figure of the first cluster, offsets 0989D600 through 0989D650; the first bytes are D0 CF 11 E0 A1 B1 1A E1 and the row at 0989D650 is all FF. Data recovery is complete when 110 clusters (56,320 bytes) have been read from this point and copied to another location.]

The Par
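The copy described under Defining the Chain of Clusters and carried out in the FAT and NTFS walk-throughs above reduces to one routine: read every cluster of the chain in full except the last, which carries only the remainder of the file size. The Python below is an added example, not Active@ UNDELETE code; the disk image is an in-memory byte string constructed for the example, and the chain, cluster size and data-area offset are parameters rather than values read from a real volume. It also guards against the two things that go wrong in practice: a chain that is shorter than the file size it is supposed to cover, and a cluster offset that lies beyond the end of the image.

```python
"""Recover a file from its chain of clusters (a FAT chain or NTFS extents).

Added example, not Active@ UNDELETE code. The image is constructed in
memory; cluster numbers, cluster size and the data-area start are
parameters rather than values read from a real volume.
"""
from typing import List, Tuple

Extent = Tuple[int, int]   # (first cluster, number of clusters), as in NTFS data runs


def cluster_offset(cluster: int, cluster_size: int, data_start: int = 0) -> int:
    """Byte offset of a cluster: data_start + cluster_size * cluster.
    NTFS numbers clusters from the start of the volume (data_start = 0);
    on FAT the data area starts after the reserved sectors, FATs and root folder."""
    return data_start + cluster_size * cluster


def expand_extents(extents: List[Extent]) -> List[int]:
    """Flatten NTFS-style extents into an explicit cluster chain."""
    chain: List[int] = []
    for first, count in extents:
        chain.extend(range(first, first + count))
    return chain


def plan_chain(chain: List[int], cluster_size: int, file_size: int,
               data_start: int = 0) -> List[Tuple[int, int]]:
    """Turn a cluster chain into (offset, length) reads that cover file_size
    bytes: every cluster in full except the last, which carries the remainder."""
    full, remainder = divmod(file_size, cluster_size)
    needed = full + (1 if remainder else 0)
    if len(chain) < needed:
        raise ValueError("chain has %d clusters but %d are needed" % (len(chain), needed))
    reads = []
    for i, cluster in enumerate(chain[:needed]):
        length = cluster_size if i < full else remainder
        reads.append((cluster_offset(cluster, cluster_size, data_start), length))
    return reads


def recover_chain(image: bytes, chain: List[int], cluster_size: int,
                  file_size: int, data_start: int = 0) -> bytes:
    """Copy file_size bytes out of image by following the chain."""
    out = bytearray()
    for offset, length in plan_chain(chain, cluster_size, file_size, data_start):
        if offset + length > len(image):
            raise ValueError("cluster offset 0x%X lies beyond the image" % offset)
        out += image[offset:offset + length]
    return bytes(out)


def build_sample_image(clusters: int = 16, cluster_size: int = 32768) -> bytes:
    """Constructed image: cluster n is filled with the byte value n, so the
    recovered data shows which clusters were read."""
    return b"".join(bytes([n]) * cluster_size for n in range(clusters))
```

With the manual's FAT figures (32,768-byte clusters, a 112,435-byte file) plan_chain produces three full reads and a 14,131-byte tail whether the chain is consecutive or fragmented; with 512-byte clusters and the extent (312555, 110) the first read starts at 0x0989D600 and the plan ends after exactly 56,320 bytes.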
difference: the limited functionality compresses the entire primary volume or logical volume. NTFS allows for the compression of an entire volume, of one or more folders within a volume, or even of one or more files within a folder of an NTFS volume. The compression algorithms in NTFS are designed to support cluster sizes of up to 4 KB. When the cluster size is greater than 4 KB on an NTFS volume, none of the NTFS compression functions are available.

Each NTFS data stream contains information that indicates whether any part of the stream is compressed. Individual compressed buffers are identified by holes following them in the information stored for that stream. If there is a hole, NTFS automatically decompresses the preceding buffer to fill the hole. NTFS provides real-time access to a compressed file, decompressing the file when it is opened and compressing it when it is closed. When writing a compressed file, the system reserves disk space for the uncompressed size. The system gets back unused space as each individual compression buffer is compressed.

NTFS Encrypted Files (Windows 2000 only)

The Encrypting File System (EFS) provides the core file encryption technology used to store encrypted files on NTFS volumes. EFS keeps files safe from intruders who might gain unauthorized physical access to sensitive stored data, for example by stealing a portable computer or external disk drive. EFS uses symmetric key encryption in conjunction wi
e chunks [dialog screenshot: chunk list showing C:\Temp\disk_images\A_disk_image.000; buttons Add, Remove, Move Up, Move Down]

On this screen you can compose a disk image by specifying the Disk Image chunks and the type of the image. Use the descriptions below to help with the settings.

Disk Image Label: Alter the name of the label under which the opened Disk Image will appear in Explorer.
Disk Image Type: Specify whether the Disk Image file refers to a logical drive or a physical device. This is set automatically by the List of Disk Image Chunks described below; you may select one or the other manually.
List of Disk Image Chunks: If you are opening a Disk Image using a Disk Image configuration file, you will see the list of image body chunks and the type of disk image you are opening (Local Drive or Physical Device). If the type is not set correctly, specify the disk image chunks and type manually. To add a Disk Image chunk, click Add >> and select a disk image chunk file from the browsing dialog box. You can remove any disk image chunk by selecting it in the list and then clicking Remove.

42 CHAPTER 4 ACTIVE UNDELETE WIZARDS

You can modify the order of disk image chunks: select one of the disk image chunks in the list and click Move Up or Move Down until the disk image chunk is in the correct position. When all inputs are complete on this page, click Next > to continue.

Set Disk Image Geometry

Figure 4-10 Disk Image Geometry [Open Disk Image Wizard dialog]
e suboperations of a transaction in a log file before they are written to the disk. When a complete transaction is recorded in the log file, NTFS performs the suboperations of the transaction on the volume cache. After NTFS updates the cache, it commits the transaction by recording in the log file that the entire transaction is complete. Once a transaction is committed, NTFS ensures that the entire transaction appears on the volume, even if the disk fails. During recovery operations, NTFS redoes each committed transaction found in the log file. Then NTFS locates the transactions in the log file that were not committed at the time of the system failure and undoes each transaction suboperation recorded in the log file. Incomplete modifications to the volume are prohibited.

NTFS uses the Log File service to log all redo and undo information for a transaction. NTFS uses the redo information to repeat the transaction. The undo information enables NTFS to undo transactions that are not complete or that have an error.

Important: NTFS uses transaction logging and recovery to guarantee that the volume structure is not corrupted. For this reason, all system files remain accessible after a system failure. However, user data can be lost because of a system failure or a bad sector.

Cluster Remapping

In the event of a bad sector error, NTFS implements a recovery technique called cluster remapping. When Windows 2000 detects a bad sector, NTFS dynamically rema
e with multiple FATs will behave the same as FAT16 and FAT12 drives with multiple FATs; that is, the multiple FATs are backups of each other.
Disabled (bit 0x0080 set): With mirroring disabled, only one of the FATs is active. The active FAT is the one specified by bits 0 through 3 of the extdpb_flags member of the DPB. The other FATs are ignored. Disabling mirroring allows better handling of a drive with a bad sector in one of the FATs. If a bad sector exists, access to the damaged FAT can be completely disabled. Then a new FAT can be built in one of the inactive FATs and then made accessible by changing the active FAT value in extdpb_flags.

Drive Parameter Block (FAT32)

The DPB was extended to include FAT32 information. Changes are effective for Windows 95 OEM Service Release 2 and later.

DPB STRUC
  dpb_drive            DB ?
  dpb_unit             DB ?
  dpb_sector_size      DW ?
  dpb_cluster_mask     DB ?
  dpb_cluster_shift    DB ?
  dpb_first_fat        DW ?
  dpb_fat_count        DB ?
  dpb_root_entries     DW ?
  dpb_first_sector     DW ?
  dpb_max_cluster      DW ?
  dpb_fat_size         DW ?
  dpb_dir_sector       DW ?
  dpb_reserved2        DD ?
  dpb_media            DB ?
ifdef NOTFAT32
  dpb_first_access     DB ?
else
  dpb_reserved         DB ?
endif
  dpb_reserved3        DD ?
  dpb_next_free        DW ?
  dpb_free_cnt         DW ?
ifndef NOTFAT32
  extdpb_free_cnt_hi   DW ?
  extdpb_flags         DW ?
  extdpb_FSInfoSec     DW ?
  extdpb_BkUpBootSec   DW ?
  extdpb_first_sector  DD ?
  extdpb_max_cluster   DD ?
  extdpb_fat_size      DD ?
  extdpb_root_clus     DD ?
  e
Recovering Encrypted Files ........ 28
Other Active UNDELETE Tools ........ 29
Save Hardware Diagnostic File ........ 29
Disk Images ........ 30
Virtual Drives ........ 32
Virtual Disk Arrays ........ 34
ACTIVE UNDELETE WIZARDS
Virtual Disk Array Wizard ........ 35
Create Disk Image Wizard ........ 38
Open Disk Image Wizard ........ 40
ACTIVE UNDELETE NETWORK EDITION
Active Remote Recovery Agent Overview ........ 43
Using Active Remote Recovery Agent ........ 44
Active Remote Recovery Agent Options ........ 46
UNDERSTANDING ADVANCED UNDELETE PROCESS
Overview ........ 47
Disk Scanning ........ 49
Defining the Chain of Clusters ........ 53
Recovering the Chain of Clusters ........ 54
DATA RECOVERY CONCEPTS
Hard Disk Drive Basics ........ 57
Making Tracks ........ 57
Sectors and Clusters ........ 58
The
ects of each file is displayed. Along with the name, size and dates of each item, you will be able to view the recovery status, or potential for recovery, of each item. After you have finished dragging files and folders to this list, select the check box for each file or folder you wish to recover. You can recover all files at the same time or recover a few at a time. To select files for recovery, perform any of the following actions:
Click the Select All icon at the top of the pane.
Select the check box on the left side of each item individually.
Select a group of items using Shift and mouse click or Ctrl and mouse click. Press the Spacebar key to select or clear the check boxes for all selected items.

When some or all files and folders are selected, click Recover Checked to initiate the recovery process. After the process starts, the Log View appears automatically. If you selected some of the files in this pane and completed recovery for them, you can repeat the recovery process after selecting different files or folders remaining in the Drag'n'Drop Recovery view.

Toolbar Commands for Drag'n'Drop Recovery

Table 2-3 Commands for Drag'n'Drop Recovery
Check All: Select or clear the check boxes for all items in the list.
Recover Checked: Initiate the recovery process for all selected items in the list.
Clear: Clear the list of all contents.
es the amount of disk space needed to store the information about the used and unused areas on the disk.

The FAT File System

Structure of a FAT Volume

The File Allocation Table (FAT) file system is a simple file system originally designed for small disks and simple folder structures. The FAT file system is named for its method of organization, the file allocation table, which resides at the beginning of the volume. To protect the volume, two copies of the table are kept in case one becomes damaged. In addition, the file allocation tables and the root folder must be stored in a fixed location so that the files needed to start the system can be correctly located.

A volume formatted with the FAT file system is allocated in clusters. The default cluster size is determined by the size of the volume. For the FAT file system, the cluster number must fit in 16 bits and must be a power of two. The figure below illustrates how the FAT file system organizes a volume.

Figure 7-2 [layout of a FAT volume: Partition Boot Sector; Root folder; Other folders and all files]

This section covers information about the FAT system. Topics covered are: FAT Partition Boot Sector; FAT File System; FAT Root Folder; FAT Folder Structure; FAT32 Features. Table 7-1 displays the differences between the FAT systems.

Table 7-1 Differences Between FAT Systems (columns: System; Bytes Per Cluster Within File Allocation Table; Cluster Limit)
FAT12: 1.5; Fewer than 4 0
esident [dialog screenshot residue: Search; Look for on Volume K; With file size within 0 bytes to infinity; With Accessed Date Range 12/31/1969 19:00 to 12/31/2999 23:59; Recursive search in subdirectories]

The options are described below:
Any Attribute: Attribute settings are ignored.
Selected Attributes only: If you know the attributes of the file you are searching for, select the check boxes here. The search is conducted on only those files with the selected attributes.

Recovering Files and Folders

After scanning and searching for files and folders, start the recovery process in one of the following ways:
On the icon toolbar, click Recover.
Right-click the file or folder; from the context menu, click Recover.
Select Actions in the command toolbar; select Recover from the drop-down menu.

The recovery procedure begins with a confirmation dialog where recovery options can be specified.

Figure 3-10 Files and Folders Recovery [dialog screenshot: "Specify the destination path where the selected item(s) will be recovered to. Modify other options if necessary." Destination Path: C:\Temp\1 01 WAV; Recovery Options: Silent directory creation; Replace invalid file name symbols with symbol; Allow recovering to the same drive containing original data; OK, Cancel]

A description of the options follows:
Destination Path: Specify the target location where the recovered file(s) or folde
73. ...etected devices tree on the current computer.
- Device: represents one of the detected devices on the current computer.
- Removable Device: such as a Flash card or Zip drive.
- Unknown Device: an unspecified device.
- Partition: a detected partition on the corresponding device.
- Unallocated Space: detected unallocated space on the corresponding device.
- Detected Partition: a partition detected after a device scan.
- Disk Image: represents an open Disk Image as part of a file system structure.

A deleted file or folder that appears with a black icon has a poor chance of recovery: it has been partially or completely overwritten.

Connecting to Active@ Remote Recovery Agent

If you are using the Network Edition of Active@ UNDELETE, you can connect to Active@ Remote Recovery Agent, a utility that provides recovery features over a network. The computer that you want to connect to must have Active@ Remote Recovery Agent running with status Enabled. After you establish a connection through the network, you can scan and browse the file system of the remote computer. Active@ Remote Recovery Agent connects to networked PCs in one of the following ways:
- Select a workstation from the drop-down list of network neighborhood computer names located at the top of the Explorer Tree pane.
- Type a...
74. ...ew screen, transaction information is shown along with a brief description of each activity. The Active@ Remote Recovery Agent window can be minimized to a small icon in the System Tray, as shown in the figure below.

Figure 5.3: Remote Recovery Agent icon in the System Tray.

This icon changes according to the activity state of the application; usually the icon flashes when the status changes.

Table 5.1: System Tray Icon Activity States
- Disabled: the agent cannot receive or respond to any request from the Active@ UNDELETE client.
- Enabled: the agent is ready to receive and respond to requests from the Active@ UNDELETE client.
- Connected: the agent is currently online with the client and processing scanning, recovery and other commands from it.
- Processing: the agent is processing requests from the Active@ UNDELETE client.

For a local computer to allow Active@ UNDELETE to access it and perform remote data recovery functions, set Active@ Remote Recovery Agent to Enabled. This can be done in one of the following ways:
- In the command toolbar, click File > Enable.
- Right-click Remote Recovery Agent in the System Tray and click Enable on the context menu.

An Enabled agent exposes scanning, browsing and recovery of the local file system to the network client, so set it back to Disabled as soon as the recovery session is finished. The figure below shows the Remote Recovery Agent context menu, where you can choose to restore the Properties window, or Enable or Disable access...
75. ...external clusters containing directory entries that could not be contained within the MFT structure.

This section covers the following topics:
- NTFS File Attributes
- NTFS System Files
- NTFS Multiple Data Streams
- NTFS Compressed Files
- NTFS Encrypted Files
- NTFS Sparse Files

NTFS File Attributes

The NTFS file system views each file or folder as a set of file attributes. Elements such as the file's name, its security information and even its data are all file attributes. Each attribute is identified by an attribute type code and, optionally, an attribute name.

When a file's attributes fit within the MFT file record, they are called resident attributes. For example, information such as the filename and time stamps is always included in the MFT file record. When all of the information for a file is too large to fit in the MFT file record, some of its attributes are non-resident: they are allocated one or more clusters of disk space elsewhere in the volume. NTFS then creates the Attribute List attribute to describe the location of all of the attribute records.

Table 7.13 lists all of the file attributes currently defined by the NTFS file system. This list is extensible, meaning that other file attributes can be defined in the future.

Table 7.13: File Attributes Defined by NTFS
Attribute Type | Description
Standard Information | Includes information such as time stamps and link count.
Attribute List | Lists the location...
76. ...follows these rules:
- A list or catalog of file entries and deleted files is kept. This list can be scanned for entries marked as deleted.
- For each catalog entry a list of data cluster addresses is kept. From the deleted file entry, the set of clusters composing the file can be located.
- After finding the deleted file entry and assembling the associated set of clusters, the data in them can be read and copied to another location.

It is important to note, however, that not every deleted file can be recovered. To be successful it is important to try every method available, and that sometimes means pushing ahead on assumed information, such as the following.

The first assumption is that the file entry still exists, that is, it has not been overwritten with other data. The sooner a recovery or undelete attempt is made, the better: this reduces the chance that new files have been written on top of the deleted data and improves the chance that the file can be recovered.

The second assumption is that the file entry in the table is reliable enough to point to the location of the file's clusters. In some cases, specifically in Windows XP and on larger FAT32 volumes, the operating system damages the table entry immediately after a file is deleted (the high word of the first-cluster field is zeroed). The all-important first data cluster then becomes invalid and further restoration might not be possible.

The third assumption is that the file's data clusters are intact: they have no...
77. [Search results view: a list of files with columns Name, Status (Healthy), Size, dates and Folder, e.g. JPEG files from the folders Afghanistan, Colombia, Costa Rica and Cote d'Ivoire.]

There are two types of search.

Simple Search for Files and Folders: after completing the scanning process, you can search for files and folders by entering search criteria in the Look for field located in the Search Bar at the top of the Explorer. Select a folder in the File pane, then click Search in to initiate the search process.

Advanced Search: this search uses more options, such as Creation Date, Size, Registered File Type and more, as search criteria.

After a search has completed, the results appear as a list in the Search Results view. These files and folders can be opened for hex viewing in Preview File. They can also be recovered: recover files one by one, or select the check boxes for a number of files or folders and then apply recovery to all of t...
78. ...gs if they are not correct. Click Next to create the Virtual Disk Array.

If the new Disk Array was successfully created, you will see a new item under the Devices or Drives folder in the Explorer Tree View.

Create Disk Image Wizard

This wizard helps you create a Local Disk Image or a Physical Device Image (default file extension is DIM). To start this wizard, select the Local Drive or Local Device for which you wish to create a Disk Image, then run the wizard by doing one of the following:
- On the toolbar, click Create Disk Image.
- In the command toolbar, click Tools > Create Disk Image.
- Right-click the selected drive and click Create Disk Image on the context menu.

After the wizard starts, follow the instructions on each of the subsequent screens.

1. Set Disk Image Options

Figure 4.5: Create Disk Image Options. [Create Disk Image Wizard: Select destination path and other settings to create the Disk Image. Specify the path where the disk image will be stored; note that the Disk Image can be split into a set of chunks of a specified size. Disk Image file name: C:\Temp\disk images\A disk image.dim. Options: Use compression for Disk Image creation; Specify chunk size; Maximum Disk Image chunk size: 2 GB. Back / Next / Cancel.]

Use the des...
79. ...he following conditions must apply:
- The partition or drive can be found via the Partition Table.
- The partition or drive boot sector is safe.

If the above conditions are true, the OS can read the partition or physical drive parameters and display the drive in the list of available drives. If the file system is damaged (the root or FAT area on FAT12, FAT16 or FAT32, or the system MFT records on NTFS), the drive's content might not be displayed and you might see errors like "MFT is corrupted" or "Drive is invalid". If this is the case it is less likely that you will be able to restore your data, but do not despair: there may be some tricks or tips to display some of the residual entries that are still safe, allowing you to recover your data to another location.

Partition recovery describes two things.

Physical partition recovery: the goal is to identify the problem and write information to the proper place on the hard drive so that the partition becomes visible to the OS again. This can be done using manual disk editors along with proper guidelines, or using recovery software designed specifically for this purpose. Active@ Partition Recovery software implements this approach.

Virtual partition recovery: the goal is to determine the critical parameters of the deleted, damaged or overwritten partition and render it open to scanning in order to display its content. This approach can be applied in some cases when...
80. ...he outer edges of the disk. To compensate for this physical difference, tracks near the outside of the disk are less densely populated with data than the tracks near the center of the disk. The result of the different data density is that the same amount of data can be read over the same period of time from any drive head position.

The disk space is filled with data according to a standard plan. One side of one platter contains space reserved for hardware track-positioning information and is not available to the operating system; thus a disk assembly containing two platters has three sides available for data. Track-positioning data is written to the disk during assembly at the factory. The system disk controller reads this data to place the drive heads in the correct sector position.

A sector, the smallest physical storage unit on the disk, is almost always 512 bytes in size. 512 is a power of two (2 to the power of 9), and powers of two suit a machine whose most basic language has only two states, on and off. Each disk sector is labelled using the factory track-positioning data. Sector identification data is written to the area immediately before the contents of the sector and identifies the starting address of the sector.

The optimal method of storing a file on a disk is in a contiguous series, that is, all data in a stream stored end to end in a single line. As many files are larger than 512 bytes, it is up to the file s...
81. ...heck the existence and safety of critical files and, for example, copy them back to restore them if they have been accidentally deleted.

Recovery Software

Third-party recovery software in most cases does not allow you to deal with system files, because of the risk of further damage to the system; however, you can use it to check for the existence and safety of these files, or to perform virtual partition recovery.

Active@ Data Recovery Software
2550 Argentia Road, Suite 218
Mississauga, Ontario, Canada L5N 5R1
http://www.active-undelete.com
Phone: 905-812-8434
Customer Service: sales@active-undelete.com
Technical Support: support@active-undelete.com
82. ...hem.

Note: If you want to search a drive that has not yet been scanned, the drive will be scanned using Simple Scan before searching.

Disk Hex Editor

Disk Hex Editor is a simple low-level disk viewer which displays information in binary and text modes at the same time. You can use this view to analyze the contents of data storage structure elements such as:
- Hard disk drives
- Floppy drives
- Partitions
- Files
- Other objects

To open any of these items in the editor, select an item in the Active@ UNDELETE Explorer tree pane or file pane and do one of the following:
- In the command menu, click Edit > Open In Hex Editor.
- Right-click the item and click Open In Hex Editor on the context menu.

The Disk Hex Editor screen appears similar to the figure below.

Figure 2.5: Disk Hex Editor, showing the file DSC00555.JPG (toolbar: Save, Revert All, Go to Offset; properties pane: Name DSC00555.JPG, Type n/a, File System, Cluster 0). The first bytes of the file are a JPEG marker followed by an Exif block:

offset   00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15
00000000 FF D8 FF E1 0F F9 45 78 69 66 00 00 49 49 2A 00  ......Exif..II*.
00000010 08 00 00 00 0A 00 0E 01 02 00 20 00 00 00 86 00  .......... .....
00000020 00 00 0F 01 02 00 05 00 00 00 A6 00 00 00 10 01  ................
00000030 02 00 0A 00 00 00 AC 00 00 00 12 01 03 00 01 00  ................
00000040 00 00 01 00 00 00 1A 01 05 00 01 00 00 00 B6 00  ................
00000050 00 00 1B ...
83. ...her bit marks the entry as a volume label. Normally only the operating system controls the settings of these bits. A FAT file has four attribute bits that can be turned on or off by the user: archive file, system file, hidden file and read-only file.

Filenames on FAT Volumes

Beginning with Windows NT 3.5, files created or renamed on FAT volumes use the attribute bits to support long filenames in a way that does not interfere with how MS-DOS or OS/2 accesses the volume. Whenever a user creates a file with a long filename, Windows creates an eight-plus-three name for the file. In addition to this conventional entry, Windows creates one or more secondary folder entries for the file, one for each 13 characters in the long filename. Each of these secondary folder entries stores a corresponding part of the long filename in Unicode. Windows sets the volume, read-only, system and hidden file attribute bits of each secondary folder entry to mark it as part of a long filename. MS-DOS and OS/2 generally ignore folder entries with all four of these attribute bits set, so these entries are effectively invisible to those operating systems; instead, MS-DOS and OS/2 access the file by using the conventional eight-plus-three filename contained in the file's own folder entry.

Example of Folder Entries for a Long Filename

Figure 7.4 below shows all of the folder entries for the file Thequi...
84. ...i.e. 3 clusters * 32 KB = 96 KB plus a little bit more. We assumed that this file was not fragmented, i.e. that all of its clusters were located consecutively. We need 4 clusters and we found 4 free consecutive clusters, so this assumption sounds reasonable, although in real life it may not be true.

Note: In many cases data cannot be successfully recovered because the cluster chain cannot be defined. This occurs when another file or folder has been written to the drive where the deleted file is located. Warning messages about this will be displayed while recovering data with Active@ UNDELETE.

Defining a Cluster Chain in NTFS

When recovering in NTFS, a part of the DATA attribute called the Data Runs provides the location of the file's clusters. In most cases the DATA attribute is stored in the Master File Table (MFT) record, so finding the MFT record for a deleted file will most likely lead to the location of the cluster chain. In the example below, the DATA attribute begins at offset 0x12588 (attribute type 0x80, length 0x48) and the Data Runs inside it are the bytes starting at offset 0x125C8.
85. Contents (continued)

Data Recovery ... 1

ACTIVE@ UNDELETE EXPLORER
Explorer Overview ... 3
Navigation with Active@ UNDELETE Explorer ... 3
Toolbar Commands ... 5
Command Menu ... 6
Explorer Tool Views ... 7
Application Log ... 8
Properties View ... 8
Search ... 9
Disk Hex Editor ... 10
Drag and Drop Recovery ... 11
Options Dialog Box ... 13
Symbols and Icons Used in the Explorer ... 14
Connecting to Active@ Remote Recovery Agent ... 16

USING ACTIVE@ UNDELETE
Outline of UNDELETE Steps ... 17
Scanning Drives and Devices ... 17
Scanning Drives for Deleted Files or Folders ... 18
Scanning Physical Devices for Partitions and Drives ... 18
Searching for Deleted Files and Folders ... 21
Simple Search ... 21
Advanced Search ... 22
Recovering Files and Folders ... 27
R...
86. ...ile name index.
- The root folder ($.) | 5 | The root folder.
- Cluster bitmap ($Bitmap) | 6 | A representation of the volume showing which clusters are in use.
- Boot sector ($Boot) | 7 | Includes the BPB used to mount the volume and additional bootstrap loader code used if the volume is bootable.
- Bad cluster file ($BadClus) | 8 | Contains the bad clusters for the volume.
- Security file ($Secure) | 9 | Contains unique security descriptors for all files within the volume.
- Upcase table ($Upcase) | 10 | Converts lowercase characters to matching Unicode uppercase characters.
- NTFS extension file ($Extend) | 11 | Used for various optional extensions such as quotas, reparse point data and object identifiers.
- (unnamed) | 12 to 15 | Reserved for future use.

NTFS Multiple Data Streams

NTFS supports multiple data streams, where the stream name identifies a new data attribute on the file. A handle can be opened to each data stream; a data stream, then, is a unique set of file attributes. Streams have separate opportunistic locks, file locks and sizes, but common permissions. This feature enables you to manage data as a single unit. The following is an example of an alternate stream:

myfile.dat:stream2

A library of files might exist where the files are defined as alternate streams, as in the following example:

library
library:file1
library:file2
library:file3

Note that ordinary directory listings show neither the alternate streams nor their sizes, which is why they are a classic place to hide data during an investigation. A file can be associated with more than one application at a time, such as Microsoft Word and Microsoft WordPad. For instance, a file structure like the following illustrates...
87. ...ion is possible if we had used FDISK and not selected the correct active partition. The loader tries to pass control to the partition, fails, then tries to boot again from other devices such as the floppy. If that fails too, an error message like "Non-System Disk or Disk Error" appears.

Partition entry has been deleted

If a partition entry has been deleted, the next two partitions move one line up in the partition table, as below (the partition table begins at offset 0x1BE, so the first two bytes of each 16-byte entry fall on the preceding row):

Physical Sector: Cyl 0, Side 0, Sector 1
000001C0 41 3F 06 FE 7F 64 7F 32 4E 00 A6 50 09 00 00 00  A?...d.2N..P....
000001D0 41 65 0F FE BF 4A 25 83 57 00 66 61 38 00 00 00  Ae...J%.W.fa8...
000001E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA  ..............U.

If we try to boot now, the partition previously identified as the second FAT partition becomes the first, and the loader will try to boot from it. If no operating system exists within that partition, the same error messages appear.

Partition entry has been damaged

To simulate this situation, write zeros to the location of the first partition entry:

Physical Sector: Cyl 0, Side 0, Sector 1
000001C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000001D0 41 3F 06 FE 7F 64 7F 32 4E 00 A6 50 09 00 00 00  A?...d.2N..P....
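The two scenarios above (an entry removed so later entries move up, and an entry overwritten with zeros so a hole is left) can be checked mechanically. The following is an added Python example, not code from Active@ UNDELETE or its manual: it parses the four 16-byte entries at 0x1BE, verifies the 55 AA marker, and reports the conditions a recovery tool would flag. The sample sector and its partition values are constructed for the example, not taken from the dumps above; the CHS bytes are placeholders because the check relies on the LBA fields.

```python
import struct

ENTRY_FMT = "<B3sB3sII"   # boot flag, CHS start, type, CHS end, LBA start, sector count
TABLE_OFF, SIG_OFF = 0x1BE, 0x1FE


def make_entry(boot: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    # CHS fields are placeholders; the checks below use the LBA pair.
    return struct.pack(ENTRY_FMT, boot, b"\x01\x01\x00", ptype, b"\xfe\xff\xff", lba_start, sectors)


def make_mbr(entries: list) -> bytes:
    sector = bytearray(512)
    for i, e in enumerate(entries):
        sector[TABLE_OFF + 16 * i:TABLE_OFF + 16 * (i + 1)] = e
    sector[SIG_OFF:SIG_OFF + 2] = b"\x55\xAA"
    return bytes(sector)


# Constructed sample (not a real disk): a bootable FAT16 partition followed by
# an extended partition; slots 3 and 4 unused.
SAMPLE_MBR = make_mbr([make_entry(0x80, 0x06, 63, 1_048_513),
                       make_entry(0x00, 0x0F, 1_048_576, 2_097_152)])


def parse_partition_table(sector: bytes) -> list:
    if len(sector) < 512 or sector[SIG_OFF:SIG_OFF + 2] != b"\x55\xAA":
        raise ValueError("missing 55 AA end-of-sector marker")
    table = []
    for i in range(4):
        raw = sector[TABLE_OFF + 16 * i:TABLE_OFF + 16 * (i + 1)]
        boot, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, raw)
        table.append({"slot": i + 1, "boot": boot, "type": ptype,
                      "start": start, "count": count, "empty": not any(raw)})
    return table


def diagnose(sector: bytes) -> list:
    """Return the problems a recovery tool would flag in this partition table."""
    try:
        table = parse_partition_table(sector)
    except ValueError as exc:
        return [str(exc)]
    findings, used = [], [e for e in table if not e["empty"]]
    if sum(e["boot"] == 0x80 for e in used) != 1:
        findings.append("no single active partition: the loader cannot hand off control")
    for e in used:
        if e["boot"] not in (0x00, 0x80) or e["type"] == 0 or e["count"] == 0:
            findings.append(f"slot {e['slot']}: damaged entry")
    last_used = max((e["slot"] for e in used), default=0)
    for e in table:
        if e["empty"] and e["slot"] < last_used:
            findings.append(f"slot {e['slot']}: empty entry before a used one (entry wiped?)")
    spans = sorted((e["start"], e["start"] + e["count"], e["slot"]) for e in used)
    for (_, end_a, a), (start_b, _, b) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append(f"slots {a} and {b} overlap")
    return findings


def delete_entry(sector: bytes, slot: int) -> bytes:
    """Remove an entry the way a partitioning tool does: later entries move up."""
    s = bytearray(sector)
    lo, hi = TABLE_OFF + 16 * (slot - 1), TABLE_OFF + 64
    s[lo:hi] = s[lo + 16:hi] + bytes(16)
    return bytes(s)


def zero_entry(sector: bytes, slot: int) -> bytes:
    """Simulate damage: overwrite one entry with zeros, leaving the others in place."""
    s = bytearray(sector)
    s[TABLE_OFF + 16 * (slot - 1):TABLE_OFF + 16 * slot] = bytes(16)
    return bytes(s)


if __name__ == "__main__":
    print(diagnose(SAMPLE_MBR))                   # healthy table: no findings
    print(diagnose(delete_entry(SAMPLE_MBR, 1)))  # active flag left with the deleted entry
    print(diagnose(zero_entry(SAMPLE_MBR, 1)))    # hole in slot 1 as well
```

Running the script prints an empty list for the intact table, one finding after the first entry is deleted (the extended partition moved into slot 1 carries no active flag), and two findings after the entry is zeroed (no active partition, and an empty slot sitting in front of a used one, which is the tell-tale of a wiped entry rather than a never-used slot).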
88. Offset   00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00012580 2E 00 70 00 70 00 74 00 80 00 00 00 48 00 00 00  ..p.p.t.....H...
00012590 01 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00  ................
000125A0 6D 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  m.......@.......
000125B0 00 DC 00 00 00 00 00 00 00 DC 00 00 00 00 00 00  ................
000125C0 00 DC 00 00 00 00 00 00 31 6E EB C4 04 00 00 00  ........1n......
000125D0 FF FF FF FF 82 79 47 11 00 00 00 00 00 00 00 00  .....yG.........

Decoding Data Runs

Decoding the data runs (the bytes 31 6E EB C4 04 00 at offset 0x125C8) can be accomplished using the following steps:
- The first byte, 0x31, shows how many bytes are allocated for the length of the run (low nibble: 0x1) and for the first cluster offset (high nibble: 0x3).
- Take one byte, 0x6E: this is the length of the run.
- Pick up the 3 bytes pointing to the start cluster offset: EB C4 04. Changing the byte order, we get the first cluster of the file: 0x04C4EB = 312555.
- Starting from this cluster we need to pick up 0x6E = 110 clusters.
- The next byte, 0x00, tells us that no more data runs exist. Our file is not fragmented, so it has only one data run. (In a fragmented file each subsequent run's offset is a signed value relative to the start of the previous run, not an absolute cluster number.)

Lastly, check to see if there...
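The decoding walked through above, as an added Python example that is not code from Active@ UNDELETE or its manual. It parses the non-resident DATA attribute header from the dump above (transcribed into the 96-byte slice below), decodes the run list, and cross-checks the run total against the VCN range the header declares. It also covers what the single-run example on this page does not show: signed relative offsets for fragmented files and sparse runs with no offset field; the two short run lists in the test are constructed for that purpose.

```python
import struct

# 96 bytes transcribed from the MFT record dump above (offsets 0x12580-0x125DF).
# The DATA attribute header starts at 0x12588, i.e. at offset 8 in this slice.
MFT_SLICE = bytes.fromhex(
    "2E 00 70 00 70 00 74 00 80 00 00 00 48 00 00 00"
    "01 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00"
    "6D 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00"
    "00 DC 00 00 00 00 00 00 00 DC 00 00 00 00 00 00"
    "00 DC 00 00 00 00 00 00 31 6E EB C4 04 00 00 00"
    "FF FF FF FF 82 79 47 11 00 00 00 00 00 00 00 00"
)
ATTR_DATA = 0x80


def decode_data_runs(buf: bytes, pos: int = 0) -> list:
    """Decode an NTFS run list into [(first_lcn, cluster_count), ...].

    Each run starts with a header byte: low nibble = size of the length field,
    high nibble = size of the offset field.  The offset is SIGNED and relative
    to the previous run's first cluster; an offset size of 0 marks a sparse run
    (no clusters allocated), reported here with first_lcn = None.
    """
    runs, lcn = [], 0
    while pos < len(buf) and buf[pos] != 0x00:      # 0x00 terminates the list
        len_size, off_size = buf[pos] & 0x0F, buf[pos] >> 4
        pos += 1
        length = int.from_bytes(buf[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((None, length))
        else:
            lcn += int.from_bytes(buf[pos:pos + off_size], "little", signed=True)
            pos += off_size
            runs.append((lcn, length))
    return runs


def parse_nonresident_attribute(rec: bytes, off: int) -> dict:
    """Parse a non-resident attribute header at rec[off:] together with its runs."""
    atype, alen = struct.unpack_from("<II", rec, off)
    if rec[off + 8] != 1:
        raise ValueError("attribute is resident: its data lives inside the MFT record")
    start_vcn, last_vcn = struct.unpack_from("<QQ", rec, off + 0x10)
    (run_off,) = struct.unpack_from("<H", rec, off + 0x20)
    alloc, real, init = struct.unpack_from("<QQQ", rec, off + 0x28)
    runs = decode_data_runs(rec, off + run_off)
    total = sum(n for _, n in runs)
    # A recovery tool should not trust the runs unless they cover exactly the
    # VCN range the header declares; a mismatch means the record is damaged.
    if total != last_vcn - start_vcn + 1:
        raise ValueError(f"runs cover {total} clusters, header declares {last_vcn - start_vcn + 1}")
    return {"type": atype, "length": alen, "last_vcn": last_vcn,
            "allocated_size": alloc, "real_size": real, "initialized_size": init,
            "runs": runs}


def cluster_chain(runs: list) -> list:
    """Expand runs into the ordered list of LCNs to read (None for sparse clusters)."""
    chain = []
    for first, count in runs:
        chain.extend([None] * count if first is None else range(first, first + count))
    return chain


if __name__ == "__main__":
    attr = parse_nonresident_attribute(MFT_SLICE, 8)
    print(hex(attr["type"]), attr["runs"])                      # 0x80 [(312555, 110)]
    print(attr["real_size"], len(cluster_chain(attr["runs"])))  # 56320 110
```

The header also gives the consistency check the text hints at: the last VCN is 0x6D, so the run list must account for 110 clusters, and the allocated, real and initialized sizes of 0xDC00 bytes equal 110 clusters of 512 bytes. If those figures disagree with the decoded runs, the record has been reused or damaged and the chain should not be followed blindly.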
89. ...irection indicated. When all disks have been selected and sequenced, click Next to continue.

3. Set Disk Array Geometry

Figure 4.3: Disk Array Geometry. [Create Virtual Disk Array Wizard: You can select the geometry settings for the Virtual Disk Array. LBA Mode; Number of Cylinders 255; Number of Tracks per Cylinder 1024; Number of Sectors per Track 63; Number of Bytes per Sector.]

On this screen you can specify the final Disk Array geometry settings. To use default values, select Use default settings. To set specific values, select Specify custom settings and enter values for the disk geometry in the appropriate fields. When the disk geometry settings are complete, click Next to continue.

4. Confirm Virtual Disk Array Creation

Figure 4.4: Create Disk Array. [Create Virtual Disk Array Wizard: The following parameters were selected to create a new Volume. Volume Type; Volumes selected in order: Hard Disk Drive 81h, 37.2 GB, Damaged Device; Volume Geometry: LBA Mode Yes; Number of Cylinders 255; Number of Tracks per Cylinder 1024.]

On this screen, verify the configuration information about the Disk Array to be created. Click Back to change settin...
90. ...is always zero on a FAT32 drive. Additionally, the A_BF_BPB_BigSectorsPerFat and A_BF_BPB_BigSectorsPerFatHi members of the updated BPB provide the equivalent information for FAT32 media.

BPB (FAT32)

The BPB for FAT32 drives is an extended version of the FAT16/FAT12 BPB. It contains identical information to a standard BPB but also includes several extra fields for FAT32-specific information. This structure is implemented in Windows OEM Service Release 2 and later.

A_BF_BPB STRUC
    A_BF_BPB_BytesPerSector        DW ?
    A_BF_BPB_SectorsPerCluster     DB ?
    A_BF_BPB_ReservedSectors       DW ?
    A_BF_BPB_NumberOfFATs          DB ?
    A_BF_BPB_RootEntries           DW ?
    A_BF_BPB_TotalSectors          DW ?
    A_BF_BPB_MediaDescriptor       DB ?
    A_BF_BPB_SectorsPerFAT         DW ?
    A_BF_BPB_SectorsPerTrack       DW ?
    A_BF_BPB_Heads                 DW ?
    A_BF_BPB_HiddenSectors         DW ?
    A_BF_BPB_HiddenSectorsHigh     DW ?
    A_BF_BPB_BigTotalSectors       DW ?
    A_BF_BPB_BigTotalSectorsHigh   DW ?
    A_BF_BPB_BigSectorsPerFat      DW ?
    A_BF_BPB_BigSectorsPerFatHi    DW ?
    A_BF_BPB_ExtFlags              DW ?
    A_BF_BPB_FS_Version            DW ?
    A_BF_BPB_RootDirStrtClus       DW ?
    A_BF_BPB_RootDirStrtClusHi     DW ?
    A_BF_BPB_FSInfoSec             DW ?
    A_BF_BPB_BkUpBootSec           DW ?
    A_BF_BPB_Reserved              DW 6 DUP (?)
A_BF_BPB ENDS

Table 7.5: BPB Members
Member Name | Description
A_BF_BPB_BytesPerSector | The number of bytes per sector.
A_BF_BPB_SectorsPerCluster | The number of sectors per cluster.
A_BF_BPB_Reser...
91. ...itional behavior not present in the underlying file system. Reparse points are used by many of the new storage features in Windows 2000, including volume mount points.

Volume Mount Points: volume mount points are new to NTFS. Based on reparse points, they allow administrators to graft access to the root of one local volume onto the folder structure of another local volume.

Sparse Files: sparse files allow programs to create very large files but consume disk space only as needed.

Distributed Link Tracking: NTFS provides a link tracking service that maintains the integrity of shortcuts to files, as well as OLE links within compound documents.

For more detailed information see the resource kits on Microsoft's web site (http://www.microsoft.com/windows/reskits/webresources/default.asp) or the Microsoft Developer Network (http://msdn.microsoft.com).

Table 7.11 describes the boot sector of a volume formatted with NTFS. When you format an NTFS volume, the format program allocates the first 16 sectors for the boot sector and the bootstrap code.

Table 7.11: NTFS Boot Sector
Byte Offset | Field Length | Field Name
0x00 | 3 bytes | Jump Instruction
0x03 | LONGLONG | OEM ID
0x0B | 25 bytes | BPB
0x24 | 48 bytes | Extended BPB
0x54 | 426 bytes | Bootstrap Code
0x01FE | WORD | End of Sector Marker

On NTFS volumes, the data fields that follow the BPB form an extended BPB. The data in these fields enables Ntldr (the NT loader program) to find the master...
92. ...ive FAT, but are only meaningful if bit 8 is set. This member can contain a combination of the following values:

Value | Name | Description
000Fh | BGBPB_F_ActiveFATMsk | Mask for the low four bits (number of the active FAT).
0080h | BGBPB_F_NoFATMirror | Mask indicating the FAT mirroring state. If set, FAT mirroring is disabled; if clear, FAT mirroring is enabled.

Bits 4 to 6 and 8 to 15 are reserved.

A_BF_BPB_FS_Version | The file system version number of the FAT32 drive. The high byte represents the major version and the low byte the minor version.
A_BF_BPB_RootDirStrtClus | The cluster number of the first cluster in the FAT32 drive's root directory.
A_BF_BPB_RootDirStrtClusHi | The high word of the FAT32 starting cluster number.
A_BF_BPB_FSInfoSec | The sector number of the file system information sector. The file system info sector contains a BIGFATBOOTFSINFO structure. This member is set to 0FFFFh if there is no FSINFO sector; otherwise the value must be non-zero and less than the reserved sector count.
A_BF_BPB_BkUpBootSec | The sector number of the backup boot sector. This member is set to 0FFFFh if there is no backup boot sector; otherwise the value must be non-zero and less than the reserved sector count.
A_BF_BPB_Reserved | Reserved member.

BIGFATBOOTFSINFO (FAT32)

Contains information about the file system on a FAT32 volume. This structure is implemented in Windows OEM Service Release 2 and l...
93. ...l

[Scan dialog: Select one of the following scanning methods to perform the scan. Simple scan: fast and sufficient; performed as the default scanning method if no other is specified. Advanced scan: uses advanced scanning methods; takes more time than Simple Scan but has a greater chance of discovering lost data. Show this dialog next time. Cancel.]

Select one of the local drive scan methods to start scanning, or click Cancel to abandon the scan. If you want to skip this step next time, clear the Show this dialog next time check box; the scan method will then default to Simple Scan.

Other ways to begin the scan:
- Click Actions > Scan in the command toolbar and select Simple Scan or Advanced Scan.
- Click Scan in the toolbar. To change the Scan button's default command, use the drop-down arrow on the right side of the button.
- Right-click any drive item, click Drive Scan on the context menu, then choose Simple Scan or Advanced Scan.

When the scan process starts, a progress bar in the Status Bar area indicates scanning progress, and new entries in the Application Log view describe the scanning events as they happen. During the scanning process the Stop button becomes available and can be used to terminate the scan at any time. After the local drive scan completes, yo...
94. ...ld is 512. (Sample values in this table are shown as the bytes appear on disk, least significant byte first; 0x0002 at offset 0x0B is the value 512.)
0x0D | BYTE | 0x08 | Sectors Per Cluster | The number of sectors in a cluster. The default cluster size for a volume depends on the volume size and the file system.
0x0E | WORD | 0x0100 | Reserved Sectors | The number of sectors from the Partition Boot Sector to the start of the first file allocation table, including the Partition Boot Sector. The minimum value is 1. If the value is greater than 1, the bootstrap code is too long to fit completely in the Partition Boot Sector.
0x10 | BYTE | 0x02 | Number of file allocation tables (FATs) | The number of copies of the file allocation table on the volume. Typically the value of this field is 2.
0x11 | WORD | 0x0002 | Root Entries | The total number of file name entries that can be stored in the root folder of the volume. One entry is always used as a Volume Label, and files with long filenames use multiple entries per file, so the largest number of files in the root folder is typically 511, and you will run out of entries sooner if you use long filenames.
0x13 | WORD | 0x0000 | Small Sectors | The number of sectors on the volume if the number fits in 16 bits (65535). For volumes larger than 65535 sectors this field has the value 0 and the Large Sectors field is used instead.
0x15 | BYTE | 0xF8 | Media Type | Provides information about the media being used...
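The boot-sector fields tabulated above (and the FAT32 extension described in the BPB sections) are what a tool reads to decide whether a "safe boot sector" can be trusted and where the FATs, root folder and data area start. The following is an added Python example, not code from Active@ UNDELETE or its manual: it unpacks the BPB at offset 0x0B, derives the FAT type from the cluster count in the usual way, applies the plausibility rules stated in the text (reserved sectors at least 1, FSInfo and backup boot sector either 0xFFFF or inside the reserved area), and maps a cluster number to its first sector. The two boot sectors it parses are constructed from the sample values above, not copied from a real disk; the bootstrap code area is left empty.

```python
import math
import struct

BPB_FMT = "<HBHBHHBHHHII"   # 25 bytes at 0x0B, common to FAT12/16/32
EXT32_FMT = "<IHHIHH"       # 16 bytes at 0x24, FAT32 only
FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors", "num_fats",
          "root_entries", "small_sectors", "media", "sectors_per_fat16",
          "sectors_per_track", "heads", "hidden_sectors", "large_sectors")
FIELDS32 = ("sectors_per_fat32", "ext_flags", "fs_version", "root_cluster",
            "fsinfo_sector", "backup_boot_sector")


def build_boot_sector(**v) -> bytes:
    """Assemble a 512-byte boot sector from field values (unset fields are zero)."""
    s = bytearray(512)
    s[0:3] = b"\xEB\x3C\x90"                                  # jump instruction
    struct.pack_into(BPB_FMT, s, 0x0B, *(v.get(f, 0) for f in FIELDS))
    struct.pack_into(EXT32_FMT, s, 0x24, *(v.get(f, 0) for f in FIELDS32))
    s[0x1FE:0x200] = b"\x55\xAA"                              # end-of-sector marker
    return bytes(s)


def parse_bpb(sector: bytes) -> dict:
    """Read the BPB, decide FAT12/16/32 from the cluster count and lay out the volume."""
    if sector[0] not in (0xEB, 0xE9) or sector[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("not a FAT boot sector (jump opcode or 55 AA marker missing)")
    b = dict(zip(FIELDS, struct.unpack_from(BPB_FMT, sector, 0x0B)))
    if b["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        raise ValueError(f"implausible bytes per sector {b['bytes_per_sector']}")
    spc = b["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1) or b["num_fats"] == 0 or b["reserved_sectors"] == 0:
        raise ValueError("sectors/cluster must be a power of two; FATs and reserved sectors at least 1")
    fat_size = b["sectors_per_fat16"]
    if fat_size == 0:                       # FAT32 keeps the size in the extension
        b.update(zip(FIELDS32, struct.unpack_from(EXT32_FMT, sector, 0x24)))
        fat_size = b["sectors_per_fat32"]
    total = b["small_sectors"] or b["large_sectors"]
    root_dir_sectors = math.ceil(b["root_entries"] * 32 / b["bytes_per_sector"])
    data_start = b["reserved_sectors"] + b["num_fats"] * fat_size + root_dir_sectors
    if total <= data_start:
        raise ValueError("volume too small for its own metadata")
    clusters = (total - data_start) // spc
    b["type"] = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"
    if b["type"] == "FAT32":
        for f in ("fsinfo_sector", "backup_boot_sector"):
            if b[f] != 0xFFFF and not 0 < b[f] < b["reserved_sectors"]:
                raise ValueError(f"{f} must be 0xFFFF or lie inside the reserved area")
    b.update(total_sectors=total, sectors_per_fat=fat_size, fat_start=b["reserved_sectors"],
             root_dir_start=b["reserved_sectors"] + b["num_fats"] * fat_size,
             data_start=data_start, cluster_count=clusters)
    return b


def cluster_to_sector(bpb: dict, cluster: int) -> int:
    """First sector of a data cluster; data clusters are numbered from 2."""
    if not 2 <= cluster < bpb["cluster_count"] + 2:
        raise ValueError("cluster outside the data area")
    return bpb["data_start"] + (cluster - 2) * bpb["sectors_per_cluster"]


# Constructed sectors using the sample values of the table above
# (512 bytes/sector, 8 sectors/cluster, 2 FATs, media 0xF8).
FAT16_SECTOR = build_boot_sector(bytes_per_sector=512, sectors_per_cluster=8, reserved_sectors=1,
                                 num_fats=2, root_entries=512, media=0xF8,
                                 sectors_per_fat16=256, large_sectors=524_288)
FAT32_SECTOR = build_boot_sector(bytes_per_sector=512, sectors_per_cluster=8, reserved_sectors=32,
                                 num_fats=2, media=0xF8, large_sectors=4_194_304,
                                 sectors_per_fat32=4096, root_cluster=2,
                                 fsinfo_sector=1, backup_boot_sector=6)

if __name__ == "__main__":
    for sec in (FAT16_SECTOR, FAT32_SECTOR):
        v = parse_bpb(sec)
        print(v["type"], v["cluster_count"], v["fat_start"], v["root_dir_start"], v["data_start"])
```

For the FAT16 sector the root folder occupies 32 sectors directly after the two FATs, so the data area begins at sector 545 and cluster 3 (the first cluster of the deleted file in the FAT recovery example later in this chapter) starts at sector 553; for the FAT32 sector there is no fixed root folder and the root directory starts in cluster 2 at sector 8224.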
95. ...le

Offset   00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
0003EE60 E5 4D 00 79 00 46 00 69 00 6C 00 0F 00 BA 65 00  .M.y.F.i.l....e.
0003EE70 2E 00 74 00 78 00 74 00 00 00 00 00 FF FF FF FF  ..t.x.t.........
0003EE80 E5 59 46 49 4C 45 20 20 54 58 54 20 00 C3 D6 93  .YFILE  TXT ....
0003EE90 56 2B 56 2B 00 00 EE 93 56 2B 03 00 33 B7 01 00  V+V+....V+..3...

We can calculate the size of the deleted file from the root entry structure. The last four bytes are 33 B7 01 00; converting them to a decimal value (changing the byte order) we get 112,435 bytes. The previous 2 bytes, 03 00, are the number of the first cluster of the deleted file; repeating the conversion for them we get 3, the start cluster of the file.

What can we see in the File Allocation Table at this moment?

Offset   00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000200 F8 FF FF FF FF FF 00 00 00 00 00 00 00 00 08 00
00000210 09 00 0A 00 0B 00 0C 00 0D 00 FF FF 00 00 00 00
00000220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Zeros. And that is good in our case: it means that these clusters are free, i.e. most likely our file was not overwritten by another file's data. Now we have the chain of clusters 3, 4, 5, 6 and we are ready to recover it.

Some explanations: we started looking at offset 6 because each cluster entry in FAT16 takes 2 bytes and our file starts at the 3rd cluster, i.e. 3 * 2 = 6. We considered 4 clusters because the cluster size on our drive is 32 KB and our file size is 112,435 bytes,
96. ...meters even if a duplicate boot sector is not found, i.e. perform virtual partition recovery and give the user virtual access to the data on the drive so that it can be copied to a safer location.

For the operating system to boot properly, its system files must be safe. In the case of Windows 95/98/ME these files are msdos.sys, config.sys, autoexec.bat, system.ini, system.dat, user.dat and so on. In the case of Windows NT/2000/XP they are NTLDR, ntdetect.com and boot.ini, located in the root folder of the bootable volume, and the Registry files (SAM, SECURITY, SYSTEM, SOFTWARE and so on). If these files have been deleted, corrupted or damaged by a virus, Windows will be unable to boot and you will see error messages like "NTLDR is missing".

The next step in the recovery process is therefore to check the existence and safety of the system files. You will not be able to check them all, but you must check at least NTLDR, ntdetect.com and boot.ini, which cause most problems. To do this in Windows 95/98/ME, boot in Command Prompt mode or from a bootable floppy and check the system files from the command line or with the help of third-party recovery software. To do this in Windows NT/2000/XP, use the Emergency Repair Process, the Recovery Console or third-party recovery software.

Emergency Repair Process

To proceed with the Emergency Repair Process you need an Emergency Repair Disk (ERD). It is recommended to create an ERD after you install and customize Windows. To...
Create Disk Image Wizard: Disk Image area selection (screenshot: "Define the area to be stored as a Disk Image by moving the bar sides or typing the exact sector values into the appropriate text boxes"; drive FL 017 A:, last sector 2880, Start at sector 205, End at sector 2548)

You can make a Disk Image of an entire disk or of part of a disk. On this wizard page specify the area in one of two ways:
In the picker control area, click and drag the edges of the selected area until the desired area is covered.
Enter the Start at sector and End at sector numbers of the desired area.
After completing this page press Next > to proceed.

3. Confirm Disk Image Creation

Figure 4-7 Creation of Disk Image (screenshot: "Verify your selections before starting the creation process. The Wizard is ready to create a Disk Image of FL 017 A: starting from sector 205 to sector 2548 and save it as C:\Temp\disk images\A disk image.dim. Press Next to initiate the Disk Image creation process. This may take several minutes depending on the size of the disk selected.")

On this screen verify the configuration information about the Disk Image to be created. Click Back to change settings if they are not correct. Click Next to create the Disk Image. You can watch the progress as the Disk Image i
n application. You can keep the window open or minimize it. When it is running minimized you can access the application at any time through an icon in the System Tray area.

Using Active@ Remote Recovery Agent. To start the application from Windows, click the Start button, then click All Programs > LSoft Tech > Remote Recovery Agent. The Remote Recovery Agent Log View window appears.

Figure 5-2 Log View (screenshot of the Remote Recovery Agent window, menus File / View / Help, with columns Event, Date/Time and Description; the entries, newest first and timestamped September 09 from 14:47:29 to 14:51:00, read: Connected; Request complete; Copying _11086.JPG to d:\Temp\recovered\_11086.JPG; RECOVERY request received; Request complete; Copying Help.zip to d:\Temp\recovered\Help.zip; RECOVERY request received; Request complete; Request received; Remote Recovery Agent has been connected; Remote Recovery Agent status has been changed; Start listening on the port 59137. Each entry is marked Information, IN or OUT.)

In this Log Vi
nd what: Enter text, along with wildcards or expressions that represent patterns, to quickly locate a file. Use the same type of search pattern that you use when searching for files or folders in Windows. The asterisk (*) in a pattern means that zero or any number of characters of any kind may appear at that place. The table below illustrates some examples.

Table 3-2 Search Pattern Examples
Pattern      Result of search
*            All files on the drive or in the folder
*.txt        All files with the txt extension
My*          All files whose names start with My
MyFile.txt   Only files named MyFile.txt

A description of each of the Search Options groups follows.

Advanced Settings. This group provides many standard search options to help you increase the accuracy of your search. A description of the options follows.
Look in: Select the drives or folders to search from a drop-down list of pre-defined scopes.
File Type: This list contains file extensions and the icons of the applications associated with them. If no extensions are listed, all files in the directories listed in the Look in drop-down list are searched.
Recursive (Search in subdirectories): The search includes the root directory and all subfolders. Clear this check box to search only the root directory of the drive.
Case Sensitive Search: The search reports only files or folders that match the combination of uppercase and lowercase characters in the Find what box. Se
ns our recently deleted file My Presentation.ppt. Below, MFT record number 57 is displayed:

Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00012400  46 49 4C 45 2A 00 03 00 9C 74 21 03 00 00 00 00   FILE*....t!.....
00012410  47 00 02 00 30 00 00 00 D8 01 00 00 00 04 00 00   G...0...........
00012420  00 00 00 00 00 00 00 00 05 00 03 00 00 00 00 00   ................
00012430  10 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00   ....`...........
00012440  48 00 00 00 18 00 00 00 20 53 DD A3 18 F1 C1 01   H....... S......
00012450  00 30 2B D8 48 E9 C0 01 C0 BF 20 A0 18 F1 C1 01   .0+.H..... .....
00012460  20 53 DD A3 18 F1 C1 01 20 00 00 00 00 00 00 00    S...... .......
00012470  00 00 00 00 00 00 00 00 00 00 00 00 02 01 00 00   ................
00012480  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00012490  30 00 00 00 78 00 00 00 00 00 00 00 00 00 03 00   0...x...........
000124A0  5A 00 00 00 18 00 01 00 05 00 00 00 00 00 05 00   Z...............
000124B0  20 53 DD A3 18 F1 C1 01 20 53 DD A3 18 F1 C1 01    S...... S......
000124C0  20 53 DD A3 18 F1 C1 01 20 53 DD A3 18 F1 C1 01    S...... S......
000124D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
000124E0  20 00 00 00 00 00 00 00 0C 02 4D 00 59 00 50 00    .........M.Y.P.
000124F0  52 00 45 00 53 00 7E 00 31 00 2E 00 50 00 50 00   R.E.S.~.1...P.P.
00012500  54 00 69 00 6F 00 6E 00 30 00 00 00 80 00 00 00   T.i.o.n.0.......
00012510  00 00 00 00 00 00 02 00 68 00 00 00 18 00 01 00   ........h.......
00012520  05 00 00 00 00 00 05 00 20 53 DD A3 18 F1 C1 01   ........ S......
00012530  20 53 DD A3 18 F1 C1 01 20 53 DD A3 18 F1 C1 01    S...... S......
00012540  20 53 DD A3 18 F1 C1 01 00 00 00 00 00 00 00 00    S..............
00012550  00 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00   ........ .......
00012560  13 00 4D 00 79 00 20 00 50 00 72 00 65 00 73 00   ..M.y. .P.r.e.s.

Reading the record header: the flags word at offset 0x16 is 00 00, so the record is marked not in use (a deleted file); the hard link count at 0x12 is 2; the first attribute starts at 0x30 and the record uses 0x1D8 of its 0x400 bytes. The attributes follow: $STANDARD_INFORMATION (type 0x10, 0x60 bytes) with the four timestamps, then two $FILE_NAME attributes (type 0x30): the 12-character DOS name MYPRES~1.PPT (name length 0C, namespace 02 at 0x124E8) and the 19-character long name beginning "My Pres" at 0x12562, both with parent directory record 5 (the root). The bytes i.o.n after the short name, at 0x12502, lie past the end of that attribute's value (0xA8 + 0x5A = 0x102) and are slack from an earlier value, not part of the name.
ny one of the following:
If the Properties View is active, select any item and view its properties.
If the Properties View is not active, select any item in the Explorer, then from the command menu toolbar click View > Properties.
Right-click any item in the Explorer and click Properties in the context menu.
With any item selected, click the Property View tab in Active@ UNDELETE Explorer. As long as the Property View tab is active, selecting another item automatically displays information about it in the Properties View.

Search Results view. The Search Results view is used to review the results of a search performed in the selected context.

Figure 2-4 Search Results (screenshot titled "Search Results for Files and Folders": a list of found files with name, status such as Healthy, size, created/modified/accessed dates and full path, for example 354076.JPG, 354935.JPG and DSC_0170 copy.jpg under the TESTING and Backups folders, with a total item count at the bottom)
of all attribute records that do not fit in the MFT record.
File Name: A repeatable attribute for both long and short file names. The long name of the file can be up to 255 Unicode characters. The short name is the 8.3, case-insensitive name for the file. Additional names, or hard links, required by POSIX can be included as additional file name attributes.
Security Descriptor: Describes who owns the file and who can access it.
Data: Contains file data. NTFS allows multiple data attributes per file. Each file typically has one unnamed data attribute. A file can also have one or more named data attributes, each using a particular syntax. A named data attribute (an alternate data stream) does not show up in an ordinary directory listing, so a recovery or forensic scan should enumerate all data attributes of a record, not only the unnamed one.
Object ID: A volume-unique file identifier. Used by the distributed link tracking service. Not all files have object identifiers.
Logged Tool Stream: Similar to a data stream, but operations are logged to the NTFS log file just like NTFS metadata changes. This is used by EFS.
Reparse Point: Used for volume mount points. Also used by Installable File System (IFS) filter drivers to mark certain files as special to that driver.
Index Root: Used to implement folders and other indexes.
Index Allocation: Used to implement folders and other indexes.
Bitmap: Used to implement folders and other indexes.
Volume Information: Used only in the $Volume system file. Contains the volume version.
Volume
ol and ownership privileges that are important for the integrity of critical data. While folders shared on a Windows NT computer are assigned particular permissions, NTFS files and folders can have permissions assigned whether they are shared or not. NTFS is the only file system on Windows NT that allows you to assign permissions to individual files.

The NTFS file system has a simple yet very powerful design. Basically, everything on the volume is a file and everything in a file is an attribute, from the data attribute to the security attribute to the file name attribute. Every allocated sector on an NTFS volume belongs to some file. Even the file system metadata, the information that describes the file system itself, is part of a file.

What's New in NTFS5 (Windows 2000)

Encryption. The Encrypting File System (EFS) provides the core file encryption technology used to store encrypted files on NTFS volumes. EFS keeps files safe from intruders who might gain unauthorized physical access to sensitive stored data, for example by stealing a portable computer or an external disk drive. Note that EFS protects data only at rest: anyone who can log on with the owner's credentials or who holds the recovery agent's key can read the files, and copying an encrypted file's raw clusters recovers only ciphertext.

Disk Quotas. Windows 2000 supports disk quotas for NTFS volumes. You can use disk quotas to monitor and limit disk space use.

Reparse Points. Reparse points are new file system objects in NTFS that can be applied to NTFS files or folders. A file or folder that contains a reparse point acquires add
ols to provide visual cues about the status of drives, devices, folders and other items. The Explorer toolbar provides a quick way to execute frequently used commands, as well as a standard command menu.

Navigation with Active@ UNDELETE Explorer. To use Active@ UNDELETE Explorer efficiently, read the following section about the main display screen. The Explorer main screen is divided into three areas: Tool Views, Tree Pane and File Panes. The figure below illustrates the three areas.

Figure 2-1 Active@ UNERASER Main Screen (screenshot with the Toolbar, File Pane, Tree Pane and Tool Views areas labelled)

A description of these areas follows.

Tree Pane. The two main folders in this tree are named Local Drives and Local Devices.
Local Drives: All logical drives recognized by the operating system. You can perform these tasks: browse the accessible logical drive tree for a specific drive location; scan logical drives for deleted or damaged areas; create a local drive Disk Image.
Local Devices: All physical devices attached to the system. Here you can perform these tasks: browse accessible physical devices for a specific device; scan a device using one of the three available scan methods; create a device Disk Image; browse the hierarchical structure of devices, partitions, drives
or Exit the application.

Figure 5-4 Remote Recovery Agent Context Menu

Active@ Remote Recovery Agent Options. The Active@ Remote Recovery Agent Properties dialog allows you to specify the following settings:
Port Number: The number of the communication port reserved for the TCP connection between Active@ Remote Recovery Agent and Active@ UNDELETE. After applying changes, Active@ Remote Recovery Agent is restarted immediately.
Enable Active@ Remote Recovery Agent at Start: With this check box selected, Active@ Remote Recovery Agent accepts connections from Active@ UNDELETE as soon as the PC starts.
Use password for connection validation: With this check box selected, the connection request from the client is password-protected and validated against the matching password entered in Active@ Remote Recovery Agent. Because the agent can scan the remote machine and copy its files to the client, leave this option selected and restrict access to the port (for example with a firewall rule) to the machine that performs the recovery.

UNDERSTANDING THE ADVANCED UNDELETE PROCESS

This chapter describes various processes of the application.

Overview. The process of undeleting a file consists of scanning a drive or folder to discover deleted entries, as listed in the Root Folder (File Allocation Table) or the Master File Table (NT File System). Once a deleted entry has been found, a chain of file clusters is defined for recovery, and the contents of these clusters are then written to the newly created file. Different file systems maintain their own specific logical data structures; however, basically each file system
or value for extended partitions.
Part_NumSectors: The 1-based number of sectors in the partition.

The NTFS File System

The Windows NT file system (NTFS) provides a combination of performance, reliability and compatibility not found in the FAT file system. It is designed to quickly perform standard file operations such as read, write and search, and even advanced operations such as file system recovery, on very large hard disks.

Formatting a volume with the NTFS file system results in the creation of several system files and the Master File Table (MFT), which contains information about all the files and folders on the NTFS volume. The first information on an NTFS volume is the Partition Boot Sector, which starts at sector 0 and can be up to 16 sectors long. The first file on an NTFS volume is the Master File Table (MFT). The following figure illustrates the layout of an NTFS volume when formatting has finished.

Figure 7-5 Formatted NTFS Volume (diagram: partition boot sector, Master File Table, system file area, file area)

This chapter covers the following NTFS topics: NTFS Partition Boot Sector; NTFS Master File Table (MFT); NTFS File Types; NTFS Data Integrity and Recoverability.

The NTFS file system includes security features required for file servers and high-end personal computers in a corporate environment. The NTFS file system also supports data access contr
original partition entry, we would have a new one and everything would work fine, except that later on we might recall that we had some important data on the original partition. If you created a backup of the MBR, the Partition Table and the volume sectors before the problem (Active@ Partition Recovery and Active@ UNERASER can do this, for example), you can virtually restore it and look for your data, provided it has not yet been overwritten with new data. Some advanced recovery tools can also scan the disk surface and try to reconstruct previously deleted partition information from the remnants of that information, i.e. perform virtual partition recovery. However, there is no guarantee that you can recover anything.

Partition Boot Sector is Damaged

The Partition Boot Sector contains information which the file system uses to access the volume. On personal computers, the Master Boot Record uses the Partition Boot Sector on the system partition to load the operating system kernel files. The Partition Boot Sector is the first sector of the partition. For our first NTFS partition we have this boot sector (physical sector Cyl 0, Side 1, Sector 1):

Offset     0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
000000000  EB 5B 90 4E 54 46 53 20 20 20 20 00 02 01 00 00   .[.NTFS    .....
000000010  00 00 00 00 00 F8 00 00 3F 00 FF 00 3F 00 00 00   ........?...?...
000000020  00 00 00 00 80 00 80 00 3F 32 4E 00 00 00 00 00   ........?2N.....
000000030  5B 43 01 00 00 00 00 00 1F 19 2

The BPB fields that matter for recovery are visible here: 00 02 at offset 0x0B gives 512 bytes per sector, 01 at 0x0D gives 1 sector per cluster, 3F 00 00 00 at 0x1C gives 63 hidden sectors (the partition starts at LBA 63, which is cylinder 0, side 1, sector 1 with 63 sectors per track), 3F 32 4E 00 at 0x28 gives a volume size of 0x4E323F sectors, and 5B 43 01 00 at 0x30 gives the cluster at which $MFT starts, 0x1435B.
partition.
Scan every sector: Select this check box for the most complete scan of the device. Every sector is scanned for partition signatures.
If you have chosen a Low Level Scan, a similar dialog box appears. There are only two options to configure:
Start at sector / End at sector: If the device you are scanning is large, scan part of it for a quicker report.
Confirm accepting detected partition: With this check box selected, each time the scan detects a new partition a confirmation screen appears.
After you have configured the scan, click OK to perform the scan or click Cancel to exit without scanning.
5. When the scan process starts, a progress bar in the Status Bar area indicates that scanning is under way. In the Application Log view, new entries describe the scanning process events as they happen. During the scanning process the Stop button becomes available and can be used to terminate the scan at any time. After the device scan completes you can view the content of the scanned device in the File Pane or in the Tree Pane of Active@ UNDELETE Explorer.

Figure 3-4 Local Device Tree After Scan (screenshot of the Hardware Devices tree: Floppy Disk 00h with a Primary FAT12 partition FLOP14 (A:); Local Disk 80h, 81h and 82h with Primary NTFS, Extended, NTFS, Primary FAT32 and spanned (Span 81h) volumes)
peration does not complete.

Data Integrity and Recoverability with NTFS. NTFS is a recoverable file system that guarantees the consistency of the volume by using standard transaction logging and recovery techniques. In the event of a disk failure, NTFS restores consistency by running a recovery procedure that accesses information stored in a log file. The NTFS recovery procedure is exact, guaranteeing that the volume is restored to a consistent state. Transaction logging requires a very small amount of overhead. NTFS ensures the integrity of all NTFS volumes by automatically performing disk recovery operations the first time a program accesses an NTFS volume after the computer is restarted following a failure. NTFS also uses a technique called cluster remapping to minimize the effects of a bad sector on an NTFS volume. Note that the log covers the file system's metadata only; the contents of user files being written at the moment of the failure are not journaled and may be lost even though the volume structure is consistent.

Important: If either the master boot record (MBR) or the boot sector is corrupted, you might not be able to access data on the volume.

Recovering Data with NTFS. NTFS views each I/O operation that modifies a system file on the NTFS volume as a transaction and manages each one as an integral unit. Once started, the transaction is either completed or, in the event of a disk failure, rolled back (that is, the NTFS volume is returned to the state it was in before the transaction was initiated). To ensure that a transaction can be completed or rolled back, NTFS records th
physical partition recovery is not possible (for example, the partition boot sector is dead) and is commonly used by recovery software. This process is almost impossible to carry out manually. Active@ UNDELETE software implements this approach.

Note: If your computer has two operating systems and you choose to start in Windows 95, 98 or ME, these operating systems cannot see partitions that are formatted for NTFS. This is normal operation for these operating systems. To view NTFS partitions you must be in a Windows NT/2000/XP environment.

Other Partition Recovery Topics. These topics related to the recovery of partitions apply to any file system: MBR is Damaged; Partition is Deleted or Partition Table is Damaged; Partition Boot Sector is Damaged; Missing or Corrupted System Files. For these topics the following disk layout will be used.

Figure 7-9 Example Disk Info (Disk Administrator view of Disk 0, 4605 MB: C: NTFS 2502 MB, H: FAT 298 MB, D: FAT 102 MB, E: NTFS 102 MB, and 1500 MB of free space in the extended partition)

The figure shows a system with two primary partitions (C: NTFS and H: FAT) and one extended partition containing two logical drives (D: FAT and E: NTFS). The Master Boot Record (MBR) is created when you create the first partition on the hard disk. It is a very important data structure on the disk. The Master Boot Record contains the Parti
portant on NTFS, for example that a duplicate of the boot sector is kept on the disk (in the last sector of the volume). The boot sector for FAT looks different; however, its BPB contains parameters similar to those mentioned above. FAT12 and FAT16 store no extra copy of this sector anywhere (FAT32 does keep a backup copy, normally in sector 6 of the volume), so recovery on FAT is not as convenient as it is on NTFS.

What Will Happen if the Partition Boot Sector is Damaged or Bad (Unreadable)? To simulate this scenario we fill several lines of the Partition Boot Sector with zeros:

Offset     0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
000000000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000060  8E D0 BC 00 7C FB B8 C0 07 8E D8 C7 06 54 00 00   ....|........T..

If we try to boot now we see "Non-System Disk or Disk Error". After the boot from it fails and we boot from a floppy instead, the partition is no longer accessible. Because a normally functioning system relies on the boot sector to access a volume, it is highly recommended that you run disk scanning tools such as Chkdsk regularly, as well as back up all of your data files, to protect against data loss in case you lose access to the volume. Tools like Active@ Partition Recovery and Ac
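The checks behind the boot-sector dump shown for the first NTFS partition and the zeroed-sector experiment above, as an added example (this is not code from the Active@ UNDELETE guide). BOOT_SECTOR_HEAD is the 0x38 bytes the guide dumps; the dump stops inside the $MFTMirr field, so the remainder of the 512-byte sector is constructed here as zeros plus the 55 AA signature, and ZEROED_SECTOR reproduces the guide's damage scenario with the first 0x60 bytes wiped. The parser rejects a sector that cannot be trusted, which is the cue to read the copy NTFS keeps in the last sector of the partition.

```python
"""Validate an NTFS partition boot sector and work out what it points to.

Added example, not code from the Active@ UNDELETE guide. BOOT_SECTOR_HEAD is the
0x38 bytes the guide dumps; everything after it is constructed (zero padding plus
the 55 AA signature). ZEROED_SECTOR is the guide's damaged sector."""
import struct

BOOT_SECTOR_HEAD = bytes.fromhex(
    "EB5B904E544653202020200002010000"   # jump, OEM id "NTFS    ", 512 B/sector, 1 sector/cluster, 0 reserved
    "0000000000F800003F00FF003F000000"   # media F8, 63 sectors/track, 255 heads, 63 hidden sectors
    "00000000800080003F324E0000000000"   # total sectors 0x4E323F
    "5B43010000000000"                   # $MFT starts at cluster 0x1435B
)
GOOD_SECTOR = BOOT_SECTOR_HEAD.ljust(510, b"\0") + b"\x55\xAA"   # constructed tail
ZEROED_SECTOR = b"\0" * 0x60 + GOOD_SECTOR[0x60:]                # first six rows wiped, as in the guide


def chs_to_lba(cyl, head, sector, heads=255, sectors_per_track=63):
    """Cylinder/Head/Sector to LBA. Sectors are numbered from 1, cylinders and heads from 0."""
    return (cyl * heads + head) * sectors_per_track + (sector - 1)


def backup_boot_sector_lba(partition_start_lba, partition_sectors):
    """NTFS keeps a copy of the boot sector in the last sector of the partition."""
    return partition_start_lba + partition_sectors - 1


def parse_ntfs_boot_sector(sec):
    """Return the BPB fields recovery depends on, or raise ValueError for an unusable sector."""
    if len(sec) < 512 or sec[510:512] != b"\x55\xAA":
        raise ValueError("boot signature 55 AA is missing")
    if sec[3:11] != b"NTFS    ":
        raise ValueError("OEM id is not 'NTFS    '")
    bps, spc, reserved = struct.unpack_from("<HBH", sec, 0x0B)
    media, _, spt, heads, hidden = struct.unpack_from("<BHHHI", sec, 0x15)
    total, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", sec, 0x28)
    if bps not in (512, 1024, 2048, 4096) or spc not in (1, 2, 4, 8, 16, 32, 64, 128):
        raise ValueError(f"implausible geometry: {bps} bytes/sector, {spc} sectors/cluster")
    if reserved != 0 or media != 0xF8 or total == 0 or mft_lcn * spc >= total:
        raise ValueError("BPB fields are inconsistent for NTFS")
    return {
        "bytes_per_sector": bps, "sectors_per_cluster": spc,
        "sectors_per_track": spt, "heads": heads,
        "hidden_sectors": hidden,                 # the partition's starting LBA
        "total_sectors": total,                   # one less than the partition size: the last sector holds the copy
        "mft_lcn": mft_lcn, "mftmirr_lcn": mftmirr_lcn,
        "mft_byte_offset": mft_lcn * spc * bps,   # from the start of the volume
        "backup_boot_lba": hidden + total,        # absolute LBA of the boot-sector copy
    }


if __name__ == "__main__":
    info = parse_ntfs_boot_sector(GOOD_SECTOR)
    print("partition starts at LBA", info["hidden_sectors"], "= CHS(0,1,1) ->",
          chs_to_lba(0, 1, 1, info["heads"], info["sectors_per_track"]))
    print("$MFT at cluster", info["mft_lcn"], "= byte offset 0x%X" % info["mft_byte_offset"])
    print("backup boot sector at LBA", info["backup_boot_lba"])
    try:
        parse_ntfs_boot_sector(ZEROED_SECTOR)
    except ValueError as err:
        print("zeroed sector rejected:", err, "-> read the backup copy instead")
```

The hidden-sectors field (63) agrees with the CHS address the guide gives for the sector, which is a cheap consistency check before trusting any other field; the total-sectors value is deliberately one less than the partition size because the final sector is reserved for the copy.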
ps the cluster containing the bad sector and allocates a new cluster for the data. If the error occurred during a read, NTFS returns a read error to the calling program and the data is lost. If the error occurs during a write, NTFS writes the data to the new cluster and no data is lost. NTFS puts the address of the cluster containing the bad sector in its bad cluster file so the bad sector is not reused.

Important: Cluster remapping is not a backup alternative. Once errors are detected, the disk should be monitored closely and replaced if the defect list grows. This type of error is displayed in the Event Log.

The File Recovery Process

The file recovery process can be briefly described as scanning a drive or folder to find deleted entries in the Root Folder (FAT) or Master File Table (NTFS), then, for the particular deleted entry, defining the chain of clusters to be recovered, and finally copying the contents of these clusters to a newly created file. Different file systems maintain their own specific logical data structures; however, basically each file system:
Has a list or catalog of file entries, so we can iterate through this list and find the entries marked as deleted.
Keeps, for each entry, a list of data clusters, so we can try to find the set of clusters composing the file.
After finding the proper file entry and assembling the set of clusters composing the file, read these clusters and copy them to another location.

Step by S
r plus 2 copies of the FAT of 251 sectors each, plus the root folder of 32 sectors: 1 + 502 + 32 = 535 sectors occupied by system data in total. Clusters 0 and 1 do not exist, so the first data cluster is 2 and it starts at sector 535. Cluster 3 follows cluster 2, i.e. it is located 64 sectors (one cluster) after the first data sector: 535 + 64 = 599. That equals an offset of 306,688 bytes (599 × 512) from the beginning of the drive, 0x4AE00. With the help of a low-level disk editor we can see our data starting at offset 0x4AE00, i.e. cluster 3, sector 599:

Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0004AE00  47 55 49 20 6D 6F 64 65 20 53 65 74 75 70 20 68   GUI mode Setup h
0004AE10  61 73 20 73 74 61 72 74 65 64 2E 0D 0A 43 3A 5C   as started...C:\
0004AE20  57 49 4E 4E 54 5C 44 72 69 76 65 72 20 43 61 63   WINNT\Driver Cac

Because the cluster chain is consecutive, all we need to do is copy 112,435 bytes starting from this place. If the cluster chain were not consecutive, we would need to recalculate the offset for each cluster and copy, three times, 64 × 512 = 32,768 bytes starting at each cluster's offset; the remainder taken from the last cluster, 14,131 bytes, is calculated as 112,435 minus 3 × 32,768.

Recovering the Cluster Chain in NTFS. In our example we just need to pick up 110 clusters starting from cluster 312555. The cluster size is 512 bytes, so the offset of the first cluster is 512 × 312555 = 160,028,160 = 0x0989D600.

Offset 0989D600 0989D610 0989
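The FAT16 part of the walkthrough (the deleted MyFile.txt entry and FAT dump, the offset arithmetic above, and the three-step procedure described under The File Recovery Process), carried out in code as an added example; this is not code from the Active@ UNDELETE guide. DELETED_ENTRY and FAT_SLICE are the bytes the guide dumps (the 8.3 entry at 0003EE80 and the first 48 bytes of the FAT at 0x200); GEOMETRY is the drive layout the guide states. The plan it produces is the list of (offset, length) pieces to copy, with the last cluster trimmed to the file size, and it refuses when the FAT shows the clusters allocated again.

```python
"""Reconstruct a deleted FAT16 file from its directory entry and the FAT.

Added example, not code from the Active@ UNDELETE guide. The entry and FAT bytes
are the ones the guide dumps; the geometry (1 boot sector, 2 FATs of 251 sectors,
32 root-directory sectors, 64 sectors per cluster, 512-byte sectors) is the one it states."""
import struct
from datetime import datetime

DELETED_ENTRY = bytes.fromhex(
    "E55946494C4520205458542000C3D693562B562B0000EE93562B030033B70100"
)
FAT_SLICE = bytes.fromhex(            # cluster entries 0..23; entry n is the 16-bit word at byte 2*n
    "F8FFFFFFFFFF00000000000000000800"
    "09000A000B000C000D00FFFF00000000"
    "00000000000000000000000000000000"
)
GEOMETRY = dict(bytes_per_sector=512, reserved_sectors=1, fat_count=2,
                sectors_per_fat=251, root_dir_sectors=32, sectors_per_cluster=64)


def fat_datetime(date, time):
    """FAT dates are YYYYYYYMMMMDDDDD (years since 1980); times are HHHHHMMMMMMSSSSS (2 s units)."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def parse_entry(entry):
    """Decode the fields a recovery tool needs from a 32-byte 8.3 directory entry."""
    hi, wtime, wdate, lo, size = struct.unpack_from("<HHHHI", entry, 0x14)
    return {
        "deleted": entry[0] == 0xE5,                        # E5 overwrites the first name byte on delete
        "name": "?" + entry[1:8].decode("ascii").rstrip(),  # so that character is lost
        "ext": entry[8:11].decode("ascii").rstrip(),
        "directory": bool(entry[11] & 0x10),
        "start_cluster": (hi << 16) | lo,                   # the high word is only used by FAT32
        "size": size,
        "written": fat_datetime(wdate, wtime),
    }


def fat16_entry(fat, cluster):
    return struct.unpack_from("<H", fat, 2 * cluster)[0]


def walk_chain(fat, start):
    """Follow a live FAT16 chain until an end-of-chain mark (0xFFF8..0xFFFF); stops on a loop."""
    chain, cur = [], start
    while 2 <= cur < 0xFFF8 and cur not in chain:
        chain.append(cur)
        cur = fat16_entry(fat, cur)
    return chain


def cluster_byte_offset(cluster, g=GEOMETRY):
    """Byte offset of a data cluster from the start of the volume (clusters 0 and 1 do not exist)."""
    first_data_sector = (g["reserved_sectors"] + g["fat_count"] * g["sectors_per_fat"]
                         + g["root_dir_sectors"])           # 1 + 502 + 32 = 535 on the guide's drive
    return (first_data_sector + (cluster - 2) * g["sectors_per_cluster"]) * g["bytes_per_sector"]


def recovery_plan(entry_bytes, fat, g=GEOMETRY):
    """Return (entry, clusters, [(byte offset, length), ...]) for a deleted file.

    Deleting a file zeroes its FAT entries, so the chain itself is gone. Like the
    guide, assume the file was contiguous and take consecutive clusters from the
    start cluster; refuse if any of them is allocated again, since that data is gone."""
    e = parse_entry(entry_bytes)
    cluster_bytes = g["sectors_per_cluster"] * g["bytes_per_sector"]
    needed = -(-e["size"] // cluster_bytes)                 # ceiling division
    clusters = list(range(e["start_cluster"], e["start_cluster"] + needed))
    busy = [c for c in clusters if fat16_entry(fat, c) != 0]
    if busy:
        raise ValueError(f"clusters {busy} now belong to another file; the data is probably overwritten")
    pieces, left = [], e["size"]
    for c in clusters:                                      # the last piece is the partial final cluster
        pieces.append((cluster_byte_offset(c, g), min(cluster_bytes, left)))
        left -= pieces[-1][1]
    return e, clusters, pieces


if __name__ == "__main__":
    entry, clusters, pieces = recovery_plan(DELETED_ENTRY, FAT_SLICE)
    print(entry["name"], entry["ext"], entry["size"], "bytes, written", entry["written"])
    print("clusters", clusters)
    for offset, length in pieces:
        print(f"copy {length:6d} bytes from volume offset 0x{offset:X}")
    print("live chain from cluster 7:", walk_chain(FAT_SLICE, 7))
```

walk_chain is there for the live file whose chain (7 to 13) is visible in the same FAT dump: that is how the tool follows an intact chain, while for the deleted file the entries are zero and contiguity has to be assumed.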
r gives an overview of the Active@ UNDELETE application: Overview of the Application; What's New in Active@ UNDELETE; Starting Active@ UNDELETE; Data Recovery Tips.

Active@ UNDELETE is a powerful application designed to restore accidentally deleted files and folders located on existing drives and even on deleted or damaged partitions. With version 5.1, LSoft Technologies introduces a new generation of data recovery software with enhanced scanning and restoring features, as well as: restoring damaged or deleted files and folders; creating Disk Image files and restoring from a Disk Image; searching for deleted files using Advanced Search options; recovering data from damaged RAID system drives; recovering remotely using Active@ Remote Recovery Agent; editing disk content with the Hex Disk Editor; and much more.

Getting Started With the User Guide. To take full advantage of Active@ UNDELETE it is helpful to understand what this application can do for you. Here are some of the topics covered in this guide: Recovering Files and Folders; Creating and Opening Disk Images; Using Advanced Search; Using Active@ Remote Recovery Agent. Active@ UNDELETE works in the Microsoft Windows environment. After the program has been installed, use Start > All Programs to open Active@ UNDELETE. Read the next chapter for details about the Active@ UNDELETE Explorer.

PROTECT THE DRIVE LOCATION WHERE YOU HAVE ACCIDENTALLY DELETED FILES. Any progr
r(s) will be written. This path will be remembered as the default path for use during the next UNDELETE session. The default path can be changed in the Options dialog box. If you cannot enter the target location path in this field, you may browse to the destination: click the browse button to the right of the path field.

Recovery options:
Silent Directory creation: With this option selected, directories and subdirectories are created with no confirmation dialog.
Replace invalid file name characters: With this option on, you will be able to edit file names that contain invalid characters during the recovery process. Examples of invalid characters are < and >.
Allow recovering to the same drive containing original data: With this option selected, you may write recovered files to the same drive as the source data. We strongly recommend that you DO NOT USE this option unless absolutely necessary, because every write to the source drive can overwrite the very clusters you are trying to recover.

Recovering Encrypted Files. Active@ UNDELETE allows you to recover encrypted files in the same way as any other files. To successfully recover encrypted files there are a few prerequisites: You must have administrator rights on the machine, or at least owner rights on the file you are going to recover. The target destination folder where the recovered file will be written should be located on an NTFS drive. If for some reason you cannot use an NTFS drive, you can save the recovered file
r understand the flow of the recovery process.

Figure 2-2 Application Log (screenshot; the entries shown, newest first, are:)
Warning      March 19 13:47:28   Recovery of file DSC00555.JPG has been cancelled by user
Debug        March 19 13:47:20   Opening Recovery dialog
Debug        March 19 13:47:20   Command call: onRecovery
Information  March 19 13:47:11   KERNEL SetEvnt: DRIVE SCAN COMPLETED. FOUND 73740 RECORDS
Information  March 19 13:47:09   KERNEL SetEvnt: Checking
Information  March 19 13:46:49   KERNEL SetEvnt: Scanning C:
Information  March 19 13:46:49   KERNEL SetEvnt: DRIVE SCAN STARTED ON C:
Debug        March 19 13:46:48   Command call: OnScan

The toolbar buttons are provided for convenience:
Save Log: Save the application log contents in a text file. You will be prompted for a path to save this file.
Clear Log: Remove all notes from the Application Log view and start with a clean pane.

Properties View displays detailed information about the selected item.

Figure 2-3 Properties View (screenshot of the properties of DSC00555.JPG: ID 46589, Parent ID 40822, Type File, Full Path C:\Temp\DSC00555.JPG, Created 07/10/03 08:57 AM, Modified 07/10/03 09:09 AM, Accessed/Deleted 03/05/04 07:09 PM, Size 819 KB, Size on disk 839,680 bytes, Attributes: ReadOnly No, Hidden No, Archive Yes, System No, Compressed No, Encrypted No; Status: Recover, Healthy)

To display the Properties View of any item in Active@ UNDELETE Explorer, do a
r use. When a Disk Image is created it is stored in at least two files: one is the configuration file and the second is the actual image body file. If you decide to save a disk image split into chunks, there can be as many image body files as are required to save all the data. In the example below we create a Disk Image of a hard drive sized 7.84 GB with the option to split it into 1 GB chunks. Below is the list of files created:
MyImage.dim              Local Drive Image configuration file
MyImage.000   1,441 KB   First chunk of image body
MyImage.001   1,441 KB   Second chunk of image body
MyImage.002   1,071 KB   Last chunk of image body

Creating Disk Images. Follow these steps to create a Disk Image:
From the Active@ UNDELETE Explorer, select the drive, device or partition for which you want to create an image.
Start the Create Disk Image wizard by doing one of the following: on the toolbar click Create Disk Image; in the command toolbar click Tools > Create Disk Image; right-click the selected drive and click Create Disk Image in the context menu.
Follow the instructions of the wizard as they appear.

Note: The configuration file for Disk Images has the DIM extension by default.
Important: The Target Location for the Disk Image must always be on a drive other than the drive for which you are creating the image.
Important: FAT16 limits a single file to 2 GB and FAT32 to just under 4 GB, so an image larger than that must be split into smaller chunks when the target drive uses one of these file systems.
ration of the MFT structure.

Figure 7-6 MFT Structure (diagram: the Master File Table and its extents, with a log file record, a small file record, a large file record and a small directory record)

The master file table allocates a certain amount of space for each file record. The attributes of a file are written to the allocated space in the MFT. Small files and directories (typically 1,500 bytes or smaller), such as the file illustrated in the next figure, can be contained entirely within the master file table record. For recovery this matters: the content of such a file is resident in its MFT record, so a deleted small file can be recovered from the record alone, and its data stays there until the record is reused.

Figure 7-7 MFT Record for a Small File or Directory (diagram: Standard information | File or directory name | Security descriptor | Data or index)

This design makes file access very fast. Consider, for example, the FAT file system, which uses a file allocation table to list the names and addresses of each file. FAT directory entries contain an index into the file allocation table. When you want to view a file, FAT first reads the file allocation table and assures that it exists. Then FAT retrieves the file by searching the chain of allocation units assigned to the file. With NTFS, as soon as you look up the file, it's there for you to use.

Directory records are housed within the master file table just like file records. Instead of data, directories contain index information. Small directory records reside entirely within the MFT structure. Large directories are organized into B-trees, having records with pointers to
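A parser for the MFT FILE record, written as an added example (not code from the Active@ UNDELETE guide) to tie together the dump of MFT record 57 for My Presentation.ppt, the attribute type table, the MFT structure described above and the NTFS cluster-chain offset calculation (110 clusters from cluster 312555). PAGE_BYTES is the 0x170 bytes of record 57 the guide dumps; because the dump stops inside the long-name attribute, build_record() constructs the rest of the 1 KB record: the tail of the long name, a non-resident $DATA attribute with a single run of 110 clusters at cluster 312555 (a real size of 56,000 bytes is assumed, the guide gives only the cluster count), the end marker and the update-sequence words. The parser applies the update-sequence fixup first, so a torn record is rejected rather than decoded.

```python
"""Parse an NTFS MFT FILE record the way an undelete scan must.

Added example, not code from the Active@ UNDELETE guide. PAGE_BYTES is what the
guide dumps for record 57; build_record() appends a constructed remainder."""
import struct

PAGE_BYTES = bytes.fromhex(
    "46494C452A0003009C74210300000000" "4700020030000000D801000000040000"  # "FILE", USA at 0x2A (3 words), seq 0x47, 2 links, attrs at 0x30, flags 0 (not in use), used 0x1D8
    "00000000000000000500030000000000" "10000000600000000000000000000000"  # next attr id 5, USN 0003 + saved words; $STANDARD_INFORMATION, 0x60 bytes
    "48000000180000002053DDA318F1C101" "00302BD848E9C001C0BF20A018F1C101"
    "2053DDA318F1C1012000000000000000" "00000000000000000000000002010000"
    "00000000000000000000000000000000" "30000000780000000000000000000300"  # $FILE_NAME, 0x78 bytes, attr id 3 (DOS name)
    "5A000000180001000500000000000500" "2053DDA318F1C1012053DDA318F1C101"
    "2053DDA318F1C1012053DDA318F1C101" "00000000000000000000000000000000"
    "20000000000000000C024D0059005000" "5200450053007E0031002E0050005000"  # MYPRES~1.PPT
    "540069006F006E003000000080000000" "00000000000002006800000018000100"  # $FILE_NAME, 0x80 bytes, attr id 2 (long name)
    "05000000000005002053DDA318F1C101" "2053DDA318F1C1012053DDA318F1C101"
    "2053DDA318F1C1010000000000000000" "00000000000000002000000000000000"
    "13004D00790020005000720065007300"                                      # "My Pres" (the guide's dump ends here)
)


def build_record():
    """Append the constructed remainder and protect the record with its update sequence."""
    tail = "entation.ppt".encode("utf-16-le")                                    # rest of the long name
    data = struct.pack("<IIBBHHH", 0x80, 0x48, 1, 0, 0x40, 0, 4)                 # non-resident $DATA header
    data += struct.pack("<QQHHIQQQ", 0, 109, 0x40, 0, 0, 110 * 512, 56000, 56000)  # VCNs, run offset, sizes
    data += bytes.fromhex("316EEBC40400") + b"\0\0"                               # run: 110 clusters at LCN 0x4C4EB
    rec = bytearray(PAGE_BYTES + tail + data + b"\xFF\xFF\xFF\xFF\0\0\0\0")
    assert len(rec) == 0x1D8                                                      # matches the used-size field
    rec += b"\0" * (1024 - len(rec))
    rec[0x1FE:0x200] = rec[0x3FE:0x400] = b"\x03\x00"   # last word of each sector carries the USN
    return bytes(rec)


def apply_fixups(raw, sector=512):
    """Undo update-sequence protection; a mismatch means a torn write and an untrustworthy record."""
    usa_off, usa_count = struct.unpack_from("<HH", raw, 4)
    usn, rec = raw[usa_off:usa_off + 2], bytearray(raw)
    for i in range(1, usa_count):
        if rec[i * sector - 2:i * sector] != usn:
            raise ValueError(f"torn write: sector {i - 1} of the record lacks USN {usn.hex()}")
        rec[i * sector - 2:i * sector] = raw[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def decode_runs(runs):
    """Data runs: low header nibble = width of the length, high nibble = width of the signed LCN delta."""
    out, pos, lcn = [], 0, 0
    while pos < len(runs) and runs[pos]:
        len_sz, off_sz = runs[pos] & 0xF, runs[pos] >> 4
        length = int.from_bytes(runs[pos + 1:pos + 1 + len_sz], "little")
        pos += 1 + len_sz
        if off_sz:
            lcn += int.from_bytes(runs[pos:pos + off_sz], "little", signed=True)
            pos += off_sz
        out.append((lcn if off_sz else None, length))    # None = sparse run, reads as zeros
    return out


def copy_plan(runs, size, cluster_size):
    """(byte offset, length) pieces to read, trimming the final cluster to the real size."""
    plan, left = [], size
    for lcn, n in runs:
        if left <= 0:
            break
        take = min(n * cluster_size, left)
        plan.append((None if lcn is None else lcn * cluster_size, take))
        left -= take
    return plan


def parse_record(raw, cluster_size=512):
    rec = apply_fixups(raw)
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    seq, links, first_attr, flags, used = struct.unpack_from("<HHHHI", rec, 0x10)
    info = {"in_use": bool(flags & 1), "directory": bool(flags & 2), "sequence": seq,
            "links": links, "names": [], "runs": [], "pieces": []}
    pos = first_attr
    while pos + 8 <= used:
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == 0xFFFFFFFF or alen < 0x10:               # end marker, or garbage: stop walking
            break
        nonresident = rec[pos + 8]
        if atype == 0x30 and not nonresident:                  # $FILE_NAME
            clen, coff = struct.unpack_from("<IH", rec, pos + 0x10)
            body = rec[pos + coff:pos + coff + clen]
            n, namespace = body[0x40], body[0x41]              # 0 POSIX, 1 Win32, 2 DOS, 3 both
            info["names"].append((namespace, body[0x42:0x42 + 2 * n].decode("utf-16-le"),
                                  int.from_bytes(body[:6], "little")))   # parent directory record
        elif atype == 0x80 and nonresident:                    # $DATA with data runs
            runs_off, = struct.unpack_from("<H", rec, pos + 0x20)
            info["real_size"] = struct.unpack_from("<Q", rec, pos + 0x30)[0]
            info["runs"] = decode_runs(rec[pos + runs_off:pos + alen])
            info["pieces"] = copy_plan(info["runs"], info["real_size"], cluster_size)
        pos += alen
    return info


RECORD_57 = build_record()

if __name__ == "__main__":
    r = parse_record(RECORD_57)
    print("in use:", r["in_use"], "links:", r["links"], "names:", r["names"])
    print("runs:", r["runs"], "first piece at 0x%X" % r["pieces"][0][0])
```

The record comes back as not in use with two names (the DOS name and the long name, both under parent record 5, the root) and one run whose first cluster sits at byte offset 0x0989D600, the figure the guide arrives at by hand; decode_runs also handles the relative, signed offsets and sparse runs of fragmented files, which the guide's single contiguous run does not exercise.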
resses is kept. From the deleted file entry, the set of clusters that make up the file can be located. After finding the deleted file entry and assembling the associated set of clusters, the data can be read from them and copied to another location. It is important to note, however, that not every deleted file can be recovered. To be successful, it is important to try every method available.

The UNDELETE process is very straightforward. Follow these steps:
1. Scan: assess the status of all contents.
2. Search: find files for recovery.
3. Recover: write the deleted or damaged file to a new location.
The remainder of this chapter contains details about each of these steps.

Scanning Drives and Devices. The first step in undeleting files and folders is to scan the physical devices or hard drives. A scan is done to establish the status of partitions, drives, files and folders. Any accessible local drive displayed in the Active@ UNDELETE Explorer can be scanned for deleted files or folders.

Scanning Drives for Deleted Files or Folders
Scanning Physical Devices for Partitions and Drives

To perform a drive scan, do the following:
1. Select the Local Drives tree by clicking the Local Drives tab in Active@ UNDELETE Explorer. Select any drive item in the Local Drives tree. If this drive has not been scanned before, the Select Drive Scan Mode dialog box appears.

Figure 3-1 Select Drive Scan Mode
s. A sector is the smallest physical storage unit on a disk and is almost always 512 bytes (0.5 KB) in size. The figure below shows a hard disk with two platters.

Figure 7-1 Parts of a Hard Drive (diagram: main spindle; platter 1 with sides 0 and 1; head stack assembly with the arms for heads 0 to 3; tracking/alignment head)

The structure of older hard drives (i.e. prior to Windows 95) is described in cylinder/head/sector notation. A cylinder is formed by the tracks that lie under all drive heads while they are in the same position on the disk: the tracks stacked on top of each other form a cylinder. This scheme is slowly being eliminated with modern hard drives. All new disks use a translation factor to make their actual hardware layout appear continuous, as this is the way that operating systems from Windows 95 onward like to work.

To the operating system of a computer, tracks are logical rather than physical in structure and are established when the disk is low-level formatted. Tracks are numbered starting at 0 (the outermost edge of the disk) and going up to the highest-numbered track, typically 1,023, close to the center. Similarly, the CHS addressing scheme allows at most 1,024 cylinders, numbered from 0 to 1,023. The stack of platters rotates at a constant speed. The drive head, while positioned close to the center of the disk, reads from a surface that is passing by more slowly than the surface at t
s created. You can cancel the process at any time by clicking Cancel.

Open Disk Image Wizard
Using this wizard you can open a previously created Disk Image. Follow these steps.

Enter Disk Image Configuration File
Figure 4-8: Disk Image Configuration File (Open Disk Image Wizard. Disk Image Configuration file: specify the appropriate Disk Image configuration file. To open a Disk Image, specify its path and click Next. If you want to compose your own Disk Image from previously created Disk Image chunks, proceed to the next screen. Disk Image Configuration file name: C:\Temp\disk images\A disk image.dim)

In this step, enter the name of the Disk Image configuration file to be opened. You can skip this step by clicking Next >. This ignores the configuration file information and allows you to compose the disk image manually in the Step 2 screen. Click the Browse button to open the Browse for File dialog box. If using a configuration file, after it has been identified click Next to continue.

Set Disk Image Files
Figure 4-9: Disk Image Chunks Composer (Open Disk Image Wizard. Disk Image Chunks composer: create the sequence of Disk Image chunks. You can compose a Disk Image as a sequence of custom chunks. Disk Image Label; Disk Image Type: Logical Drive / Physical Device; List of Disk Imag
sed copy of the SOFTWARE is installed may make a second copy for his or her exclusive use on a portable computer. Under no other circumstances may the SOFTWARE be operated at the same time on more than the number of computers for which you have paid a separate license fee. You may not duplicate the SOFTWARE in whole or in part, except that you may make one copy of the SOFTWARE for backup or archival purposes. You may terminate this license at any time by destroying the original and all copies of the SOFTWARE in whatever form. You may permanently transfer all of your rights under this EULA, provided you transfer all copies of the SOFTWARE (including copies of all prior versions if the SOFTWARE is an upgrade) and retain none, and the recipient agrees to the terms of this EULA.

3. RESTRICTIONS. You may not reverse engineer, decompile, or disassemble the SOFTWARE, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation. You may not rent, lease, or lend the SOFTWARE. You may permanently transfer all of your rights under this EULA, provided the recipient agrees to the terms of this EULA. You may not use the SOFTWARE to perform any unauthorized transfer of information (e.g. transfer of files in violation of a copyright) or for any illegal purpose.

4. SUPPORT SERVICES. Active Data Recovery Software may provide you with support services related to the SOFTWARE. Use of Support Services is governed by the A
ssage saying that the sector is unreadable. In this case recovery software is unable to help you bring the hard drive back to working condition, i.e. physical partition recovery is not possible. The only thing that can be done is to scan and search for partitions, i.e. perform virtual partition recovery. When something is found, display the data and save it to another location. Software like Active@ File Recovery or Active@ UNERASER for DOS will help you here.

The information about primary partitions and the extended partition is contained in the Partition Table, a 64-byte data structure located in the same sector as the Master Boot Record (cylinder 0, head 0, sector 1). The Partition Table conforms to a standard layout which is independent of the operating system. The last two bytes in the sector are a signature word for the sector and are always 0x55AA.

For our disk layout we have the following Partition Table (Physical Sector: Cyl 0, Side 0, Sector 1):

0000001B0  [end of boot code, not shown]            80 01
0000001C0  01 00 07 FE 7F 3E 3F 00 00 00 40 32 4E 00 00 00
0000001D0  41 3F 06 FE 7F 64 7F 32 4E 00 A6 50 09 00 00 00
0000001E0  41 65 0F FE BF 4A 25 83 57 00 66 61 38 00 00 00
0000001F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA

We can see three existing entries and one empty entry: Partition 1 at offset 0x01BE (446), Partition 2 at offset 0x01CE (462), Partition 3 at offset
t been overwritten with other data. The fewer write operations that have been performed on the drive where the deleted file used to reside, the greater the chance that the space occupied by the data clusters of the deleted file has not been used for other data storage.

CHAPTER 6  UNDERSTANDING ADVANCED UNDELETE PROCESS

In general, here is what to do immediately after data loss:
1. PROTECT THE DRIVE LOCATION WHERE YOU HAVE ACCIDENTALLY DELETED FILES. Any program that writes data to the disk, even the installation of data recovery software, can spoil your sensitive data.
2. DO NOT SAVE DATA ONTO THE SAME DRIVE ON WHICH YOU FOUND THE ERASED DATA YOU ARE TRYING TO RECOVER. While saving recovered data onto the same drive where the sensitive data was located, you can spoil the recovery process by overwriting table records for this and other deleted entries. It is better to save data onto another logical, removable, network or floppy drive.

The rest of this chapter contains step-by-step examples on these topics:
Disk Scanning
Defining the Chain of Clusters
Recovering the Chain of Clusters

Disk Scanning Overview
Disk Scanning is the process of low-level assessment of all entries in the Root Folders (on FAT12, FAT16, FAT32) or in the Master File Table (MFT) on NTFS/NTFS5. The objective is to find and display deleted entries. In spite of the different file and folder entry structures in the different file systems, both of them have common file attributes as
t computer to get access to its file structure. After establishing the connection, you can navigate through the drives and folders of the remote computer in the same way as on a local computer.

Active@ Remote Recovery Agent Overview
Active@ Remote Recovery Agent provides a unique ability to let the Active@ UNDELETE application remotely scan, search, recover and perform other operations.

Figure 5-1: Remote Recovery Agent (event log window; columns Event, Date, Time, Description):
Information   September 09  14:51:00  Request complete
Information   September 09  14:48:47  Copying _11086.JPG to d:\Temp\recovered\_11086.JPG
Information   September 09  14:48:47  RECOVERY
              September 09  14:48:47  Request received
Information   September 09  14:48:42  Request complete
Information   September 09  14:48:22  Copying Help.zip to d:\Temp\recovered\Help.zip
Information   September 09  14:48:22  RECOVERY
              September 09  14:48:22  Request received
Information   September 09  14:48:03  Request complete
              September 09  14:48:02  Request received
Information   September 09  14:47:46  Remote Recovery Agent has been Connected
Information   September 09  14:47:45  Remote Recovery Agent status has been changed
              September 09  14:47:29  Start listening on the port 59137
Status bar: Connected

Active@ Remote Recovery Agent is simple to use. Run it as a
tary notices which appear on and in the SOFTWARE.

7. DISCLAIMER OF WARRANTY. Active Data Recovery Software expressly disclaims any warranty for the SOFTWARE. THE SOFTWARE AND ANY RELATED DOCUMENTATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. THE ENTIRE RISK ARISING OUT OF USE OR PERFORMANCE OF THE SOFTWARE REMAINS WITH YOU.

8. LIMITATION OF LIABILITY. IN NO EVENT SHALL ACTIVE DATA RECOVERY SOFTWARE OR ITS SUPPLIERS BE LIABLE TO YOU FOR ANY CONSEQUENTIAL, SPECIAL, INCIDENTAL OR INDIRECT DAMAGES OF ANY KIND ARISING OUT OF THE DELIVERY, PERFORMANCE OR USE OF THE SOFTWARE, EVEN IF ACTIVE DATA RECOVERY SOFTWARE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN ANY EVENT, ACTIVE DATA RECOVERY SOFTWARE'S ENTIRE LIABILITY UNDER ANY PROVISION OF THIS EULA SHALL BE LIMITED EXCLUSIVELY TO PRODUCT REPLACEMENT.

Active Data Recovery Software reserves all rights not expressly granted here. Active Data Recovery Software is a registered business name of LSoft Technologies Inc.

Contents
GETTING STARTED WITH ACTIVE@ UNDELETE
Overview of the Application ... 1
What's New in Active@ UNDELETE ... 1
Starting Active@ UNDELETE ...
te. Deleted entries are marked differently depending on the file system. For example, in FAT any deleted entry (file or folder) is marked with ASCII symbol 229 (0xE5), which becomes the first byte of the entry structure. On NTFS a deleted entry has a special attribute in the file header that indicates whether the file has been deleted or not.

Example of scanning a folder on FAT16:

Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F

Existing folder MyFolder entry (long entry and short entry):
0003EE20  41 4D 00 79 00 46 00 6F 00 6C 00 0F 00 09 64 00
0003EE30  65 00 72 00 00 00 FF FF FF FF 00 00 FF FF FF FF
0003EE40  4D 59 46 4F 4C 44 45 52 20 20 20 10 00 4A C4 93
0003EE50  56 2B 56 2B 00 00 C5 93 56 2B 02 00 00 00 00 00

Deleted file MyFile.txt entry (long entry and short entry):
0003EE60  E5 4D 00 79 00 46 00 69 00 6C 00 0F 00 BA 65 00
0003EE70  2E 00 74 00 78 00 74 00 00 00 00 00 FF FF FF FF
0003EE80  E5 59 46 49 4C 45 20 20 54 58 54 20 00 C3 D6 93
0003EE90  56 2B 56 2B 00 00 EE 93 56 2B 03 00 33 B7 01 00

Existing file Setuplog.txt entry (the only short entry):
0003EEA0  53 45 54 55 50 4C 4F 47 54 58 54 20 18 8C F7 93
0003EEB0  56 2B 56 2B 00 00 03 14 47 2B 07 00 8D 33 03 00
0003EEC0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0003EED0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
temporarily on a FAT drive and complete the recovery procedure later using a special utility named Recover encrypted files using FAT, as described below.

Recover encrypted files using FAT
In most cases you can recover encrypted NTFS files the same way as other files, onto any NTFS-partitioned drive. In some scenarios, however, you must write recovered encrypted files only onto FAT partitions. In this case the encrypted files remain unreadable: the recovered file written to a FAT partition is temporary and has an .efs extension. To complete the recovery procedure you must write this temporary file to any NTFS partition using the Restore Encrypted File dialog box.

Figure 3-11: Restore Encrypted File (To complete recovery of the encrypted file you are to copy/decrypt it from the FAT to an NTFS drive. Temporary recovered encrypted file on FAT: e.g. MyDocument.doc.efs. Destination file on NTFS drive to restore to.)

Here you point to the temporarily stored encrypted file and indicate the destination file name and location where the restored encrypted file will be written. Click OK to complete the process.

Other Active@ UNDELETE Tools
This section describes some other tools and utilities that are complementary to Active@ UNDELETE. They are listed below:
File Preview
Save Hardware Diagnostic File
Disk Image Creator
Virtual Drive Creator
tep with examples:
Disk Scanning
Defining the Chain of Clusters
Recovering the Chain of Clusters

Not every deleted file can be recovered; however, there are some assumptions that are common to all deleted files.

First, we assume that the file entry still exists (it has not been overwritten with other data). The fewer files that have been created on the drive where the deleted file resided, the greater the chance that the space for the deleted file entry has not been used for other entries.

Second, we assume that the file entry is more or less safe, i.e. it points to the proper place where the file clusters are located. In some cases (it has been noticed in Windows XP on large FAT32 volumes) the operating system damages file entries right after deletion, so that the first data cluster becomes invalid and further entry restoration is not possible.

Third, we assume that the file data clusters are safe (not overwritten with other data). The fewer write operations (events) on the drive where the deleted file resided, the greater the chance that the space occupied by the data clusters of the deleted file has not been used for other data storage.

General Advice After Data Loss
DO NOT WRITE ANYTHING ONTO THE DRIVE CONTAINING YOUR IMPORTANT DATA THAT YOU HAVE JUST DELETED ACCIDENTALLY. Even data recovery software installation can spoil your sensitive data. If the data is really important to you and you do not have another logical drive to install software to, take the whole
th public key technology to protect files and ensure that only the owner of a file can access it. Users of EFS are issued a digital certificate with a public key and private key pair. EFS uses the key set for the user who is logged on to the local computer where the private key is stored.

Users work with encrypted files and folders just as they do with any other files and folders. Encryption is transparent to the user who encrypted the file: the system automatically decrypts the file or folder when the user accesses it. When the file is saved, encryption is reapplied. However, intruders who try to access the encrypted files or folders receive an "Access denied" message if they try to open, copy, move or rename the encrypted file or folder.

To encrypt or decrypt a folder or file, set the encryption attribute for folders and files just as you set any other attribute. If you encrypt a folder, all files and subfolders created in the encrypted folder are automatically encrypted. It is recommended that you encrypt at the folder level.

NTFS Sparse Files (Windows 2000 only)
A sparse file has an attribute that causes the I/O subsystem to allocate only meaningful (nonzero) data. Nonzero data is allocated on disk, and non-meaningful data (large strings of data composed of zeros) is not. When a sparse file is read, allocated data is returned as it was stored; non-allocated data is returned, by default, as zeros.
the first available location on the volume. The starting cluster number is the address of the first cluster used by the file. Each cluster contains a pointer to the next cluster in the file, or an indication (0xFFFF) that this cluster is the end of the file. These links and end-of-file indicators are shown below.

Figure 7-3: Example of File Allocation Table (FAT entries indexed by cluster number 0, 1, 2, 3, 4, ...; the entries for File1.txt read 0003, 0004, FFFF)

This illustration shows three files. The file File1.txt is a file that is large enough to use three clusters. The second file, File2.txt, is a fragmented file that also requires three clusters. A small file, File3.txt, fits completely in one cluster. In each case the folder structure points to the first cluster of the file. For more detailed information, see the resource kits on Microsoft's web site (http://www.microsoft.com/windows/reskits/webresources/default.asp) or the Microsoft Developer Network (MSDN, http://msdn.microsoft.com).

The root folder contains an entry for each file and folder on the root. The only difference between the root folder and other folders is that the root folder is on a specified location on the disk and has a fixed size (512 entries for a hard disk; the number of entries on a floppy disk depends on the size of the disk). See the Folder Structure topic for details about folder organization. For more detailed information, see the resource kits on Microsoft's web site (http://www.microsoft.com/windows/reskits/webresources/default
ties of the context item.
Refresh: Reload the active Explorer tree.

Tool menu
Create Disk Image: Start the Create Disk Image wizard for the context item.
Open Disk Image: Start the Open Disk Image wizard.
Restore Encrypted: Open the Restore Encrypted dialog.
Options: Show the application Options dialog.

Help menu
Contents: Open the application help documentation at the start page.
Help Online: Open the local online help documentation.
Technical Support: Go to the technical support web page.
Active@ UNDELETE Online: Open the Active@ UNDELETE web home page.
Active@ UNDELETE Upgrades: Open the Active@ UNDELETE web page with the latest support updates.
About: Open the application help documentation at the start page.

Explorer Tool Views
Active@ UNDELETE Explorer Tool Views give you the ability to see additional information about navigated items, observe data flow, and get access to the most advanced features of Active@ UNDELETE. Access Explorer Tool Views by selecting tabs at the bottom of the Explorer window. The tabs are labelled as follows:
Application Log
Properties View
Search
Disk HEX Editor
Drag'n'Drop Recovery
Detailed descriptions of each Explorer Tool View window appear below.

CHAPTER 2  ACTIVE@ UNDELETE EXPLORER
Application Log
This log screen monitors each action taken by the application and displays messages, notifications and other service information. Use the messages in this screen to observe and furthe
tion Table for the disk, and a small amount of executable code for the boot start. The location is always the first sector on the disk. The first 446 (0x1BE) bytes are the MBR code itself, the next 64 bytes are the Partition Table, and the last two bytes in the sector are a signature word for the sector and are always 0x55AA.

Blank Screen on Startup
For our disk layout we have the following MBR (Physical Sector: Cyl 0, Side 0, Sector 1); only the first two rows of the boot code are reproduced here, the remaining rows being boot code that the scenario below does not touch:

000000000  33 C0 8E D0 BC 00 7C FB 50 07 50 1F FC BE 1B 7C
000000010  BF 1B 06 50 57 B9 E5 01 F3 A4 CB BE BE 07 B1 04
The Partition Recovery Process
System Boot Process
In some cases the first indication of a problem with hard drive data is a refusal of the machine to perform a bootstrap startup. For the machine to be able to start properly, the following conditions must apply:
Master Boot Record (MBR) exists and is safe.
Partition Table exists and contains at least one active partition.
If the above is in place, executable code in the MBR selects an active partition and passes control there so it can start loading the standard files (COMMAND.COM, NTLDR, and so on, depending on the file system type on that partition). If these files are missing or corrupted, it will be impossible for the operating system to boot; if you have ever seen the famous "NTLDR is missing" error, you understand the situation.

When using Active@ UNDELETE, the recovery software accesses the damaged drive at a low level, bypassing the standard system boot process; this is the same as if you instructed the computer to boot from another hard drive. Once the computer is running in this recovery environment, it will help you to see all other files and directories on the drive and allow you to copy data to a safe place on another drive.

Partition Visibility
A more serious situation exists if your computer will start but cannot see a drive partition or physical drive (see Note below). For the partition or physical drive to be visible to the Operating System, t
tive@ UNERASER allow you to create a backup of the MBR, Partition Table and Volume Boot Sectors so that, if for some reason the system fails to boot, you can restore your partition information and have access to files and folders on that partition.

What if This Sector is Damaged?
If we do have a backup of the whole disk or of the MBR/Boot Sectors, we can try to restore it from there. If we do not have a backup, in the case of NTFS we could try to locate a duplicate of the Partition Boot Sector and get information from there. If a duplicate boot sector is not found, only virtual partition recovery might be possible, and only if we can determine critical partition parameters such as Sectors per Cluster, etc.

Can I Fix the NTFS Boot Sector Using Standard Windows NT/2000/XP Tools?
On NTFS a copy of the boot sector is stored in the middle or at the end of the Volume. You can boot from the startup floppy disks or CD-ROM, choose the Repair option during setup, and run the Recovery Console. When you are logged on, you can run the FIXBOOT command to try to fix the boot sector.

Can Recovery Software Help in This Situation?
It can back up the MBR, Partition Table and Boot Sectors and restore them in case of damage. It can try to find a duplicate boot sector on the drive and re-create the original one, or perform virtual data recovery based on the partition parameters found. Some advanced techniques allow assuming drive para
to click Scan in the toolbar. To change the Scan button's default command, use the drop-down arrow on the right side of the button. To begin scanning you may also right-click any drive item, click Drive Scan in the context menu, and then Advanced Scan or Low Level Scan.

4. For Advanced Scan, the Advanced Device Scan definition dialog box appears.

Figure 3-3: Advanced Device Scan (Advanced Device Scan for Hard Disk Drive 81h. Define the area to scan by moving the boundaries, in sectors: 0 to Last Sector 78156224. Start at sector: 7135363. End at sector: 66162941. Scan options: Scan for partitions: Any, FAT12, FAT16, FAT32, NTFS. Confirm accepting detected partition. Skip detected partition area and continue scanning behind it. Scan every sector.)

A description of the options follows.
Start at sector / End at sector: If the device you are scanning is large, scan part of it for a quicker report.
Scan Options:
Scan for partitions: Specify which type or types of partition (File System) are to be scanned for. Select Any to detect all types of partitions.
Confirm accepting detected partition: With this check box selected, each time the scan detects a new partition a confirmation screen appears.
Skip detected partition area: With this check box selected, a newly detected partition area is not scanned at all. The scanning process continues at a point after the new
u can view the content of the scanned drive in the File Pane of Active@ UNDELETE Explorer.

You need to scan physical devices for missing or damaged partitions and hard drives. There are two types of device scanning:
Advanced Device Scan
Low Level Scan
To scan a device using one of these methods, follow these steps:
1. Open the local device tree by clicking the Local Devices folder in Active@ UNDELETE Explorer.
2. Select a physical device that you wish to scan. If this device has not been scanned before, the Select Device Scan Mode dialog box appears.

Figure 3-2: Select Device Scan Mode (Select one of the following scanning methods to perform the scan. Advanced scan: select this method to use advanced scanning methods; this method takes more time than Simple Scan but has a greater chance to discover lost data. Low level scan: Low Level scan uses the most scrupulous methods to perform the scan and is much more time consuming than Simple and Advanced scans. Show this dialog next time. Cancel.)

3. Select one of the device scan methods to start scanning. Alternately, click Cancel to abandon the scan. If you want to skip this step in the process next time, clear the Show this dialog next time check box; the scan method will then default to Advanced Scan. Another way to begin the scan is to click Actions > Scan in the command toolbar and select Advanced Scan or Low Level Scan. A third method is
ual to the size of the chain of clusters into a newly created file.

To calculate the cluster offset on a FAT drive we need to know:
Boot sector size
Number of FAT copies supported
Size of one copy of the FAT
Size of the main root folder
Number of sectors per cluster
Number of bytes per sector
The NTFS format defines a linear space, and calculating the cluster offset is simply a matter of multiplying the cluster number by the cluster size.

Recovering the Cluster Chain in FAT16
This section continues the examination of the deleted file MyFile.txt from previous topics. By now we have the chain of clusters numbered 3, 4, 5 and 6 identified for recovery. Our cluster consists of 64 sectors and the sector size is 512 bytes, so the cluster size is 64 * 512 = 32,768 bytes (32 KB). The first data sector is 535: we have 1 boot sector, plus 2 copies of the FAT of 251 sectors each, plus the root folder (32 sectors), for a total of 534 sectors occupied by system data. Clusters 0 and 1 do not exist, so the first data cluster is 2. Cluster number 3 is next to cluster 2, i.e. it is located 64 sectors behind the first data sector: 535 + 64 = 599, which equals an offset of 306,688 bytes (0x4AE00) from the beginning of the drive. With the help of a low-level disk editor we can see our data on the disk starting at offset 0x4AE00 (cluster 3, sector 599):

Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0004AE00  47 55 49 20 6D 6F 64 65 20 53 65 74 75 70 20 68  GUI mode Setup h
vedSectors: The number of reserved sectors, beginning with sector 0.
A_BF_BPB_NumberOfFATs: The number of File Allocation Tables.
A_BF_BPB_RootEntries: This member is ignored on FAT32 drives.
A_BF_BPB_TotalSectors: The size of the partition, in sectors.
A_BF_BPB_MediaDescriptor: The media descriptor. Values in this member are identical to the standard BPB.
A_BF_BPB_SectorsPerFAT: The number of sectors per FAT. Note: this member will always be zero in a FAT32 BPB. Use the values from A_BF_BPB_BigSectorsPerFat and A_BF_BPB_BigSectorsPerFatHi for FAT32 media.
A_BF_BPB_SectorsPerTrack: The number of sectors per track.
A_BF_BPB_Heads: The number of read/write heads on the drive.
A_BF_BPB_HiddenSectors: The number of hidden sectors on the drive.
A_BF_BPB_HiddenSectorsHigh: The high word of the hidden sectors value.
A_BF_BPB_BigTotalSectors: The total number of sectors on the FAT32 drive.
A_BF_BPB_BigTotalSectorsHigh: The high word of the FAT32 total sectors value.
A_BF_BPB_BigSectorsPerFat: The number of sectors per FAT on the FAT32 drive.
A_BF_BPB_BigSectorsPerFatHi: The high word of the FAT32 sectors per FAT value.
A_BF_BPB_ExtFlags: Flags describing the drive. Bit 8 of this value indicates whether or not information written to the active FAT will be written to all copies of the FAT. The low 4 bits of this value contain the 0-based FAT number of the Act
virus, for example), we will overwrite the first 16 bytes with zeros, as shown below:

000000000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000010  BF 1B 06 50 57 B9 E5 01 F3 A4 CB BE BE 07 B1 04

We have effectively destroyed the MBR at this point. When we try to restart the computer, we see the hardware testing procedures and then a blank screen without any messages. This blank screen confirms that the piece of code at the beginning of the MBR could not be executed properly. Error messages cannot be displayed because the MBR cannot be run. If we boot from a system floppy, however, we can see the hard drive's FAT partition and the files on it. We are able to perform standard operations like file copy, program execution and so on. This is possible because only the first part of the MBR has been damaged: the partition table is safe, and we can access our drives when we boot from the operating system installed on the other drive.

Operating System Not Found
In this next scenario we explore what will happen if the sector signature (the last word, 0x55AA) has been removed or damaged. To explore this scenario, we write zeros to the location of the sector signature, as shown below (Physical Sector: Cyl 0, Side 0, Sector 1):

0000001E0  41 65 0F FE BF 4A 25 83 57 00 66 61 38 00 00 00
0000001F0  00 00 00 00 00 00 00
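The MBR layout and the two damage scenarios above, as an added example that is not part of the guide or of Active@ UNDELETE: a parser for the 512-byte sector that checks the 0x55AA signature, decodes the four 16-byte partition-table entries at 0x1BE, 0x1CE, 0x1DE and 0x1EE, and reports which of the described symptoms (missing signature, zeroed boot code, no active partition) a damaged copy would produce. The partition-table bytes and the first 16 boot-code bytes are the ones shown in the dumps above; the rest of the boot code is zero-filled here as a placeholder because the dump does not reproduce it.

```python
import struct

SECTOR_SIZE = 512
PT_OFFSET = 0x1BE            # 446 bytes of boot code precede the partition table
ENTRY_SIZE = 16
SIG_OFFSET = 0x1FE
SIGNATURE = b"\x55\xAA"
TYPE_NAMES = {0x05: "Extended", 0x06: "FAT16", 0x07: "NTFS", 0x0B: "FAT32",
              0x0C: "FAT32 LBA", 0x0F: "Extended LBA"}

def _chs(head, sector, cyl):
    """Unpack the 3-byte CHS field: 6-bit sector, 10-bit cylinder split over two bytes."""
    return (cyl | ((sector & 0xC0) << 2), head, sector & 0x3F)

def parse_entry(raw, index):
    """One 16-byte partition-table entry; None for an all-zero (empty) slot."""
    boot, sh, ss, sc, ptype, eh, es, ec, lba, count = struct.unpack("<8BII", raw)
    if ptype == 0 and lba == 0 and count == 0:
        return None
    return {"index": index, "offset": PT_OFFSET + index * ENTRY_SIZE,
            "active": boot == 0x80, "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, "type %#04x" % ptype),
            "chs_start": _chs(sh, ss, sc), "chs_end": _chs(eh, es, ec),
            "lba_start": lba, "sectors": count}

def parse_mbr(sector):
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    slots = [sector[PT_OFFSET + i * ENTRY_SIZE: PT_OFFSET + (i + 1) * ENTRY_SIZE] for i in range(4)]
    entries = [parse_entry(raw, i) for i, raw in enumerate(slots)]
    return {"signature_ok": bytes(sector[SIG_OFFSET:]) == SIGNATURE,
            # the text's experiment zeroes the first 16 bytes, where execution starts
            "boot_code_present": any(sector[:16]),
            "partitions": [e for e in entries if e is not None]}

def diagnose(sector):
    """Map the failure modes the text walks through to what the user sees at power-on."""
    mbr = parse_mbr(sector)
    if not mbr["signature_ok"]:
        return "signature 0x55AA missing: BIOS treats the sector as non-bootable (Operating System Not Found)"
    if not mbr["boot_code_present"]:
        return "boot code zeroed: MBR is loaded but cannot run, blank screen after the hardware tests"
    if not any(p["active"] for p in mbr["partitions"]):
        return "no active partition: MBR code has nothing to pass control to"
    return "MBR intact"

def check_layout(partitions):
    """Sanity checks a recovery tool applies before trusting a table: no overlap, no empty ranges."""
    problems, prev_end = [], 0
    for p in sorted(partitions, key=lambda p: p["lba_start"]):
        if p["sectors"] == 0:
            problems.append("partition %d has zero length" % (p["index"] + 1))
        if p["lba_start"] < prev_end:
            problems.append("partition %d overlaps the previous one" % (p["index"] + 1))
        prev_end = p["lba_start"] + p["sectors"]
    return problems

def backup_table(sector):
    """The 66 bytes (table + signature) worth saving so a damaged sector can be restored."""
    return bytes(sector[PT_OFFSET:])

def restore_table(sector, saved):
    return bytes(sector[:PT_OFFSET]) + saved

# Constructed sample sector: first 16 boot-code bytes and the partition table from the text's
# dumps; boot-code bytes 16..445 are a zero placeholder (the dump does not show them all).
BOOT_PREFIX = bytes.fromhex("33C08ED0BC007CFB5007501FFCBE1B7C")
PARTITION_TABLE = bytes.fromhex(
    "8001010007FE7F3E3F00000040324E00"    # 1: active, NTFS, LBA 63, 5 124 672 sectors
    "0000413F06FE7F647F324E00A6500900"    # 2: FAT16, starts where partition 1 ends
    "000041650FFEBF4A2583570066613800"    # 3: extended, starts where partition 2 ends
    "00000000000000000000000000000000"    # 4: empty slot
)
SAMPLE_MBR = BOOT_PREFIX + bytes(PT_OFFSET - len(BOOT_PREFIX)) + PARTITION_TABLE + SIGNATURE
```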
w Edit Content: Select this check box to allow editing mode in the editor. By default this option is unchecked and you can only review the content.

Data Inspector
The Data Inspector displays whatever is currently under the cursor. It does so in ten different formats. This may help you interpret data as displayed in the Disk Hex Editor. The Data Inspector window disappears when you click on another area in the Explorer and appears again when you return to the Disk Hex Editor.

File Cluster Chain
To help navigate through the content of open files, file cluster information is displayed at the left side of the editor under the object description. You can select any cluster in this list, jump immediately to that cluster, or simply scroll through the list to view the selected cluster content.

Drag'n'Drop Recovery
Use this view to organize the list of files and folders you want to recover. Select files or folders in the file pane and drag them to the Drag'n'Drop Recovery pane.

Figure 2-6: Drag'n'Drop Recovery (toolbar: Check All, Recover Checked; columns Name, Status, Size, Created, Modified, Accessed):
DSC00555.JPG   Healthy  819 KB     07/10/03 08:57 AM  07/10/03 09:09 AM  03/05
Copy of DSC    Healthy  819 KB     07/10/03 08:55 AM  07/10/03 08:56 AM  03/05
applog.txt     Healthy  788 bytes  03/08/04 07:22 PM  03/08/04 07:36 PM  03/08
File(s): 3  Folder(s): 0  Checked: 0

Files appear here as a list of potential items waiting for UNDELETE recovery. Various asp
Recursive search in subdirectories; Case sensitive search; Search among deleted only; Search among existing only. Look for: on New Volume. With file size within: 0 bytes to infinity. With Accessed Date Range: up to 12/31/2099 23:59. Recursive search in subdirectories. Search / Cancel.)

Searching for Deleted Files and Folders
Use Advanced Search to specify search criteria and filter the results so that a smaller number of more appropriate files appears in the Search Results view. Advanced Search criteria can be set in four groups of options:
Advanced Settings
Date Criteria
Size Criteria
Attributes
Advanced Settings is the default screen in this dialog box. To select one of the other groups, click it. If any of the groups has been modified (non-default settings), a green check mark appears on the left side of that item in the list. To reset a group's values to the default state, double-click that item. A search summary appears at the bottom of the dialog box and gives detailed information about all options selected. To initiate a search with the options selected, press Search. If any files or folders can be found with the specified search options, they appear in the Search Results view. If the drive or drives you want to search have not been scanned before, the application scans the drive before searching. To leave this dialog box without starting the search process, press Cancel. Fi
xtdpb_next_free  DD
endif
DPB ENDS

Table 7-8: DPB Members
Member Name: Description
dpb_drive: The drive number (0 = A, 1 = B, and so on).
dpb_unit: Specifies the unit number. The device driver uses the unit number to distinguish the specified drive from the other drives it supports.
dpb_sector_size: The size of each sector, in bytes.
dpb_cluster_mask: The number of sectors per cluster minus 1.
dpb_cluster_shift: The number of sectors per cluster, expressed as a power of 2.
dpb_first_fat: The sector number of the first sector containing the file allocation table (FAT).
dpb_fat_count: The number of FATs on the drive.
dpb_root_entries: The number of entries in the root directory.
dpb_first_sector: The sector number of the first sector in the first cluster.
dpb_max_cluster: The number of clusters on the drive plus 1. This member is undefined for FAT32 drives.
dpb_fat_size: The number of sectors occupied by each FAT. A value of zero indicates a FAT32 drive; use the value in extdpb_fat_size instead.
dpb_dir_sector: The sector number of the first sector containing the root directory. This member is undefined for FAT32 drives.
dpb_reserved2: Reserved member. Do not use.
dpb_media: Specifies the media descriptor for the medium in the specified drive.
reserved: Reserved member.
ystem to allocate sectors to store the file's data. For example, if the file size is 800 bytes, two 512-byte sectors are allocated for the file. A cluster is typically the same size as a sector. These two sectors with 800 bytes of data are called two clusters. They are called clusters because the space is reserved for the data contents. This process protects the stored data from being overwritten.

Later, if data is appended to the file and its size grows to 1600 bytes, another two clusters are allocated, storing the entire file within four clusters. If contiguous clusters (clusters that are adjacent to each other on the disk) are not available, the second two clusters may be written elsewhere on the same disk, within the same cylinder or on a different cylinder, wherever the file system finds two sectors available. A file stored in this non-contiguous manner is considered to be fragmented.

Fragmentation can slow down system performance if the file system must direct the drive heads to several different addresses to find all the data in the file you want to read. The extra time for the heads to travel to a number of addresses causes a delay before the entire file is retrieved.

The FAT File System

Cluster size can be changed to optimize file storage. A larger cluster size reduces the potential for fragmentation but increases the likelihood that clusters will have unused space. Using clusters larger than one sector reduces fragmentation and reduc
CHAPTER 6: UNDERSTANDING ADVANCED UNDELETE PROCESS

Recovering the Chain of Clusters

00000210  09 00 0A 00 0B 00 0C 00 0D 00 FF FF 00 00 00 00
00000220  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Zeros! And it is good in our case: it means that these clusters are free, i.e. most likely our file was not overwritten by another file's data. Now we have a chain of clusters 3, 4, 5, 6 and we are ready to recover it.

Some explanations:

1. We started looking from offset 6 because each cluster entry in FAT16 takes 2 bytes and our file starts from the 3rd cluster, i.e. 3 * 2 = 6.
2. We considered 4 clusters because the cluster size on our drive is 32 KB and our file size is 112,435 bytes, i.e. 3 clusters * 32 KB = 96 KB plus a little bit more.
3. We assumed that this file was not fragmented, i.e. all clusters were located consecutively. We need 4 clusters and we found 4 free consecutive clusters, so this assumption sounds reasonable, although in real life it may not be true.

Note: In many cases data cannot be successfully recovered because the cluster chain cannot be defined. This will occur when another file or folder is written on the same drive as the one where the deleted file is located. Warning messages about this fact will be displayed while recovering data using Active@ UNDELETE.

Defining a Cluster Chain in NTFS

When recovering in NTFS, a part of the DATA attribute called Data Runs provides the locat
ze Criteria

[Figure: Search Options dialog, Use Size Criteria group. Size criteria: Any; Small (less than 100 KB); Medium (less than 1 MB); Large (more than 1 MB); Specify size (KB) From / To. Search summary: Look for on New Volume (K:), with file size within 0 bytes to infinity, 12/31/1969 19:00 to 12/31/2999 23:59, recursive search in subdirectories; Search and Cancel buttons.]

The options for this dialog box appear below.

Any: Size Criteria is ignored.
Small (Less than 100 KB): Search reports on files ranging from zero to 99 KB.
Medium (Less than 1 MB): Search reports on files ranging from zero to 999 KB.
Large (More than 1 MB): Search reports on files ranging from 1 MB to unlimited size.
Specify size (KB): Use the fields to specify file size boundaries and narrow your search.

CHAPTER 3: USING ACTIVE@ UNDELETE

Use Attributes Criteria

The figure below shows the Use Attributes Criteria group.

Figure 3-9: Search Options, Use Attributes

[Figure: Search Options dialog, Use Attributes group. File or Folder Attributes: Selected Attributes only; Read Only, Archive, Hidden, Compressed, Directory, Temporary, Normal, Sparse, System, Encrypted, MFT.]