UNDELETE Process
After the cluster chain is defined, the final task is to read the
contents of those clusters, save them to another place and verify
them. Given a chain of clusters and the standard formulae, it is
possible to calculate each cluster's offset from the beginning of the
drive. The formula for calculating a cluster offset depends on the
file system.
Starting from the calculated offset, copy a volume of data equal to
the size of the chain of clusters into a newly created file.
To calculate the cluster offset on a FAT drive, we need to know:
- Boot sector size
- Number of FAT copies
- Size of one copy of the FAT
- Size of the root folder
- Number of sectors per cluster
- Number of bytes per sector
NTFS defines a linear cluster space, so calculating the cluster
offset is simply a matter of multiplying the cluster number by the
cluster size.
Recovering Cluster Chain in FAT16
This section continues the examination of the deleted file
MyFile.txt from previous topics. By now we have identified a chain of
clusters numbered 3, 4, 5 and 6 for recovery. Each cluster consists
of 64 sectors and the sector size is 512 bytes, so the cluster size is:
64*512 = 32,768 bytes = 32 KB.
The first data sector is 535 (1 boot sector, plus 2 copies of the FAT
at 251 sectors each, plus a 32-sector root folder: 534 sectors in total
occupied by system data).
Clusters 0 and 1 do not exist, so the first data cluster is 2.
Cluster 3 follows cluster 2, i.e. it is located 64 sectors after the
first data sector (535 + 64 = 599).
This equals an offset of 306,688 bytes from the beginning of the
drive (0x4AE00).
With the help of a low-level disk editor we can see our data
starting at offset 0x4AE00, i.e. cluster 3, or sector 599:
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
0004AE00 47 55 49 20 6D 6F 64 65 20 53 65 74 75 70 20 68 GUI mode Setup h
0004AE10 61 73 20 73 74 61 72 74 65 64 2E 0D 0A 43 3A 5C as started...C:\
0004AE20 57 49 4E 4E 54 5C 44 72 69 76 65 72 20 43 61 63 WINNT\Driver Cac
Because the cluster chain is consecutive, all we need to do is copy
112,435 bytes starting from this place. If the cluster chain were not
consecutive, we would need to re-calculate the offset for each cluster
and copy 64*512 = 32,768 bytes starting from each of the first three
cluster offsets, then the remainder from the last cluster. The last
cluster's remainder, 14,131 bytes, is calculated as
112,435 bytes - (3 * 32,768 bytes).
Recovering Cluster Chain in NTFS
In our example we just need to pick up 110 clusters starting from
cluster 312555. The cluster size is 512 bytes, so the offset of the
first cluster is 512 * 312555 = 160,028,160 = 0x0989D600:
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
0989D600 D0 CF 11 E0 A1 B1 1A E1 00 00 00 00 00 00 00 00 ÐÏ.ࡱ.á........
0989D610 00 00 00 00 00 00 00 00 3E 00 03 00 FE FF 09 00 ........>...þÿ..
0989D620 06 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ................
0989D630 69 00 00 00 00 00 00 00 00 10 00 00 6B 00 00 00 i...........k...
0989D640 01 00 00 00 FE FF FF FF 00 00 00 00 6A 00 00 00 ....þÿÿÿ....j...
0989D650 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
Recovery is complete when data has been read from this point
through 110 clusters (56,320 bytes) and copied to another location.
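The FAT and NTFS offset formulae and the cluster-copy step above, as working code. This is an added illustration, not part of the original tutorial: the FatGeometry defaults, cluster numbers 3..6, the 112,435-byte file size and cluster 312555 are the page's own figures, while the disk image is constructed in memory and the names recover_chain and demo_fat16 are chosen here. recover_chain recomputes the offset of every cluster, so it also covers the fragmented-chain case the text mentions.

```python
from dataclasses import dataclass
from typing import Callable, Iterable

@dataclass
class FatGeometry:
    boot_sectors: int = 1              # defaults: the FAT16 volume from the walkthrough
    fat_copies: int = 2
    fat_sectors: int = 251             # sectors in one FAT copy
    root_dir_sectors: int = 32
    sectors_per_cluster: int = 64
    bytes_per_sector: int = 512

    def first_data_sector(self) -> int:          # 1 + 2*251 + 32 = 535 here
        return self.boot_sectors + self.fat_copies * self.fat_sectors + self.root_dir_sectors

    def cluster_offset(self, cluster: int) -> int:
        if cluster < 2:                          # clusters 0 and 1 do not exist
            raise ValueError("FAT data clusters are numbered from 2")
        sector = self.first_data_sector() + (cluster - 2) * self.sectors_per_cluster
        return sector * self.bytes_per_sector    # byte offset from the start of the volume

def ntfs_cluster_offset(cluster: int, cluster_size: int) -> int:
    return cluster * cluster_size                # NTFS is linear: cluster number * cluster size

def recover_chain(image: bytes, chain: Iterable[int], cluster_size: int,
                  file_size: int, offset_of: Callable[[int], int]) -> bytes:
    """Copy file_size bytes: a full cluster per chain entry, only the remainder from the last."""
    out, remaining = bytearray(), file_size
    for cluster in chain:
        if remaining == 0:
            break
        off, n = offset_of(cluster), min(cluster_size, remaining)
        chunk = image[off:off + n]
        if len(chunk) != n:                      # chain points past the end of the image
            raise ValueError(f"cluster {cluster} at {off:#x} is outside the image")
        out += chunk
        remaining -= n
    if remaining:
        raise ValueError(f"chain too short: {remaining} bytes not recovered")
    return bytes(out)

def demo_fat16():
    """Constructed image (not a real dump): known payload at clusters 3..6, then recovered."""
    geo = FatGeometry()
    cluster_size = geo.sectors_per_cluster * geo.bytes_per_sector    # 32,768 bytes
    payload = (bytes(range(256)) * 440)[:112_435]                     # MyFile.txt size
    image = bytearray(geo.cluster_offset(7))                          # zeros through cluster 6
    image[geo.cluster_offset(3):geo.cluster_offset(3) + 112_435] = payload
    recovered = recover_chain(bytes(image), [3, 4, 5, 6], cluster_size, 112_435, geo.cluster_offset)
    return geo.cluster_offset(3), payload, recovered
```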