views: 120

answers: 2

Years ago I read a tutorial about the Windows DEBUG command.

The article also described how the tool could be used to restore a deleted file.

Could anyone give me a hint on how that was done?

+1  A: 

It was probably used on a FAT based system where deleting a file amounted to marking the file as deleted in a table. Clearing that mark undeleted the file (of course, the contents might have been overwritten in the meantime).

The same principle still applies in the case of NTFS, but I do not know if it is possible to alter NTFS structures this way without getting into trouble.

Sinan Ünür
Yes, this sounds like what I vaguely remember. I changed one byte (E5?) somewhere and the file appeared again. But if I have to reinstall XP on FAT I will give up my little experiment :)
vobject
+1  A: 

With debug you could read and write directly from the hard drive. It was a very complicated and risky procedure.

Basically, what you had to do is find the boot record to locate the file allocation table (FAT) that you needed to restore your file from. Then, you would locate the file's first cluster on the drive as well as the size of the file from the file entries. Once you knew the first block and size, you would hope that the file was not fragmented or overwritten and could simply extract the information there.

There was also an undelete application that could do that automatically for you.

Today, all this can be done using ::CreateFile() on the volume path \\.\C: and using the handle to ::ReadFile() directly from the volume. The success rate is especially high if you know exactly what the file header looks like: you can then very easily search the drive sector by sector for that specific header and hope the file is not fragmented or overwritten. Then you can simply read the information directly from the drive and dump it into a new file. There is no need to fiddle with the file system.

If the file was fragmented prior to deletion, it's probably gone for good because you no longer have the information to locate all the file's parts, except maybe the first cluster.

Coincoin
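The header-search recovery described in this answer, as an added example (not code from the answer or from any tool it mentions): it scans a constructed volume image sector by sector for the PNG signature, then walks the PNG chunk structure and checks each chunk CRC, so a file whose tail was overwritten after deletion is rejected instead of being carved as garbage. The volume image and the two PNGs in it are constructed in the block; on a real system the same bytes would come from ReadFile() on the volume handle as the answer describes.

```python
import struct
import zlib

SECTOR = 512
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def walk_png(buf: bytes, start: int):
    """Walk the chunks of a PNG whose signature sits at `start`.
    Return the file length if every chunk is intact up to IEND, else None
    (the tail was truncated, overwritten, or lives in another fragment)."""
    pos = start + len(PNG_SIG)
    while pos + 12 <= len(buf):
        length, ctype = struct.unpack(">I4s", buf[pos:pos + 8])
        data_end = pos + 8 + length
        if data_end + 4 > len(buf):
            return None  # chunk claims more data than the image holds
        (crc,) = struct.unpack(">I", buf[data_end:data_end + 4])
        if zlib.crc32(buf[pos + 4:data_end]) & 0xFFFFFFFF != crc:
            return None  # chunk contents changed since the file was written
        pos = data_end + 4
        if ctype == b"IEND":
            return pos - start
    return None

def carve_pngs(volume: bytes, sector_size: int = SECTOR):
    """Look at each sector boundary for the PNG signature and carve intact files."""
    out = []
    for off in range(0, len(volume), sector_size):
        if volume.startswith(PNG_SIG, off):
            n = walk_png(volume, off)
            if n is not None:
                out.append((off, volume[off:off + n]))
    return out

# Constructed sample data: a 1x1 grayscale PNG and a copy whose last bytes were overwritten.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
GOOD_PNG = (PNG_SIG + png_chunk(b"IHDR", IHDR)
            + png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + png_chunk(b"IEND", b""))
DAMAGED_PNG = GOOD_PNG[:-6] + b"XXXXXX"  # IEND type/CRC clobbered -> CRC check fails

def build_volume() -> bytes:
    """Constructed 8-sector 'volume' with the good PNG at sector 2 and the damaged one at sector 5."""
    vol = bytearray(8 * SECTOR)
    vol[2 * SECTOR:2 * SECTOR + len(GOOD_PNG)] = GOOD_PNG
    vol[5 * SECTOR:5 * SECTOR + len(DAMAGED_PNG)] = DAMAGED_PNG
    return bytes(vol)

if __name__ == "__main__":
    for off, data in carve_pngs(build_volume()):
        print(f"intact PNG at offset {off}, {len(data)} bytes")
```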