Re: [OT] undeleting on FAT32

To: debian-user@lists.debian.org
Subject: Re: [OT] undeleting on FAT32
From: Craig Dickson <crdic@pacbell.net>
Date: Fri, 22 Nov 2002 10:36:20 -0800
Message-id: <[🔎] 20021122183620.GA21810@linux700.localnet>
In-reply-to: <[🔎] 20021122130641.A11496@sccs.swarthmore.edu>
References: <[🔎] F123LQrsutplhR1PDGN00001f47@hotmail.com> <[🔎] 20021122005815.1b7af88a.newsuser@famdijkstra.org> <[🔎] 20021122032404.A11191@sccs.swarthmore.edu> <[🔎] 20021122160113.GA18725@linux700.localnet> <[🔎] 20021122130641.A11496@sccs.swarthmore.edu>

sean finney wrote:

> On Fri, Nov 22, 2002 at 08:01:13AM -0800, Craig Dickson wrote:
> > For that sort of thing, if the file is fragmented, you're probably more
> > or less out of luck. What you'd probably want to do is build a map of
> > the unallocated clusters on the partition, starting with the first
> > cluster of the file (which you can still get from its directory entry).
> 
> okay, i really know nothing about the inner workings of fat32...  how
> would i do both of these things?

If you still have a Windows machine and the file really matters that
much to you, the simplest approach would be to pick up a copy of Norton
Utilities and use the UnErase wizard. No guarantees, but that's probably
the best way to go.

Failing that, you need a program that will let you look at individual
sectors on the hard disk. Read up on the FAT filesystem's structure.
Short version: at the start of the partition, there is a boot sector
followed by two copies of the FAT (File Allocation Table). Following the
FAT is the data area, which consists of clusters; each cluster is a
fixed- size group of sectors (the sectors-per-cluster value is contained
in the boot sector). Each entry in the FAT is either a constant, the
value of which I forget, that means "this cluster is unallocated", or
the index of the next cluster in that file. So the way you find all of a
file that hasn't been deleted is to get the first cluster number (C1)
from the file's directory entry, then get the second cluster number (C2)
by looking at index C1 in the FAT, and so on until you get to a FAT
entry containing the "end of file" constant (the value of which I also
forget -- it's been about ten years since I had a reason to care).

What I'm suggesting here is that you get a list of all the cluster
indices for which the corresponding FAT entry says "unallocated", then
look up the deleted file's directory entry to get its first cluster
number. Figure out how many clusters the file should occupy (its size in
bytes should still be in the directory entry, I think). Look at the
clusters on disk one by one, starting with the first cluster of the file
and then moving on to subsequent unallocated clusters. If they look like
they might be part of your file, append their contents to a new file
that you create on another partition. If you're lucky, at the end of
this process you'll have your file back. But quite possibly you won't,
because there's no guarantee that you've accurately chosen all the right
sectors if the file was fragmented.

Craig

Reply to:

Follow-Ups:
- RE: [OT] undeleting on FAT32
  - From: "Charlie Reiman" <creiman@kefta.com>

References:
- Re: [OT] undeleting on FAT32
  - From: "Joshua Thomas" <work_thomas@hotmail.com>
- Re: [OT] undeleting on FAT32
  - From: Tim Dijkstra <newsuser@famdijkstra.org>
- Re: [OT] undeleting on FAT32
  - From: sean finney <seanius@seanius.net>
- Re: [OT] undeleting on FAT32
  - From: Craig Dickson <crdic@pacbell.net>
- Re: [OT] undeleting on FAT32
  - From: sean finney <seanius@seanius.net>

Prev by Date: Re: dhcpd and pppoe and name servers
Next by Date: VT82C686B Sound Problem
Previous by thread: Re: [OT] undeleting on FAT32
Next by thread: RE: [OT] undeleting on FAT32
Index(es):
- Date
- Thread