So far the articles in this guide have shown you how to make a Disk Editor boot disk and have discussed the basics of disk clusters and long file names. Now it's time to put all this information together and actually recover a deleted file.
Restoring deleted files with Disk Editor is a four-step process. The four steps are:
1. Restore the filename (the DOS alias)
2. Locate the clusters used by the file
3. Recreate the necessary file allocation table entries
4. Recover the long file name if necessary
Before you can perform any of these actions, you must configure Disk Editor to work in Read/Write mode (it uses Read Only mode by default). Just remember what I said in an earlier story about working from a copy rather than from your original disk.
Switching Disk Editor into read/write mode is simple. To do so, select the Configuration command from Disk Editor's Tools menu. When the Configuration dialog box opens, deselect the Read Only check box, then click the Save button.
As you may recall, if a file uses a long filename, it is actually stored on the disk using its DOS alias. Therefore, your first step in the data recovery process is to examine the file allocation table through Disk Editor and locate the deleted file. If necessary, you can use Disk Editor's Object menu to switch
Once you've found the deleted file you'd like to recover, place your cursor over the top of the sigma sign (the first character of the filename) and type the letter you want to use as the first character of the filename. If your keyboard is in insert mode, you will have to press the Delete key to get rid of the sigma sign. After correcting the filename, move your cursor down a line and you will notice that the ID column entry for the file will change from Erased to File, indicating that the file has been recovered.
Keep in mind, however, that you have not yet recovered the file, only its directory entry.
How many disk clusters are used when recovering a deleted file?
Figuring out how many disk clusters a file uses is a critical skill for the next step. If you don't fully understand how to calculate cluster usage, you might want to review the article on clusters before continuing.
The next step is to figure out the starting cluster for a file that has been deleted. Fortunately, Disk Editor gives you this information. The number listed for the file in the Disk Editor's Cluster column is the file's starting cluster. Make note of this number.
Once the file that you are attempting to recover has been selected, choose the Cluster Chain command from the Link menu. You will now see a message indicating that changes have been made to a sector. These changes have to do with the filename that you changed. Click the Write button to make your change permanent.
At this point, select the Cluster command from the Object menu. You'll be asked to enter a cluster range. Enter the file's starting cluster into the field provided. You can calculate the ending cluster based on the file size and the length of each allocation unit. Enter the ending cluster number into the ending cluster field and click OK.
Recovering a deleted file: A closer look
Since this step is on the technical side, let's go through an example. In writing this article, I placed a file onto a floppy disk and then deleted it. The file was named DELTREE.EXE and had a file size of 19083 bytes. Since a floppy disk has an allocation unit size of 512 bytes, I divided the file size (19083 bytes) by 512 bytes, which equals 37 and change. Since you can only use whole clusters, I rounded the answer up to 38. The file's starting cluster was 1064, so I added 37 clusters to it (the 38th cluster is the starting cluster) and got an ending cluster of 1101.
Click OK, and the Disk Editor will display the clusters that you have selected. This gives you a chance to scroll through the clusters and see if they appear to be a part of your file. If the file contains binary data, the clusters will usually appear as hieroglyphics. But if the clusters are a part of a Word document or text file, they will often contain some usable text. The last cluster in the chain should contain a bunch of zeros at the end, indicating that only part of the cluster is being used by the file. You can interpret this as an end-of-file marker.
If you are confident that the clusters that you have chosen belong to the deleted file, select the Directory command from the Object menu to return to the directory. Select the file you want to recover, then select the Cluster Chain command from the Link menu. The beginning cluster is already filled in, so move to the next blank space and enter the next cluster number.
For example, in the situation above, the first cluster used by my deleted file was 1064. So I would enter 1065 into the first blank space, then repeat the process until all the file's clusters had been entered. Now move your cursor to the blank space after the last cluster. Select the Mark command from the Edit menu, then select the Fill command. You'll be prompted as to what you would like to fill the cluster with. Select the End of File option and click OK. Finally, select the Write Changes command from the Edit menu to make your changes permanent. The file is now recovered.
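The cluster arithmetic and chain described above, as an added example that is not from the original article: it parses a constructed 32-byte directory entry for the article's DELTREE.EXE, computes the cluster range, and builds the contiguous FAT12 chain that the Cluster Chain steps enter by hand. The function names and the sample entry are assumptions made for illustration, and the chain is only correct if the file was not fragmented.

```python
import struct

ERASED = 0xE5      # first name byte of an erased entry (Disk Editor's sigma)
FAT12_EOF = 0xFFF  # end-of-chain value on a FAT12 floppy

def parse_erased_entry(entry: bytes, first_char: str) -> dict:
    """Read the 8.3 name, starting cluster and size from a 32-byte erased entry."""
    if len(entry) != 32 or entry[0] != ERASED:
        raise ValueError("not a 32-byte erased directory entry")
    # Step 1 of the article: replace the erased marker with a chosen first letter.
    base = (first_char.upper() + entry[1:8].decode("ascii")).rstrip()
    ext = entry[8:11].decode("ascii").rstrip()
    # Offset 26: first cluster (16-bit); offset 28: file size (32-bit), little-endian.
    start, size = struct.unpack_from("<HI", entry, 26)
    return {"name": f"{base}.{ext}" if ext else base, "start": start, "size": size}

def cluster_range(start: int, size: int, cluster_bytes: int):
    """Return (cluster count, ending cluster), assuming the file is contiguous."""
    if size == 0:
        return 0, None                   # an empty file owns no clusters
    count = -(-size // cluster_bytes)    # ceiling division: a partial cluster is a whole one
    return count, start + count - 1

def contiguous_chain(start: int, count: int) -> dict:
    """FAT entries to recreate: each cluster points to the next, the last to EOF."""
    if count < 1:
        raise ValueError("a chain needs at least one cluster")
    chain = {c: c + 1 for c in range(start, start + count - 1)}
    chain[start + count - 1] = FAT12_EOF
    return chain

# Constructed sample: the article's DELTREE.EXE directory entry after deletion
# (archive attribute set, timestamps zeroed, start cluster 1064, size 19083).
SAMPLE = b"\xe5ELTREE EXE" + b"\x20" + bytes(14) + struct.pack("<HI", 1064, 19083)

if __name__ == "__main__":
    info = parse_erased_entry(SAMPLE, "D")
    count, end = cluster_range(info["start"], info["size"], 512)
    chain = contiguous_chain(info["start"], count)
    print(info["name"], "uses", count, "clusters:", info["start"], "to", end)
    print("last FAT entry is EOF:", chain[end] == FAT12_EOF)
```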
In this case, the file I was recovering did not have a long file name. But if it had, I would have switched to Directory view and then selected the long file name. From there I would have selected the Attach LFN command from the Tools menu. If multiple directory entries are used to store an extremely long file name, you would start with the first part of the long file name, then perform the Attach LFN technique on the remaining portions of the long file name in sequence.
In our sample file recovery, all the file's clusters existed in sequence beginning at 1064 and ending at 1101. But in the real world, clusters belonging to a file may be scattered all over a hard disk due to fragmentation. If you suspect that a file you are trying to recover is fragmented, you'll need to recover the file using a file recovery utility other than Disk Editor. Disk Editor does not provide an easy method for recovering a fragmented file.
Now that I've explained how to manually recover a deleted file on a FAT file system, we'll examine data recovery for NTFS partitions in the next tip.
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server, Exchange Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. He writes regularly for SearchWinComputing.com and other TechTarget sites.
This was first published in June 2006