
Thread: need info about info2-file in XP

  1. #1
    Junior Member
    Join Date
    Mar 2004
    Posts
    10

    Question need info about info2-file in XP

    I'm a student trying to learn about the info2 file. This is what I want to do: find the info2 file after the recycle bin is emptied, I want to find it and recover that file. I run the freeware program Handy-Recover to find the info2 file with no success.

    When I read about it, it says that the info2 file deletes the same time you empty the recycle bin.....but when I check in DOS, after I have emptied the recycle bin, the info2 file is still there (but it is empty)

    And when the recycle bin is emptied, if I drag a file to the recycle bin and after that empty it, shouldn't the index number start at #0 again? Mine just go on and on, like dc16, dc17... And where is the counting of the index number? I can't find it in the info2 file, and should it be there? If someone can explain this I would be happy!

  2. #2
    AntiOnline n00b
    Join Date
    Feb 2004
    Posts
    666
    hi

    "it says that the info2 file deletes the same time you empty the recycle bin.....but when I check in DOS, after I have emptied the recycle bin, the info2 file is still there (but it is empty)"

    Yes, the info2 file is deleted after you empty the recycle bin. When you delete a file, the complete path and file name are stored in a hidden file called Info or Info2 in the Recycled folder. When you restore the file, one more entry is made in the INFO2 file regarding this, but if you empty the recycle bin the file INFO2 is deleted (I am using Win98). When you do empty the Recycle Bin, the clusters that stored Books.txt (e.g. below) are not erased, but rather, the clusters are marked as free space in the FAT by adding the Hex value "E5h" in front of the file name.

    The deleted file is renamed according to the following syntax:

    D<original drive letter of file><#>.<original extension>

    Examples:
    New file name:

    Dc1.txt = (C drive, second file deleted, a .txt file)

    INFO file path:

    C:\Windows\Desktop\Books.txt

    New file name:

    De7.doc = (E drive, eighth file deleted, a .doc file)

    INFO file path:

    E:\Winword\Letter to Rosemary.doc


    Regarding recovering the files try reading this Recovering deleted files

    [edit]
    I think the index of the info2 file starts with 0 every time you empty the recycle bin; the file gets deleted, and the next time it is created the index starts with 0.
    hope it helps

    --Good Luck--

  3. #3
    Junior Member
    Join Date
    Mar 2004
    Posts
    10
    hi,

    tnx for your reply and the links, I have read them but I don't get much wiser... when I run a recover program, shouldn't the deleted info2 file (if it is not overwritten) show up like: nfo2, where the first letter is gone cause it's unlinked?

  4. #4
    AntiOnline n00b
    Join Date
    Feb 2004
    Posts
    666
    Correct me if wrong, you are saying that if a file is deleted then its first byte is changed to e5, so if a file has a name "Test.txt", then after deletion its name should change to something like "e5 + est.txt" as the first byte is replaced with e5, right?

    That's true. When a file is created, three things occur:

    1. An entry is made into the File Allocation Table (FAT) to indicate where the actual data is stored in the Data Area. (A File Allocation Table is the means by which the operating system keeps track of where the pieces of a file are stored on a hard disk.)

    2. A Directory entry is made to indicate file name, size, the link to the FAT and other information.

    3. The data is written to the Data Area

    When a file is deleted only two things occur:

    1. The File Allocation Table entry for that particular file is zeroed out and shown as available for use by a new file. (A File Allocation Table is the means by which the operating system keeps track of where the pieces of a file are stored on a hard disk.)

    2. The first character of the Directory Entry file name is changed to a special character. (E5 HEX)

    3. Nothing is done to the Data Area. The data is untouched.


    When a file is restored only two things need to be done:

    1. The File Allocation Table entry for that particular file is linked to the particular location in the data area where the file data is stored.

    2. The first character of the Directory Entry file name is changed to a legal character.

    3. Nothing is done to the Data Area.


    You have to have a deep knowledge of File System and computer forensics to do this, though. Check out these links for understanding FAT and FAT

  5. #5
    "The first character of the Directory Entry file name is changed to a legal character."

    How do data Recovery Softwares Guess the Name of the File then?

  6. #6
    Junior Member
    Join Date
    Mar 2004
    Posts
    10
    Swordfish, tnx for the great links! I have to read more about this, I guess I thought I just could run my recovery program to find the deleted info2 file...

  7. #7
    Junior Member
    Join Date
    Mar 2004
    Posts
    10
    So I guess what I need is a program that can search for the info2 file header.....anyone who knows such a freeware program?

    tnx

  8. #8
    Member
    Join Date
    Nov 2003
    Posts
    88
    http://www.antionline.com/showthread...098#post727098

    Don't be put off by the .tar.gz extension. I was on my Linux
    -HDD

  9. #9
    Junior Member
    Join Date
    Mar 2004
    Posts
    10
    HDD,

    tnx for your reply, I have already tried that program, but I couldn't locate my deleted info2 file...

  10. #10
    AntiOnline n00b
    Join Date
    Feb 2004
    Posts
    666
    I tried a few file recovery programs; it seems that they detect all other deleted files but the files deleted by the System. Like, I tried deleting the Temporary Internet File by clearing the History, and then ran the file recovery program. No file was listed there. Similarly, I emptied my recycle bin, deleting the info2 file, then ran the file recovery; it wasn't there. I tried manually deleting the info2 file in the Recycled folder, and when I ran the file recovery program it was listed as "_NFO2". It seems that these recovery programs are not designed to recover the files deleted by the system itself. Why don't you try programming one of your own -_- it would be a good learning experience.
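
The directory-entry behaviour discussed in posts #4 and #10, as an added example that is not part of the original thread: a Python scan over constructed 32-byte FAT short-name directory entries, showing why a recovery tool can only display a deleted INFO2 as `_NFO2`. Field offsets follow the standard FAT directory entry layout; the sample directory and the `make_entry` / `scan_directory` names are made up for illustration.

```python
import struct

DELETED, END, ATTR_LFN = 0xE5, 0x00, 0x0F

def make_entry(name, ext, cluster, size, deleted=False):
    """Build a constructed 32-byte FAT short-name directory entry."""
    raw = bytearray(32)
    raw[0:11] = name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    raw[11] = 0x20                                     # archive attribute
    struct.pack_into("<H", raw, 20, cluster >> 16)     # high word (used on FAT32)
    struct.pack_into("<H", raw, 26, cluster & 0xFFFF)  # low word
    struct.pack_into("<I", raw, 28, size)              # file size in bytes
    if deleted:
        raw[0] = DELETED       # deletion overwrites only the first name byte
    return bytes(raw)

def scan_directory(data):
    """Return (deleted, name, first_cluster, size) for each short-name entry."""
    found = []
    for off in range(0, len(data) - 31, 32):
        e = data[off:off + 32]
        if e[0] == END:                  # 0x00: no entries after this one
            break
        if e[11] & 0x3F == ATTR_LFN:     # long-file-name slot, skipped here
            continue
        deleted = e[0] == DELETED
        # The original first character is gone, so a placeholder is shown.
        first = "_" if deleted else chr(e[0])
        base = (first + e[1:8].decode("ascii", "replace")).rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        hi, = struct.unpack_from("<H", e, 20)
        lo, = struct.unpack_from("<H", e, 26)
        size, = struct.unpack_from("<I", e, 28)
        name = base + ("." + ext if ext else "")
        found.append((deleted, name, hi << 16 | lo, size))
    return found

# Constructed sample directory: one live file, two deleted ones, end marker.
SAMPLE_DIR = (make_entry("DC1", "TXT", 9, 1200)
              + make_entry("INFO2", "", 5, 820, deleted=True)
              + make_entry("DC16", "DOC", 12, 4096, deleted=True)
              + bytes(32))

if __name__ == "__main__":
    for deleted, name, cluster, size in scan_directory(SAMPLE_DIR):
        print("deleted" if deleted else "live   ", name, cluster, size)
```

The starting cluster and size survive in the deleted entry, which is what a recovery tool uses to locate the data once the FAT chain has been zeroed.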
