Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: undelete files using a hex-editor

  1. #1

    undelete files using a hex-editor

    how can i undelete files on a disk using a hex-editor?

    i'm searching google for it al day now, but haven't found any good tutorials or anything...

    i've read somewhere before that windows changes the first couple of characters of the filename into something, and therefore the file is marked as "overwritable", so when i know how to undo this, i could undelete files using only a hex-editor, and that's exactly what i want to learn!

    does anybody know something more about this, or perhaps a link to a tutorial???

  2. #2
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    http://www.antionline.com/showthread...hreadid=251428

    Towards the bottom of the tutorial is a section on tools for data recovery.

    Another interesting method: http://www.antionline.com/showthread...hreadid=247295

    You could use a hex editor, but I think that would be doing it the hard way. There are applications that look for data with no header information, and shows you where to look.

    Do a search for Data Recovery Tutorials if this isn't enough.

  3. #3
    thanks for reacting, but like i said, i want to do it with a hex editor, i've got dozens of tools to recover data, but i want to know how they work, so i can do it manually.

    i just want to learn.

  4. #4
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    Then you are going to have to learn how the recycle bin works, and exactly what bits it removes in order that the space be freed up...

    And learning how to code in hexadecimal? Maybe.

    Good luck with that. Sounds fun.

  5. #5
    that's the problem , the way i mean is that you can even restore data from any other OS as well.
    i.e.: when you have an empty disk, which wasn't empty the time before, and you'll use a hex-editor on it, you can find traces of what was on it.

    and as for coding in hex, yes i want to learn that, so if you got a good link for a tutorial, please let me know :P

  6. #6
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    In a FAT filesystem, assuming the directory entry has not been overwritten, you can simply change the 1st character of the filename back to what it was.

    Of course the FAT won't be correctly updated, so better run scandisk afterwards in order to fix it. The old DOS "undelete" program (Shipped with DOS 5+ AFAICR) does this and fixes the FAT too.

    It's got no way of knowing if the clusters have been reused since the file was deleted, so file corruption may occur. And if the clusters are part of another file, it breaks too.

    Under no circumstances run a disk hex editor while windows is running - do this in DOS ONLY

    All of this applies to FAT filesystem only. It's totally different in NTFS (/ext2 /ext3/ reiser /xfs etc)
    Slarty

  7. #7
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    you can simply change the 1st character of the filename back to what it was.
    Which wouldn't be so bad if you knew what the character was in the first place....I imagine it could take awhile to just guess it..

    Thanks slarty, that was helpful to me also...

  8. #8
    does it matter anything what the first character was groovicus?
    i.e.: telefone.exe works just as well when it's called felefone.exe.
    but i'll go and check it out on a fat table....

  9. #9
    Member
    Join Date
    Nov 2003
    Posts
    88
    I'm not to sure about how to undelete files using a hex-editor even though I've heard it works.
    However this is a small program which I use myself. I find it extremely usefull in retreaving files
    -HDD

  10. #10
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Used to be, back in good old DOS/FAT that the first character of a deleted file was changed to a "?" in the FAT IIRC.... All you had to do was change it back to any character other than "?" and the file was all relinked as long as no overwrite had taken place.

    That's why the "?" is an unusable character in a file name because if you put it at the beginning of the name the file would automatically "delete" itself.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •