January 30th, 2004, 01:58 PM
undelete files using a hex-editor
how can i undelete files on a disk using a hex-editor?
i've been searching google for it all day now, but haven't found any good tutorials or anything...
i've read somewhere before that windows changes the first couple of characters of the filename into something, and therefore the file is marked as "overwritable", so when i know how to undo this, i could undelete files using only a hex-editor, and that's exactly what i want to learn!
does anybody know something more about this, or perhaps a link to a tutorial???
January 30th, 2004, 02:21 PM
Towards the bottom of the tutorial is a section on tools for data recovery.
Another interesting method: http://www.antionline.com/showthread...hreadid=247295
You could use a hex editor, but I think that would be doing it the hard way. There are applications that look for data with no header information, and show you where to look.
Do a search for Data Recovery Tutorials if this isn't enough.
January 30th, 2004, 09:40 PM
thanks for reacting, but like i said, i want to do it with a hex editor, i've got dozens of tools to recover data, but i want to know how they work, so i can do it manually.
i just want to learn.
January 30th, 2004, 10:00 PM
Then you are going to have to learn how the recycle bin works, and exactly what bits it removes in order that the space be freed up...
And learning how to code in hexadecimal? Maybe.
Good luck with that. Sounds fun.
January 31st, 2004, 11:27 AM
that's the problem, the way i mean is that you can even restore data from any other OS as well.
i.e.: when you have an empty disk, which wasn't empty the time before, and you'll use a hex-editor on it, you can find traces of what was on it.
and as for coding in hex, yes i want to learn that, so if you got a good link for a tutorial, please let me know :P
January 31st, 2004, 11:52 AM
In a FAT filesystem, assuming the directory entry has not been overwritten, you can simply change the 1st character of the filename back to what it was.
Of course the FAT won't be correctly updated, so better run scandisk afterwards in order to fix it. The old DOS "undelete" program (shipped with DOS 5+ AFAICR) does this and fixes the FAT too.
It's got no way of knowing if the clusters have been reused since the file was deleted, so file corruption may occur. And if the clusters are part of another file, it breaks too.
Under no circumstances run a disk hex editor while windows is running - do this in DOS ONLY.
All of this applies to FAT filesystem only. It's totally different in NTFS (ext2/ext3/reiser/xfs etc.)
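Added example, not part of the original post: a Python sketch of the manual FAT steps described above, run over a constructed directory region and a constructed FAT16 table. It assumes short 8.3 entries, where a deleted entry has its first name byte set to 0xE5, and a file that was stored contiguously; all function names and sample data are made up for the illustration.

```python
import struct

DELETED, END_OF_DIR, ATTR_LFN, ENTRY_SIZE = 0xE5, 0x00, 0x0F, 32

def make_entry(name, ext, cluster, size, deleted=False):
    """Build a constructed 32-byte 8.3 directory entry (sample data only)."""
    raw = bytearray((name.ljust(8) + ext.ljust(3)).encode("ascii"))
    if deleted:
        raw[0] = DELETED  # delete only overwrites the first name byte
    # attribute byte, 14 bytes of timestamps etc., start cluster, file size
    return bytes(raw) + struct.pack("<B14xHI", 0x20, cluster, size)

def find_deleted(directory):
    """Return (offset, name, start_cluster, size) for each deleted entry."""
    hits = []
    for off in range(0, len(directory) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = directory[off:off + ENTRY_SIZE]
        if entry[0] == END_OF_DIR:  # never-used entry: nothing follows
            break
        if entry[0] != DELETED or entry[11] == ATTR_LFN:
            continue
        # the first character is lost, so show it as "?"
        base = "?" + entry[1:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        cluster, size = struct.unpack_from("<HI", entry, 26)
        hits.append((off, base + ("." + ext if ext else ""), cluster, size))
    return hits

def clusters_still_free(fat16, start, size, cluster_bytes):
    """True if the contiguous run the file would need is unallocated in the FAT."""
    count = -(-size // cluster_bytes)  # ceiling division
    return all(e == 0 for e in struct.unpack_from("<%dH" % count, fat16, start * 2))

def undelete(directory, offset, first_char):
    """Return a copy of the directory with the first name byte put back."""
    if directory[offset] != DELETED:
        raise ValueError("entry is not marked deleted")
    patched = bytearray(directory)
    patched[offset] = ord(first_char.upper())
    return bytes(patched)

# Constructed sample: a live file, a deleted file, then the end-of-directory entry.
SAMPLE_DIR = (make_entry("README", "TXT", 2, 1000)
              + make_entry("TELEFONE", "EXE", 3, 5000, deleted=True)
              + bytes(ENTRY_SIZE))
# Constructed FAT16: 0-1 reserved, 2 end of chain, 3-5 free, 6 in use, 7 free.
SAMPLE_FAT = struct.pack("<8H", 0xFFF8, 0xFFFF, 0xFFFF, 0, 0, 0, 0xFFFF, 0)
```

A free run in the FAT only shows the clusters are not allocated right now; it cannot show whether they were reused and freed again in between, and the patched entry still needs its FAT chain rebuilt.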
January 31st, 2004, 02:10 PM
Which wouldn't be so bad if you knew what the character was in the first place... I imagine it could take a while to just guess it.
you can simply change the 1st character of the filename back to what it was.
Thanks slarty, that was helpful to me also...
January 31st, 2004, 02:50 PM
does it matter at all what the first character was, groovicus?
i.e.: telefone.exe works just as well when it's called felefone.exe.
but i'll go and check it out on a fat table....
January 31st, 2004, 03:06 PM
I'm not too sure about how to undelete files using a hex-editor even though I've heard it works.
However this is a small program which I use myself. I find it extremely useful in retrieving files.
January 31st, 2004, 04:53 PM
Used to be, back in good old DOS/FAT that the first character of a deleted file was changed to a "?" in the FAT IIRC.... All you had to do was change it back to any character other than "?" and the file was all relinked as long as no overwrite had taken place.
That's why the "?" is an unusable character in a file name because if you put it at the beginning of the name the file would automatically "delete" itself.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides