March 18th, 2004, 01:02 PM
need info about info2-file in XP
I'm a student trying to learn about the info2 file. This is what I want to do: find the info2 file after the recycle bin is emptied, I want to find it and recover that file. I ran the freeware program Handy-Recover to find the info2 file with no success.
When I read about it, it says that the info2 file is deleted at the same time you empty the recycle bin.....but when I check in dos, after I have emptied the recycle bin, the info2 file is still there (but it is empty)
And when the recycle bin is emptied, if I drag a file to the recycle bin and then empty it, shouldn't the index number start at #0 again? Mine just goes on and on, like dc16, dc17... And where is the counting of the index number? I can't find it in the info2 file, and should it be there? If someone can explain this I would be happy!
March 18th, 2004, 03:42 PM
Yes, the info2 file is deleted after you empty the recycle bin. When you delete a file, the complete path and file name is stored in a hidden file called Info or Info2 in the Recycled folder. When you restore the file, one more entry is made in the INFO2 file regarding this, but if you empty the recycle bin the INFO2 file is deleted (I am using win98). When you do empty the Recycle Bin the clusters that stored Books.txt (e.g. below) are not erased, but rather, the clusters are marked as free space in the FAT by adding the Hex value "E5h" in front of the file name.
"it says that the info2 file deletes the same time you empty the recycle bin.....but when I check in dos, after I have emptied the recycle bin, the info2 file is still there (but it is empty)"
The deleted file is renamed according to the following syntax:
D<original drive letter of file><#>.<original extension>
New file name:
Dc1.txt = (C drive, second file deleted, a .txt file)
INFO file path:
New file name:
De7.doc = (E drive, eighth file deleted, a .doc file)
INFO file path:
E:\Winword\Letter to Rosemary.doc
Regarding recovering the files, try reading this: Recovering deleted files
I think the index of the info2 file starts with 0 every time you empty the recycle bin; the file gets deleted, and the next time it is created the index starts with 0.
hope it helps
March 18th, 2004, 04:02 PM
tnx for your reply and the links, I have read them but I don't get much wiser... when I run a recover program, shouldn't the deleted info2 file (if it is not overwritten) show up like: nfo2, where the first letter is gone cause it's unlinked?
March 18th, 2004, 06:12 PM
Correct me if wrong, you are saying that if a file is deleted then its first byte is changed to e5, so if a file has a name "Test.txt", then after deletion its name should change to something like "e5 + est.txt" as the first byte is replaced with e5, right?
That's true. When a file is created three things occur:
1. An entry is made into the File Allocation Table (FAT) to indicate where the actual data is stored in the Data Area. (A File Allocation Table is the means by which the operating system keeps track of where the pieces of a file are stored on a hard disk.)
2. A Directory entry is made to indicate file name, size, the link to the FAT and other information.
3. The data is written to the Data Area
When a file is deleted only two things occur:
1. The File Allocation Table entry for that particular file is zeroed out and shown as available for use by a new file. (A File Allocation Table is the means by which the operating system keeps track of where the pieces of a file are stored on a hard disk.)
2. The first character of the Directory Entry file name is changed to a special character. (E5 HEX)
3. Nothing is done to the Data Area. The data is untouched.
When a file is restored only two things need to be done:
1. The File Allocation Table entry for that particular file is linked to the particular location in the data area where the file data is stored.
2. The first character of the Directory Entry file name is changed to a legal character.
3. Nothing is done to the Data Area.
You have to have a deep knowledge of File System and computer forensics to do this, though. Check out these links for understanding FAT and FAT
March 18th, 2004, 08:37 PM
"The first character of the Directory Entry file name is changed to a legal character."
How do data Recovery Softwares Guess the Name of the File then?
March 19th, 2004, 11:42 AM
Swordfish, tnx for the great links! I have to read more about this, I guess I thought I just could run my recovery program to find the deleted info2 file...
March 19th, 2004, 05:01 PM
So I guess what I need is a program that can search for the info2 file header.....anyone who knows such a freeware program?
March 19th, 2004, 05:18 PM
Don't be put off by the .tar.gz extension. I was on my Linux
March 19th, 2004, 05:49 PM
tnx for your reply, I have already tried that program, but I couldn't locate my deleted info2 file...
March 19th, 2004, 06:55 PM
I tried a few file recovery programs. It seems that they detect all other deleted files, but not the files deleted by the system; for instance, I tried deleting the Temporary Internet Files by clearing the History, and then ran the file recovery program. No file was listed there. Similarly, I emptied my recycle bin, deleting the info2 file, then ran the file recovery; it wasn't there. I tried manually deleting the info2 file in the Recycled folder, and when I ran the file recovery program it was listed as "_NFO2". It seems that these recovery programs are not designed to recover the files deleted by the system itself. Why don't you try programming one of your own -_- it would be a good learning experience.
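
As an added example (not part of any post in this thread and not code from any recovery tool mentioned in it): a Python sketch of how a scanner walks raw FAT directory entries, picks out those whose first name byte is E5 hex, and shows them with a placeholder first character, which is why a manually deleted INFO2 is listed as "_NFO2". The 32-byte layout is the standard FAT 8.3 directory entry; the function names and the sample directory bytes are constructed for the demonstration.

```python
import struct

ENTRY_SIZE = 32     # a FAT short (8.3) directory entry is 32 bytes
DELETED = 0xE5      # first name byte once the entry is deleted
END_OF_DIR = 0x00   # first name byte of a never-used entry: nothing follows
ATTR_VOLUME = 0x08  # set on volume labels and on long-file-name entries (0x0F)

def make_entry(name, ext, size, cluster, attr=0x20, deleted=False):
    """Build one constructed 8.3 entry (demo input, not read from a disk)."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:8] = name.ljust(8).encode("ascii")
    raw[8:11] = ext.ljust(3).encode("ascii")
    raw[11] = attr
    struct.pack_into("<H", raw, 20, cluster >> 16)     # high word (FAT32 only)
    struct.pack_into("<H", raw, 26, cluster & 0xFFFF)  # low word
    struct.pack_into("<I", raw, 28, size)
    if deleted:
        raw[0] = DELETED  # deletion overwrites the first name byte
    return bytes(raw)

def find_deleted(directory):
    """Return (shown_name, first_cluster, size) for each deleted 8.3 entry."""
    hits = []
    for off in range(0, len(directory) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = directory[off:off + ENTRY_SIZE]
        if e[0] == END_OF_DIR:
            break
        if e[0] != DELETED or e[11] & ATTR_VOLUME:
            continue
        # The original first character is gone; show "_" in its place.
        name = "_" + e[1:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        hi = struct.unpack_from("<H", e, 20)[0]
        lo = struct.unpack_from("<H", e, 26)[0]
        size = struct.unpack_from("<I", e, 28)[0]
        hits.append((name + ("." + ext if ext else ""), (hi << 16) | lo, size))
    return hits

# Constructed sample: the raw bytes of a Recycled folder's directory.
SAMPLE_DIR = b"".join([
    make_entry("DESKTOP", "INI", 65, 3, attr=0x06),
    make_entry("INFO2", "", 820, 5, attr=0x22, deleted=True),
    make_entry("DC16", "TXT", 400, 8),
    make_entry("DC17", "TXT", 1234, 9, deleted=True),
]) + bytes(ENTRY_SIZE * 4)  # unused entries mark the end of the directory

if __name__ == "__main__":
    for name, cluster, size in find_deleted(SAMPLE_DIR):
        print(f"{name:<12} first cluster {cluster:<4} size {size}")
```

The entry still carries the first cluster and the size, which is what a recovery tool uses to locate the data; the first character of the name is the one piece it cannot read back from the entry.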