porear

Member
  • Content count: 49

Community Reputation

0 Neutral

About porear

Contact Methods

  • Website URL
    http://paddyo.awardspace.com/
  1. Hey guys! Just popped back over to the old thread today and found this new sub forum. Thanks very much for the mention jaclaz, you deserve much kudos for your insight and suggestions to point people in the right directions of attack. I have missed playing with this issue, but life continues to get more unpredictable... we had a baby, moved, and now are expecting again, so are looking to move once again. Not much time to tinker! Thanks to all those who started this, and have carried it on to what looks like an excellently successful fruition.
  2. Hey guys! Sorry for a slightly OT post, just wanted to say hi and I am excited by your success. I have not been on here in a while, the new little man in our house has obviously changed our lives quite a bit. I am looking forward to finding some time to try out the ilko_t method, thanks very much to you and cdob, and of course jaclaz, who has been an excellent mentor in this whole process.
  3. Happy New Year! Just dropping a quick note to say I'm still here and still have not abandoned this, but my time will be spotty for a bit. The wife is nesting, so I have quite a few home projects in progress, and I've also changed job assignments at work. Will contribute again as soon as possible.
  4. I have been out of town and this "hobby" has been overtaken by enjoying time with family. However, certainly not abandoned, will be back in January as well. Your findings are consistent with the Microsoft FAT spec http://www.microsoft.com/whdc/system/platf...are/fatgen.mspx FAT12 and FAT16 have a fixed root directory size, while FAT32 does not. I had assumed that this root directory limit would be enforced by the OS, and you would not be allowed to place more than the maximum entries in the root on FAT12 and FAT16. Maybe that is not the case. The answer is probably in the spec, which I'll look over more when I can. In the meantime, have a wonderful Christmas and Happy New Year!!
  5. Sorry I've been unavailable for a few days. Thanks for the links jaclaz, I will give the tools a shot. I'll try to make sure they have the basic functionality needed, as well as try to test their relative performance (speed).
  6. What version of dsfok do you have? I thought it was possible to start from an offset - I am using #4b. From the readme

     I've been researching to learn more about the FAT and directory structure on disk. Here are some good references. You may have found the same or very similar.
     http://home.teleport.com/~brainy/fat16.htm
     http://www.mcmillan.cx/fat.html

     From what I gather, there is no central master table for entries other than the root. The rest are spread out over the disk. The FAT has a single entry for every cluster in the data section on the disk. The entry in the FAT for each cluster indicates whether the cluster has data, is unused, or is the last cluster for a file. Directories are just a special file on disk with the table structure discussed in the second link above. An entry in the table points to the first block of data in the directory.

     From the references, as I (think I) understand, FAT entries in these ranges mean the following:
       0000h         available cluster
       0002h-FFEFh   next cluster (or first?) in file
       FFF0h-FFF6h   reserved cluster
       FFF7h         bad cluster
       FFF8h-FFFF    last cluster in file

     If this is correct, we would need to parse the FAT, and look for all entries in the 0002h-FFEFh range that follow an entry that is NOT in the 0002h-FFEFh range. These entries will point to the first cluster of each file. The first byte in these clusters should be the first letter of each file name that will need to be backed up and restored. (This needs to be verified) I also believe that for the situation to be this simple, we are assuming that files have no fragmentation and are completely contiguous. If not, we would have to follow the trail of the "next cluster" entries and where they point for the next piece of a file until we encounter a "last cluster" entry.

     I hope that helps and perhaps provided something you didn't already know. I also hope it is all correct!

     Idea: Maybe comparing before/after FATs will help identify pointers to the files that have been deleted, so that we only back up those that are necessary instead of all.

     Update: Here is the FAT spec from Microsoft. Have not looked at it in depth yet but looks like it should answer all our questions. The pages are titled FAT32 but cover FAT12 and FAT16 as well. http://www.microsoft.com/whdc/system/platf...are/fatgen.mspx
  7. Wow that's fast, worked great. Output attached in two parts, the file was over the posting limit. Also, just out of curiosity, I used dsfo to make an image of the first 700MB of the stick to my hard drive. Restoring the image takes only a few minutes (less than 5) but this method requires an additional 700M of storage. I am sure it would have taken considerably longer had the backup image also been on the stick, and of course twice as much space on the stick would be used. Not the preferable way to go.
  8. Progress. uuuuuuuggggggh I was using the wrong version of findpart - I had the DOS version. I've been able to run the batch, the first part for finding the FATs and ROOT seems to work fine. The directory entries part of the code did not work for me, I have not begun to troubleshoot yet. My output is attached. Thanks!
  9. Hello, ilko_t. Welcome and thanks for the efforts. Sorry I've had a short lapse on this, life's been busy - we're expecting a baby!

     Thanks for the code jaclaz. My batch script skills are lacking what is required for this task. I had been considering throwing together some pseudo-code for what was needed, but looks like you have it covered. The basic idea is to traverse the FAT and record the on-disk address pointed to of the first byte of each file entry (the first character of each file name).

     I tried the batch, but was unable to get it to work for me. I know I am most probably not using it properly. I do have FindPart in the same directory as savesect.cmd. I ran the batch from a command line in Windows. I tried both Physical disk 1 (my hard disk) and Physical disk 2 (USB stick), with output redirected to 1.txt and 2.txt respectively. These files are attached, as are the screen outputs for each run in screen1.txt and screen2.txt.

     I tried also booting to DOS on the stick and running the batch there. I'm using DOS 7.1 from Win98, and COMMAND.COM does not recognize .cmd files. I changed it to a .bat, but it still won't run. It skips accepting input when asking for "YES" to confirm reading the boot disk, and immediately displays "LABEL NOT FOUND". I am assuming this is from a GOTO LABEL in the batch script.

     I've played with imaging the USB drive, then using gsar to search the image for the file names to provide the offset addresses. It works, but it finds 3 occurrences of each so we'd have to determine which is the one we want. It takes about 30 secs per file, which is actually pretty fast, but will take over a day for all 3000 files. This only has to be done once, but it's still extremely inefficient. A batch to process a list of all the file names would be needed too. Since the files are on disk in alphabetical order, the search could be shortened by starting subsequent searches at the sector where the last match occurred. Unfortunately, gsar does not accept a file offset from which to begin a search. I am sure other utilities could be found that would.

     Attachments: screen1.txt, screen2.txt, 1.txt, 2.txt
  10. I had seen (and even downloaded) RFD but passed it over. Maybe I need to look at it more carefully. It looks like it isn't free. EDIT: The 1.4 version is free.

     You are right, we could regenerate from the XP installation back to the disk. Another option might be to simply have a second copy of all the deleted files on the disk and copy them back over each time, but I was hoping to avoid fragmentation. The deleted files total about 144 MB, which still take some time to copy on a USB, but it isn't unbearable.

     So far the closest I have found to what I have been looking for is NT_SS mentioned previously. My best hits have come when searching for "physical disk search" and "hard disk forensics". This search for disk offsets only has to occur once, so (as you also have ascertained) we still have flexibility for the environment the search runs in. Even a GUI app that spits out a text report would do the trick...

     UPDATE: I took your suggestion of chainloading IO.SYS on the stick in GRUB. I was able to run Scaven! Not sure yet how fast it is. The main limitation with this approach is that the input file of search strings can only be 512 bytes - and our list is 40K. It could be split into 70 separate files and run by batch, but this seems a bit impractical.
  11. Maybe not for you! hehe Very well done, sir. Works perfectly. I made a couple of very minor tweaks.

     IF NOT %counter%==8 set filename=%filename%#&goto :Loop1

     I believe the #s actually need to be spaces (0x20).

     This next one threw me for a while. It was very strange, but the batch file made it through most of the directory then crashed. Turns out it didn't like the file "notepad.ch_" because when it parsed the name, it was literally translating the first three letters "not" as a NOT. I used some quotes and it works great.

     IF NOT "%filelen%"=="%filename%" SET length=%counter% &goto :loop1

     I have been looking at Tiny Hexer scripting capabilities, and unless I am mistaken, "search" does not seem to be a scriptable function. It is available in WinHex scripting capabilities, but not in the free version.

     We really just need a way now to obtain the hex offset of all of the file name locations. It still seems like with that additional piece of data this would be a suitable task for a batch that employs dsfi. We would not even need to rewrite the entire file name, only go to the offset where each name is located and rewrite the first 'å' byte.

     I found a tool that sounded suited for this at http://pjwalczak.com/scaven/index.php but alas it wouldn't see my USB disk, and the input file is limited to 512 bytes (our list is 26K). I've written the author but wouldn't consider this a very probable solution. This tool, NT_SS, is even more perfect, but carries a $50 tag. Its functionality is exactly what I am seeking. http://www.dmares.com/maresware/html/nt_ss.htm

     I am attaching replace.txt. It has the deleted name on disk, the first character that was replaced for each name, the original name on disk, and the original file names.

     Attachment: replace.txt
  12. That sounds way too easy - now where is the fun in that? Just kidding. The problem I have had with that type of approach has always been that once the text mode setup has finished loading (the part that is on the floppies) that I cannot get the installation to continue since it asks for the CD. This occurs even if I have the CD tag files on whatever medium I am trying to install from. I am sure this could be solved, I just have not yet been able to do it.

     Regarding the Tiny Hexer approach, I think it is possible, but it will require another step: the file names on the disk are in 8.3 format, so to search for them, our match list will first have to be modified. Looking at the installation files, I do not believe any have names longer than 8 characters, but some have less. On disk, these shorter names are padded with spaces (0x20) at the end, e.g. boot.ini becomes "BOOT    INI" (four spaces between boot and ini). Unfortunately some of the shorter deleted files have the same name with different extensions, so we cannot just search for åclui, we must search for
       åCLUI   CH_   (three spaces in between for all of these)
       åCLUI   DL_
       åCLUI   HL_
     Simple enough, just another step.
  13. Possible idea: Tiny Hexer at http://www.mirkes.de/en/home.php It's free, it's scriptable. Maybe there is a (scriptable) way to feed it the text file listing of file names, search for the location of each of the file names on the disk, and record these locations in the text file with the names. Then... create a batch or script file to use dsfi to restore the first character of each file name after deletion based on the text file created above. What do you think?
  14. hehe and I as well. As a tip, I have found that the term "file system snapshot" is turning up some interesting results, but have not gotten in too deep yet. This might not actually be that hard to do. I know the 3,025 files in question that are deleted and could make the database easily. This database would contain only the filenames and not their locations, so a complete search would have to happen for each file. My only concern would be that if gsar searches the entire disk each time to make each replacement, this may be impractical for the time required. A more targeted approach that would use the FAT information to go straight to the file would use a fraction of this time.
  15. uuuuuuuughhhhhh too much food. Hello, Puggsley and LLXX.

     I've been trying to determine what happens during a file deletion. Not only is the FAT altered, but one byte per file (I am assuming the first) is overwritten as well. It appears that this is the first character of the file name that must be manually supplied for most undelete methods.

     Experiment: I imaged through the end of my FAT tables (img1), then imaged the whole stick (img2). I deleted 3 files, restored the FAT from its image (img1), then re-imaged the entire stick again (img3). Comparing the two whole-disk images (img2 and img3) resulted in 3 differences found, in attached REPORT.TXT. The 42, 47, and 47 that were overwritten should correspond respectively to b, g, and g in the filenames bootlace.com, grldr.mbr, and grub.exe.

     So, for successful automatic undelete, the first character of all file names must be saved prior to deletion and then restored. I am assuming this is what "delete tracking" in the old DOS undelete did. http://free-backup.info/file-recovery-usin...s-undelete.html This would be perfect, unfortunately it requires a DOS 5.22 to DOS 6.0 environment to run. I've been looking but have not come across a similar tool that works in our XP Setup environment. From http://www.computerhope.com/undelete.htm

     I hope we're not digressing too much here to chase this as a solution to the file move issue, especially since this was already "Plan B". Although my talents are limited in this area, I might look at what it would take to try to write something that approximates the undelete "tracker". I had thought that although it complicates things, maybe we could alternatively boot to DOS, XP Setup, then DOS again and use the existing undelete with tracking. However, the tracking has to be running when a file is deleted for it to be added to the tracking file.

     Attachment: Report.txt
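As an added example (not code from this thread, nor from dsfok, FindPart, Tiny Hexer or any other tool it mentions), the following Python models the on-disk structures that posts 6, 12 and 15 talk about: an 8.3 name space-padded to 11 bytes as it sits in a directory entry, the 0xE5 byte that deletion writes over the first character (the 'å' in a Latin-1 hex view), a 32-byte directory-entry parser that flags such entries and reports their offset and first cluster, and a FAT16 chain walker that follows "next cluster" links to an end-of-chain value while refusing free, bad or reserved links and loops. `chain_heads` generalises post 6's "entry not preceded by a link" idea so that it also works for fragmented files: a chain head is any in-use cluster that no other in-use entry points to. The FAT table and root directory are constructed inline and are not taken from any real disk; the entry layout follows the Microsoft FAT specification cited in post 6.

```python
import struct
from typing import Dict, List, Optional

# FAT16 entry values (FAT12 uses the same scheme with 12-bit values 0xFF0-0xFFF)
FAT16_FREE = 0x0000
FAT16_BAD = 0xFFF7
FAT16_RESERVED = range(0xFFF0, 0xFFF7)  # 0xFFF0-0xFFF6
FAT16_EOC_MIN = 0xFFF8                  # 0xFFF8-0xFFFF: last cluster in file
DELETED_MARK = 0xE5                     # written over the first name byte on delete
DIR_ENTRY_SIZE = 32


def format_83(filename: str) -> bytes:
    """Name as stored on disk: 8-byte base + 3-byte extension, upper-cased, space-padded."""
    base, _, ext = filename.upper().partition(".")
    if len(base) > 8 or len(ext) > 3:
        raise ValueError(f"not an 8.3 name: {filename!r}")
    return base.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")


def deleted_form(filename: str) -> bytes:
    """Same name after deletion: only the first byte is replaced with 0xE5."""
    return bytes([DELETED_MARK]) + format_83(filename)[1:]


def parse_dir_entry(raw: bytes) -> Optional[Dict]:
    """Decode one 32-byte directory entry; None for a never-used slot (first byte 0x00)."""
    if len(raw) != DIR_ENTRY_SIZE:
        raise ValueError("directory entry must be 32 bytes")
    # offsets: 0 name[11], 11 attr, 12..25 times/dates/high cluster, 26 first cluster (low), 28 size
    name, attr, _misc, first_cluster, size = struct.unpack("<11sB14sHI", raw)
    if name[0] == 0x00:
        return None
    deleted = name[0] == DELETED_MARK
    # the overwritten first character is unrecoverable from the entry itself, hence '?'
    base = ("?" if deleted else chr(name[0])) + name[1:8].decode("latin-1").rstrip()
    ext = name[8:].decode("latin-1").rstrip()
    return {"raw_name": name, "deleted": deleted, "attr": attr,
            "first_cluster": first_cluster, "size": size,
            "display_name": base + ("." + ext if ext else "")}


def scan_directory(region: bytes) -> List[Dict]:
    """All entries in a directory region, each tagged with its byte offset in the region."""
    entries = []
    for off in range(0, len(region), DIR_ENTRY_SIZE):
        entry = parse_dir_entry(region[off:off + DIR_ENTRY_SIZE])
        if entry is None:
            break  # 0x00 first byte means no entries follow
        entry["offset"] = off
        entries.append(entry)
    return entries


def deleted_entries(region: bytes) -> List[Dict]:
    return [e for e in scan_directory(region) if e["deleted"]]


def walk_chain(fat: List[int], first: int) -> List[int]:
    """Follow a cluster chain to its end-of-chain marker; refuse free/bad/reserved links and loops."""
    chain, cur = [], first
    while True:
        if cur < 2 or cur >= len(fat):
            raise ValueError(f"cluster {cur:#06x} out of range")
        if cur in chain:
            raise ValueError(f"chain from {first} loops at cluster {cur}")
        chain.append(cur)
        nxt = fat[cur]
        if nxt >= FAT16_EOC_MIN:
            return chain
        if nxt == FAT16_FREE or nxt == FAT16_BAD or nxt in FAT16_RESERVED:
            raise ValueError(f"chain from {first} broken at cluster {cur}: next={nxt:#06x}")
        cur = nxt


def chain_is_intact(fat: List[int], first: int) -> bool:
    try:
        walk_chain(fat, first)
        return True
    except ValueError:
        return False


def chain_heads(fat: List[int]) -> List[int]:
    """First cluster of every chain: in-use clusters that no other in-use entry points to."""
    in_use = {c for c in range(2, len(fat))
              if fat[c] not in (FAT16_FREE, FAT16_BAD) and fat[c] not in FAT16_RESERVED}
    pointed_to = {fat[c] for c in in_use if fat[c] < FAT16_EOC_MIN}
    return sorted(in_use - pointed_to)


def make_entry(name11: bytes, first_cluster: int, size: int, attr: int = 0x20) -> bytes:
    return struct.pack("<11sB14sHI", name11, attr, b"\x00" * 14, first_cluster, size)


# Constructed sample FAT16 table (index = cluster number); not taken from any real disk.
SAMPLE_FAT = [
    0xFFF8, 0xFFFF,   # clusters 0-1: media descriptor / reserved
    0x0003, 0xFFFF,   # clusters 2-3: a contiguous two-cluster file
    0x0006, 0x0000,   # cluster 4 links to 6 (fragmented file); cluster 5 is free
    0xFFFF,           # cluster 6: end of the fragmented file
    0xFFF7,           # cluster 7: marked bad
    0x0000, 0x0000,   # clusters 8-9: freed when their file was deleted
]

# Constructed sample root directory: two live files and one deleted one.
SAMPLE_ROOT = (make_entry(format_83("grldr.mbr"), 2, 1024)
               + make_entry(format_83("menu.lst"), 4, 900)
               + make_entry(deleted_form("grub.exe"), 8, 700)
               + b"\x00" * DIR_ENTRY_SIZE)

if __name__ == "__main__":
    for e in scan_directory(SAMPLE_ROOT):
        state = "DELETED" if e["deleted"] else "live   "
        first = e["first_cluster"]
        chain = walk_chain(SAMPLE_FAT, first) if chain_is_intact(SAMPLE_FAT, first) else "(chain freed)"
        print(f"{state} @{e['offset']:3d} {e['display_name']:<12} first={first} size={e['size']} chain={chain}")
    print("chain heads:", chain_heads(SAMPLE_FAT))
```

Pointed at a real image, the FAT and root region would be read from the offsets FindPart reports and fed to `scan_directory` and `walk_chain`; the `'?'` in a deleted entry's `display_name` marks the one byte that has to be saved before deletion and written back afterwards, while the freed FAT chain is why an undelete of a fragmented file cannot be trusted without that second piece of information.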