I am trying to recover deleted files in NTFS and FAT filesystems through reading the hard disk in C++.NET. I understand that to achieve this one needs to access the master file table. But so far I haven’t been able to do that. Can anybody help me in this regard?
At least some versions of FAT are documented, and all the information you need about every version is out there somewhere, but
there’s nothing documented about NTFS, and lots of what’s out there is either out of date or has always been incorrect. Also, just to
state the obvious - if you’re going to mess around with the MFT, for example, and don’t really, really know what you’re doing, an
effort to recover deleted files might very well leave you more files to recover.
Why are you doing this? If the answer is for your own personal use or learning and the system you’re using has nothing on it that
you need, then all is well, as it will be an enjoyable challenge. Otherwise, unless you mean using some user mode API that I don’t
know about or something like that, my advice would be to most definitely not do this.
mm
xxxxx@hotmail.com wrote:
> I am trying to recover deleted files in NTFS and FAT filesystems through reading the hard disk in C++.NET. I understand that to achieve this one needs to access the master file table. But so far I haven’t been able to do that. Can anybody help me in this regard?
All versions of FAT are documented in fatgen103.docx. ExFat appears to be
FAT in name only since it supports transactions. I have not looked at it
and don’t know for sure, but AFAIK it is not documented.
You are very correct about NTFS, especially with the addition of
transactions. Trying to ‘fix’ a currently mounted NTFS system would be a
real major task unless you have source code access. Even with such access
it will take a long time to understand the code and the variations including
transactions, encryption, and compression.
WinHex is very useful in looking at the raw data of volumes.
“Martin O’Brien” wrote in message
news:xxxxx@ntfsd…
> At least some versions of FAT are documented, and all the information you
> need about every version is out there somewhere, but there’s nothing
> documented about NTFS, and lots of what’s out there is either out of date or
> has always been incorrect. Also, just to state the obvious - if you’re
> going to mess around with the MFT, for example, and don’t really, really
> know what you’re doing, an effort to recover deleted files might very well
> leave you more files to recover.
>
> Why are you doing this? If the answer is for your own personal use or
> learning and the system you’re using has nothing on it that you need, then
> all is well, as it will be an enjoyable challenge. Otherwise, unless you
> mean using some user mode API that I don’t know about or something like
> that, my advice would be to most definitely not do this.
>
> mm
>
> xxxxx@hotmail.com wrote:
>> I am trying to recover deleted files in NTFS and FAT filesystems through
>> reading the hard disk in C++.NET. I understand that to achieve this one needs to
>> access the master file table. But so far I haven’t been able to do that.
>> Can anybody help me in this regard?
>
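Because FAT, unlike NTFS, has a published on-disk format, a read-only look at deleted entries is feasible. The following is an added example, not code from anyone in this thread: it scans a raw directory region for short-name entries whose first byte is 0xE5 (the deleted marker in Microsoft's FAT specification). The names `find_deleted` and `sample_directory` and the sample bytes are constructed for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

struct DeletedEntry { std::string name; uint32_t first_cluster; uint32_t size; };
static uint32_t le16(const uint8_t* p) { return p[0] | (uint32_t(p[1]) << 8); }
static std::string field(const uint8_t* p, int n) {     // space-padded 8.3 name field
    std::string s(p, p + n);
    while (!s.empty() && s.back() == ' ') s.pop_back();
    return s;
}

// Read-only scan of a raw FAT directory region (32-byte entries) for deleted short names.
std::vector<DeletedEntry> find_deleted(const std::vector<uint8_t>& dir) {
    std::vector<DeletedEntry> out;
    for (size_t off = 0; off + 32 <= dir.size(); off += 32) {
        const uint8_t* e = dir.data() + off;
        if (e[0] == 0x00) break;                         // free, and nothing allocated after it
        if (e[0] != 0xE5) continue;                      // entry still in use
        if (e[11] & 0x08) continue;                      // volume label or long-name slot (0x0F)
        std::string base = field(e, 8), ext = field(e + 8, 3);
        base[0] = '?';                                   // first character was replaced by 0xE5
        out.push_back({ext.empty() ? base : base + "." + ext,
                       (le16(e + 20) << 16) | le16(e + 26), le16(e + 28) | (le16(e + 30) << 16)});
    }
    return out;
}

// Constructed sample: a live file, a deleted file, then the end-of-directory marker.
std::vector<uint8_t> sample_directory() {
    std::vector<uint8_t> d(96, 0);
    auto put = [&d](size_t off, const char* name11, uint32_t clus, uint32_t size) {
        std::memcpy(&d[off], name11, 11);
        d[off + 11] = 0x20;                              // ATTR_ARCHIVE
        for (int i = 0; i < 4; ++i) d[off + 28 + i] = uint8_t(size >> (8 * i));
        d[off + 26] = uint8_t(clus);       d[off + 27] = uint8_t(clus >> 8);   // low word
        d[off + 20] = uint8_t(clus >> 16); d[off + 21] = uint8_t(clus >> 24);  // high word
    };
    put(0, "README  TXT", 3, 512);
    put(32, "\xE5" "EPORT  DOC", 0x12345, 1234);
    return d;
}

int main() {
    for (const auto& f : find_deleted(sample_directory()))
        std::printf("%s first_cluster=%u size=%u\n", f.name.c_str(), f.first_cluster, f.size);
}
```

The entry only preserves the first cluster and the size; the file's cluster chain in the FAT is freed on deletion, so this record alone does not say where data beyond the first cluster lives.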
I need it for my project work and I need to do it urgently, so please, if anyone can help me with it
You need to tell whoever is driving the urgent need that it’s not going to happen. I’m not trying to be a downer or needlessly
critical and no doubt this was not the answer that you’re looking for, but it’s the best advice I can give you, in my opinion.
Whatever the consequences are, they will not improve with the passage of time, unless you can find someone out there who has already
done this, is willing to share it, and that satisfies whatever legal/ethical issues you might fancy. I’ve participated on these
lists for about three years, and as best as I can recall, I’ve never seen any question about anything to do with NTFS internals
answered with anything other than something that boils down to ‘don’t do this’ or just ‘no.’ The information is out there, and I’m
sure you don’t realize that you’re doing this, but basically what you’re asking is for the true handful of people who actually do
work like this (successfully) to hand over work that they earn a living with, and that assumes that they are legally allowed to do
so, which they almost certainly are not.
I’m not clear on whether you are a student or not, but if you are, there’s no way you’ll believe this right now, but despite what
everyone around you with a bunch of letters after their name constantly threatens you with, doing poorly in anything in particular
is of no consequence whatsoever in the big picture, at least in the US; I don’t know how the rest of the world works in this area.
Also, if you’re a student, go to the prof and explain the problem, and ask what he/she thinks you should do - that will get you a C
(again in the US).
If you’re not a student or what I said doesn’t apply to where you’re from, I’m very sorry, but there is no scenario which I can think
of that will work out better by not telling someone that this will not work. If you are unwilling to do that, then I would tell you
to look at the source code for the Linux NTFS driver, because it’s pretty much your only option that I know of at least, and it
won’t even get you in the ballpark because of the time constraint. If this seems like a good idea, think for a minute about the
fact that you can’t seem to find the FAT information yourself either. I don’t mean to be a dick, but you’re not doing yourself any
favors, in my opinion, by not being realistic about that.
Good luck,
mm
xxxxx@hotmail.com wrote:
> I need it for my project work and I need to do it urgently, so please, if anyone can help me with it
> All versions of FAT are documented in fatgen103.docx.
…which contradicts the actual FASTFAT code in some details.
FASTFAT is the ultimate knowledge on FAT.
–
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
Can you supply specifics? I suspect there may be variations such as the
values loaded into the partition table’s CHS info, but mostly I have found
them to be the same. I did use the FASTFAT code along with fatgen103.doc
and earlier versions when I was working on such projects or for my personal
information. The primary documentation for FAT has always been the MS-DOS
source code since that is where it originated. The NT variation allowing
4GB FAT16 and a couple of other things including LFNs were very late in the
DOS (Windows 9x) era. Today any formats must be compatible with Windows,
but I have seen some interesting variations used to support flash memory
cards. Their primary objective was to maintain cluster to flash block
alignment to decrease wear on the flash memory which has a limited lifetime.
“Maxim S. Shatskih” wrote in message
news:xxxxx@ntfsd…
>> All versions of FAT are documented in fatgen103.docx.
>
> …which contradicts the actual FASTFAT code in some details.
>
> FASTFAT is the ultimate knowledge on FAT.
>
> –
> Maxim Shatskih, Windows DDK MVP
> StorageCraft Corporation
> xxxxx@storagecraft.com
> http://www.storagecraft.com
>
>