smstroble Posted April 21, 2007

I had an idea: since I'm kinda bored, I thought it would be cool to create a program for recovering deleted files (yes, I know there are many out there, but most look very questionable). So anyway, I figured I would read the NTFS data in raw and pick out deleted folders in the mess of data. Well, I dumped a portion of my disk to a txt file in raw:

    $file = FileOpen("\\.\C:", 4)
    FileWrite("D:\Test.txt", FileRead($file, 512*1000))

and I got a fair amount of very strange data:

CODE ëRNTFS ø ? ÿ ? ú`b && ö ¾Ñ ß L ú3Àм |û¸ÀØè ¸ À3ÛÆ èS h hjË$ ´Ís¹ÿÿñf¶Æ@f¶Ñâ?÷âÍÀíAf·Éf÷áf£ ôA»ªU$ ÍrûUªu öÁtþ Ãf`f¡ f f; : fj fPSfh > è³ÿ> a ´B$ ôÍfX[fXfXë-f3Òf· f÷ñþÂÊfÐfÁê÷6 Ö$ èÀä Ì¸Í À Àfÿ ÿ oÿfaà øè ûè ûëþ´ð¬< t ´» Íëòà A disk read error occurred NTLDR is missing NTLDR is compressed Press Ctrl+Alt+Del to restart

That bit is right at the start.

CODE ¡ ¢ £ ¤ ¥ ¦ § ¨ © ª « ¬ ÿÿÿ¯ ° ± ² ³ ´ µ ¶ · ¸ ¹ º » ¼ ½ ¾ ¿ À Á Â Ã Ä Å Æ Ç È É Ê Ë Ì Í Î Ï Ð Ñ Ò Ó Ô Õ Ö × ÿÿÿÙ Ú Û Ü Ý Þ ß à á â ã ä å æ ç è é ê ë ì í î ï ð ñ ÿÿÿÿÿÿô õ ö ÷ ø ù ú û ü ý þ ÿ ! " # $ % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ ` a b c d e f g h i j k l m n o p q r s ÿÿÿu v w x y z { | } ~ ¡ ¢ £ ¤ ¥ ¦ § ¨ © ª « ¬ ® ¯ ° ± ² ³ ´ µ ¶ · ¸ ¹ º » ¼ ½ ¾ ¿ À Á Â Ã Ä Å Æ Ç È É Ê Ë Ì Í Î Ï Ð Ñ Ò Ó Ô Õ Ö × Ø Ù Ú Û Ü Ý Þ ß à á â ã ä å æ ç è é ê ë ì í î ï ð ñ ò ó ô õ ö ÷ ø ù ú û ü ý þ ÿ ! " # $ % & ' ( ) * ÿÿÿ, - . / 0 1 2 3 ÿÿÿ5 6 7 8 9 : ; < = > ? @ A B C D E F ÿÿÿH I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ ` a b c d e f g h i j k l m n o p q r s t u v w x y z { | } ~ ¡ ¢ £ ¤ ¥ ¦ § ¨ © ª « ¬ ® ¯ ° ± ² ³ ´ µ ¶ · ¸ ¹ º ÿÿÿ¼ ½ ¾ ¿ À Á ÿÿÿÃ Ä Å Æ Ç È É Ê Ë Ì Í Î Ï Ð Ñ Ò Ó Ô Õ Ö × Ø Ù Ú Û Ü Ý Þ ß ÿÿÿá â ã ä å æ ç ÿÿÿé ê ë ì í î ï ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿö ÷ ø ù ú û ü ý þ ÿ ÿÿÿÿÿÿ ÿÿÿ ! " # $ % & ' ( ) * + , - . / 0 ÿÿÿº4 3 4 5 6 7 8 9 : ; < = > ? @ A B C D ÿÿÿF G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ ` a b c d e f g h ÿÿÿj k l m ÿÿÿo p q r s t u ÿÿÿw x y z { | } ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ ÿÿÿ ¡ ¢ £ ¤ ¥ ¦ § ¨ © ª « ¬ ® ¯ ° ± ² ³ ´ µ ¶ · ¸ ¹ º » ¼ ½ ¾ ¿ ÿÿÿÁ Â Ã Ä Å Æ Ç È É Ê Ë Ì Í Î Ï Ð Ñ Ò Ó Ô Õ Ö × Ø Ù Ú Û Ü Ý Þ ß à á â ã ä å æ ÿÿÿè é ê ÿÿÿì í î ï ð ñ ò ó ô õ ö ÷ ø ù ú û ü ý þ ÿ ÿÿÿ! " # $ % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ ` a b c ÿÿÿe f g h i j k ÿÿÿÿÿÿÿÿÿÿÿÿp ÿÿÿr s ÿÿÿÿÿÿÿÿÿw x ÿÿÿz { | ÿÿÿ~ ÿÿÿÿÿÿ ÿÿÿÿÿÿ ¡ ¢ £ ¤ ¥ ¦ § ¨ © ª ÿÿÿ¬ ® ¯ ° ± ² ³ ´ µ ¶ · ¸ ¹ º » ¼ ÿÿÿ¾ ¿ À Á Â Ã Ä Å Æ Ç È É Ê ÿÿÿÌ Í Î Ï Ð Ñ Ò Ó Ô Õ Ö × Ø Ù Ú Û Ü Ý Þ ß à á â ã ä å æ ç è é ê ë ì í î ï ð ñ ò ó ô õ ö ÷ ø ù ú û ü ý þ ÿ ! " # $ % & ' ( ) * + , - . / 0 ÿÿÿ2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ ` a b c d e f g h i j k l m n o p q r s t u v w x y z { | ÿÿÿ~ ÿÿÿ

This is not far below it. Below that is data, and I can recognize some text and ini files from my drive. I know where they are located (in the file structure) and their file names, but I can't find the file names in the data. I figure I need to find and read the master file table, but I have no clue where it is or how to read it. So if someone could point me in the direction of some helpful information, that would be great. Thanks.
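As an added example (my own Python, not code from this thread and not AutoIt), here is a script that does the two things asked for above: it reads the geometry out of the NTFS boot sector (the block that starts with "ëR", i.e. the boot code's jump instruction, followed by the OEM ID "NTFS") to compute the byte offset of the $MFT, and it parses an MFT record to pull out the $FILE_NAME attribute and the in-use flag, which is what distinguishes a deleted record from a live one. The field offsets are the standard NTFS on-disk layout; the boot sector and MFT records are constructed in memory so the script runs without touching a real volume, and the helper names (build_volume, list_mft and so on) are mine.

```python
"""Locate the NTFS Master File Table from the boot sector and read $FILE_NAME
from MFT records, reporting records whose in-use flag is clear as deleted.

Added example, not code from the original thread. Field offsets follow the
standard NTFS on-disk layout; the volume is constructed in memory (assumption:
a 512-byte sector, 8-sector cluster, 1024-byte MFT record volume).
"""
import struct

BOOT_SECTOR_SIZE = 512
ATTR_FILE_NAME = 0x30
ATTR_END = 0xFFFFFFFF
NAMESPACE_DOS = 2          # 8.3 short name; prefer the Win32/POSIX long name


def parse_boot_sector(sector: bytes) -> dict:
    """Return geometry from the NTFS boot sector: where the $MFT starts and how big a record is."""
    if len(sector) < BOOT_SECTOR_SIZE:
        raise ValueError("need a full 512-byte boot sector")
    if sector[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not NTFS")
    if sector[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    mft_cluster, mftmirr_cluster = struct.unpack_from("<QQ", sector, 0x30)
    clusters_per_record = struct.unpack_from("<b", sector, 0x40)[0]
    cluster_size = bytes_per_sector * sectors_per_cluster
    # A negative value means the record size is 2**|value| bytes (commonly -10 -> 1024).
    record_size = (1 << -clusters_per_record) if clusters_per_record < 0 else clusters_per_record * cluster_size
    return {
        "bytes_per_sector": bytes_per_sector,
        "cluster_size": cluster_size,
        "mft_offset": mft_cluster * cluster_size,
        "mftmirr_offset": mftmirr_cluster * cluster_size,
        "record_size": record_size,
    }


def apply_fixups(record: bytes, bytes_per_sector: int) -> bytes:
    """Undo the update-sequence fixup: NTFS overwrites the last two bytes of every sector
    of a record with the update sequence number and keeps the real bytes in the update
    sequence array. A mismatch means a torn or corrupt record, so refuse to parse it."""
    usa_offset, usa_count = struct.unpack_from("<HH", record, 0x04)
    usn = record[usa_offset:usa_offset + 2]
    buf = bytearray(record)
    for i in range(1, usa_count):
        end = i * bytes_per_sector
        if buf[end - 2:end] != usn:
            raise ValueError("update sequence mismatch in sector %d" % (i - 1))
        buf[end - 2:end] = record[usa_offset + 2 * i:usa_offset + 2 * i + 2]
    return bytes(buf)


def parse_mft_record(record: bytes, bytes_per_sector: int = 512) -> dict:
    """Return in-use/directory flags and the long file name from one MFT record."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT record (signature %r)" % record[:4])
    record = apply_fixups(record, bytes_per_sector)
    first_attr, flags = struct.unpack_from("<HH", record, 0x14)
    info = {"in_use": bool(flags & 0x01), "is_directory": bool(flags & 0x02), "name": None}
    off = first_attr
    while off + 8 <= len(record):
        attr_type, attr_len = struct.unpack_from("<II", record, off)
        if attr_type == ATTR_END or attr_len == 0:
            break
        non_resident = record[off + 8]
        if attr_type == ATTR_FILE_NAME and not non_resident:
            content_len, content_off = struct.unpack_from("<IH", record, off + 0x10)
            body = record[off + content_off:off + content_off + content_len]
            name_len, namespace = body[0x40], body[0x41]
            name = body[0x42:0x42 + 2 * name_len].decode("utf-16-le")
            if namespace != NAMESPACE_DOS or info["name"] is None:
                info["name"] = name
        off += attr_len
    return info


def build_boot_sector(mft_cluster: int, sectors_per_cluster: int = 8) -> bytes:
    """Constructed boot sector with the fields the parser needs (assumption, not a real dump)."""
    s = bytearray(BOOT_SECTOR_SIZE)
    s[0:3] = b"\xEB\x52\x90"                 # jmp short + nop: the 'ëR' at the start of the dump
    s[3:11] = b"NTFS    "
    struct.pack_into("<HB", s, 0x0B, 512, sectors_per_cluster)
    struct.pack_into("<QQ", s, 0x30, mft_cluster, 2)
    struct.pack_into("<b", s, 0x40, -10)     # 2**10 = 1024-byte MFT records
    s[0x1FE:0x200] = b"\x55\xAA"
    return bytes(s)


def build_mft_record(name: str, in_use: bool) -> bytes:
    """Constructed 1024-byte MFT record holding one resident $FILE_NAME attribute."""
    r = bytearray(1024)
    r[0:4] = b"FILE"
    usa_offset, usa_count = 0x30, 3          # USN plus one entry per 512-byte sector
    struct.pack_into("<HH", r, 0x04, usa_offset, usa_count)
    first_attr = 0x38
    struct.pack_into("<HH", r, 0x14, first_attr, 0x01 if in_use else 0x00)
    struct.pack_into("<HHH", r, usa_offset, 0x0001, 0x1234, 0x5678)   # USN, saved sector tails
    encoded = name.encode("utf-16-le")
    content_len = 0x42 + len(encoded)
    attr_len = (0x18 + content_len + 7) & ~7  # attribute lengths are 8-byte aligned
    a = first_attr
    struct.pack_into("<IIBBHHH", r, a, ATTR_FILE_NAME, attr_len, 0, 0, 0, 0, 0)
    struct.pack_into("<IHBx", r, a + 0x10, content_len, 0x18, 1)
    body = a + 0x18
    struct.pack_into("<Q", r, body, 5)        # parent directory: MFT record 5 is the root
    r[body + 0x40] = len(name)
    r[body + 0x41] = 1                        # namespace 1 = Win32 long name
    r[body + 0x42:body + 0x42 + len(encoded)] = encoded
    struct.pack_into("<I", r, a + attr_len, ATTR_END)
    r[510:512] = b"\x01\x00"                  # on-disk form: USN stamped on each sector tail
    r[1022:1024] = b"\x01\x00"
    return bytes(r)


def build_volume() -> bytes:
    """Constructed mini volume: boot sector, then three MFT records at the $MFT offset."""
    boot = build_boot_sector(mft_cluster=4)
    geo = parse_boot_sector(boot)
    vol = bytearray(geo["mft_offset"] + 3 * geo["record_size"])
    vol[:BOOT_SECTOR_SIZE] = boot
    records = [build_mft_record("$MFT", True),
               build_mft_record("notes.ini", True),
               build_mft_record("old_config.ini", False)]   # deleted: in-use flag clear
    for i, rec in enumerate(records):
        start = geo["mft_offset"] + i * geo["record_size"]
        vol[start:start + len(rec)] = rec
    return bytes(vol)


def list_mft(volume: bytes, max_records: int = 64) -> list:
    """Walk the first (contiguous) run of the $MFT and report each record's name and state."""
    geo = parse_boot_sector(volume[:BOOT_SECTOR_SIZE])
    found = []
    for n in range(max_records):
        start = geo["mft_offset"] + n * geo["record_size"]
        rec = volume[start:start + geo["record_size"]]
        if len(rec) < geo["record_size"] or rec[:4] != b"FILE":
            break
        info = parse_mft_record(rec, geo["bytes_per_sector"])
        found.append((n, info["name"], "in use" if info["in_use"] else "DELETED"))
    return found


if __name__ == "__main__":
    for entry in list_mft(build_volume()):
        print("record %d: %-16s %s" % entry)
```

On a real volume the same functions apply to bytes read from \\.\C: (administrator rights, reads in whole sectors) after seeking to mft_offset. Two caveats: only the first run of the $MFT is guaranteed contiguous, and the rest of its extents are in record 0's non-resident $DATA run list, which this example does not decode; and a deleted file's name survives only until NTFS reuses the record, so experiment on an image of the disk rather than the live drive, and never write back to it.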
BrettF Posted April 21, 2007

Wow, smstroble! This sounds awesome! Pity I can't help.
Generator Posted April 21, 2007

(quoting smstroble's post above)

I think what happens is the data cannot be displayed as plain text.
smstroble (Author) Posted April 22, 2007 (edited)

Any data can be seen in plain text as far as I know, though it won't be of any use because it was not meant to be text. Often some more information can be gotten from hex, because pretty much anything that is not standard ASCII is shown as a square or a blank spot. Give me a minute; I'm writing a program to parse some of it into hex for you guys to look at.

Edited April 22, 2007 by smstroble
smstroble (Author) Posted April 22, 2007 (edited)

OK, got some hex. It's everything from the start into a little bit of a strange area, which is shown rather well in the screenshot attached. HEX_Start_of_drive.txt

Edited April 22, 2007 by smstroble
Generator Posted April 22, 2007

(quoting smstroble's reply above)

What I meant was that the data was not supposed to be shown as plain text. Of course you can view anything with Notepad, but it won't show anything helpful. Sidenote: I am not good at this, but maybe you can look up some method in Google and see how it works.
smstroble (Author) Posted April 22, 2007 (edited)

I have been looking around Google for a couple of hours now; I'm starting to think that this may be way over my abilities. I'm having trouble finding anything on the NTFS file system other than, in general, how it's set up, nothing specific enough to work with. I think I'm going to have to look at the source of another undelete program, but that hasn't been terribly easy to find either.

EDIT: Ha! I think I found something: http://www.ntfs.com/disk-scan.htm

Edited April 22, 2007 by smstroble
Confuzzled Posted April 22, 2007

You are going to have to peek quite low down in the NTFS subroutines to get to where you want. For a bit of background, why not get one of the older versions of Norton Utilities for DOS (over 10 years old) and read how the partition table, boot sector, FAT table and directory/folder structures are constructed for a FAT system, and work your way up from there. As additional useful reading, you may find open source code for drivers that mount NTFS drives under Linux. Somehow I strongly suspect AutoIt is not the appropriate language to be using to do this type of work. As your knowledge increases, you will come to understand why...
smstroble (Author) Posted April 22, 2007 (edited)

Thanks for the advice. Looks like this is going to take a lot of work; sounds like a project for this summer, along with learning C++. Even if AutoIt is not a good language for this, I think it would still be interesting to make one in AutoIt, if possible, even if it was as slow as can be.

Edited April 22, 2007 by smstroble
gingerbloke Posted November 9, 2009

smstroble, just seen your post whilst browsing; hope you have not given up on your project, because you're on the right track.

This text:
-------------------------------------------------------------------------------------------------
ëRNTFS ø ? ÿ ? ú`b && ö ¾Ñ ß L ú3Àм |û¸ÀØè ¸ À3ÛÆ èS h hjË$ ´Ís¹ÿÿñf¶Æ@f¶Ñâ?÷âÍÀíAf·Éf÷áf£ ôA»ªU$ ÍrûUªu öÁtþ Ãf`f¡ f f; : fj fPSfh > è³ÿ> a ´B$ ôÍfX[fXfXë-f3Òf· f÷ñþÂÊfÐfÁê÷6 Ö$ èÀä Ì¸Í À Àfÿ ÿ oÿfaà øè ûè ûëþ´ð¬< t ´» Íëòà A disk read error occurred NTLDR is missing NTLDR is compressed Press Ctrl+Alt+Del to restart
-------------------------------------------------------------------------------------------------
is the start of your drive, identifying the file format as NTFS and, later, giving the text error messages that it may need to display. The information in between is all machine code, and you are right that it is best viewed in hex.

Without going into too much detail (it gets boring after a bit), for doing data recovery you either need to search for a given file type's signature (i.e. JPEG = YoYa, EXE = MZ) and then extract that data to another file, or, if your intention is to repair a corrupted drive, then you read the Master File Table and work out where the partition locations are and write that data back to the drive. If you have a look in data recovery books or on forensic forums, they are a great help.

Question: have you worked out how to write the data back to the drive at the location it was copied from?

Gingerbloke
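gingerbloke's first option, signature carving, as an added Python example (my own code, not from the thread; the sample "disk" is constructed inline and the helper names are mine). It scans a raw byte buffer for known headers, cuts each candidate out at its footer, and rejects bare MZ matches that do not point at a "PE\0\0" header, because two bytes of magic on their own match far too often in a disk dump to be worth writing out.

```python
"""Signature-based carving over a raw byte stream.

Added example, not code from the original thread. The magic values are the
standard ones (JPEG FF D8 FF / FF D9, PNG 89 50 4E 47 ... IEND, PE 'MZ' with an
e_lfanew pointer to 'PE\0\0'); the sample buffer below is constructed, not a dump.
"""
import struct


def _looks_like_pe(blob: bytes) -> bool:
    """'MZ' alone is two bytes and matches constantly; require the PE header it points to."""
    if len(blob) < 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return 0x40 <= e_lfanew < len(blob) - 4 and blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# name, header, footer (None = no footer, carve a fixed-size window), max size, validator
SIGNATURES = [
    ("jpeg", b"\xFF\xD8\xFF", b"\xFF\xD9", 4 * 1024 * 1024, None),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xAE\x42\x60\x82", 4 * 1024 * 1024, None),
    ("pe", b"MZ", None, 64 * 1024, _looks_like_pe),
]


def carve(data: bytes, signatures=SIGNATURES) -> list:
    """Return (type, offset, length, bytes) for every header whose footer or validator checks out.

    Headers without a footer inside the size cap are skipped: a lone header is not enough
    evidence of a file, and writing it out would just produce truncated junk.
    """
    hits = []
    for name, head, tail, cap, validator in signatures:
        start = data.find(head)
        while start != -1:
            window = data[start:start + cap]
            if tail is None:
                end = start + len(window)
            else:
                t = window.find(tail, len(head))
                end = start + t + len(tail) if t != -1 else None
            if end is not None and (validator is None or validator(data[start:end])):
                hits.append((name, start, end - start, data[start:end]))
            start = data.find(head, start + 1)
    return sorted(hits, key=lambda h: h[1])


def build_sample_disk() -> bytes:
    """Constructed raw stream: padding, a minimal JPEG, slack, a minimal PE, and a decoy 'MZ'."""
    jpeg = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x00" * 40 + b"\xFF\xD9"
    pe = bytearray(0x100)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)     # e_lfanew -> PE header at 0x80
    pe[0x80:0x84] = b"PE\x00\x00"
    decoy = b"MZ not really a program"          # bare MZ with no PE header: must be rejected
    return (b"\x00" * 100 + jpeg + b"\xFF" * 50 + bytes(pe)
            + b"\x00" * 20 + decoy + b"\x00" * 100)


if __name__ == "__main__":
    for kind, offset, length, _blob in carve(build_sample_disk()):
        print("%-5s at offset %6d, %d bytes" % (kind, offset, length))
```

To run this against the raw dump from the first post, pass the file's bytes to carve() and write each blob out under its type and offset. The PE case carves a fixed window because the real size has to be computed from the section table, which this example does not parse; JPEG thumbnails embedded in a larger JPEG will also surface as their own hit, so expect some overlapping results on real data.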