Spelunking the places where files are not
Fred Cisin
cisin at xenosoft.com
Mon Mar 8 13:56:46 CST 2021
On Mon, 8 Mar 2021, John Foust via cctalk wrote:
> I'm familiar with the various undelete tools for Windows and Linux.
> Such tools may not exist or make sense for older file systems.
Windows/MS-DOS was certainly not unique nor original in marking file
primary directory entries (FPDE) as deleted, without removing all traces.
CP/M, for instance maintains most of the FPDE. Look in the directory
sectors for entries starting with 00 or E5.
UCSD P-System is easy, until the disk has been CRUNCH'ed.
> Entire files would be great to find, but I suspect interesting
> fragments may be more likely.
AS Chuck pointed out, when a file does not fill the remaining space in the
last block that is allocated to it, that space MIGHT contaian residual
content from previous use. Yes, the OS will usually write complete
sectors (may or may not contain unused portion of sector buffer content!),
and overwrite the rest of the last SECTOR, but it is unlikely to clear out
the unused sectors in that last block.
> Running a Windows-based tool like Recuva on a hard drive leads
> to such a firehose of fragments if you choose the deep scan that
> examines all unused blocks. I've only tried the free version.
> Does the pro version give you a way to exclude all the dozens
> of OS file types that are probably not the user-made files
> that you want?
I'd recommend a two stage process. Make files out of all of those
fragments. THEN, use other tools to select which of those fragments
contain the type of content that you are looking for. On something as
small as a floppy, of course, a human is cost effective.
> And for the archaic disk formats, it would be good to have
> platform-specific methods of identifying fragments to guess
> their file type beyond executable and ASCII. Older run-length
> compression image formats may be more possible to recover than
> today's block-compressed images.
PROJECT: Create a program that will take a list of files, and partial
files, and for each one, identify the file type, and attempt to display
the content. There are thousands of file formats to implement.
Knowledge of those file formats, and especially their headers, is
essential.
Obviously, file headers and beginnings of files may be easier to identify
than random pieces from the middle.
For example, in MS-DOS/Windoze, a file that starts with "MZ" (Mark
Zbikowski) is almost always an .EXE file.
Fortunately, most of the older file formats were simpler, and word
processing files had lots of text strings in them.
--
Grumpy Ol' Fred cisin at xenosoft.com
More information about the cctech
mailing list