Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!wuarchive!brutus.cs.uiuc.edu!ginosko!aplcen!haven!uvaarpa!mcnc!ncsuvx!shumv1!unkydave From: unkydave@shumv1.uucp (David Bank) Newsgroups: comp.sys.ibm.pc Subject: Re: Recovery of deleted files, help!!! Message-ID: <4331@ncsuvx.ncsu.edu> Date: 27 Oct 89 05:24:12 GMT References: <36440001@hpindwa.HP.COM> Sender: news@ncsuvx.ncsu.edu Reply-To: unkydave@shumv1.ncsu.edu (David Bank) Organization: NCSU Computing Center Lines: 85 In article <36440001@hpindwa.HP.COM> owenc@hpindwa.HP.COM (Owen Cheung) writes: > >A friend of mine accidentially deleted some important files from his floppy. >Does anybody know any way of recovering these files? I don't know how the >MS-DOS file system works, but some of the other file systems that I know >only marks a bit in the directory when a file is deleted. Thus, if someone >knows how the file directory is structured, it would be very easy to >reset that bit and recover that file. Does the MS-DOS file system works >the same way? Does anybody know any public domain or commercial programs >that can recover deleted files? Any help is appreciated. > > >Owen Relax. Help is as near as your corner software store. First things first. Slap a write-protect on that floppy until you get the recover software. Whatever you do, DO NOT write to it. Now, the following info comes straight from IBM's DOS Technical Reference Manual: All directory entries are 32 bytes long and have the following format: BYTES 0-7 - Represent the filename. The first byte indicates the status of the file, as delineated below 00h - Filename that is never used for performance reasons (limits the length of directory searches) 05h - Indicates that the first character of the filename actually has the E5h character E5h - The filename was used, but has been erased (aha!) 2Eh - The entry is for a directory. If the second byte is 2Eh, the cluster field contains the cluster # of the parent directory (0h if the parent directory is the root) Any other character - First byte of a filename BYTES 8-10 Indicate the filename extension. BYTE 11 - File attribute byte. You don't want me to Post all that info BYTES 12-21 - RESERVED FOR DOS (We're using it, but we won't tell you what for) BYTES 22-23 - Time and date of creation Now, when you tell DOS to "Erase" or "Delete" a file, it does not (as you know) actually destroy the data in the file. Instead, it changes the first character of the filename to E5 (hex) which tells DOS the file is deleted. It also marks the space in the FAT as unallocated and available for use. How do you recover this?? Well, NORTON UTILITIES offers several file recover tools in just about every version he's put out. PCTools does so as well. And I understand that Paul Mace puts in his $0.02. DOS's RECOVER.COM allegedly can recover deleted files, but I wouldn't trust it as far as I could throw a transfer truck. Use something you know'll work and not that pathetic utility. PC Magazine's DOS Powertools also offers an undelete utility. And I;d be surprised if there aren't a few out there in the public domain that work just as well. The biggest thing is that you not write to that disk AT ALL until you have recovered those files. Any writing you do can and will destroy data that was "erased" Slap a write-protect on that puppy, hurry down to your local dealer, grab Norton or PCTools or Paul Mace or DOS Powertools and scurry on back, read the instructions, and recover those files. The data's there if you haven't overwritten it. Oh, yeah...make some backups. :-) Ooopps...almost forgot. Run back down to the store and pay them and explain why you left in such a rush with their software package........ Unky Dave unkydave@shumv1.ncsu.edu