Using the Norton Disk Editor


In my PC Hardware (Upgrading and Repairing) and Data Recovery/Computer Forensics seminars, I frequently use the Norton Disk Editor, an often-neglected program that's part of the Norton Utilities and Norton SystemWorks, to explore drives. I also use Disk Editor to retrieve lost data. Because Disk Editor is a manual tool, it can sometimes be useful even when friendlier automatic programs don't work correctly or are unavailable. For example, in physical sector mode, Disk Editor can be used with any drive regardless of what file system was used, since at that level it is working underneath the OS. Additionally, because Disk Editor displays the structure of your drive in a way other programs don't, it's a perfect tool for learning more about disk drive structures as well as recovering lost data. This section discusses two of the simpler procedures you can perform with Disk Editor:

  • Undeleting a file on a floppy disk

  • Copying a deleted file on a hard disk to a different drive

If you have Norton SystemWorks, SystemWorks Professional, or Norton Utilities for Windows, you have Norton Disk Editor. To determine whether it's installed on your system, look in the Norton Utilities folder under the Program Files folder for the following files: DISKEDIT.EXE and DISKEDIT.HLP.

If you don't find these files on your hard disk, you can run them directly from the Norton installation CD. If you have SystemWorks or SystemWorks Professional, look for the CD folder called \NU to locate these files.

Disk Edit is a command prompt program designed primarily to access FAT-based file systems such as FAT12 (floppy disks), FAT16 (MS-DOS and early Windows 95 hard disks), and FAT32 (Windows 95B/Windows 98/Me hard disks). You can use Disk Edit with Windows NT, Windows 2000, and Windows XP if you prepared the hard disks with the FAT16 or FAT32 file systems. Disk Edit will also work on NTFS volumes; however, in that case it can only be used in physical sector mode.

I strongly recommend that you first use Disk Editor with floppy disks you have prepared with noncritical files before you use it with a hard disk or vital files. Because Disk Editor is a completely manual program, the opportunities for error are high.

The Disk Edit files can easily fit on a floppy disk, but if you are new to the program, you might want to put them on a different drive from one you will be examining or repairing. Never copy Disk Edit files (or any other data recovery program) to a drive that contains data you are trying to recover because the files might overwrite the data area and destroy the files you want to retrieve. For example, if you are planning to examine or repair floppy disks, create a folder on your hard disk called Disk Edit and copy the files to that folder.

You can use Disk Editor without a mouse by using keyboard commands, but if you want to use it with a mouse, you can do so if your mouse attaches to the serial or PS/2 mouse ports (USB mice generally don't work from the command prompt, but if your USB mouse has a PS/2 mouse port adapter, you can use it by plugging the mouse and adapter into the PS/2 port). You must load an MS-DOS mouse driver (usually MOUSE.COM) for your mouse before you start Disk Editor. If you have a Logitech mouse, you can download an MS-DOS mouse driver from the Logitech website. If you have a Microsoft mouse, Microsoft doesn't provide MS-DOS drivers you can download, but you can get them from the following website:

http://www.bootdisk.com/readme.htm#mouse

For other mice, try the Microsoft or Logitech drivers, or contact the vendor for drivers. Keep in mind that scroll wheels and other buttons won't work with an MS-DOS driver. I recommend you copy your mouse driver to the same folder in which Disk Editor is located.

Using Disk Editor to Examine a Drive

To start Disk Editor:

1. Boot the computer to a command prompt (not Windows); Disk Editor needs exclusive access to the drives you plan to examine. If you use Windows 9x, press F8 or Ctrl to bring up the startup menu and select Safe Mode Command Prompt, or use the Windows 9x/Me Emergency Startup disk (make one with Add/Remove Programs). If you use Windows 2000 or XP, insert a blank floppy disk into drive A:, right-click drive A: in My Computer, and select Format. Select the Create an MS-DOS Startup Disk option and use this disk to start your computer.

2. Change to the folder containing your mouse driver and Disk Editor.

3. Type MOUSE (or the correct name of your mouse driver, if it isn't called MOUSE.COM or MOUSE.EXE) and press Enter to load the mouse driver.

4. Type DISKEDIT and press Enter to start the program. If you don't specify a drive, Disk Editor scans the drive on which it's installed. If you are using it to work with a floppy disk, enter the command DISKEDIT A: to direct it to scan your floppy disk. Disk Editor scans your drive to determine the location of files and folders on the disk.

5. The first time you run Disk Editor, a prompt appears to remind you that Disk Editor runs in read-only mode until you change its configuration through the Tools menu. Click OK to continue.

After Disk Editor has started, you can switch to the drive you want to examine or recover data from. To change to a different drive, follow these steps:

1. Press Alt+O to open the Object menu.

2. Select Drive.

3. Select the drive you want to examine from the Logical Disks menu.

4. The disk structure is scanned and displayed in the Disk Editor window.

Disk Editor normally starts in Directory mode, but you can change it to other modes with the View menu. When you view a drive containing data in Directory mode, you will see a listing similar to the one shown in Figure 11.1.

Figure 11.1. The Norton Disk Editor directory view of a typical floppy disk.

The Name column lists the names of the directory entries, and the .EXT column lists the file/folder extensions (if any). The ID column lists the type of directory entry, including

  • Dir. A directory (folder).

  • File. A data file.

  • LFN. A portion of a Windows long filename. Windows stores the start of the LFN before the actual filename. If the LFN is longer than 13 characters, one or more additional directory entries are used to store the rest of the LFN.

The next three columns list the file size, date, and time.

The Cluster column indicates the cluster in which the first portion of the file is located. Drives are divided into clusters or allocation units when they are formatted, and a cluster (allocation unit) is the smallest unit that can be used to store a file. Cluster sizes vary with the size of the drive and the file system used to format the drive.

The letters A, R, S, H, D, and V refer to attributes for each directory entry. A (archive) means the file hasn't been backed up since it was last modified. R is used to indicate that the directory entry is read-only, and S indicates that the directory entry has the System attribute. H indicates that the directory entry has the Hidden attribute, whereas D indicates that the entry is a directory. Finally, V is the attribute for an LFN entry.

The file VERISI~1.GIF (highlighted in black near the bottom of Figure 11.1) is interesting for several reasons. The tilde (~) and number at the end of the filename indicate that the file was created with a 32-bit version of Windows. 32-bit versions of Windows (Windows 9x/Me, 2000, and XP) allow the user to save a file with a long (more than eight characters) filename (plus the three-character file extension such as .EXE, .BMP, or .GIF). In addition, long filenames can have spaces and other characters not allowed by earlier versions of Windows and MS-DOS. The process used by various versions of Windows to create LFN entries is discussed in Chapter 10, in the section called "VFAT and Long Filenames."

When you view the file in Windows Explorer or My Computer, you see the long filename. To see the DOS alias name within the Windows GUI, right-click the file and select Properties from My Computer or Windows Explorer. Or, you can use the DIR command in a command-prompt window. The LFN is stored as one or more separate directory entries just before the DOS alias name. Because the actual long name for VERISI~1.GIF (Verisignsealtrans.gif) is 21 characters, two additional directory entries are required to store the long filename (each directory entry can store up to 13 characters of an LFN), as shown in Figure 11.1.

Determining the Number of Clusters Used by a File

As discussed earlier in this chapter, an area of the disk called the file allocation table stores the starting location of the file and each additional cluster used to store the file. VERISI~1.GIF starts at cluster 632. Clusters are the smallest disk structures used to store files, and they vary in size depending on the file system used to create the disk on which the files are stored and on the size of the drive. In this case, the file is stored on a 1.44MB floppy disk, which has a cluster size of 512 bytes (one sector). The cluster size of the drive is very important to know if you want to retrieve data using Disk Editor.

To determine the cluster size of a drive, you can open a command-prompt window and run CHKDSK C: to display the allocation unit size (cluster size) and other statistics about the specified drive.

To determine how many clusters are used to store a file, look at the size of the file and compare it to the cluster size of the drive on which it's stored. The file VERISI~1.GIF contains 6,006 bytes. Because this file is stored on a floppy disk that has a cluster size of 512 bytes, the file must occupy several clusters. How many clusters does it occupy? To determine this, divide the file size by the cluster size and round the result up to the next whole number. The math is shown in Table 11.2.

Table 11.2. Determining the Number of Clusters Used by a File

  File Size (FS) of VERISI~1.GIF   Cluster Size (CS)   Result of (FS) Divided by (CS) Equals (CR)   (CR) Rounded Up to Next Whole Number
  6,006                            512                 11.73046875                                  12


From these calculations, you can see that VERISI~1.GIF uses 12 clusters on the floppy disk; it would use fewer clusters on a FAT16 or FAT32 hard disk (the exact number depends on the file system and size of the hard disk). The more clusters a file contains, the greater the risk is that some of its data area could be overwritten by newer data if the file is deleted. Consequently, if you need to undelete a file that was not sent to the Windows Recycle Bin or was deleted from a removable-media drive or floppy drive (these types of drives don't support the Recycle Bin), the sooner you attempt to undelete the file, the more likely it is that you can retrieve the data.

The normal directory display in Norton Disk Editor shows the starting cluster (632) for VERISI~1.GIF. If a file is stored on a drive with a lot of empty space, the remainder of the clusters will probably immediately follow the first two; a badly fragmented drive might use noncontiguous clusters to store the rest of the file. Because performing data recovery when the clusters are contiguous is much easier, I strongly recommend that you defragment your drives frequently.

To see the remainder of the clusters used by a file, move the cursor to the file, press Alt+L or click the Link menu, and select Cluster Chain (FAT); you can also press Ctrl+T to go directly to this view. The screen changes to show the clusters as listed in the FAT for this file, as shown in Figure 11.2. The clusters used by the file are highlighted in red, and the filename is shown at the bottom of the screen. The symbol <EOF> stands for end of file, indicating the last cluster in the file.

Figure 11.2. The FAT view of VERISI~1.GIF. All its clusters are contiguous.

How the Operating System Marks a File When It Is Deleted

If a file (VERISI~1.GIF, in this example) is deleted, the following changes happen to the disk where the file is stored, as shown in Figure 11.3:

  • The default directory view shows that the first character of the filename (V) has been replaced with a σ (lowercase sigma) character.

  • There are now two new types of entries in the ID column for this file and its associated LFN:

    • Erased. An erased file

    • Del LFN. An LFN belonging to an erased file

Figure 11.3. The Directory view after VERISI~1.GIF has been deleted.

Note also that the beginning cluster (632) is still shown in the Cluster column.

Zeroes have also replaced the entries for the cluster locations after the beginning cluster in the FAT. This indicates to the operating system that these clusters are now available for reuse. Thus, if an undelete process is not started immediately, some or all of the clusters could be overwritten by new data. Because the file in question is a GIF graphics file, the loss of even one cluster will destroy the file.

As you can see from analyzing the file-deletion process, the undelete process involves four steps:

  • Restoring the original filename

  • Locating the clusters used by the file

  • Re-creating the FAT entries for the file

  • Relinking the LFN entries for the file to the file

Of these four, the most critical are locating the clusters used by the file and re-creating the FAT entries for the file. However, if the file is a program file, restoring the original name is a must for proper program operation (assuming the program can't be reloaded), and restoring the LFN entries enables a Windows user accustomed to long filenames to more easily use the file.
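The deletion and undelete steps described above, and the cluster arithmetic from Table 11.2, as an added example that is not part of the book or of the Norton software: a constructed in-memory FAT12 model in which DOS-style deletion tags the directory entry with 0xE5 (the byte Disk Editor displays as σ) and zeroes the FAT chain, and the manual undelete restores the first letter, assumes the file was unfragmented, and re-links the clusters through to an end-of-chain marker. The cluster numbers, file size, and GIF89a signature follow the chapter's VERISI~1.GIF example; the FAT contents, payload bytes, and helper names (fat12_get, fat12_set, dos_delete, undelete) are assumptions made here.

```python
# Added example (not from the book or Norton): constructed FAT12 model of
# file deletion and manual undelete. Nothing here touches a real disk.
import struct

SECTOR = 512                  # 1.44MB floppy: one 512-byte sector per cluster
EOC = 0xFFF                   # FAT12 end-of-chain value (Disk Editor shows <EOF>)
DELETED = 0xE5                # first byte of an erased entry (sigma in code page 437)
DIR_ENTRY = struct.Struct("<8s3sBBBHHHHHHHI")   # 32-byte FAT directory entry


def clusters_needed(file_size, cluster_size):
    """Table 11.2: file size divided by cluster size, rounded up."""
    return -(-file_size // cluster_size)


def fat12_get(fat, n):
    """Read 12-bit FAT entry n (entries are packed 1.5 bytes apart)."""
    off = n + n // 2
    word = fat[off] | (fat[off + 1] << 8)
    return word & 0x0FFF if n % 2 == 0 else word >> 4


def fat12_set(fat, n, value):
    """Write 12-bit FAT entry n without disturbing its packed neighbour."""
    off = n + n // 2
    if n % 2 == 0:
        fat[off] = value & 0xFF
        fat[off + 1] = (fat[off + 1] & 0xF0) | ((value >> 8) & 0x0F)
    else:
        fat[off] = (fat[off] & 0x0F) | ((value & 0x0F) << 4)
        fat[off + 1] = (value >> 4) & 0xFF


def read_chain(fat, first):
    """Follow the FAT from `first` until a free (0) or end-of-chain entry."""
    chain, c = [], first
    while 0x002 <= c <= 0xFEF and len(chain) < 4096:   # data-cluster range; loop guard
        chain.append(c)
        c = fat12_get(fat, c)
    return chain


def link_contiguous(fat, first, count):
    """Write first -> first+1 -> ... -> EOC, what step 9 of the undelete does by hand."""
    for c in range(first, first + count - 1):
        fat12_set(fat, c, c + 1)
    fat12_set(fat, first + count - 1, EOC)


def make_dir_entry(name, ext, first_cluster, size):
    """Pack a short-name entry: archive attribute set, timestamps left zero."""
    return DIR_ENTRY.pack(name.ljust(8).encode("ascii"), ext.ljust(3).encode("ascii"),
                          0x20, 0, 0, 0, 0, 0, 0, 0, 0, first_cluster, size)


def dos_delete(fat, entry):
    """What DEL does: tag the entry with 0xE5 and zero every FAT entry of the
    chain. The data clusters themselves are left untouched."""
    first = struct.unpack_from("<H", entry, 26)[0]
    for c in read_chain(fat, first):
        fat12_set(fat, c, 0)
    return bytes([DELETED]) + entry[1:]


def undelete(fat, entry, first_letter, cluster_size=SECTOR):
    """Manual undelete: restore the first character, assume the file was
    unfragmented, and refuse if any assumed cluster has already been reused."""
    first = struct.unpack_from("<H", entry, 26)[0]
    size = struct.unpack_from("<I", entry, 28)[0]
    count = clusters_needed(size, cluster_size)
    for c in range(first, first + count):
        if fat12_get(fat, c) != 0:
            raise ValueError(f"cluster {c} is allocated; file fragmented or overwritten")
    link_contiguous(fat, first, count)
    return first_letter.encode("ascii") + entry[1:]


def demo():
    """Delete and recover a constructed 6,006-byte GIF stored at cluster 632."""
    fat = bytearray(9 * SECTOR)            # 9 sectors per FAT on a 1.44MB floppy
    fat12_set(fat, 0, 0xFF0)               # media descriptor entries
    fat12_set(fat, 1, EOC)
    data = bytearray(2880 * SECTOR)        # whole data area, addressed from cluster 2
    first, size = 632, 6006
    payload = (b"GIF89a" + bytes(range(256)) * 24)[:size]   # constructed GIF-like bytes
    data[(first - 2) * SECTOR:(first - 2) * SECTOR + size] = payload
    link_contiguous(fat, first, clusters_needed(size, SECTOR))
    entry = make_dir_entry("VERISI~1", "GIF", first, size)

    erased = dos_delete(fat, entry)
    chain_after_delete = read_chain(fat, first)      # only the start cluster survives

    restored = undelete(fat, erased, "V")
    chain_after_undelete = read_chain(fat, first)
    return {
        "deleted_marker": erased[0],
        "chain_after_delete": chain_after_delete,
        "restored_name": restored[:8],
        "chain_after_undelete": chain_after_undelete,
        "signature": bytes(data[(first - 2) * SECTOR:(first - 2) * SECTOR + 6]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The allocation check in undelete() is the programmatic form of step 6 in the procedure below: if any of the 12 clusters the file should occupy no longer reads as zero in the FAT, another file has claimed it and the contiguous-chain assumption no longer holds.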

If you want to make these changes to the original disk, Disk Editor must be configured to work in Read-Write mode.

To change to Read-Write mode, follow these steps:

1. Press Alt+T to open the Tools menu.

2. Press N to open the Configuration dialog box.

3. Press the spacebar to clear the check mark in the Read Only option box.

4. Press the Tab key until the Save box is highlighted.

5. Press Enter to save the changes and return to the main display.

Caution

As a precaution, I recommend that you use DISKCOPY to make an exact sector-by-sector copy of a floppy disk before you perform data recovery on it, and you should work with the copy of the disk, not the original. By working with a copy, you keep the original safe from any problems you might have; plus, you can make another copy if you need to.


After you change to Read-Write mode, Disk Editor stays in this mode and uses Read-Write mode every time you use it. To change back to Read-Only mode, repeat the previously listed steps but check the Read-Only box. If you are using Disk Editor in Read-Write mode, you will see the message Drive x is Locked when you scan a drive.

Undeleting an Erased File

After you have configured Disk Editor to work in Read-Write mode, you can use it to undelete a file.

To recover an erased file, follow this procedure:

1. Change to the folder containing the erased file: highlight the folder and press Enter. In this example, you will recover the erased file VERISI~1.GIF.

2. Place the cursor under the lowercase sigma symbol and enter a letter to rename the file.

3. If the keyboard is in Insert mode, the lowercase sigma will move to the right; press the Delete key to delete this symbol.

4. This restores the filename, but even though the ID changes from Erased to File, this does not complete the file-retrieval process. You must now find the rest of the clusters used by the file. To the right of the filename, the first cluster used by the file is listed.

5. To go to the next cluster used by the file, press Ctrl+T to open the Cluster Chain command. Because you changed the name of the file, you are prompted to write the changes to the disk before you can continue. Press W or click Write to save the changes and continue.

6. Disk Editor moves to the first cluster used by the deleted file. Instead of cluster numbers, as shown earlier in Figure 11.2, each cluster contains a zero (0). Because this file uses 12 clusters, there should be 12 contiguous clusters that have been zeroed out if the file is unfragmented.

7. To determine whether these are the correct clusters for the file, press Alt+O or click Object to open the Object menu. Press C to open the Cluster dialog box (or press Alt+C to go to the Cluster dialog box). Enter the starting cluster number (632 in this example) and the ending cluster number (644 in this example). Click OK to display these clusters.

Disk Editor automatically switches to the best view for the specified object, and in this case, the best view is the Hex view (see Figure 11.4). Note that the first entry in cluster 632 is GIF89a (as shown in the right column). Because the deleted file is a GIF file, this is what we expected. Also, a GIF file is a binary graphics file, so the rest of the information in the specified sectors should not be human-readable. Note that the end of the file is indicated by a series of 0s in several disk sectors before another file starts.

Figure 11.4. The start and end of the file VERISI~1.GIF.

Because the area occupied by the empty clusters (632 through 644) contains binary data starting with GIF89a, you can feel confident that these clusters contain the data you need.

8. To return to the FAT to fill in the cluster numbers for the file, open the Object menu and select Directory. The current directory is selected, so click OK.

9. Move the cursor down to the entry for VERISI~1.GIF, open the Link menu, and click Cluster Chain (FAT). The Cluster Chain refers to the clusters after the initial cluster (632); enter 633 in the first empty field, and continue until you enter 643 and place the cursor in the last empty field. This field needs to have the <EOF> marker placed in it to indicate the end of the file. Press Alt+E to open the Edit menu and select Mark (or press Ctrl+B). Open the Edit menu again and select Fill. Then, select End of File from the menu and click OK. Refer to Figure 11.2 to see how the FAT looks after these changes have been made.

10. To save the changes to the FAT, open the Edit menu again and select Write. When prompted to save the changes, click Write; then click Rescan the Disk.

11. To return to Directory view, open the Object menu and select Directory. Click OK.

12. The LFN entries directly above the VERISI~1.GIF file are still listed as Del LFN. To reconnect them to VERISI~1.GIF, select the first one (verisignsealt), open the Tools menu (press Alt+T), and select Attach LFN. Click Yes when prompted. Repeat the process for rans.gif.

13. To verify that the file has been undeleted successfully, exit Disk Editor and open the file in a compatible program. If you have correctly located the clusters and linked them, the file will open.

As you can see, this is a long process, but it is essentially the same process that a program such as Norton UnErase performs automatically. However, Disk Editor can perform these tasks on all types of disks that use FAT file systems, including those that use non-DOS operating systems; it's a favorite of advanced Linux users.

Retrieving a File from a Hard Disk or Flash Memory Card

What should you do if you need to retrieve an erased file from the hard disk or a flash memory card? It's safer to write the retrieved file to another disk (preferably a floppy disk if the file is small enough) or to a different drive letter on the hard disk. You can also perform this task with Disk Editor.

Tip

If you want to recover data from a hard disk and copy the data to another location, set Disk Editor back to its default Read-Only mode to avoid making any accidental changes to the hard disk. If you use Disk Editor in a multitasking environment such as Windows, it defaults to Read-Only mode.


The process of locating the file is the same as that described earlier:

1. Determine the cluster (allocation unit) size of the drive on which the file is located.

2. Run Disk Editor to view the name of the erased file and determine which clusters contain the file data.

However, you don't need to restore the filename because you will be copying the file to another drive.

The clusters will be copied to another file, so it's helpful to use the Object menu to look at the clusters and ensure that they contain the necessary data. To view the data stored in the cluster range, open the Object menu, select Cluster, and enter the range of clusters that the cluster chain command indicates should contain the data. In some cases, the first cluster of a particular file indicates the file type. For example, a GIF file has GIF89a at the start of the file, whereas a WordPerfect document has WPC at the start of the file.

Tip

Use Norton Disk Editor to view the starting and ending clusters of various types of files you create before you try to recover those types of files. This is particularly important if you want to recover files from formatted media. You might consider creating a database of the hex characters found at the beginning and ending of the major file types you want to recover.


If you are trying to recover a file that contains text, such as a Microsoft Word or WordPerfect file, you can switch Disk Edit into different view modes. To see text, press F3 to switch to Text view. However, to determine where a file starts or ends, use Hex mode (press F2 to switch to this mode). Figure 11.5 shows the start of a Microsoft Word file in Text format and the end of the file in Hex format.

Figure 11.5. Scrolling through an erased file with Disk Editor.

To copy the contents of these clusters to a file safely, you should specify the sectors that contain the file. The top of the Disk Editor display shows the sector number as well as the cluster number. For example, the file shown in Figure 11.5 starts at cluster 75207, which is also sector 608470. The end of the file is located in sector 608503.

To write these sectors to a new file, do the following:

1. Open the Object menu.

2. Select Sector.

3. Specify the starting and ending sectors.

4. Click OK.

5. Scroll through the sectors to verify that they contain the correct data.

6. Open the Tools menu.

7. Click Write Object To.

8. Click To a File.

9. Click the drive on which you want to write the data.

10. Specify a DOS-type filename (8 characters plus a 3-character extension); you can rename the file to a long filename after you exit Disk Edit.

11. Click OK, and then click Yes to write the file. A status bar appears as the sectors are copied to the file.

12. Exit Disk Edit and open the file in a compatible program. If the file contains the correct data, you're finished. If not, you might have specified incorrect sectors or the file might be fragmented.
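The cluster-to-sector mapping that the Disk Editor display shows at the top of the screen, the file-signature check suggested in the Tip above, and the write-out procedure just listed, as an added example that is not part of the book or of the Norton software. The sector of a data cluster is the first data sector of the volume (reserved sectors, plus all copies of the FAT, plus the root directory on FAT12/FAT16) plus (cluster number minus 2) times sectors per cluster. The BIOS Parameter Block values, image contents, and signature table here are constructed; the chapter does not give the real drive's parameters, and the FAT32-style values in the test (32 reserved sectors, two FATs of 3,399 sectors, 8 sectors per cluster) were chosen only because they reproduce the chapter's mapping of cluster 75207 to sector 608470. Function names (Volume, recover_cluster_range, write_recovered) are assumptions made here.

```python
# Added example (not from the book or Norton): cluster-to-sector arithmetic,
# carving a sector range from a raw image, and signature-checking the result
# before writing it to a file on another drive. All inputs are constructed.
import os
import tempfile

# Signatures collected the way the tip suggests (a hypothetical subset).
SIGNATURES = {
    b"GIF89a": "GIF image",
    b"GIF87a": "GIF image",
    b"\xFFWPC": "WordPerfect document",   # the chapter describes this as "WPC" at file start
    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1": "OLE compound document (Word 97-2003 .doc)",
}


class Volume:
    """The BPB fields needed to turn a cluster number into an absolute sector."""

    def __init__(self, reserved_sectors, fats, sectors_per_fat, root_entries,
                 sectors_per_cluster, bytes_per_sector=512):
        self.reserved = reserved_sectors
        self.fats = fats
        self.spf = sectors_per_fat
        self.root_entries = root_entries     # 0 on FAT32, where the root is a cluster chain
        self.spc = sectors_per_cluster
        self.bps = bytes_per_sector

    def first_data_sector(self):
        root_dir_sectors = (self.root_entries * 32 + self.bps - 1) // self.bps
        return self.reserved + self.fats * self.spf + root_dir_sectors

    def cluster_to_sector(self, cluster):
        """Data clusters are numbered from 2; cluster 2 starts the data area."""
        if cluster < 2:
            raise ValueError("clusters 0 and 1 are reserved FAT entries, not data")
        return self.first_data_sector() + (cluster - 2) * self.spc


def identify(data):
    """Name the file type from its leading bytes, or 'unknown'."""
    for sig, name in SIGNATURES.items():
        if data.startswith(sig):
            return name
    return "unknown"


def carve_sectors(image, first_sector, last_sector, bps=512):
    """Return the bytes of sectors first..last inclusive from a raw image."""
    return bytes(image[first_sector * bps:(last_sector + 1) * bps])


def recover_cluster_range(image, volume, first_cluster, last_cluster, file_size=None):
    """Map the cluster range to sectors, carve it, and identify the contents.
    If the directory entry's size is known, trim the slack space after the
    end of the file so the written copy has the original length."""
    first_sector = volume.cluster_to_sector(first_cluster)
    last_sector = volume.cluster_to_sector(last_cluster) + volume.spc - 1
    data = carve_sectors(image, first_sector, last_sector, volume.bps)
    if file_size is not None:
        data = data[:file_size]
    return {"first_sector": first_sector, "last_sector": last_sector,
            "type": identify(data), "data": data}


def write_recovered(data, path):
    """Write the carved bytes out; the path should be on a different drive
    than the one being recovered from, as the chapter advises."""
    with open(path, "wb") as f:
        f.write(data)
    return os.path.getsize(path)


def demo():
    """Carve the chapter's 12-cluster GIF from a constructed 1.44MB floppy image."""
    floppy = Volume(reserved_sectors=1, fats=2, sectors_per_fat=9,
                    root_entries=224, sectors_per_cluster=1)   # standard 1.44MB layout
    image = bytearray(2880 * 512)
    size = 6006
    start = floppy.cluster_to_sector(632) * 512
    image[start:start + size] = (b"GIF89a" + b"\x01" * size)[:size]   # constructed payload
    result = recover_cluster_range(image, floppy, 632, 643, file_size=size)
    with tempfile.TemporaryDirectory() as d:
        result["written"] = write_recovered(result["data"], os.path.join(d, "RECOVER1.GIF"))
    del result["data"]
    return result


if __name__ == "__main__":
    print(demo())
```

On the constructed floppy layout (1 reserved sector, two 9-sector FATs, a 224-entry root directory) the data area begins at sector 33, so cluster 632 is sector 663 and the 12-cluster file ends at sector 674. The identify() check is the automated form of scrolling through the sectors in step 5: an "unknown" result on a file type you have catalogued means the wrong range was specified or the file is fragmented.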

Norton Disk Editor is a powerful tool you can use to explore drives and retrieve lost data. However, your best data recovery technique is to avoid the need for data recovery. Think before you delete files or format a drive, and make backups of important files. That way, you won't need to recover lost data very often.

Upgrading and Repairing Microsoft Windows (2nd Edition)
ISBN: 0789736950
Year: 2005