Scott Muellers Upgrading and Repairing Laptops, Second Edition

Although more and more laptops are equipped with rewritable CD-ROM drives and some new models also feature rewritable DVD drives , laptop users rarely perform backups of data, if at all. Sooner or later, though, you might be sorry if you don't make backups . Because of the way laptops work, data recovery can be more challenging with a laptop than with a desktop PC. In the following sections, I show you the methods you can use to recover data from a laptop.

Recovering lost data can be as simple as opening the Recycle Bin in Windows, or it might require spending hundreds of dollars on specialized data-recovery software or services. In the worst-case scenario, you might even need to send your system off to a data-recovery center. Several factors affect the degree of difficulty you can have in recovering your data:

  • How the data was deleted

  • What file system was used by the drive where the data was stored

  • What version of Windows you use

  • Whether you already have data-protection software installed on your system

  • Whether the data is stored on magnetic media or flash memory

  • Whether the drive has suffered physical damage to heads, platters, or its circuit board

The Windows Recycle Bin and File "Deletion"

The simplest data recovery of all takes place when you send files to the Windows Recycle Bin (a standard part of Windows since Windows 95). Pressing the Delete key when you have a file or group of files highlighted in Windows Explorer or My Computer, or clicking the Delete button, sends files to the Recycle Bin. Although Windows Explorer does not list any file(s) sent to the Recycle Bin in its normal location, the file is actually protected from being overwritten. By default, Windows 95 and newer versions reserve 10% of the disk space on each hard disk for the Recycle Bin (removable-media drives don't have a Recycle Bin). Therefore, a 20GB drive reserves about 2GB for its Recycle Bin. In this example, as long as less than 2GB of files have been sent to the Recycle Bin, Windows does protect a "deleted" file, allowing it to be recovered. However, once more than 2GB of files have been sent to the Recycle Bin, Windows allows the oldest files to be overwritten. Therefore, the quicker you realize that a file has been sent to the Recycle Bin, the more likely it is you can retrieve it (you can also increase the amount of space allotted for the Recycle Bin).

To retrieve a file from the Recycle Bin, open the Recycle Bin, select the file, right-click it, and select Restore. Windows lists the file in its original location and removes it from the Recycle Bin.

If you hold down the Shift key when you select Delete or press the Delete key, the Recycle Bin is bypassed. Retrieving lost data at this point requires third-party data-recovery software.

Recovering Files That Are Not in the Recycle Bin

Although the Recycle Bin is a useful first line of defense against data loss, it is quite limited. As you learned in the previous section, it can be bypassed when you select files for deletion. Also, files stored in the Recycle Bin will eventually be kicked out by newer deleted files. What's more, the Recycle Bin isn't used for files deleted from a command prompt or when an older version of a file is replaced by a newer version.

Products such as Norton Unerase (part of the Norton Utilities and Norton System Works) are necessary if you want to retrieve files that are not in the Recycle Bin. However, the effectiveness of Norton Unerase and how you should use it depends on the version of Windows you use and the file system used by your drives.

Norton Unerase and Norton Protected Recycle Bin (Windows 9x/Me)

With Windows 9x/Me, which use the FAT file system, it's not difficult to retrieve data from a drive that doesn't have Norton Utilities installed, although installing Norton Utilities before you start to delete files you might want to retrieve will make it even easier. You can run Norton Unerase from the bootable CD included in current versions, and you can run Unerase as a command-prompt program if you don't have it already installed and you need to retrieve erased data. You will need to provide the first letter of each file you want to unerase.

Use a Second Hard Drive for File Recovery

Do not install data-recovery (or any other) software to a drive you are attempting to retrieve data from because you might overwrite the data you are attempting to retrieve. If you are trying to recover data from your Windows startup drive and you cannot boot from the data-recovery program CD, you are better off installing another hard disk into your system, configuring it as a boot drive in the system BIOS, installing a working copy of Windows on it, booting from that drive, and installing your data-recovery software to that drive. Then, you need to connect your existing drive to your computer so you can retrieve lost data from it.

Because laptops generally don't accommodate a second internal hard disk drive, you might need to purchase an external drive enclosure for 2.5-inch drives (available from many vendors ), install your original drive in that enclosure, and connect the drive to the system. Alternatively, you could use a special data cable normally used for migrating data from an old drive to a new drive; these cables are sold by companies that sell laptop hard disk upgrade kits. Contact the data-recovery software vendor to verify that its software can work with external drives. If possible, install a new drive in your laptop that is large enough (at least 20GB or more) so that you have several gigabytes of free space on it for storing recovered data.

You could also connect your laptop hard disk to a desktop PC with a 2.5 inchto3.5 inch hard drive adapter (around $1015; available from various sources) and use the desktop PC's original drive to perform data recovery. However, note that BIOS differences on some systems could prevent a PC from being able to access data on a drive prepared with another computer.

However, if you have already installed Norton Utilities, you probably have the Norton Protected Recycle Bin on your desktop in place of the regular Recycle Bin. Compared to the Windows standard-model Recycle Bin, the Norton Protected Recycle Bin protects files that have been replaced with newer versions and files that were deleted from a command prompt. To retrieve a file stored in the Norton Protected Recycle Bin, open it, select the file you want to retrieve, right-click it, and select Retrieve to put it back in its original location.

Alternatively, you can start the Norton Unerase Wizard from the Norton Utilities menu. You can search for recently deleted files (these files are stored in the Recycle Bin), all protected files on local drives (also stored in the Recycle Bin), and any recoverable files on local drives. When you select the last option, you can narrow down the search with wildcards or file types and then specify which drives to search. You will need to supply the first letter of the filename for files that were not stored in the Recycle Bin, and you can also see which files were deleted by a particular program. To undelete a file with the Norton Unerase Wizard, select the file, provide the first letter of the filename if necessary, click Quick View to view the file (if your file viewer supports the file format), and click Recover to restore the file to its original location.

With Windows 9x/Me, you can search both hard and removable-media (floppy, flash memory) drives for lost files, although the Recycle Bin works only for hard drives.

Norton Unerase and Norton Protected Recycle Bin (Windows 2000/XP)

Norton Unerase and the Norton Protected Recycle Bin work in a similar fashion with Windows 2000/XP as with Windows 9x/Me, but with a significant exception: the Unerase Wizard can search only hard drives. Removable-media drives are not supported.

Tip

If you want to use the Norton Unerase Wizard to retrieve data from a floppy drive and you don't have Windows 9x/Me installed on your system, start your computer with the Norton bootable CD and run Unerase from the CD startup menu.

If you have a dual-boot system that can run Windows 9x/Me and Windows 2000/XP and you also want to use the Norton Unerase Wizard with Zip, USB, and flash memory devices, start the computer with Windows 9x/Me, install Norton Utilities or System Works under Windows 9x/Me, and start your computer with Windows 9x/Me if you need to search removable-media drives for lost data.

Alternatives to Norton Unerase

V-Com's System Suite 4.0 (previously sold by Ontrack) is an integrated utility suite that offers an undelete feature similar in many ways to Norton Unerase. However, System Suite's FileUndeleter works with removable-media drives as well as hard drives under all supported versions of Windows, including Windows XP.

Although it's not an automatic tool, you can use Norton's Disk Editor ( DISKEDIT.COM ) to retrieve lost data from hard, floppy, and most types of removable-media drives under any file system and most operating systems, including Linux. See "Using Norton Disk Editor" later in this chapter.

Undeleting Files in NTFS

If your laptop computer uses Windows 2000 or Windows XP, it likely uses the NTFS file system. Because the file structure of NTFS is much more complex than any FAT file system version, and some files might be compressed using NTFS's built-in compression, you should use an NTFS-specific file undeletion program to attempt to recover deleted files from an NTFS drive. For example, you should use a version of Norton Utilities or Norton System Works made especially for NTFS, such as the 2002 and later versions. Also, you should enable the Norton Protection feature, which stores deleted files for a specified period of time before purging them from the system. Using Norton Protection greatly enhances Norton Unerase's ability to recover deleted files.

If you need to recover deleted files and have not already installed an undelete program such as Norton Utilities or Norton System Works' Norton Unerase, you should consider a standalone file-recovery program, such as one of the following:

  • Active Undelete This series of products also works with flash memory cards. You can get more information and a free demo from www.active-undelete.com.

  • Restorer 2000 Available in FAT, NTFS, and Professional versions. You can get more information and a free demo from www.bitmart.net/r2k.shtml.

  • Ontrack EasyRecovery More information and a free demo are available from www.ontrack.com.

Tip

Some file-undelete products for NTFS can only undelete files created by the currently logged-in user, whereas others require the administrator to be logged in. Check the documentation for details, particularly if you are trying to undelete files from a system with more than one user .

Retrieving Data from Partitioned and Formatted Drives

When a hard disk, floppy disk, or removable-media drive has been formatted, its file allocation table (FAT), which is used by programs such as Norton Unerase and V-Com System Suite's FileUndeleter to determine the location of files, is lost. If a hard drive has been repartitioned with FDISK or another partitioning program (such as Windows 2000/XP's Disk Management), the original file system and partition information is lost (as is the FAT).

In such cases, more powerful data-recovery tools must be used to retrieve data. To retrieve data from an accidentally formatted drive, you have two options:

  • Use a program that can unformat the drive.

  • Use a program that can bypass the newly created file allocation table (FAT) and read disk sectors directly to discover and retrieve data.

To retrieve data from a drive that has been partitioned, you must use a program that can read disk sectors directly.

Although you could use Norton Unformat if your laptop drive uses the FAT or FAT32 file system (the file systems used by Windows 9x/Me), I can't recommend this method of data recovery anymore for the following reasons:

  • Norton Unformat works best if the Norton Image program has been used to create a copy of the file allocations tables and root directory. If the image file is out of date, Unformat might fail; if the image file is not present, Unformat cannot restore the root directory, and the actual names of folders in the root directory will be replaced by sequentially numbered folder names .

  • Norton Unformat cannot copy restored files to another drive or folder; it restores data back to the same drive and partition. If Unformat uses an out-of-date file created by Norton Image to determine where data is located, it could overwrite valid data on the drive being unformatted.

Instead of using Norton Unformat, I recommend using programs that retrieve lost data to another drive.

Retrieving Lost Data to Another Drive

Many products are on the market today that can retrieve lost data to another drive, whether the data loss was due to accidental formatting or disk partitioning. One of the best and most comprehensive is the EasyRecovery product line from OnTrack Data Recovery Services, a division of Kroll Ontrack, Inc. The EasyRecovery Version 6 product line includes the following products:

  • EasyRecovery DataRecovery 6.0 Recovers data from accidentally formatted or deleted hard, floppy, and removable-media drives and repairs damaged or corrupted Zip and Microsoft Word files. Local and network folders can be used for recovered files.

  • EasyRecovery FileRepair 6.0 Repairs and recovers data from damaged or corrupted Zip and Microsoft Office (Word, Excel, Access, PowerPoint and Outlook) files. Local and network folders can be used for recovered files.

  • EasyRecovery Professional 6.0 Combines the features of DataRecovery and FileRecovery and adds additional features, such as file type search, RawRecovery, and user-defined partition parameters, to help recover data from more severe forms of file system corruption and accidental partitioning. A free trial version that displays files that can be recovered (and repairs and recovers Zip files at no charge) can be downloaded from the Ontrack Web site (www.ontrack.com).

  • EasyRecovery Lite 6.0 A reduced-feature version of EasyRecovery Professional that retrieves up to 25 files per session.

An earlier version (5.x) of EasyRecovery DataRecovery Lite, which can recover up to 50 files, is included as part of V-Com's System Suite 4.0 (previously sold by Ontrack; go to www.v-com.com).

When you start EasyRecovery Professional, you can choose from several recovery methods:

  • DeletedRecovery Recovers deleted files

  • FormatRecovery Recovers files from accidentally formatted drives

  • RawRecovery Recovers files with direct sector reads using file signaturematching technology

  • AdvancedRecovery Recovers data from deleted or corrupted partitions

In each case, you need to specify another drive to receive the retrieved data. This read-only method preserves the contents of the original drive and allows you to use a different data-recovery method if the first method doesn't recover the desired files.

Which options are best for data recovery? Table 15.1 shows the results of various data-loss scenarios and recovery options when EasyRecovery Professional 6 was used to recover data from a 19GB logical drive formatted with the NTFS file system on Windows XP.

Table 15.1. Data Recovery Options and Results with EasyRecovery Professional 6

Type of Data Loss

Data Recovery Method

Data Recoverable?

Details

Notes

Deleted folder

DeletedRecovery

Yes

All files recovered.

All long file and folder names preserved.

Formatted drive (full format)

FormatRecovery

Yes

All files recovered.

New folders created to store recovered files; long file names preserved for files and folders beneath the root folder level.

Logical drive names deleted with Disk Management

AdvancedRecovery

Yes

All files and folders recovered.

All long file and folder preserved.

Formatted drive with new data copied to it

FormatRecovery

Partial

Files and folders not overwritten were recovered.

Long file and folder names preserved.

Formatted, repartitioned drive, reformatted as FAT32 (117MB Disk 1)

AdvancedRecovery

No

Could not locate any files to recover.

 
 

RawRecovery

Partial

Nonfragmented files recovered.

Original directory structure and filenames lost; each file type stored in a separate folder and files numbered sequentially.

Formatted, repartitioned drive, formatted as NTFS (18.8GB Disk 2)

AdvancedRecovery

No

Could not locate any files to recover.

 
 

RawRecovery

Partial

Nonfragmented files recovered.

Original directory structure and filenames lost; each file type stored in a separate folder and files numbered sequentially.

As Table 15.1 makes clear, as long as the data areas of a drive are not overwritten, complete data recovery is usually possible, even if the drive has been formatted or repartitioned. Therefore, it's critical to react quickly if you suspect you have partitioned or formatted a drive containing valuable data. The longer you wait to recover data, the less data will be available for recovery. Note also that if you must use a sector-by-sector search for data (a process called RawRecovery by Ontrack), your original folder structure and long filenames will not be saved. You will need to re-create the desired directory structure and rename the files after you recover thema very tedious process.

Tip

If you use EasyRecovery Professional or EasyRecovery DataRecovery to repair damaged Zip or Microsoft Office files, use the Properties menu to select a location for repaired files (the original location or another drive/folder). By default, repaired Outlook files are copied to a different folder, whereas other file types are repaired in place, unless you specify a different location.

As you can see from this example, dedicated data-recovery programs such as Ontrack EasyRecovery Professional are very powerful. However, they are also very expensive. If you have Norton Utilities or Norton System Works and don't mind taking some time to learn about disk structures, you can perform data recovery yourself with the Norton Disk Editor.

Using the Norton Disk Editor

In my upgrading and repairing seminars , I use the Norton Disk Editoran often-neglected program that's part of the Norton Utilities and Norton System Worksto explore drives. I also use Disk Editor to retrieve "lost" data. Because Disk Editor is a manual tool, it can sometimes be useful even when friendlier automatic programs don't work or are not available. For example, Disk Editor can be used with any drive that uses FAT, including Linux. Also, because Disk Editor displays the structure of your drive in a way other programs don't, it's a perfect tool for learning more about disk drive structures as well as recovering "lost" data. In this section, I'll discuss two of the simpler procedures you can perform with Disk Editor: undeleting a file on a floppy disk and copying a deleted file on a hard disk to a different drive.

If you have Norton System Works, System Works Professional, or Norton Utilities for Windows, you have Norton Disk Editor. To determine whether it's installed on your system, look in the Program Files\Norton Utilities folder for the files DISKEDIT.EXE and DISKEDIT.HLP .

If you don't find these files on your hard disk, you can run them directly from the Norton installation CD. If you have System Works or System Works Professional, look for the CD folder called \NU to locate these files. If you have trouble locating them, remember you can always use the Windows Search function to search for them.

DISKEDIT is a DOS-based program, and it is designed to access FAT-based file systems such as FAT12 (floppy disks), FAT16 (MS-DOS and early Windows 95 hard disks), and FAT32 (Windows 95B and Windows 98/Me hard disks). You can use DISKEDIT with Windows NT, Windows 2000, and Windows XP only if you've prepared the hard disks with the FAT16 or FAT32 file system. DISKEDIT does not work with NTFS-formatted drives (NTFS is the preferred format for Windows NT/2000/XP).

Note

Windows NT 4.0, Windows 2000, and Windows XP include their own sector editor ( DSKPROBE.EXE ) that can be used in place of Norton Disk Editor for data recovery on NTFS-based drives. To download the Windows NT 4.0 Resource Kit tools, including dskprobe.exe , see Microsoft Knowledge Base Article 206848. To learn more about the Windows 2000 Support tools included on the Windows 2000 CD, see Microsoft Knowledge Base Article 301423. To learn more about the Windows XP Support tools included on the Windows XP CD, see Microsoft Knowledge Base Article 306794.

I strongly recommend that you first use Disk Editor or any other sector editor with floppy disks you have prepared with noncritical files before you use it with a hard disk or with vital files. Because Disk Editor is a completely manual program, the opportunities for error are high.

The DISKEDIT files can easily fit on a floppy disk (you can run the programs from a floppy disk if you need to retrieve data from a hard disk), but if you are new to the program, you might want to put them on a different drive than the one you will be examining or repairing. Never copy DISKEDIT files (or any other data-recovery program) to a drive that contains data you are trying to recover because the files might overwrite the data area and destroy the files you want to retrieve. For example, if you are planning to examine or repair floppy disks, create a folder on your hard disk called DISKEDIT and copy the files to that folder.

You can use Disk Editor without a mouse or integrated pointing device by using keyboard commands, but if you want to use it with your laptop's pointing device or with a PS/2 or serial mouse, you must load an MS-DOS mouse driver (usually MOUSE.COM ) for your pointing device before you start Disk Editor. If you have a Logitech mouse, you can download an MS-DOS mouse driver from the Logitech Web site. If you have a Microsoft mouse, you should note that Microsoft doesn't provide MS-DOS drivers you can download. However, you can get them from www.bootdisk.com/readme.htm#mouse.

For other mice or integrated pointing devices, try the Microsoft or Logitech drivers (most integrated pointing devices work with either driver) or contact the vendor for drivers. Keep in mind that scroll wheels and other buttons won't work with an MS-DOS driver and that USB mice won't work from MS-DOS.

I recommend you copy your mouse driver to the same folder where Disk Editor is located.

Using Disk Editor to Examine a Drive

To use the Disk Editor program to examine a drive, follow these steps:

  1. Boot the computer to a command prompt (not Windows); Disk Editor needs exclusive access to the drives you plan to examine. If you use Windows 9x, press F8 or Ctrl to bring up the startup menu and select Safe Mode Command Prompt, or you can use the Windows 9x/Me Emergency Startup disk (make one with Add/Remove Programs). If you use Windows 2000 or XP, insert a blank floppy disk into Drive A:, right-click Drive A: in My Computer, and select Format. Choose the option Create an MS-DOS Startup Disk, and use this disk to start your computer.

  2. Change to the folder containing your mouse driver and Disk Editor.

  3. Type MOUSE (if your mouse driver is called MOUSE.COM or MOUSE.EXE ; substitute the correct name if it's called something else) and press Enter to load the mouse driver.

  4. Type DISKEDIT and press Enter to start the program. If you don't specify a drive, Disk Editor scans the drive where it's installed. If you are using it to work with a floppy disk, enter the command DISKEDIT A: to direct it to scan your floppy disk. Disk Editor scans your drive to determine the location of files and folders on the disk.

  5. The first time you run Disk Editor, a prompt appears to remind you that Disk Editor runs in read-only mode until you change its configuration through the Tools menu. Press OK to continue.

Once Disk Editor has started, you can switch to the drive you wish to examine or recover data from. To change to a different drive, follow these steps:

  1. Press Alt+O to open the Object menu.

  2. Select Drive.

  3. Select the drive you want to examine from the Logical Disks menu.

  4. The disk structure is scanned and displayed in the Disk Editor window.

Disk Editor normally starts in the Directory mode; you can change it to other modes with the View menu. When you view a drive containing data in the directory mode, you will see a listing similar to the one shown in Figure 15.1.

Figure 15.1. The Norton Disk Editor directory view of a typical floppy disk.

The Name column lists the names of the directory entries. The .EXT column lists the file/folder extensions (if any). The ID column lists the type of directory entry:

  • Dir A directory (folder).

  • File A data file.

  • LFN A portion of a Windows long filename. Windows stores the start of the LFN before the actual filename. If the LFN is more than 13 characters , one or more additional directory entries are used to store the rest of the LFN. The next three columns list the file size, date, and time.

The Cluster column indicates the cluster where the first portion of the file is located. Drives are divided into clusters or allocation units when they are formatted, and a cluster (allocation unit) is the smallest unit that can be used to store a file. Cluster sizes vary with the size of the drive and the file system used to format the drive.

The letters A, R, S, H, D, and V refer to attributes for each directory entry. A (archive) means the file hasn't been backed up since it was last modified. R is used to indicate the directory entry is read-only. S indicates the directory entry has the System attribute, whereas H indicates the directory entry has the Hidden attribute. D indicates the entry is a directory, whereas V is the attribute for an LFN entry.

The file VERISI~1.GIF (highlighted in black near the bottom of Figure 15.1) is interesting for several reasons. The tilde (~) and number at the end of the filename indicate the file was created with a 32-bit version of Windows. The 32-bit versions of Windows (Windows 9x/Me, 2000, and XP) allow the user to save a file with a long (more than eight characters) filename, plus the three-character file extension (such as .EXE, .BMP, or .GIF); long filenames can also have spaces and other characters not allowed by earlier versions of Windows and MS-DOS.

When you view the file in Windows Explorer or My Computer, you see the long filename. To see the DOS alias name within the Windows GUI, right-click the file and select Properties from My Computer or Windows Explorer, or use the DIR command within a command prompt window. The LFN is stored as one or more separate directory entries just before the DOS alias name. Because the actual long name for VERISI~1.GIF ( Verisignsealtrans.gif ) is 21 characters, two additional directory entries are required to store the long filename (each directory entry can store up to 13 characters of an LFN), as shown in Figure 15.1.

Determining the Number of Clusters Used by a File

An area of the disk called the file allocation table (FAT) stores the starting location of the file and each additional cluster used to store the file; VERISI~1.GIF starts at cluster 632. Clusters, or allocation units, are the smallest disk structures used to store files, and they vary in size depending on the file system used to create the disk, where the files are stored, and the size of the drive. In this case, the file is stored on a 1.44MB floppy disk, which has a cluster size of 512 bytes (one sector). The cluster size of the drive is very important to know if you want to retrieve data using Disk Editor.

To determine the cluster size of a drive, you can open a command-prompt window and run CHKDSK C: to display the allocation unit size (cluster size) and other statistics about the specified drive.

To determine how many clusters (allocation units) are used to store a file, look at the size of the file and compare it to the cluster size of the drive it's stored on. The file VERISI~1.GIF contains 6,006 bytes. Because this file is stored on a floppy disk that has a cluster size of 512 bytes, the file must occupy several clusters. How many clusters does it occupy? To determine this, divide the file size by the number of clusters and then round the result up to the next whole number. The math is shown in Table 15.2.

Table 15.2. Determining the Number of Clusters Used by a File

File Size (F) of VERISI~1.GIF

Cluster Size (S)

Result of (F) Divided by (S) Equals (R)

(R) Rounded Up to Next Whole Number

6,006

512

11.73046875

12

From our calculations, you can see that VERISI~1.GIF uses 12 clusters on the floppy disk; it would use fewer clusters on a FAT16 or FAT32 hard disk, the exact number depending on the file system and the size of the hard disk. The more clusters a file contains, the greater the risk that some of its data area could be overwritten by newer data if the file is "deleted." Consequently, if you need to undelete a file that was not sent to the Windows Recycle Bin or was deleted from a removable-media drive or floppy drive (these types of drives don't support the Recycle Bin), the quicker you attempt to undelete the file, the more likely it is that you can retrieve the data.

The normal directory display in Norton Disk Editor shows the starting cluster (632) for VERISI~1.GIF . If a file is stored on a drive with a lot of empty space, the odds are good that the remainder of the clusters immediately follow the first two; a badly fragmented drive might use noncontiguous clusters to store the rest of the file. Because it's much easier to perform data recovery when the clusters are contiguous, I strongly recommend that you defragment your drives frequently.

To see the remainder of the clusters used by a file, move the cursor to the file, press Alt+L or click the Link menu, and select Cluster Chain (FAT); you can also press Ctrl+T to go directly to this view. The screen changes to show the clusters as listed in the FAT for this file, as shown in Figure 15.2. The clusters used by the file are highlighted in red, and the filename is shown at the bottom of the screen. The symbol <EOF> stands for "End of File," indicating the last cluster in the file.

Figure 15.2. The FAT view of VERISI~1.GIF . All its clusters are contiguous.

How the Operating System Marks a File When It Is Deleted

If a file ( VERISI~1.GIF in this example) is deleted, the following changes happen to the disk where the file is stored, as shown in Figure 15.3:

  • The default directory view shows that the first character of the filename (V) has been replaced with a " s " (lowercase sigma) character.

  • There are now two new types of entries in the ID column for this file and its associated LFN: Erased (an erased file) and Del LFN (an LFN belonging to an erased file). Note also that the beginning cluster (632) is still shown in the Cluster column.

Figure 15.3. The Directory view after VERISI~1.GIF has been deleted.

Zeroes have also replaced the entries for the cluster locations after the beginning cluster in the FAT. This indicates to the operating system that these clusters (allocation units) are now available for reuse. Therefore, if an undelete process is not started immediately, some or all of the clusters could be overwritten by new data. Because the file in question is a GIF graphics file, the loss of even one cluster will destroy the file.

As you can see from analyzing the file-deletion process, the undeletion process involves four steps:

  1. Restore the original filename.

  2. Locate the clusters used by the file.

  3. Re-create the FAT entries for the file.

  4. Relink the LFN entries for the file to the file.

Of these four steps, the most critical are locating the clusters used by the file and re-creating the FAT entries for the file. However, if the file is a program file, restoring the original name is a must for proper program operation ( assuming the program can't be reloaded from the original distribution media), and restoring the LFN entries will make it easier for a Windows user accustomed to long filenames to use the file.

If you want to make these changes to the original disk, Disk Editor must be configured to work in Read-Write mode.

To change to Read-Write mode, follow these steps:

  1. Press Alt+T to open the Tools menu.

  2. Press N to open the Configuration dialog box.

  3. Press the spacebar to clear the check mark in the Read Only option box.

  4. Press the Tab key until the Save box is highlighted.

  5. Press Enter to save these changes and return to the main display.

Caution

As a precaution, I recommend that you use DISKCOPY to make an exact sector-by-sector copy of a floppy disk before you perform data recovery on itand you should work with the copy of the disk, not the original. By working with a copy, you keep the original safe against any problems you might have, and you can make another copy if you need to.

Once you change to Read-Write mode, Disk Editor will stay in this mode and will use Read-Write mode every time you use it. To change back to Read-Only mode, repeat the preceding steps, but check the Read-Only box. If you are using Disk Editor in Read-Write mode, you will see the message "Drive x is locked" when you scan a drive.

Undeleting an Erased File

Once you have configured Disk Editor to work in Read-Write mode, you can use it to undelete a file.

To recover an erased file, follow this procedure:

  1. To change to the folder containing the erased file, highlight the folder containing the erased file and press Enter. In this example, we will recover the erased file VERISI~1.GIF .

  2. Place the cursor under the lowercase sigma symbol and enter the letter you want to use to rename the file.

  3. If the keyboard is in Insert mode, the lowercase sigma will move to the right; press the Delete key to delete this symbol.

  4. This restores the filename, but even though the ID changes from Erased to File, this does not complete the file-retrieval process. You must now find the rest of the clusters used by the file. To the right of the filename, the first cluster used by the file is listed.

  5. To go to the next cluster used by the file, press Ctrl+T to open the Cluster Chain command. Because you changed the name of the file, you are prompted to write the changes to the disk before you can continue. Press W or click Write to save the changes and continue.

  6. Disk Editor moves to the first cluster that was used by the deleted file. Instead of cluster numbers , as shown earlier in Figure 15.2, each cluster contains a zero (0). Because this file uses 12 clusters, there should be 12 contiguous clusters that have been zeroed out if the file is unfragmented.

  7. To determine whether these are the correct clusters for the file, press Alt+O or click Object to open the Object menu and then press the C key to open the Cluster dialog box (or press Alt+C to go straight to the Cluster dialog box). Enter the starting cluster number (632, in this example) and the ending cluster number (644, in this example). Click OK to display these clusters.

    Disk Editor automatically switches to the best view for the specified object, and in this case, the best view is the Hex view (see Figure 15.4). Note that the first entry in cluster 632 is GIF89a (as shown in the right column). Because the deleted file is a GIF file, this is what we expected. Because a GIF file is a binary graphics file, the rest of the information in the specified sectors should not be human-readable . Note that the end of the file is indicated by a series of 00s in several disk sectors before another file starts.

    Figure 15.4. The start and end of the file VERISI~1.GIF .

    Because the area occupied by the "empty" clusters 632 through 644 contains binary data starting with GIF89a, we can feel pretty confident that these clusters contain the data we need.

  8. To return to the FAT to fill in the cluster numbers for the file, open the Object menu and select Directory. The current directory is selected, so click OK.

  9. Move the cursor down to the entry for VERISI~1.GIF , open the Link menu, and click Cluster Chain (FAT). The Cluster Chain refers to the clusters after the initial cluster (632); enter 633 into the first empty field and continue until you enter 643 and place the cursor into the last empty field. This field needs to have the <EOF> marker placed in it to indicate the end of the file. Press Alt+E to open the Edit menu and then select Mark (or press Ctrl+B). Open the Edit menu again and select Fill. Select End of File from the menu and click OK. Refer back to Figure 15.2 to see how the FAT looks after these changes have been made.

  10. To save the changes to the FAT, open the Edit menu again and select Write. When prompted to save the changes, click Write and then click Rescan the Disk.

  11. To return to the Directory view, open the Object menu and select Directory. Click OK.

  12. The LFN entries directly above the VERISI~1.GIF file are still listed as Del LFN. To reconnect them to VERISI~1.GIF , select the first one ( verisignsealt ), open the Tools menu (Alt+T), and select Attach LFN. Click Yes when prompted. Repeat the process for ( rans.gif ).

  13. To verify that the file has been undeleted successfully, exit Disk Editor and open the file in a compatible program. If you have correctly located the clusters and linked them, the file will open.

As you can see, this is a long process, but it is, essentially , the same process that a program such as Norton Unerase performs automatically. However, Disk Editor can perform these tasks on all types of disks that use the FAT file systems, including those that use non-DOS operating systems; it's a favorite of advanced Linux users.

Retrieving a File from a Hard Disk or Flash Memory Card

What should you do if you need to retrieve an erased file from the hard disk or a flash memory card? It's safer to write the retrieved file to another disk (preferably a floppy disk if the file is small enough) or to a different drive letter on the hard disk. You can also perform this task with Disk Editor.

Tip

If you want to recover data from a hard disk and copy the data to another location, set Disk Editor back to its default Read-Only mode to avoid making any accidental changes to the hard disk. If you use Disk Editor in a multitasking environment such as Windows, it will default to Read-Only mode.

The process of locating the file is the same as that described earlier:

  1. Determine the cluster (allocation unit) size of the drive where the file is located.

  2. Run Disk Editor to view the name of the erased file and determine which clusters contain the file data.

However, it's not necessary to restore the filename because you will be copying the file to another drive.

Because the clusters will be copied to another file, it's helpful to use the Object menu to look at the clusters and make sure they contain the necessary data. To view the data stored in the cluster range, open the Object menu, select Cluster, and enter the range of clusters that the Cluster Chain command indicate should contain the data. In some cases, the first cluster of a particular file will indicate the file type. For example, a GIF file has GIF89a at the start of the file, whereas a WordPerfect document has WPC at the start of the file.

Tip

Use Norton Disk Editor to view the starting and ending clusters of different types of files you create before you try to recover those types of files. This is particularly important if you want to recover files from formatted media. You might consider creating a database of the hex characters found at the beginning and ending of the major file types you want to recover.

If you are trying to recover a file that contains text, such as a Microsoft Word or WordPerfect file, you can switch DISKEDIT into different view modes. To see text, press F3 to switch to Text View. However, to determine where a file starts or ends, use Hex mode (press F2 to switch to this mode). Figure 15.5 shows the start of a Microsoft Word file in Text format and the end of the file in Hex format.

Figure 15.5. Scrolling through an erased file with Disk Editor.

To copy the contents of these clusters to a file safely, it's best that you specify the sectors that contain the file. The top of the Disk Editor display shows the sector number as well as the cluster number. For example, the file shown in Figure 15.5 starts at cluster 75207, which is also sector 608470. The end of the file is located in sector 608503.

Here's how to write these sectors to a new file:

  1. Open the Object menu and select Sector.

  2. Specify the starting and ending sectors (click OK).

  3. Scroll through the sectors to verify they contain the correct data.

  4. Open the Tools menu and select Write Object To, To a File.

  5. Click the drive where you want to write the data.

  6. Specify a DOS-type filename (eight characters plus a three-character extension); you can rename the file to a long filename after you exit DISKEDIT.

  7. Click OK. Then click Yes to write the file. A status bar appears as the sectors are copied to the file.

  8. Exit DISKEDIT and open the file in a compatible program. If the file contains the correct data, you're finished. If not, you might have specified incorrect sectors, or the file might be fragmented.

Norton Disk Editor is a powerful tool you can use to explore drives and retrieve lost data. However, your best data-recovery technique is to avoid the need for data recovery. Think before you delete files or format a drive, and make backups of important files, and you won't need to recover lost data very often.

Data Recovery from Flash Memory Devices

Laptop computers are often just one part of a mobile information strategy. You might also work with flash memory devices such as USB keychain drives and data storage cards used in digital cameras and digital music players. Retrieving lost data from flash memory devices presents a unique challenge to data-recovery programs. Although from a user standpoint these devices emulate conventional disk drives, have file allocation tables similar to those found on floppy disks, and can usually be formatted through the Windows Explorer, many data-recovery programs that work well with conventional drives cannot be used to recover data from flash memory devices, especially when the device has been formatted.

There are several conditions under which data loss can occur with a flash memory device. Some of them, such as formatting of the media or deletion of one or more photos or files, can occur when the device is connected to the computer through a card reader or when the flash memory device is inserted into a digital camera. When photos are deleted, the file location and name listings in the file allocation tables are changed in the same way as when files are deleted from magnetic media: the first character of the filename is changed to a lowercase sigma, indicating the file has been erased. Just as with magnetic media, undelete programs that support removable-media drives and the Norton Disk Editor can be used to retrieve deleted files on flash memory devices in the same way that they retrieve deleted files from magnetic media; note that Disk Editor must be run in Read-Only mode, and it works best on systems running Windows 9x/Me. Data files can also be damaged if the flash memory card is removed from a device before the data-writing process is complete.

However, retrieving data from a formatted flash memory devicewhether it has been formatted by a digital camera or through Windowsis much more difficult. Traditional unformat programs such as the command-line Norton Unformat program provided with Norton Utilities and Norton System Works can't be used because flash memory devices are accessible only from within the Windows GUI, and command-line programs are designed to work with BIOS-compatible devices such as hard and floppy drives.

Programs that rely on the file system, such as Ontrack Easy Recovery Personal Edition Lite 5.x (incorporated into V-Com System Suite 4.0) and Ontrack Easy Recovery Lite v6.x, will not work either because the previous file system is destroyed when flash memory devices are formatted.

Note

When a digital camera formats a flash memory card, it usually creates a folder where photos are stored. Some cameras might also create another folder for storing drivers or other information.

If you need to recover data from a formatted flash memory device, we have found the following programs work extremely well:

  • Ontrack EasyRecovery Professional Edition v6.x This program costs $499; a free evaluation and more information are available from www.ontrack.com.

  • PhotoRescue v.1.x This program costs $29; a free evaluation and more information are available from www.datarescue.com/photorescue/.

Norton Disk Editor (incorporated into Norton Utilities, Norton System Works, and Norton System Works Pro) can also be used to recover data if you can determine the starting and ending clusters used by the data stored on the device.

To recover data from a formatted flash memory card with EasyRecovery Professional Edition, the RawRecovery option (which recovers data on a sector-by-sector basis) must be used. This option bypasses the file system and can be used on all supported media types. A built-in file viewer enables you to determine whether the recovered data is readable.

PhotoRescue, which works only with standard photo image types such as JPG, BMP, and TIF, can access the media in either logical drive mode (which worked quite well in our tests) or physical drive mode. Physical drive mode uses a sector-by-sector recovery method somewhat similar to that used by EasyRecovery Professional Edition. PhotoRescue also displays recovered photos in a built-in viewer.

With both products, you might recover data from not just the most recent use before format, but leftover data from previous uses as well. As long as the data area used by a particular file hasn't been overwritten, the data can be recovered, even if the device has been formatted more than once.

Table 15.3 provides an overview of our results when trying to recover data from two common types of flash memory devices: a Compact Flash card used in digital cameras and a USB keychain storage device.

Table 15.3. Retrieving Lost Data from Flash Memory Devices

Results by Data-Recovery Program

Device

Cause of Data Loss

Norton Utilities 2002

Ontrack/VCOM System Suite 4.0

DataRescue Photo Rescue

Ontrack EasyRecovery Professional 6.0

Compact flash 64MB

Deleted selected files in camera

Recovered data back to device when used with Windows 9x/Me only. [1] , [2]

Recovered data to user-specified folder. [1] , [3]

Recovered data from most recent format and from previous card uses to specified folder. [3] , [4]

RawRecovery recovered deleted files from current and previous uses. [3] , [4]

Compact flash 64MB

Deleted selected files with Windows Explorer

Recovered data back to device when used with Windows 9x/Me only. [1] , [2]

Recovered data specified to folder when used with any supported version of Windows. [3]

Recovered data from most recent format and from previouscard uses to specified folder (files and folders renamed ).

DeletedRecovery recovered deleted data from current use (first character of file/folder name lost).

Compact flash 64MB

Format in camera

Drive could not be unformatted; DISKEDIT could retrieve data from current and previous uses to user-specified folder. [3] , [5] , [6]

Could not locate data; no data recovered.

Recovered data from most recent format and from previous card uses to user-specified folder. [3] , [4]

RawRecovery recovered all readable data, including data from previous card uses to user-specified folder. [3] , [4]

Compact flash 64MB

Format in card reader

Drive could not be unformatted; DISKEDIT could retrieve data from current and previous uses. [5] , [6]

Could not locate data; no data recovered.

Recovered data from most recent format and from previous card uses to user-specified folder. [4]

RawRecovery recovered all readable data, including data from previous card uses to user-specified folder. [4]

USB keychain drive (128MB)

Deleted folder with My Computer

DISKEDIT can retrieve data from current use [3] , [6]

Partial success: Recovered some files. [3]

Recovered photo files only. [3] , [4]

RawRecovery retrieved most files. [3] , [4]

USB keychain drive (128MB)

Formatted by Windows Explorer

DISKEDIT could retrieve data from current use. [3] , [6]

Partial success: Recovered some files (folder names and structure lost). [3]

Recovered photo files only. [3] , [4]

RawRecovery retrieved most files. [3] , [4]

[1] User supplied first letter of filename during undelete process.

[2] Norton Unerase doesn't support removable-media drives in Windows NT/2000/XP.

[3] Program operates in Read-Only mode on the drive containing lost data.

[4] Original file and folder names were not retained; files are numbered sequentially and might need to be renamed after recovery.

[5] Windows must be used to access flash memory devices, and Norton Unformat can't be used in a multitasking environment such as Windows.

[6] DISKEDIT requires the user to manually locate the starting and ending sector of each file and write the sectors to another drive with a user-defined filename.

Retrieving Data from a Damaged Laptop

If your laptop computer has suffered physical damage, you might still be able to read data from its hard disk using one of these methods:

  • Remove the drive and install it in a similar model.

  • Remove the drive and connect it to another laptop or a desktop model using the adapters discussed previously in this chapter.

If the drive cannot be read by another PC because of BIOS-translation issues but appears to be working properly (it spins and doesn't make any loud noises), you can try professional data-recovery companies such as Ontrack and others. Many of these companies offer remote data recovery.

Remote data recovery requires you to install a client program on the laptop or desktop computer that has the drive connected to it. After establishing Internet access with the computer, the remote data-recovery technicians read the information from the drive and determine what data can be recovered and how much the recovery will cost. This process can take several hours and is most easily performed if the computer being used to host the drive uses a broadband Internet connection.

Even if the host computer's BIOS is not able to correctly translate the drive, the special methods used by data-recovery companies can read the data and determine the correct way to write the data back to the drive.

If the drive itself has sustained physical damage, the only alternative is to send the hard disk (or the entire laptop) to the data-recovery company of your choice. These companies have clean rooms, where damaged drives can be rebuilt, and special equipment capable of retrieving data from damaged drives. This "mail-in" type of data recovery is more expensive than remote data recovery, but if the drive cannot be accessed by a normal computer because of physical damage, it is the only way to retrieve the data.

Категории