Dmde virtual filesystem

[Yipeeyep]

Reading this topic, page 4 in particular: 

And this:

On 12/5/2013 at 4:46 PM, grancharov said:

NTFS tools - Repair Directory INDX-Records. There is also Recover the Object and Reconstruct File System in the context menu - what I should use? The idea is that I want to spare myself another copy of 1.8 TB in the reverse direction.

I have an old Usb stick, which possibly has already had backups of it done (onto another stick). Using Dmde I can recover a virtual filesystem (Virtual reconstruction).

I would like to write the virtual FS to the drive. The quote above is for Ntfs. The drive I am using is Fat.

Is there a way to "undelete" the files directly?

More info, the (sub)folders are ok, just the root files don't exist (in the virtual filesystem). I don't care. I just want to see the folders (I will have to rename them).

Using old version of DMDE (2.8?), will try v3.0.6.648.

Thanks. 

[jaclaz]

What you want to do is largely "outside the scope" of DMDE, which mainly is about "recovering files" (as opposed to "repairing the filesystem").

The virtual reconstruction BTW is not something "necessarily valid", it is just an attempt to - maybe - access (otherwise inaccessible) files in a way similar to a "normal filemanager" would, but what you see in the "virtual reconstruction filesystem" is just an attempt, there is no guarantee that an item in the reconstructed filesystem is "good" or "sane" and anyway a number of filesystem metadata will be either missing or faked.

Particularly in the case of a USB stick (which will surely be of limited size) it is easy and quick to create image(s) of the stick and work on those images (it will definitely be faster, once the initial image has been created) to extract the files from the virtually reconstructed filesystem and then create a new filesystem and copy back the recovered files to it.

More or less the only tool we have to actually repair a NTFS filesystem is CHKDSK, but the repair process not necessarily will recover or make accessible again files, on the other hand FAT is a much simpler filesystem (btw having far less filesystem metadata) and if a file is simply deleted there are tools to undelete them (provided that the actual file locations/extents have not been overwritten).

More or less a "simple delete" in FAT consists in marking the entry in the FAT table as "available" by overwriting the first character of the filename with a special character (this is why most FAT undelete tools will ask you for the first letter of the original filename) and 00ing the cluster chain in the FAT table.

If the file (originally, before being deleted) was occupying a single, contiguous, extent on disk, it is trivial to undelete that file with a a hex/disk editor. see as an example the good ol'way using Norton Diskedit:
http://www.informit.com/articles/article.aspx?p=339042

but if the file was fragmented or we are talking of several files and/or the undelete process is not started immediately after having realized that a deletion wrongly occurred, things become more complex, and there is a likely possibility that part of the file(s) have been overwritten and/or create a cluster allocation conflict, so, for obvious safety reasons, most tools will only attempt to extract files and not modify the actual FAT tables of the original filesystem.

See also:
https://en.wikipedia.org/wiki/Undeletion

jaclaz