jaclaz Posted November 20, 2006 Posted November 20, 2006 I think that is an EXCELLENT idea.Yep, I a a smart guy B), though the basic idea is not really new, from the Art of War by Sun Tzu, around (500 BC):Chapter I18. All warfare is based on deception.19. Hence, when able to attack, we must seem unable; when using our forces, we must seem inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.24. Attack him where he is unprepared, appear where you are not expected.Chapter V 5. In all fighting, the direct method may be used for joining battle, but indirect methods will be needed in order to secure victory. 6. Indirect tactics, efficiently applied, are inexhaustible as Heaven and Earth, unending as the flow of rivers and streams; like the sun and moon, they end but to begin anew; like the four seasons, they pass away to return once more.Chapter VI30. So in war, the way is to avoid what is strong and to strike at what is weak.Chapter XI60. Success in warfare is gained by carefully accommodating ourselves to the enemy's purpose.65. If the enemy leaves a door open, you must rush in.Chapter XII19. If it is to your advantage, make a forward move; if not, stay where you are....and I probably just won the 2006 award for the most off-topic post of the year ... jaclaz
porear Posted November 20, 2006 Posted November 20, 2006 hehe very nicely done. This thread was about due for a dose of OT Playing with dsfo now and trying to determine the length of the FAT, am thinking I read somewhere the boot record including FAT is 63 sectors, so 63 * 512 = 32256. Just how erroneous is that?
jaclaz Posted November 20, 2006 Posted November 20, 2006 Just how erroneous is that?erroneus enough:CHS 0/0/1 = 1st Sector on disk = Sector 1 = Sector 0 LBA is the MBRCHS 0/0/2 to 0/0/63 =Sectors from 2nd = sectors 2÷63 = Sectors 1÷62 LBA are hidden sectors (unused)CHS 0/1/1 = 1st sector in partition = Sector 64 = Sector 63 LBA is the partition bootsectorDepending on size of the partition and number of directories entries, following sectors are FAT1/FAT2 and Root directory.Number of sectors used is written in bootsector, use either beeblebrox:http://students.cs.byu.edu/~codyb/or Roadkil's Boot Builder:http://www.roadkil.net/bootbuild.htmlTo explore the contents of your bootsector.Check the Starman's realm for reference:http://thestarman.dan123.com/asm/mbr/MSWIN41.htmhttp://thestarman.dan123.com/asm/mbr/NTFSBR.htmand here for FAT16:http://home.teleport.com/~brainy/fat16.htmhttp://averstak.tripod.com/fatdox/bootsec.htmhttp://www.ntfs.com/fat-partition-sector.htmor just use the two utilities and report contents of bytes 0x0E÷0x0F; 0x11÷0x12; 0x16÷0x17, respectively Reserved Sectors, Root Entries, Sectors per FAT.I am assuming that the volume has two FATs and is FAT16.jaclaz
porear Posted November 20, 2006 Posted November 20, 2006 (edited) I am assuming that the volume has two FATs and is FAT16.That should be correct. Thanks for the info and references, I'll look at them. This project is opening up quite a few new things to me.Beeblebrox reports C/H/S for the USB is 246/255/63. NumSectors in the partition table is 3963841.Using WinHex (and Beeblebrox to double check) to observe the bytes mentioned,0x0E÷0x0F Reserved Sectors data is 04 000x11÷0x12 Root Entries data is 00 020x16÷0x17 Sectors per FAT data is F2 00Choosing to jump to FAT1 in Winhex points to offset 0x800, and FAT2 is at offset 0x1EC00. From the data, this should be my drive:Offset 0x0 is Boot sectorOffset 0x800 is FAT1Offset 0x1EC00 is FAT2Offset 0x3D000 is RootOffset 0x41000 is First data sector0x1EC00 - 0x800 = 123,904. This length agrees with the calculation 242 sectors/FAT * 512 bytes/sector = 123,904 bytes/FAT.As always, thanks so much for the continued assistance. Edited November 21, 2006 by porear
jaclaz Posted November 21, 2006 Posted November 21, 2006 Hmmm, unless I am mistaken, your data appears to be correct, if you start from the partition, but maybe you missed the initial MBR and hidden sectors...:Counting whole DRIVE:0x000000 (0 Dec) MBR 0x000200 (512 Dec) Hidden sectors (62 of them)0x007E00 (32256 Dec) Bootsector0x008600 (32768 Dec) 3 more reserved sectors0x008000 (34304 Dec) FAT10x026A00 (158208 Dec) FAT20x044E00 (282112 Dec) Root Directory0X048E00 (298496 Dec) First Data SectorCounting from Partition:0x000000 (0 Dec) Bootsector0x000200 (512 Dec) 3 more reserved sectors0x000800 (2048 Dec) FAT10x01EC00 (125952 Dec) FAT20x03D000 (249856 Dec) Root Directory0X041000 (266240 Dec) First Data SectorNow, let's see if the above is correct:MBR = 512 bytesHidden sectors= 62x512= 31,744 bytesBootsector=512 bytesMore reserved sectors=1,536 bytesFAT1= 242 x 512 = 123,904 bytesFAT2= 242 x 512 = 123,904 bytesRoot= 512 x 32 = 16,384 (each record is 32 bytes long)512+31,744+512+1,536+123,904+123,904+16,384=298,496and512+1,536+123,904+123,904+16,384=266,240 If you use the dsfok with "partition" offset, you must give it a drive letter, whilst if you use the "Drive" offset, you can use PHYSICAL drive (and need to rewrite the initial 63 sectors).To automate the process while making sure you are rewriting on the right drive, the "fixed" letter for the USB stick through migrate.inf, that cdob proved to be working in the other thread might be useful .Also, have a look at the small batch I posted here:http://www.911cd.net/forums//index.php?sho...=15837&st=5that should give you some ideas on how to make this.It has been some time since I "peeked and poked" on FAT filesystems with hexeditors, I cannot remember if there is something else that must be taken into account.I'll try and "freshen" my experience in the next few days, and post if I find something else........as an afterthought, maybe there are some more appropriate utilities on the net, I'll have a look at them too.jaclaz
porear Posted November 22, 2006 Posted November 22, 2006 (edited) UPDATED See flagged note belowI think my method of experimenting is flawed. I am using the disk offset of 282,112 (also tried 298,496) and addressing the USB with the scheme \\.\PHYSICALDRIVE1I am doing all of this from within Windows XP (which I think is a problem)Save through FAT2 with dsfo \\.\PHYSICALDRIVE1 0 282112 fatsav1.dskDelete several files from the stickRestore back to the stick with dsf1 \\.\PHYSICALDRIVE1 0 282112 fatsav1.dskSave another file through FAT2 with dsfo \\.\PHYSICALDRIVE1 0 282112 fatsav2.dskCompare the two saved files fatsav1.dsk and fatsav2.dsk with WinHexThe files are identical, so the restore succeeds. However, the deleted files do not reappear in Windows Explorer. If then I do a View->Refresh of the USB drive in Windows Explorer, then save another snapshot with dsfo \\.\PHYSICALDRIVE1 0 282112 fatsav3.dskDifferences are found between this and the first two snapshots! I've attached REPORT.TXT generated by WinHex that shows the differences.It seems as if Windows XP has the first few sectors of the USB disk cached, and assumes that direct disk writes that bypass XP will not take place. The refresh action seems to write the XP cached data back to the disk. Is this a feasible theory?Update: I have tested this theory by removing the USB stick after restoring the FAT, then plugging it back in. Sure enough, this does seem to destroy any XP cached FATs, and the deleted files and folders reappear. HOWEVER... Only files and folders in the root are undeleted. Folders that originally held files that are undeleted to the root are now all empty. So, the root directory is being restored, but not the FATsIf this is true, will the same problem arise in the setup/install environment? I have not tried it yet since my experiments have failed so far.I also am searching for other possible existing utilities for backup/restore of the FAT, or an undelete that will work in the install environment.I'll write back when I have anything new, but may not be on as much for the next few days, its holiday time here. I will also look at the link to the batch file you posted. Thanks!! BTW, I've been making it a point to honor the provisions of your CareWare license today, my friend. Report.txt Edited November 22, 2006 by porear
jaclaz Posted November 22, 2006 Posted November 22, 2006 BTW, I've been making it a point to honor the provisions of your CareWare license today, my friend.Good! Have a nice Thanksgiving...jaclaz
Puggsley Posted November 22, 2006 Posted November 22, 2006 Could you not copy a dos floppy to the flash drive, then edit autoexec.bat? to run winnt.exe (Setup App intended for dos prompt). I managed to do this for win 98se, but i know a few of the dos files need tweaking a bit. Your flash drive should be formated as fat, not fat32 or ntfs as dos does not support these.
LLXX Posted November 23, 2006 Posted November 23, 2006 Could you not copy a dos floppy to the flash drive, then edit autoexec.bat? to run winnt.exe (Setup App intended for dos prompt). I managed to do this for win 98se, but i know a few of the dos files need tweaking a bit. Your flash drive should be formated as fat, not fat32 or ntfs as dos does not support these.DOS 7.1+ kernel (in Win95b and above) supports FAT32.
jaclaz Posted November 23, 2006 Posted November 23, 2006 (edited) Could you not copy a dos floppy to the flash drive, then edit autoexec.bat? to run winnt.exe (Setup App intended for dos prompt). I managed to do this for win 98se, but i know a few of the dos files need tweaking a bit. Your flash drive should be formated as fat, not fat32 or ntfs as dos does not support these.You might have missed the start of this:http://www.msfn.org/board/index.php?showto...mp;#entry563654The method using DOS 7.1 and WINNT.EXE has already been developed fully and has been published here:http://www.911cd.net/forums//index.php?showtopic=16713One can later convert the FAT32 system drive to NTFS with the MS utility convert:http://www.microsoft.com/technet/prodtechn...convertfat.mspxconvert C: /fs:ntfsthough I never tried this myself and I have read conflicting reports about success of such an operation.@LLXXYep, but still formatting a USB stick as FAT16 gives more probabilities to have it bootable on some motherboards.Using the DOS 7.1 files (or other FAT32 enabled DOS) is however needed, otherwise the resulting partition on the target drive will be affected by FAT16 size limit of 2 Gb.jaclaz Edited November 23, 2006 by jaclaz
porear Posted November 25, 2006 Posted November 25, 2006 uuuuuuuughhhhhh too much food. Hello, Puggsley and LLXX.I've been trying to determine what happens during a file deletion. Not only is the FAT altered, but one byte per file (I am assuming the first) is overwritten as well. It appears that this is the first character of the file name that must be manually supplied for most undelete methods.Experiment: I imaged through the end of my FAT tables (img1), then imaged the whole stick (img2). I deleted 3 files, restored the FAT from its image (img1), then re-imaged the entire stick again (img3). Comparing the two whole-disk images (img2 and img3) resulted in 3 differences found, in attached REPORT.TXT.The 42, 47, and 47 that were overwritten should correspond respectively to b, g, and g in the filenames bootlace.com, grldr.mbr, and grub.exe.So, for successful automatic undelete, the first character of all file names must be saved prior to deletion and then restored. I am assuming this is what "delete tracking" in the old DOS undelete did.http://free-backup.info/file-recovery-usin...s-undelete.htmlThis would be perfect, unfortunately it requires a DOS 5.22 to DOS 6.0 environment to run. I've been looking but have not come across a similar tool that works in our XP Setup environment.From http://www.computerhope.com/undelete.htmThis program / command was designed to only be run in MS-DOS versions 5.0 to 6.22. If you have upgraded to Windows 95, Windows 98, Windows NT, or any other Operating system, this command will not restore any information but may possibly cause additional issues with the Hard Drive if run. I hope we're not digressing too much here to chase this as a solution to the file move issue, especially since this was already "Plan B" Although my talents are limited in this area, I might look at what it would take to try to write something that approximates the undelete "tracker".I ahd thought that although it complicates things, maybe we could alternatively boot to DOS, XP Setup, then DOS again and use the existing undelete with tracking. However, the tracking has to be running when a file is deleted for it to be added to teh tracking file.Report.txt
hatsumi Posted November 25, 2006 Posted November 25, 2006 (edited) Here are some instructions you may find helpful:WeetHet USB Boot setupSo could this method not be used? After all the boot.bin is located in the nlite folder (if you have nlite installed!)use mkbt to set the usb key up and copy the contents of the cd over?I may try this just to see what happens Edit: never mind. My USB key is not interested in working with this. Edited November 25, 2006 by hatsumi
jaclaz Posted November 25, 2006 Posted November 25, 2006 So, for successful automatic undelete, the first character of all file names must be saved prior to deletion and then restored. I am assuming this is what "delete tracking" in the old DOS undelete did.Yep, that's what I was referring to originally, though I most probably suggested a WRONG method as a workaround, I simply forgot that files are not in ROOT, but rather in \I386, my bad.Most probably imaging more sectors will make the image too big for practical use.As said, deleted files 1st character is replaced by character "å", so, theoretically, all we need is a "database of deleted filenames/original filenames, something like:åDEFAULT.PI_ _DEFAULT.PI_å2520437.CP_ 12520437.CP_å2520850.CP_ 12520850.CP_å394.IN_ 1394.IN_...and an application capable (with direct access to disk) to replace the pairs, something like gsar:http://gnuwin32.sourceforge.net/packages/gsar.htm...but I seem not to be able to find any such program, though I am quite sure it must exist somewhere.Another possibility may, but I still have to experiment with it, the bunch of apps that you can find here:http://www.partitionsupport.com/index.htmlOne could make a small ramdisk, copy to it a few sectors copied from the stick, apply the gsar substitution to them, and copy them back to stick, but I have the feeling that the processing time would be huge........and off I go searching again for the right tool! jaclaz
porear Posted November 25, 2006 Posted November 25, 2006 ....and off I go searching again for the right tool!hehe and I as well. As a tip, I have found that the term "file system snapshot" is turning up some interesting results, but have not gotten in too deep yet.As said, deleted files 1st character is replaced by character "å", so, theoretically, all we need is a "database of deleted filenames/original filenames, something like:åDEFAULT.PI_ _DEFAULT.PI_å2520437.CP_ 12520437.CP_å2520850.CP_ 12520850.CP_å394.IN_ 1394.IN_and an application capable (with direct access to disk) to replace the pairs, something like gsar:http://gnuwin32.sourceforge.net/packages/gsar.htmThis might not actually be that hard to do. I know the 3,025 files in question that are deleted and could make the database easily. This database would contain only the filenames and not their locations, so a complete search would have to happen for each file.My only concern would be that if gsar searches the entire disk each time to make each replacement, this may be impractical for the time required. A more targeted approach that would use the FAT information to go straight to the file would use a fraction of this time.
porear Posted November 27, 2006 Posted November 27, 2006 Possible idea:Tiny Hexer athttp://www.mirkes.de/en/home.phpIt's free, it's scriptable. Maybe there is a (scriptable) way to feed it the text file listing of file names, search for the location of each of the file names on the disk, and record these locations in the text file with the names.Then... create a batch or script file to use dsfi to restore the first character of each file name after deletion based on the text file created above.What do you think?
Recommended Posts