Phoenix AZ Auto Repair | Find Auto Repair in Phoenix AZ

SolutionBase: Improve disaster recovery, learning to modify a disk in place

Preview modifying a diskl in place

As you know, Windows 9x is not known for stability. One of the things that can sometimes go wrong with Windows 9x is the corruption of the file system guide FAT32. Being able to work on the data in its place to help your ability to perform disaster recovery, as the enterprise data is stored in systems far FAT32 file in the old Windows 9x systems. You can work directly with the FAT32 file system with a disk editor to recover the files directly from disk. In some cases, may be able to quickly recover lost or damaged file work directly with the record that it was shipping to a service data recovery.

What does it take to change a disk in place

A unit editor with editing tools solids is important to get this job. Is.okpckit My personal favorite.
The creation of a unit of practice
Naturally, as they go through the steps of the depths, you will not want to harm the random data. So before practice on-site recovery, file, create Only a small FAT32 partition for this purpose.

Configuring.okpckit. for file recovery
A few. Okpckit. changes configuration easier rel = "nofollow" href = "http://www.okpckit.com/" <a target="_new"> recover FAT32 data systems </ a>. If you are using another disk editor, as many of these changes, since it allows.

Sure. okpckit . is not configured as a local publisher. If it were, all data changes are immediately saved to the media. In the Options menu, if context Editor is checked, uncheck it. This will allow changes to be committed to disk only when the option of saving them. Note that when working with files sensitive, you can also check the option marked used as a viewfinder, which is open every data write-protected. Leave this option unchecked, however, because we will be writing to the disk.

Then ensure that the details pane is open, select View | Show and control information Panel. This screen displays the necessary information on the disk. Each entry in the file allocation table has four bytes. To easily read the structure FAT32 as one group per line, WinHex game to display four bytes per row. Select View and click the arrow next to the option column least until the screen is four bytes wide. Along with the four hex entries will be four text entries.

FAT Support
To help to prevent disasters unrecoverable disk is a good practice to periodically back up your File Allocation Table. Why do this if the FAT file system already maintains a spare copy? The FAT 2 copy is stored immediately after FAT. Therefore, the same conditions that damage can damage FAT1 spare. For this why it is valuable for regular backup of FAT and store elsewhere.

The file allocation table for FAT32 begins at a place determined by the unit structure. The length of the table depends on disk size and format. The table should be large enough to contain entries for each group available disc (a group, remember, is the smallest unit used to store files). Fortunately, WinHex makes it unnecessary to carry out many of these calculations.

Access FAT 1
. In okpckit, open the test drive with FAT32 format by selecting Tools | Disk Editor and select the partition or drive in the hierarchy logical drives. In Figure A, we are selecting the test (E:) drive. Although it is possible to open the entire hard drive through the Physics list of media, you need the list of logical units access partitions. By physical means are read directly through the BIOS and do not contain the partition, and directory information from another disk format provided by the operating system under which WinHex is running.

Figure A

Double-click on the FAT32 partition or drive from the list of logical drives.

After loads of the unit, you will see a marked drop-down box access to the top of the window. Click the arrow to open and select FAT 1. The cursor will move to the beginning of the FAT table. Enter your starting address, in displacement 4000h (h = hexadecimal), Figure B. Access also allows you to move quickly to the boot sector, root directory, and other frequently used disk areas. One can interpret the boot sector and root directory via templates.

Figure B

Use Access to quickly move to a fat.

The Details pane contains much useful information, such as the drive letter, label, set files, and format disc structure. For example, Group B in the figure shows that the unit E, labeled test has a capacity of 36.9 MB and is formatted 512 bytes per cluster. It also shows the location as FAT 1.

Now use the shortcut menu to move to the back the FAT 2. Use the left arrow to go back a hexadecimal value. This is the last position of the FAT 1, in my case, 4CBFFh.

FAT block and a copy in a file.
To define a block containing the FAT 1, select Edit | Define block. At Block Definition dialog box, such as 4000h the start of the block and write your final address below.

Select Edit | Copy Block | posted in the file. Name the file, such as efat1copy. efat1copy Save to a different partition, otherwise it will not be accessible if the test drive or partition. Worse, it can overwrite the data you want to recover.

Congratulations. You just backup File Allocation Table. Now you can recover the file information in case of hard drive failure.

Backup boot sector
You can use the same steps to access and keep a copy up the boot sector on another partition or disk.

Disk destruction and reconstruction of 101
Here's a quick how to to work with a FAT file table corrupted. Write a small text file containing the text "this is a test file." Save it to your new partition FAT testfile.txt. Since the partition is empty, the system stores it in the cluster available in the first place.

In okpckit, use Access to navigate back to FAT. Use the down arrow to scroll through the file allocation table until you see your file, testfile.txt contained in the details pane, as shown in Figure C. Since it is a small file that will be contained in a cluster, and its FAT entry is marked only FF FF FF 0F, end-of-file flag. Panel indication Group 3: End indicates that this group is the end of a file.

Figure C

In this unit, testfile.txt is written in group 3 and is fully contained within it.

Damaging the FAT
Click the cursor in the first byte the hexagonal (no text) screen. Enter the following data: 00 00 00 00. Four of 00 bytes in the FAT tells the system that the proposed cluster contains free space. Note that editing is displayed in blue. Blue means a change has been made, but has not yet been saved.

Select File | Save. WinHex warn that the integrity of the unit could be seriously damaged. Click OK. Once again, click OK to close the second notice. The entry is now displayed in color black to show that it has committed to disk.

Use the text editor to try to open the file testfile.txt. You will be unable to open it, even though the name of file is visible in the root directory of the drive. This is because the entry points of the guide to allocate space and Windows returns an error.

Repairing the damage
Use okpckit restore FAT entry Group 3 0F FF FF FF and save the changes. Now you should be able to successfully open the file testfile.txt in your text editor.

If you can not open the file, make sure you have entered data in the hexagonal non-the-screen text area, and has entered correctly. You have now successfully restored by editing files on your hard disk.

What this lesson shows
Some viruses delete the two copies of the file allocation table, leaving disk data intact, including the phone book entries. This data is recoverable if it has not been overwritten, as in the situation just to emulate.

When FAT tables are cleared, either by disk failure, user error, virus or other disaster, you have few options to recover files:

• Restoring a backup. But often a backup is not available.
• Run a file recovery program. However, most file recovery programs can only restore files that are not fragmented. If so, only partial files of the first groups chain can be recovered.
• Recovery files manually using a good disk editor, copying the blocks in a new file in a different partition. While this option may be labor for many files, if you are looking for a critical file or two, is often the quickest and easiest way to go.

More information on the FAT entries navigation
Navigate to the beginning of a FAT. Now look at the display panel details. In the next section bottom of the panel you can find information about your location on the disk. Last scanned tells you when WinHex final reading groups in the unit under consideration. If there has been activity on the hard disk since it opened, you will need to scan. Select Tools | Disk Tools | Back to examine the cluster chains.

Note that the first four-byte entry is marked "reserved." The start of the FAT contains two special entries, F8 FF FF FF FF FF FF and FF, groups 0 and 1 reserve. The first group files is available for group 2.

From this moment, FAT32 entries of four bytes tell the operating system that:

• The cluster is the free space (00 00 00 00).
• The cluster is bad (F7 FF FF 0F).
• The cluster contains a file continues in another group. In that case, the hex value points to the cluster in the file continues.
• The cluster contains the end of a file (FF FF FF 0F).

Table FAT32, then, is simply a database of pointers to the clusters, where the direction of the FAT is equivalent to a cluster. Here's how you can calculate.

The reference group FAT32 address equals the address minus the offset to the start of the FAT table, divided by four (because there are four bytes per cluster). For example, an address 457Ch FAT32 cluster = 351 (December). The FAT is started on an address 4000h. 457Ch-4000h = 57Ch. 57Ch = 1404 (December) / 4 = 351. If the entry contains 00 00 00 00 h, then 351 is free space cluster.

Figure D shows a few entries from a normally dirty FAT (containing fragmented files). A dotted line to a file entry in the address 4034h, which is in group 13. The pointer the FAT is 0B 00 00 00. Therefore, the data in the group 13 is continuous, not 14, but in group 11 (OBH = 11d). The entry on line C, however, the direction flags 403Ch (group 15) as free space.

Figure D

Three entries in a FAT files shown fragmented as the basis FAT data data tracks on the disc.

The position of the cursor at offset 4034 (shown in line B) is interesting. Panel details 4034 offset shows a file called TechRepublic. This is really a directory entry. In the FAT32 file system, phone entries are files, too. As other files, the minimum space allocation is a cluster, and grow as needed, becoming fragmented, if there is space adjacent to the hotel.

Directory files contain information about files and subdirectories within them, as their names DOS 8.3, long file names, size, and start cluster. These 32 bytes of the entry in the guide, along with the FAT, you can retrieve files manually. File recovery programs also use this information to reconstruct as much of a file as they can.

The FAT directory reveals that TechRepublic is not continuous. His string of file begins in clusters 13 and jumps to the group 47406. The details pane does the calculation for you, which shows this step as "13> 47406."

However, the two bytes of the entry, 2E B9, seems to point to the group 11961. Why this difference? FAT32 flags are in reverse order, with the lower order byte to the left. The correct group, therefore, reads like 2E B9: 47,406.

Fast conversion
To quickly convert hex December, open the Windows calculator, select Start | Run, type calc, and press [Enter]. Switch to scientific mode, choose View | Sci. Click the Hex radio button. In the area entry, type the hexadecimal value, then click in December to perform the conversion. Or start with your decimal and hexadecimal click. (You can also conversion in Excel using the DEC2HEX HEX2DEC and functions.)

File recovery manually
Now you know all the information needed to recover FAT32 file system. If you have a backup of a fat cluster contains the string to a fragmented file lost, and to act quickly enough so that all or Most of the data have not been overwritten, you can retrieve the data, as in the following scenario.

Let's say you accidentally delete the only permanently copy of a file, HP Blade PC.doc (44 KB). You need this file to make a presentation to your CIO. How could an accident? Perhaps, as you took Telework coffee break his cat walked across your keyboard and press [Shift] [Delete] with their feet while the file is displayed in Windows Explorer. Hey, happened to me. Suspend for a moment the knowledge that Word creates a backup file recovery throughout the system. This example applies to the files where recovery automatic is not available.

Fortunately, even though you are behind on backing up your data, recently made a backup FAT cluster chain includes HP Blade PC.doc.

Figure E shows a partial list of the original cluster chain for the file before was deleted. In WinHex can obtain this list through WinHex Directory Browser. Access drop-down menu next to an icon of a folder and a file check box. Check the box to open WinHex Directory Browser. Navigate to the file. Double-click the name and opens a window that shows the cluster chain. Consider the two jumps in the sequence, from 4873 to 695 and 710-13472.

Figure E

HP Blade PC.doc is a fragmented file.

WinHex joins the chain as does the operating system, based on the input data directory and FAT.

Delete the file and re-analyzed cluster chains. When you scroll back to the file, WinHex shows your name beside a folder icon is lost, "to indicate it is deleted. Double-click the file name now appears continuous block groups from 4810 to 4896, equal to the length of the file (in fact, the FAT entry for cluster 4896 really belongs to another file). The jumps in chain cluster of fragmented file are not documented because FAT entries flags have been replaced by free space. This is encouraging, indicating that the system not all groups have overwritten with new data. In short, all or part of the data is recoverable.

This is where most programs no file recovery. Other programs with data search features can retrieve data based on keywords entered, but this can be laborious. But with a spare copy of FAT, you can succeed where recovery programs fail. You will need to overwrite the current table with the FAT backup.

First make a backup of the current by FAT (will have to restore it later). Call currentfat. Then open the copy of the backup FAT WinHex previously. Select All [Ctrl] A. Copy the block to the clipboard [Ctrl] C.

Place the cursor in the window of the affected unit at the beginning of a FAT. Clipboard Choose Data | | Edit writing. WinHex warns that the copied data is written to compensate 4000. Click OK. All FAT 1 is now shown in blue. Select File | Save and follow the instructions.

One step closer to resurrect the file. Using Explorer Directory, highlight the entry for the deleted file. Click it and select Go to the directory entry. WinHex screen moves the guide data for that input file.

In the position of the cursor can find the version of DOS 8.3 file name, with the first letter replaced by the entry hex E5. (E5 flags at the entrance to the guidance of a deleted file.) In the text input area, replace the character displayed by the first letter of the file name (in this case, H). A few lines above, you'll see that the first position of the input file name too long has been replaced by E5. In the area hexadecimal display, replace this with 01, as shown in Figure F. (See Figure 01 indicates a file name long input continue on another line.) Save the changes.

Figure F

Replace these two entries directory to retrieve the file in the eyes of the operating system.

It is now necessary to revisit the cluster chain. WinHex will give a warning. Click Cancel to dismiss it. The file appears in the Directory Browser not eliminated. Double-click the cluster and the chain of original pop up. Now, click the file name and select Recover / Copy. All strings are copied. Click OK to the original use of the file allocation table if possible system then copy the data to another partition or disk. The file is recovered.

Best partial recovery also
There is another advantage of this method of recovery. Although some groups file is overwritten in a single step to withdraw all remaining data, including data that can be left slack space in a cluster to a new file written ends. After retrieving the data, you may be able to clean and restore the file.

Now have to restore the FAT table to its original state. Replace the directory has changed E5 values ​​and hard copy of the FAT file properly. Save the changes to restore the disk as it was. If you receive an error message that the FAT tables are not identical, some disk activity must have occurred in the interim. In that case, a copy of FAT 2 FAT on 1.

Using this technique to change the disc, along with performing regular backups of a fat (sometimes even between backing up data) you will be able to recover files the next time you have an emergency disk.

About the Author

Amazing Intro [Thumbs Up For Template!]