| How to use.
Before starting RECON.
RECON is designed to enable you to recover data,
without writing to the volume you try to recover data from. In certain
scenario's, like recovering files from a deleted volume it is simply
impossible to write to the same volume since the operating system does
not assign a drive letter to the deleted partition. But in others,
writing to the same volume is possible, like for example, if you are
recovering from a volume that was accidently formatted.
Important! We strongly recommend NOT
to do this! By doing so, you might overwrite data that you are trying to
recover. Once this happens, this information can not be recovered
anymore.
RECON depends on the operating system you booted to store the recovered
files. So, any destination that gets a drive letter assigned by the
operating system can be used to store the recovered files. If the
operating system you boot is DOS6.22 for instance, only diskettes and
FAT16/FAT12 partitions can be used to store recovered files (and any
devices you load a device driver for such as ZIP disks, or network
shares). This implies, that if you intend to store files on a FAT32
partition, you must either boot Windows 95b or higher, or boot of a
diskette that was created from Windows 95b or higher.
Important! If you want to recover deleted files of a
healthy volume, it is best to NOT write to this volume anymore until you
have recovered the files. Therefor it is best to boot of a bootdiskette,
since starting Windows can result in write actions to the volume. For
help on creating bootable diskettes visit http://www.bootdisk.com.
Important! Do NOT copy RECON to the volume you are trying
to recover from, it might overwrite the data that you try to recover!
Loading device drivers for devices like ZIP drives, networks etc. is not
done by RECON. DIY DataRecovery can not assist in setting up device
drivers. For this refer to the documentation of the device. For creating
a boot diskette that enables you to write to a (NT/Novell) network drive
visit http://www.backmagic.de/download.htm
and look for the utility Netboot.
Hint: Concentrate the recovery on files that are,
really important, can not be restored from a backup, can not be
reinstalled and you can not live without. It is a waste of time to try
to recover files that can be restored from a backup or that can be
reinstalled.
Running RECON for the first time.
Note: This paragraph does not apply for the
trial, shareware version. This step can also be skipped when working
with the registered version if the build number is < 1.0.6.
When you run the full version of RECON for the first time, it will ask
for a blank formatted diskette to be inserted in the a: drive. You must do
this to in order to be able to use the program. After this 'write
protect' the diskette! Do NOT use this diskette to store recovered
files or any other files. It will only take a
second before RECON can be used. In the future, if you start RECON, it
will ask for this diskette again.
Hint: If you have copied all files from the ZIP file you
downloaded on to a blank formatted diskette, simply leave the diskette in. When you use RECON
again in the future, it will not ask for the diskette again if you run
it from this diskette.
Note: If you apply an update in the future, make sure you use
this diskette again.
Note: For your own use, you can make multiple diskettes with the
RECON signature. With the full version, you will always be able to
generate diskettes again by repeating the above steps.
RECON is a character based console application, meaning there is no graphical user
interface and there are no menu's. It still is rather easy to use,
people who have worked with DOS before have a slight advantage. Do not
let this frighten you, using RECON will not make things worse, it is
rather safe to experiment.
You can start the program in WIN9X/WINME by double clicking Recon.exe
and from DOS by typing Recon [enter] on the command prompt. Once the
program starts it will notify you that it is ready to process input by
displaying the RECON prompt:
If you select the [help] command, all possible commands are listed:
We'll now address all comands one by one in the order they are
listed. If you are in a hurry, jump to quickstart.
*General* - commands not directly related to data recovery -
- [quit] - Quits the program and gets you back to the command
interpreter, or the environment you started the program from.
- [cls] - Clears the screen in the recovery console. So
leaves you with a blank screen with the RECON command prompt.
- [help] - Displays the command reference.
- [about] - Displays about info on RECON, build number,
registered version or not, copyrights etc.
- [shell] - Shells to a DOS command prompt. This way you can
create directories to store recovered files and check recovered
files etc. When you are done, simply type, exit [enter] to return to
the recovery console again. For instance use the [shell] option to
set the active directory. If you intend to store
recovered files on the volume that has drive letter d: assigned, use
[shell] to go a command prompt, from there type d:[enter], you can
now make a directory entering; md rescued [enter], change to the
directory by typing; cd rescued [enter], type exit [enter] to return
to the recovery console. If you enter the name of the file to be
recovered; rescueme.tst [enter], it will be written to
'd:\rescued\rescueme.tst'.
- [debug] - In general it is advised not to enable debug
mode. It will make the program slow and present you with a lot of
information that is used internally by the program, that will not
help the actual recovery of files. Once you have switched the
program to debug mode, you cannot switch it back, other then by
ending the program and restarting it. Only use the option when it is
requested by technical support.
*Mount Volume* - commands that allow volumes to be accesses by
the program -
- [showvol] - This command provokes a sequence of sub
procedure's. First of all, RECON will querry the bios and try to
determine which devices are connected to the computer that can be
accessed through the bios int13h functions. In general, all devices
that are detected by FDISK will show up here.
Important! For SCSI devices you must enable the option
'int13h' in the setup of the SCSI adapter.
RECON counts the devices 'zero-based'. So the first device will be
numbered '0', the second '1' etc ... For the devices the drive
geometry is also shown. If this is done, you have two choices; [s] -
to select a device you want RECON to scan for FAT(12/16/32) volumes
and [q] - to stop the detection at this point. The option [s] will
read the primary and extended partition tables, and determine if
partitions of any of the FAT types are defined. So, RECON will not
detect deleted volumes! Use this option if you want to recover data
from healthy, corrupt or (un)formatted volumes.
Volumes will not be identified by a drive letter in RECON. They will
be listed in the order in which they are defined in the partition
tables. So you must be aware of which physical volume you want to
recover data from. For instance, if something happened to the volume
that is normally identified as 'c:', it will be the first volume
found on the first physical drive.
- [mountvol] - This command mounts a volume that was detected
using the [showvol] command and deleted volumes that are not defined
in the partition tables. You will be asked to enter some parameters
that define the volume: The physical drive that the volume is on,
simply enter the number as shown by [showvol] - the start cylinder,
head and sector as shown by [showvol]. Enter the numbers at the
'>' prompt. After you have entered the values, RECON will examine
the bootsector for the volume and display some information about it.
If the volume can be mounted, a message will display; "Volume
mounted, current location is 'root'."
Important! If RECON displays error messages at this
point, or the program crashes, it is likely that the information in
the bootsector is corrupt. Start RECON again and use the [mountadv]
command to mount the volume.
- [mountadv] - This powerful command mounts volumes without
using the information in the bootsector of the volume. It allows
severely corrupted volumes to be mounted, and thus, data recovery of
those volumes. RECON will use pattern recognition to determine the
volumes variables and defaults as they are used in general by the
operating and file - system.
The [mountadv] command allows additional input from the user. Apart
from the physical drive, start cylinder,head and sector, it requires
the number of sectors to be entered as shown by the [showvol]
command. If the volume was mounted, a message will display;
"Volume mounted, current location is 'root'."
Important! Once the volume is mounted and the 'root'
appears to be empty or contains garbage, the location of the root
was 'non-standard'. This can occur when partitioning tools like
PartitionMagic were used. Refer to the paragraph 'trouble shooting'
for instructions on finding the rootfolder.
- [mountflop] - Mounting a diskette can be done with this
command. A diskette can be mounted to recover a deleted file from a
healthy diskette, or to recover data from a reformatted or corrupt
diskette. RECON will use default values for 1.44 Mb formatted
diskettes. No further user input is required. RECON will only look
for diskettes in the a: drive. Make sure a diskette is inserted when
using the command.
*View* - ways a sector can be displayed -
- [ashex] - RECON always reads per sector. One sector
consists of 512 bytes. These 512 butes are stored in a buffer, and
the contents of the buffer can be made visible for the user. [ashex]
is the rawest form RECON can present the information. Three columns
are shown. The first one is generated by RECON and displays the
offset of the first byte on the following row within the sector. It
is not information that is actually on the drive. The second part is
also devided into columns. The hex - values are paired by byte
(columns) value. The last column is generated by RECON. It displays
the (hex) - information as it was found on the drive as ascii
characters, aka 'readable' text.
- [asdir] - This option displays the sector, as if it were a
directory. This view is te most usefull for the recovery of data and
navigating the volume. The information from the raw sector is
interpreted and translated to a readable output. This information is
a lot easier to use for navigating the volume and recovering data.
The information is devided into columns. The first column displays
the file and directory names. These are displayed without the period
between the name and the extension that you are used to seeing in
DOS. The second column displays the startcluster for the
file/directory. This value is required to find the file/directory
within the volume. Next, the size in bytes for the file is
displayed. For directories this value is always zero. The last
column can be empty, or display '?dir' when the entry is probably a
(sub) directory.
*Navigate/Rescue*
- [next] - Reads the next sector into the memory buffer so it
can be displayes with [ashex] or [asdir]. As mentioned before, RECON
only reads one sector at the time into memory. If you are for
instance viewing a sector as directory, 16 directory entries is the
maximum that will be displayed. The reason is, that one sector can
only contain 16 entries. The directory can be larger though. To view
the next 16 entries, use the [next] command to read the next sector,
wait for RECON to respond with 'OK...', and the [asdir] command to
view it as a directory again.
- [goto] - Allows a cluster number to be entered, from which
the first sector will be read into the memory buffer. So, if you
find yourself in the root directory for instance, and you want to go
to the subdirectory 'data', use [goto][enter], and enter the
startcluster that is shown for 'data'. Wait for the 'OK...' and use
[asdir] to view the sector as a directory. If you find yourself in a
sub directory, and you want to go one level 'back' to the parent
directory, enter the startcluster of the '..' entry.
- [root] - If you lost track of where you are, the [root]
command is a quick way to return to the root of the mounted volume.
After 'OK...' use [asdir] to diplay the root again.
Important: If the volume was reformatted, or
[mountadv] was used and the root is not on the default location, the
root is empty or contains garbage.
- [finddir] - If the volume was reformatted, or [mountadv]
was used and the root is not on the default location, the root is
empty or contains garbage. The command [finddir] can be used to
locate sub directories. No further user input is required. When
RECON finds a sub directory, it will display at what cluster it was
found, read it into memory and display it as a directory. [finddir]
can also be used to copy files out deleted directories.
- [copyfl] - This is the command you can finally save your
file with. You will be asked to enter the file number (as shown by
RECON in the directory list) and the destination path/filename. If
no path is entered, the file will be written to the active
directory. Use the [shell] option to set the active directory. For
instance, if you intend to store recovered files on the volume that
has drive letter d: assigned, use [shell] to go a command prompt,
from there type d:[enter], you can now make a directory entering; md
rescues [enter], change to the directory by typing; cd rescued
[enter], type exit [enter] to return to the recovery console. If you
enter the name of the file to be recovered; rescueme.tst [enter], it
will be written to 'd:\rescued\rescueme.tst'.
*advanced* - advanced mount and volume detection options -
- [scan4vol] - In case you want to recover data from a
deleted FAT16 or FAT32 volume, you need a way to determine the start
values for that volume. The command [showvol] only lists volumes
that are defined in the partition tables. An important property for
a deleted volume is, is that it is not defined in the partition
tables. [scan4vol] will ask the user to enter the number for the
physical device that has to be scanned. Remember that RECON counts
devices zero-based. So to scan the first physical device, enter '0'.
The scan may take several minutes depending on the harddrive size.
When the start of a volume is found, RECON tells the start values
for the volume (which are required to mount the volume) and it will
try to read the bootsector for the volume and displays the
information it found there. If you had set a label for the volume,
this will help identifying the volume.
- [setparm] - Only use this option when the following
commands for mounting a volume have failed: [mountvol] and
[mountadv]. [setparm] requires all values that are used by the
program to mount and navigate a volume to be entered manually. For
using this option, a good understanding of the inner workings of a
FAT16 or FAT32 volume are required. If you need technical support on
using this command, a RepoMan log (FUL-mode, see The E-mail support notification)
is required. Since this often requires a detailed analysis of the
problem, support will only be available for registered users.
Quickstart:
Running RECON for the first time.
Note: This paragraph does not apply for the
trial, shareware version. This step can also be skipped when working
with the registered version if the build number is < 1.0.6.
When you run the full version of RECON for the first time, it will ask
for a blank formatted diskette to be inserted in the a: drive. You must do
this to in order to be able to use the program. After this 'write
protect' the diskette! Do NOT use this diskette to store recovered
files or any other files. It will only take a
second before RECON can be used. In the future, if you start RECON, it
will ask for this diskette again.
Hint: If you have copied all files from the ZIP file you
downloaded on to a blank formatted diskette, simply leave the diskette in. When you use RECON
again in the future, it will not ask for the diskette again if you run
it from this diskette.
Note: If you apply an update in the future, make sure you use
this diskette again.
Note: For your own use, you can make multiple diskettes with the
RECON signature. With the full version, you will always be able to
generate diskettes again by repeating the above steps.
Important note! If you want to recover deleted files, do NOT copy RECON
to the harddrive! Also, do NOT start Windows! Both actions might
overwrite the information you want to recover.
Hint: Concentrate the recovery on files that are, really
important, can not be restored from a backup, can not be reinstalled and
you can not live without. It is a waste of time to try to recover files
that can be restored from a backup or that can be reinstalled.
- Once you have started the program and want to start exploring a
volume there are a couple of steps you have to go through. First of
all the physical device you want to recover from has to be selected.
The command [showvol] displays all these devices. So type: showvol
[enter] at the RECON\> command prompt. RECON lists the devices by
number and displays the geometry information. RECON counts the
devices 'zero-based'. By pressing [s] you can select one of the
devices found, so, if you want to recover data from the first
harddrive in the system, select 0 (zero). RECON will now examine the
partition tables and look for FAT12 - FAT16 - and FAT32 partitions,
it will display volumes that meet the criteria and the start
cylinder/head/sector and the number of sectors. These are required
for the next step:
(Note: For mounting a diskette, simply use the [mountflop] command)
- Mounting a volume can be done by selecting the [mountvol] command.
The program will ask for the physical drive number, the start
cylinder, head and sector. If you don't know what this means, don't
worry, you can enter them as RECON shows them in step 1.
For example:
For mounting a volume, CHS start values and disk are required:
Enter physical device no.>0
Enter the start cylinder>0
Enter the start head>1
Enter the start sector>1
Once you have received the message; Volume mounted, current location is
'root', you are ready to browse the volume.
(Note: This is not required to mount a diskette)
- For navigating the volume, a few commands are available. [root]
will always return you to the root directory. The command [asdir]
will display the contents of the root directory (Note: if the volume
was reformatted, the root directory does NOT contain valid
information, it was 'reinitialized' by the format command). [goto]
allows you to jump to a subdirectory. It will ask for a cluster
number, enter the number that is listed under 'start' for the
directory. Directories are the entries marked '?dir'. RECON displays
always information per sector. One sector can only contain 16
entries, although a directory can be larger than one sector. Using
the [next] command RECON reads the next sector in to memory, [asdir]
displays the sector as a directory again.
If the root directory appears to be empty (because the volume was
re-formatted) you can find directories using the [finddir] command.
If RECON finds a directory, the first 16 entries will be diplayed.
RECON also tells in which cluster the directory structure was found.
- Recovering a file is done using the [copyfl] command. You wil be
asked to enter the number for the entry, and the full path to where
the file should be written to. So if you are recovering a deleted
file from the volume c: (as assigned by the operating system), you
can enter for instance d:\filename.ext for the destination
file.
Important! Never select the c:\volume if you are recovering from the
c:\volume !
Important! The file must be written to a location that can be
accessed by the operating system you have booted from ! So, if a DOS
6.22 diskette was used to boot from FAT32 partitions can NOT be
accessed!
Scenario's - tutorial
General : Steps that are always required.
Step 1: - determining volume start parameters.
No matter what the situation is you are in, to recover data from a
volume, some steps are always required. The volume you try to recover
data from, always has to be mounted first. And to mount the volume,
you'll need the start values. It depends on the situation which comand
you use to determine the start values for the volume. If the volume is
still defined in the partition tables, the [showvol] command can provide
you with the information needed to mount the volume. This is the case
when you want to recover:
- deleted files from a healthy volume
- files from a re or un-formatted volume
- files from an accidently fdisk-ed volume
- files from a corrupt volume (corrupt bootsector, file allocation
table etc.)
- files from a hidden volume
When the [showvol] command is selected, you'll be stepped through
several steps. The program first displays all physical devices it
detects. Physical devices may be IDE/SCSI harddrives, but also removable
devices that can be accessed through the bios like ZIP and JAZ
drives.
Once the devices are listed [q] will quit the routine. To scan the
partition tables for a device press [s] and enter the number for the
physical device. All FAT12, FAT16 and FAT32 volumes that are found will
listed together with the parameters required to mount the volume. Press
[q] to exit this routine.
Note: ZIP and JAZ drives (in general) do not have
partition tables. Scanning them for partitions may have unexpected and
unwanted results. To mount such a device, read on.
Note: The diskette drive is never listed! Use the
[mountflop] command to mount a diskette.
In scenario's where the partition is not defined in the partition
table anymore, use the advanced command [scan4vol] to determine the
volume's parameters. This is the case when you are dealing with deleted
partitions. When you type the [scan4vol] command you are asked to enter
the physical device you want to scan. The scan may take several minutes
depending on the harddrive size. When the start of a volume is found,
RECON tells the start values for the volume (which are required to mount
the volume) and it will try to read the bootsector for the volume and
displays the information it found there. If you had set a label for the
volume, this will help identifying the volume.
Note: the [scan4vol] command can also be used to detect
PqRP partitions.
Step 2: - Mounting the volume.
When you have determined the start parameters for the volume you
want to recover files from, you are ready to mount the volume. The
standard command for mounting a volume is [mountvol]. RECON will ask for
the physical device the volume is on, and the start cylinder, head and
sector. Use the values as you have found them in step 1. RECON will now
determine the file system parameters by reading the volume's bootsector.
It will show those values, and if the volume was mounted succesfully,
the message 'volume mounted, current location is root' will be
displayed.
When you suspect the bootsector to be corrupt, or the volume is shown by
your operating system as 'unformatted', or the [mountvol] command mounts
the volume incorrectly or produces an error message ('error 6:overflow'
or 'error 11:devision by zero' can occur), use the [mountadv] option.
Like the [mountvol] command, the [mountadv] command also requires the
user to enter the start cylinder, head and sector, but it also requires
the number of sectors for that volume to be entered. Both the [showvol]
as the [scan4vol] show you this value. After the values are entered
RECON tries to mount the volume without using the values in the
bootsector, using defaults and pattern recognition to determine the file
system parameters.
ZIP and JAZ drives, that are can be accessed through the bios can be
mounted as well. Enter the physical device number as shown in the
initial step of the [showvol] command. For start values enter 0 for
cylinder, 0 for head and 1 for sector.
When mounting a volume with one of the commands described above
fails, or, when navigating the volume after having mounted it is
impossible (when going to a sub-directory for instance doesn't get you
there, as the [asdir] command does not display a subdirectory) then
either, the bootsector information is incorrect (using the [mountvol]
command), or, RECON was not able to calculate the correct filesystem
parameters (using the [mountadv] command). The command [setparm] allows
the user to mount a volume by entering all values required to mount and
navigate a volume manually. For using this option, a good understanding
of the inner workings of a FAT16 or FAT32 volume are required. If you
need technical support on using this command, a RepoMan log (FUL-mode,
see The E-mail support notification) is required.
Since this often requires a detailed analysis of the problem, support on
using this option will only be available for registered users. I will
add a tutorial for using this option in the 'recovery guides' section of
our website.
Note: No matter how you mount the volume, if a volume
is mounted that is displayed by your operating system as unformatted or
you have accidently reformatted a volume, the root directory may be
empty or contains garbage. This is caused by the fact, that a format
resets the root directory entries to be empty. When using the [mountadv]
command, a default value for the location of the root-directory is used.
If the position of the root is non-default, RECON will show the root
containing garbage. This does not prevent recovery from files located in
sub-directories. Refer to step 3 for instructions on finding those
sub-directories.
Step 3: - Navigating the volume.
Once you have mounted he volume, the file system can be 'browsed',
the view options are avialable, and files can be copied from the mounted
volume to a destination that can be accessed by the operating system you
have booted.
When RECON reports the volume to be mounted and the current location to
be the root-directory, the directory can be displayed by using the
[asdir] command. Maximum 16 files and folders are listed. In this
version of RECON, long file names are not filtered, and they are
displayed as well. You can ignore them, as there is nothing you can do
with them. Sometimes the root-directory is not displayed or contains
garbage, refer to step 2 for possible causes for this.
RECON reads the mounted volume per sector. Per sector, only 16 directory
entries are possible. If you expect more entries in the root-directory,
or any other directory, use the [next] command to read the next sector.
RECON will display 'ok...' when the next sector was read. Use [asdir] to
display the sector as a directory again.
The [asdir] command lists the entries in four columns:
NAME .EXT START
SIZE
--------------
--------- ----------
In the column 'NAME.EXT', the filename + the extension is shown. The
period you are used to seeing in DOS is not present since it is not
really in the directory entry. It is the way DOS presents it (with the
dot). The space between the name and the extension is filled with
spaces. In total 11 characters are available for name space. The column
'START' displays the start cluster for the file or sub-directory. For
going to a sub-directory use the [goto] command. You'll be asked to
enter the start cluster for that directory, enter the start cluster as
displayed by RECON. The message 'ok...' will be displayed when the
sector is read in to memory, the command [asdir] displays it as
directory. The command [root] will always take you back to the
root-directory.
In case the root-directory is empty or contains garbage, use the
[finddir] command to scan the volume for lost sub-directories. When a
directory structure is found, RECON displays the cluster number and
displays the contents of the directory. From there, use the [goto]
command to jump to subdirectories, or use the [finddir] command to
continue scanning the volume for sub-directories.
Step 4: - Copying files to a safe location.
For recovering files, you need a location where you can store those
files.
Important! We strongly advise to copy the files to a
different volume than the one you are recovering from, even when the
volume you are recovering from is accessable and gets a drive letter
assigned by the operating system you booted!
It depends on the operating system you boot, and device drivers that you
load in the operating systems startup files which destinations for the
recovered files are available. For example, if you boot DOS 6.22, FAT32
partitions do not get a drive letter assigned and are not available as a
destination. You can still recover from a FAT32 partition.
If you want to store recovered files to a removable device such as a ZIP
drive, you first need to install the device drivers for that device.
Refer to the documentation for the device for instructions. Read the
paragraph 'before starting RECON' for some suggestions on creating
bootdisks, and bootdisks with network access.
Important! RECON does not support drive spanning! This
means, that if you are working with removable devices as a destination
such as ZIP disks or floppy disks, and the destination is full, you'll
receive an error, 'error 61: the disk is full...'.
Once you have the destination set up you can access the destination from
RECON using the [shell] command. Using the this command, you can set the
'active directory', create sub-directories for storing the recovered
files etc. Some examples: (For a complete description of available
commands, refer to your DOS manual.)
1. md dirname [enter] - creates a directory with the name 'dirname'.
(replace dirname...)
2. driveletter: [enter] - changes to the specified drive letter.
(replace driveletter by a:, d: etc...)
3. cd dirname [enter] - changes to the directory name specified in
dirname. It also sets the 'active directory'.
4. dir [enter] - displays the contents of the active directory.
To return to RECON, enter 'exit' at the DOS command prompt.
Copying files from the mounted volume to the safe location is done with
the [copyfl] command. The user will be asked to enter the file number,
which is the number in front of the file as assigned by RECON using the
[asdir] command, and a path/filename. The filename, is the filename you
want the recovered file to be named. When assigning a name, we have to
follow DOS conventions, meaning the '8.3' naming convention: DOS allows
maximum 8 characters for a filename, and 3 for the extension.
When entering the path/filename, you must enter the full path. If you
want to write the recovered file to d:\dirname\subdir\filename.ext, you
must enter the complete line.
Hint: When you have set the 'active directory' to be
d:\dirname\subdir using the [shell] command. You then only have to enter
the filename and the extension, and the file will be copied to
d:\dirname\subdir\filename.ext. So, if you want to write a recovered
file from a mounted volume to diskette, use [shell] to shell to DOS,
from the DOS command prompt do a: [enter] and type exit [enter] to
return to RECON. You then type for file/pathname the filename, which be
copied to the a: drive which is the active directory.
Once you have copied the file, RECON will display the message 'one
file copied' and the current directory again.
Hint: Concentrate the recovery on files that are, really
important, can not be restored from a backup, can not be reinstalled and
you can not live without. It is a waste of time to try to recover files
that can be restored from a backup or that can be reinstalled.
Scenario 1: Recovering deleted files from a healthy volume.
When you delete a file, the contents of the file are not really
deleted. This implies, that as long as the clusters that make up a file
are not written to again, recovery of a file is possible. When the
operating system deleted a file, it marks the clusters that were
occupied by the file as being available for new data, and it replaces
the first character of the file name in the directory entry with E5h
which is represented by a 'ò' symbol.
Now assume the file example.del in the directory 'd:\test' is deleted
and must be recovered. The directory is located on the first harddrive.
Since the volume is intact we can use [showvol] to display all FAT type
volumes. When we have the values the [mountvol] command can be used to
mount the volume. Once the message, Volume mounted, current location is 'root', is
displayed we can view the root directory by using the [asdir]
command.
Now locate the entry for the directory test, it will be marked '?dir' in
the last column. Use the [goto] command and enter the cluster number for
'test'. Wait for the 'OK...' and type [asdir]. Look for your file that
was deleted which should look something like 'òxample.del'.
The [copyfl] command allows you to copy the file to a safe location (do
NOT write to the same volume that you are recovering from!), for
instance, enter 'c:\example.del' as destination.
Scenario 2: Recovering files from a re-formatted volume.
When a volume is formatted, key area's for the file system book
keeping are reinitialized. Depending on the format type, a surface test
of the area to be formatted will be performed. Apart from these book
keeping area's no data is overwritten.
Hint: A so called 'low-level' format does overwrite
all information on the harddrive. On modern harddrives, low-level
formats are not required. All format utilities that are bundled with
your operating system have nothing to do with low-level formatting. Most
of the times, for a low-level format you are required to download a
program of your harddrives manufacturers website. Also,
(commercial) data-erasure software is based on the primciple of
overwriting data on the harddrive so it can not be recovered.
Knowing this, it must be possible to recover the data. If a volume was
reformatted, the information in the partition table is still valid. It
is important to know that a formatted volume does get a drive letter
assigned by the operating system and that data can be stored on the
volume. Be aware of this when picking a destination for your recovered
files!
Since the partition table information is valid, the [showvol] command
can be used to determine the start values for the volume. Once you have
identified the correct volume use [mountvol] to mount the volume.
Once the volume is mounted, the [asdir] command probably shows an empty
root directory (as it was reinitialized by the format operation).
Sometimes, the folder 'recycled' is shown which was created while
Windows was started. Now the serach for directories starts. For this the
[finddir] command is used. RECON will tell that it is scanning for
directories. As soon as it finds one, it will show in what cluster the
directory was found and display the first 16 entries for that directory.
If all 16 entries are used, chances are that the directory is larger
then just the one sector and the [next], and the [asdir] - command can
be used to verify that. If you recognize the directory, and know where
it is normally located in the directory tree you can use the [goto]
command to jump to the parent folder (marked by '..') or subdirectories.
You can also use [finddir] again to start scanning for lost directories
again. Once located files you want to recover, use the [copyfl] command
to move them to a safe location (remember not to write to the
re-formatted volume!).
Scenario 3. Recovering files from a volume that is identified as
un-formatted by the operating system.
There can be various reasons for a volume to be seen as un-formatted
by the operating system. One of them is, you deleted a volume with FDISK
and tried to recreate it in the free space of the previous volume. If
you didn't use FDISK, it is likely that the bootsector is corrupt (and
maybe other file system 'book-keeping' area's).
Since the volume is still defined in the partition table, the [showvol]
command can be used to determine the start values for it. We assume that
the information in the bootsector can not be trusted, with the
[mountadv] command a volume can be mounted while RECON will try to
determine the right values for navigating the volume. Apart from the
values that are required for the [mountvol] command, the drive number
and the start cylinder/head/sector an additonal value is required; the
number of sectors for the volume. All these values can be entered as
they are shown by the [showvol] command.
Once the volume is mounted, the [asdir] command can be used to determine
to see if the root directory was found. If not, the root directory is
damaged, or stored on a non-default location, use the [finddir] command
to scan for lost direcories. If the root directory is present, or the
[finddir] command shows you the first directory it found, check if the
volume was mounted correctly: Do this by using the [goto] command and
enter the start cluster for a sub directory of the directory you are
currently in. Then use the [asdir] command to see if you are actually in
the subdirectory. If all seems okay, you can proceed as described in
scenario 2.
If not, sent the following information to support@diydatarecovery.nl
so we can determnine the cause and solution for this. A partinfo and a
RepoMan FUL scan. Refer to The E-mail support notification
for instructions on making these reports.
The probable cause is one of the following:
- The partition table entry is invalid, therefor the wrong start sector
is interpreted as bootsector by the operating system.
- The drive translation has changed in the bios of the computer and
therefor the partition tables do not reflect the current geometry.
With the diagnostic reports this issue can be resolved by, determining
the right start values for the partition, or re-configuring the
harddrive in the bios - setup.
More scenario's may be made available on the website (recovery
guides), or may be found on the online forum.
|