Win32 Windows Volume Program and Code Example 26

 

 

 

 

 

Next, open the DeletedFile.txt.

 

Another Day, Another MFT Program Example: List, Recover and Delete the Deleted Files from Master File Table - a list of deleted files should be stored in the DeletedFile.txt

 

Then let try to recover a file.

 

Another Day, Another MFT Program Example: List, Recover and Delete the Deleted Files from Master File Table - a list of deleted file names, file size and the reference indices

 

From the DeletedFile.txt, we choose one file. In this case, TECHNOTE.TXT (with index 416394). Then we re-run the program with the index and file name as the arguments.

 

Another Day, Another MFT Program Example: List, Recover and Delete the Deleted Files from Master File Table - running the program to recover a deleted text file

 

The recovered file should be stored under the project's Debug folder.

 

Another Day, Another MFT Program Example: List, Recover and Delete the Deleted Files from Master File Table - the recovered file content

 

The next task is to delete the file reference in MFT. By using the index we re-run the program with the index as an argument.

 

Another Day, Another MFT Program Example: List, Recover and Delete the Deleted Files from Master File Table - removing the deleted file reference in MFT

 

Then, let verify the previous task. Re-run the program to recover the same file as done previously.

 

Another Day, Another MFT Program Example: List, Recover and Delete the Deleted Files from Master File Table - retry to recover the previously deleted file reference in MFT

 

Re-open the recovered file. As shown in the following Figure, the files content is filled with 0. Just zeroing out the 'content' huh?

 

Another Day, Another MFT Program Example: List, Recover and Delete the Deleted Files from Master File Table - the deleted file in MFT shows the file content with zeros

 

More information for Windows MFT can be found in the following links:

 

1.      NTFS On-Disk Structures - Visual Basic NTFS Programmer’s Guide by Alex Ionescu (pdf)

2.      NTFS Documentation - the Linux NTFS driver by Richard Russon and Yuval Fledel (pdf)

3.      ReactOS – The Windows clone project.

4.      Windows ® Internals, Fifth Edition

5.      NTFS On-Disk Structures – C code and older version compared to no. 1 (pdf).

 

Windows Master Boot Record (MBR)

 

There is 'no' information to extract or manipulate the Windows MBR data in MSDN. Many people use Hex editor to view the MBR. Most of the headers dealing with MBR are available in Windows Driver Kit (WDK). However, there are many headers and libraries created by third party and individual for Windows MBR. For Windows 7 and Server 2008 R2, FSCTL_GET_BOOT_AREA_INFO control code can be used together with BOOT_AREA_INFO structure to retrieve the locations of boot sectors for a volume. Hopefully, the libraries will be expanded for more features in the future. The following list redirects you for more information on Windows MBR.

 

  1. CodeProject: How to develop your own Boot Loader
  2. Official WDK and Developer Tools Home
  3. Windows Driver Kit (WDK) Documentation Blog
  4. TestDisk: A very nice multi OS data recovery – for MBR and MFT.

 

 

 

  < Windows Volume 25 | Win32 Programming Index | Windows Volume Index | Windows Volume 27 >