Data Protection and Recovery Techniques Part 4: Using Norton Disk Editor
Data Protection and Recovery Techniques
Part 4: Using Norton Disk Editor
Learning to use Norton Disk Editor to learn more about what's on your hard disk drive and recover information that even common data-recovery thinks is "lost."
Introduction
In the previous three parts of this series, Ive discussed how to use various products to retrieve "lost" data. Products such as Norton Unerase, Ontrack Fix-It Utilities, and professional data-recovery programs can work because unless data is overwritten, it isnt really "lost", even if the Windows Explorer or a command such as DIR cant display the file.
In my PC hardware and Data Recovery seminars, I use the Norton Disk Editor; an often-neglected program thats part of the Norton Utilities and Norton SystemWorks, to explore drives. I also use Disk Editor to retrieve "lost" data. Because Disk Editor is a manual tool, it can sometimes be useful even when friendlier automatic programs dont work. And, because Disk Editor displays the structure of your drive in a way other programs dont (they hide the details of the drive structure from you), its a perfect tool for learning more about disk drive structures as well as recovering "lost" data. In this article, youll learn how you can use Norton Disk Editor to display drive and file information and recover "lost" data.
Locating the Disk Editor Files
If you have Norton SystemWorks, SystemWorks Professional, or Norton Utilities for Windows, you have the Norton Disk Editor. To determine if its installed on your system, look in the Norton Utilities folder under the Program Files folder for the following files:
DISKEDIT.EXE and DISKEDIT.HLP
If you dont find these files on your hard disk, you can run them directly from the Norton installation CD. If you have SystemWorks or SystemWorks Professional, look for the CD folder called, "NU," to locate these files.
DISKEDIT is a DOS command line-based program, and it is designed primarily to access FAT-based file systems such as FAT12 (floppy disks), FAT16 (MS-DOS and early Windows 95 hard disks), and FAT32 (Windows 95B/Windows 98/Me hard disks). You can use DISKEDIT with the NTFS-based file systems usually found in Windows NT, Windows 2000, and Windows XP. Unfortunately, the file viewing functions will work only if you prepared the hard disks with the FAT16 or FAT32 file systems. On the other hand, DISKEDIT works fine as a pure sector editor no matter what file system is used on the drive, and is still extremely useful even on NTFS-format drives.
For example, I recently used DISKEDIT to recover an entire 120GB hard drive that was originally formatted using NTFS under Windows XP. The drive was mounted in a Firewire external enclosure and connected to a system when Windows suddenly was unable to read it, recognizing the drive as new/unformatted and offering to format it instead! All of the files and data seemed lost. This was quite horrifying to the user, a student who had several semesters' worth of multimedia and web design projects stored on the drive.
While he was thinking that the time-honored, "The dog ate my hard drive," excuse probably wouldn't go over well with the professors, I removed the drive from the Firewire enclosure, installed it in a system as a primary master ATA drive, and then booted from a floppy disk containing DISKEDIT. I was able to inspect the master boot record and partition boot sector, and I found that something had overwritten the partition boot sector with zeros. While it would be possible (but tedious) to rebuild a partition boot sector from scratch, there was a much easier way.
Knowing that NTFS stores a duplicate (backup) partition boot sector at the end of the partition, using DISKEDIT I merely selected the last sector of the partition and copied it to the first sector in the partition. After replacing the drive in the Firewire enclosure and reconnecting to the, the entire drive was fully accessible as if nothing had happened. Needless to say the individual who owned the drive (which had an entire semester of school work in multimedia and web design) was elated! The entire operation was less than 5 minutes from zero to hero. <g>
The ability to directly edit any sector anywhere on any drive is powerful, and with that power comes danger. I strongly recommend that you first use Disk Editor with floppy disks you have prepared with non-critical files before you use it with a hard disk or with vital files. Because Disk Editor is a completely manual program, the potential for causing new, and devastating, errors is high.
Preparing to Use Disk Editor
The DISKEDIT files can easily fit on a floppy disk, but if you are new to the program, you might want to put them on a different drive than the one you will be examining or repairing. Never copy DISKEDIT files to a drive that contains data you are trying to recover, since the files might overwrite the data area when copied to the disk. For example, if you are planning to examine or repair floppy disks, create a folder on your hard disk called DISKEDIT and copy the files to that folder.
You can use Disk Editor without a mouse, using keyboard commands, but if you want to use it with a mouse, you can do so if your mouse attaches to the serial or PS/2 mouse ports. (USB mice generally dont work from the command prompt, but if your USB mouse has a PS/2 mouse port adapter, you can use it). You must load an MS-DOS mouse driver (usually MOUSE.COM) for your mouse before you start Disk Editor. If you have a Logitech mouse, you can download an MS-DOS mouse driver from the Logitech website (www.logitech.com). If you have a Microsoft mouse, Microsoft doesnt provide MS-DOS drivers you can download, but you can get them from the following website:
http://www.bootdisk.com/readme.htm#mouse
For other mice, try the Microsoft or Logitech drivers, or contact the vendor for drivers. Keep in mind that scroll wheels and other buttons wont work with an MS-DOS driver.
I recommend you copy your mouse driver to the same folder where Disk Editor is located.
Starting Disk Editor
To start the Disk Editor program:
1. Boot the computer to a command prompt (not Windows); Disk Editor needs exclusive access to the drives you plan to examine. If you use Windows 9x, press F8 or Ctrl to bring up the startup menu and select Safe Mode Command Prompt, or use the Windows 9x/Me Emergency Startup disk (make one with Add/Remove Programs). If you use Windows XP, insert a blank floppy disk into Drive A:, right-click Drive A: in My Computer, and select Format. Choose the "Create an MS-DOS startup disk", and use this disk to start your computer.
2. Change to the folder containing your mouse driver and Disk Editor.
3. Type MOUSE (if your mouse driver is called MOUSE.COM or MOUSE.EXE; substitute the correct name if its called something else) and press ENTER to load the mouse driver.
4. Type DISKEDIT and press ENTER to start the program. If you dont specify a drive, Disk Editor scans the drive where its installed. If you are using it to work with a floppy disk, enter the command DISKEDIT A: to direct it to scan your floppy disk. Disk Editor scans your drive to determine the location of files and folders on the disk.
5. The first time you run Disk Editor, a prompt appears to remind you that Disk Editor runs in read-only mode until you change its configuration through the Tools menu. Press OK to continue.
Once Disk Editor has started, you can switch to the drive that you want to examine or from which you want to recover data. To change to a different drive:
1. Press Alt-O to open the Object menu.
2. Select Drive.
3. Select the drive you want to examine from the Logical disks menu.
4. The disk structure is scanned and displayed in the Disk Editor window.
For the rest of this article, Im going to use a floppy disk I created from some old technical articles written by an associate of mine. These articles and their associated graphics files are stored in two folders on the floppy disk. Because the articles and graphics were created with a 32-bit version of Windows, most files have long filenames (LFN) associated with them. In particular, Im going to be working with a file called VERISI~1.GIF. First, Im going to show you, using Disk Editor, how the file is stored on the system, and then Ill delete it and show you how Disk Editor can be used to retrieve the file.
Understanding the Disk Editor Display
Disk Editor normally starts in the Directory mode; you can change it to other modes with the View menu. When you view a drive containing data in the directory mode, you might see a display similar to that shown in Figure 1.
 (Click for Larger Image) |
Figure 1
The Norton Disk Editor directory view of a typical floppy disk.
The Name column lists the names of the directory entries. The .EXT column lists the file/folder extensions (if any). The ID column lists the type of directory entry:
- Dir a directory (folder)
- File a data file
- LFN a portion of a Windows long file name. Windows stores the start of the LFN before the actual filename. If the LFN is more than thirteen characters, one or more additional directory entries are used to store the rest of the LFN. For example, VERISI~1.GIF uses the two directory entries immediately preceding it for its LFN.
The next three columns list the file size, date, and time.
The Cluster column indicates the cluster where the first portion of the file is located. Drives are divided into clusters or allocation units when they are formatted. A cluster (allocation unit) is the smallest unit that can be used to store a file. Cluster sizes vary with the size of the drive and the file system used to format the drive.
The letters A, R, S, H, D, and V refer to attributes for each directory entry.
- A (archive) means the file hasnt been backed up since it was last modified
- R is used to indicate the directory entry is read-only
- S indicates the directory entry has the System attribute
- H indicates the directory entry has the Hidden attribute
- D indicates the entry is a directory
- V is the attribute for an LFN entry.
How Windows Identifies Files with Long File Names
The file VERISI~1.GIF (highlighted in black near the bottom of Figure 1) is interesting for several reasons. The tilde (~) and number at the end of the filename indicate the file was created with a 32-bit version of Windows. 32-bit versions of Windows (Windows 9x/Me, 2000, and XP) allow the user to save a file with a long file name (more than eight characters, not counting the three-character file extension). Long file names can also have spaces and other characters not allowed in earlier versions of Windows and MS-DOS. To enable older versions of Windows and MS-DOS to access the file, a "DOS alias" filename is also created from the first six characters of the filename, followed by the tilde and a number indicating whether this is the first or a subsequent file in the current folder to have the same first six characters in the alias name (see Figure 2).
 (Click for Larger Image) |
Figure 2
How a DOS Alias file name is created by Windows from the LFN.
When you view the file in Windows Explorer or My Computer, you see the long file name. To see the DOS alias name, right-click on the file and select Properties from My Computer or Windows Explorer, or use the DIR command within a command prompt window. The LFN is stored as a separate directory entry just before the DOS alias name. Because the actual long name for VERISI~1.GIF (Verisignsealtrans.gif) is 21 characters, two additional directory entries are required to store the long filename (each directory entry can store up to 13 characters of an LFN), as seen in Figure 1.
Understanding Clusters and the File Allocation Table
How does the computer, "know" where a file is located? If it's a FAT file system, then an area of the disk called the FAT (file allocation table) stores the starting location of the file and each additional cluster used to store the file; VERISI~1.GIF starts at cluster 632. Clusters, or allocation units if you prefer, are the smallest disk structures used to store files. They vary in size depending upon the file system used to create the disk where the files are stored and upon the size of the drive. In this case, the file is stored on a 1.44MB floppy disk, which has a cluster size of 512 bytes. The cluster size of the drive is very important to know if you want to retrieve data using Disk Editor.
You can determine the cluster size of a drive in a variety of ways. You can open a command-prompt window and run CHKDSK <diskdrive> to display the allocation unit size (cluster size) and other statistics about the specified drive (see Figure 3). So to run this utility on your primary hard drive, you'd type CHKDSK C:.
 (Click for Larger Image) |
Figure 3
Using CHKDSK with Windows XP to display the file system and allocation unit (cluster size) of G drive.
You can also look up allocation unit sizes in reference charts, such as those found in Chapter 24, "File Systems and Data Recovery" of my book, Upgrading and Repairing PCs 14th Edition. Table 1 contains a few values from those charts.
Table 1 - Selected Cluster Sizes for Popular Drive Types and Sizes
|
Drive Type |
File System |
Size Range |
Cluster Size |
|
1.44MB floppy disk |
FAT12 |
(Not applicable) |
512 bytes |
|
Hard disk |
FAT16 |
1,024 MiB to 2,048 MiB |
32,767 bytes |
|
Hard disk |
FAT32 |
260 MiB to 8,192 MiB |
4,096 bytes |
MiB = Mebibytes (formerly known as binary megabytes)
1 MiB = 1,048,072 bytes
To determine how many clusters (allocation units) are used to store a file, look at the size of the file and compare it to the cluster size of the drive its stored on. The file VERISI~1.GIF contains 6,006 bytes. Since this file is stored on a floppy disk that has a cluster size of 512 bytes, the file must occupy several clusters. How many clusters does it occupy? To determine this, divide the file size by the number of clusters, and round the result up to the next whole number as shown here.
| File Size |
Cluster Size |
Round Up Result |
Number of Clusters Used to Store the File |
| 6,006 / | 512 = | 11.73046875 = | 12 |
From our calculations, we can see that VERISI~1.GIF uses 12 clusters on the floppy disk. It would use only two clusters if it were stored on the FAT32-format hard disk listed in Table 1, and only one cluster if stored on the FAT16-format hard disk listed in Table 1.
The more clusters a file contains, the greater the risk is that some of its data area could be overwritten by newer data if the file is "deleted." Consequently, if you need to undelete a file which was not sent to the Windows Recycle Bin or was deleted from a removable-media drive or floppy drive (these types of drives dont support the Recycle Bin), the quicker you attempt to undelete the file, the more likely it is that you can retrieve the data.
The normal directory display in Norton Disk Editor shows the starting cluster (632) for VERISI~1.GIF. If a file is stored on a drive with a lot of empty space, the odds are good that the remainder of the clusters immediately follow the first two; a badly fragmented drive might use non-contiguous clusters to store the rest of the file. Since its much easier to perform data recovery when the clusters are contiguous, I strongly recommend that you defragment your drives frequently.
To see the remainder of the clusters this file uses, move the cursor to the file, press Alt-L or click the Link menu, and select Cluster Chain (FAT); you can also press Ctrl-T to go directly to this view. The screen changes to show the clusters as listed in the FAT for this file (see Figure 4).
 (Click for Larger Image) |
Figure 4
The FAT view of VERISI~1.GIF. All its clusters are contiguous.
As you can see, the clusters used by the file are highlighted in red and the filename is shown at the bottom of the screen. The symbol <EOF> stands for "End of File", indicating the last cluster in the file.
What Happens When You Delete a File
After exiting Norton Disk Editor (Alt-O, Exit), I deleted VERISI~1.GIF. Then, I restarted Disk Editor and opened the folder that contained this file. When a file is deleted, the following changes happen to the disk where the file is stored:
- The default directory view shows that the first character of the filename (V) has been replaced with a "s" (lowercase sigma) character (see Figure 5).
- There are now two new types of entries in the ID column for this file and its associated LFN:
Erased an erased file
Del LFN an LFN belonging to an erased file
Note also that the beginning cluster (632) is still shown in the Cluster column.
 (Click for Larger Image) |
Figure 5
The Directory view after VERISI~1.GIF has been deleted.
However, when I select the file and run the Cluster Chain command (Ctrl-T) that zeros have replaced the entries for the cluster locations used by this file (see Figure 6). This indicates to the operating system that these clusters (allocation units) are now available for re-use.
 (Click for Larger Image) |
Figure 6
The FAT view after VERISI~1.GIF has been deleted, showing the FAT entries previously used by the file have been zeroed out.
If an undelete process is not started immediately, some or all of the clusters could be overwritten by new data. Since the file in question is a .GIF graphics file, the loss of even one cluster will destroy the file.
As we can see from analyzing the file-deletion process, the undelete process involves four steps:
1. Restoring the original filename
2. Locating the clusters used by the file
3. Recreating the FAT entries for the file
4. Relinking the LFN entries for the file to the file
Of these four, the most critical steps involve locating the clusters used by the file and then recreating its FAT entries. However, if the file is a program file, restoring the original name is a must for proper program operation (assuming the program cant be reloaded), so restoring the LFN entries will make it easier for a Windows user accustomed to long file names to use the file.
To make these changes to the original floppy disk, Disk Editor must be configured to work in Read-Write mode.
As a precaution, I recommend that you use DISKCOPY to make an exact sector-by-sector copy of a floppy disk before you perform data recovery on it, and you should work with the copy of the disk, not the original. By working with a copy, you keep the original safe against any problems you might have, and you can make another copy if you need to. To make a copy of a floppy disk with DISKCOPY, open a command prompt window, type the command DISKCOPY A: A:, and follow the prompts to insert your source (original) disk and target (copy) disk. Unlike old versions of DISKCOPY, which required multiple disk swaps, recent versions of DISKCOPY store the contents of the source disk on the hard disk to make copying a disk a single disk-swap operation.
Configuring Disk Editor to Work in Read-Write Mode
If you are using Disk Editor to examine the structures of a drive, or if you plan to transfer a recovered file to another drive, you dont need to change its default read-only setting. However, if you are recovering files or making other changes to the current drive, you need to switch Disk Editor into read-write mode. If you need to make changes to the structure of a floppy disk, such as unerasing files or making other repairs, insert the floppy disk where you want to make the repairs (use the copy you made, not the original) before you continue.
To change to Read-Write mode:
1. Press Alt-T to open the Tools menu.
2. Press N to open the Configuration dialog.
3. Press the spacebar to clear the checkmark in the Read Only option box.
4. Press the Tab key until the Save box is highlighted.
5. Press Enter to save changes and return to the main display.
Once you change to Read-Write mode, Disk Editor will stay in this mode, and will use Read-Write mode every time you use it. To change back to Read-Only mode, repeat the steps above, but place a checkmark in the Read-Only box. If you are using Disk Editor in Read-Write mode, you will see the message "Drive x is Locked" when you scan a drive.
Undeleting an Erased File
Once you have configured Disk Editor to work in Read-Write mode, you can use it to undelete a file. To recover an erased file, follow this procedure:
1. To change to the folder containing the erased file, highlight the folder containing the erased file and press ENTER. In this example, we will recover the erased file VERISI~1.GIF.
2. Place the cursor under the lowercase sigma symbol and enter the letter you want to use to rename the file.
3. If the keyboard is in Insert mode, the lower-case sigma will move to the right; press the Delete key to delete this symbol.
4. This restores the filename, but even though the ID changes from Erased to File, this does not complete the file-retrieval process. You must now find the rest of the clusters used by the file. To the right of the filename, the first cluster used by the file is listed.
6. To go to the next cluster used by the file, press Ctrl-T to open the Cluster Chain command. Since you changed the name of the file, you are prompted to write the changes to the disk before you can continue. Press W or click Write to save the changes and continue.
7. The FAT view of the clusters starting with the first cluster of the erased file is shown. As we calculated earlier for VERISI~1.GIF, this file uses twelve clusters starting with cluster 632. We see twelve contiguous clusters that have been zeroed out. Even if we hadnt looked at the clusters this file used before we deleted it, its likely that the file occupies these clusters. At this point, we can manually enter the cluster numbers into the empty fields or we can scan the disk to determine if these are the correct clusters for the file.
8. To scan the disk for clusters starting with cluster 632. press Alt-O or click Object to open the Object menu. Type C to open the Cluster dialog (or type Alt-C to go straight to the Cluster dialog). The empty clusters range from 632 to 644, so enter 632 as the starting cluster and 644 as the ending cluster. Tab to OK and press Enter or click OK to display these clusters.
Disk Editor automatically switches to the best view for the specified object, and in this case, the best view is the Hex view (see Figure 7). Note that the first entry in cluster 632 is GIF89a (as shown in the right-hand column). Since the deleted file is a GIF file, this is what we expected. Since a GIF file is a binary graphics file, the rest of the information in the specified sectors should not be human-readable. As I scroll down through the sectors with the Page Down key, I can see that this is the case. Note that the end of the file is indicated by a series of 00s in several disk sectors before another file starts.
 (Click for Larger Image) |
Figure 7
The top (1) and end-of-file (2) for VERISI~1.GIF. (3) indicates the start of another file (a WordPerfect document as indicated by WPC)
Since the area occupied by the "empty" clusters 632 through 644 contains binary data starting with GIF89a, we can feel pretty confident that these clusters contain the data we need.
9. Now its time to return to the FAT to fill in the cluster numbers for the file. To do this, open the Object menu and select Directory. The current directory is selected, so click OK.
10. Move the cursor down to the entry for VERISI~1.GIF, open the Link menu and click Cluster Chain (FAT). Refer back to Figure 6 to see how it looks.
11. The Cluster Chain refers to the clusters after the initial cluster (632), so you need to enter 633 into the first empty field, and continue until you enter 643 and place the cursor into the last empty field. This field needs to have the <EOF> marker placed in it to indicate the end of the file. Press Alt-E to open the Edit menu, and select Mark (or press Ctrl-B). Open the Edit menu again and select Fill. Select End of File from the menu and click OK. Refer back to Figure 4 to see how the FAT looks after these changes have been made.
12. To save the changes to the FAT, open the Edit menu again and select Write. When prompted to save the changes, click Write, then click Rescan the disk.
13. To return to the Directory view, open the Object menu and select Directory. Click OK.
14. The LFN entries directly above VERISI~1.GIF file are still listed as Del LFN. To reconnect them to VERISI~1.GIF, select the first one (verisignsealt), open the Tools menu (Alt-T), and select Attach LFN. Click Yes when prompted. Repeat the process for (rans.gif).
15. To verify that the file has been undeleted successfully, I closed Disk Editor and opened the file in a compatible graphics program. The file, complete with its long file name, displayed perfectly.
As you can see, this is a long process, but it is, essentially, the same process that a program such as Norton Unerase performs automatically. However, Disk Editor can perform these tasks on all types of disks, including those which use non-DOS operating systems; its a favorite of advanced Linux users.
In Part 5 of this series, Ill revisit Norton Disk Editor to show you how to explore a hard disk and retrieve data to another drive.
Copyright©2002 Pearson Education. All rights reserved.