Data Recovery Concept

Cluster chain recovery for the deleted entry

After the cluster chain is defined, automatically or manually, the only task left is to read the contents of the defined clusters, verify them, and save them to another location.

We have a chain of clusters, so we can calculate each cluster's offset from the beginning of the drive using standard formulas. Then we copy an amount of data equal to the cluster size, starting from the calculated offset, into the newly created file. For the last cluster we do not copy the whole cluster but only the remainder: the file size minus the number of already copied clusters multiplied by the cluster size.

Formulas for calculating the cluster offset vary depending on the file system.

To calculate, for example, the offset of a cluster on FAT, we need to know:

  • Boot sector size
  • Number of FAT copies
  • Size of one copy of FAT
  • Size of main root folder
  • Number of sectors per cluster
  • Number of bytes per sector

On NTFS we have a linear space, so we can calculate the cluster offset simply as the cluster number multiplied by the cluster size.

Example of recovering a cluster chain on FAT16

Let's continue examining the example of the deleted file MyFile.txt from the previous topics.

By now we have the chain of clusters 3, 4, 5, 6 ready for recovery. Our cluster consists of 64 sectors and the sector size is 512 bytes, so the cluster size is 64 * 512 = 32,768 bytes = 32 KB. The first data sector is 535 (we have 1 boot sector, plus 2 copies of the FAT of 251 sectors each, plus a 32-sector root folder, 534 sectors in total occupied by system data). Clusters 0 and 1 do not exist, so the first data cluster is 2. Cluster 3 follows cluster 2, i.e. it is located 64 sectors after the first data sector (535): 535 + 64 = sector 599, which equals an offset of 306,688 bytes from the beginning of the drive (0x4AE00).

With the help of a low-level disk editor we can see our data on the disk starting at offset 0x4AE00, i.e. cluster 3 or sector 599:

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
------------------------------------------------------------------------------
0004AE00   47 55 49 20 6D 6F 64 65  20 53 65 74 75 70 20 68   GUI mode Setup h
0004AE10   61 73 20 73 74 61 72 74  65 64 2E 0D 0A 43 3A 5C   as started...C:\
0004AE20   57 49 4E 4E 54 5C 44 72  69 76 65 72 20 43 61 63   WINNT\Driver Cac

All we need to do is copy 112,435 bytes starting from this place, because the cluster chain is consecutive. If it were not, we would need to recalculate the offset of each found cluster, copy 64 * 512 = 32,768 bytes three times starting from each cluster offset, and then copy the remainder from the last cluster: 14,131 bytes, calculated as 112,435 bytes - (3 * 32,768 bytes).

Example of recovering a cluster chain on NTFS

In our example we just need to pick up 110 clusters starting from cluster 312555.

The cluster size is 512 bytes, so the offset of the first cluster is 512 * 312555 = 160,028,160 = 0x0989D600.

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
------------------------------------------------------------------------------
0989D600   D0 CF 11 E0 A1 B1 1A E1  00 00 00 00 00 00 00 00   ÐÏ.à¡±.á........
0989D610   00 00 00 00 00 00 00 00  3E 00 03 00 FE FF 09 00   ........>...þÿ..
0989D620   06 00 00 00 00 00 00 00  00 00 00 00 01 00 00 00   ................
0989D630   69 00 00 00 00 00 00 00  00 10 00 00 6B 00 00 00   i...........k...
0989D640   01 00 00 00 FE FF FF FF  00 00 00 00 6A 00 00 00   ....þÿÿÿ....j...
0989D650   FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF   ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

Here is our data. What's left to do is read 110 clusters (56,320 bytes) from this point and copy them to another location. Data recovery is now complete.
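The offset formulas and the chain-copying procedure from the FAT16 and NTFS examples above, as an added example that is not part of the original page or the Active@ UNDELETE product. The FAT16 image is constructed in memory with the page's geometry (1 boot sector, 2 FATs of 251 sectors, 32-sector root folder, 64 sectors per cluster); the function names and the byte-filled clusters are assumptions made for the demonstration.

```python
import io

def fat_first_data_sector(reserved, fat_copies, sectors_per_fat, root_dir_sectors):
    """First data sector of a FAT12/16 volume: boot area + all FAT copies + root folder."""
    return reserved + fat_copies * sectors_per_fat + root_dir_sectors

def fat_cluster_offset(cluster, first_data_sector, sectors_per_cluster, bytes_per_sector=512):
    """Byte offset of a FAT data cluster. Clusters 0 and 1 do not exist, so data starts at 2."""
    if cluster < 2:
        raise ValueError("FAT cluster numbers below 2 are reserved")
    sector = first_data_sector + (cluster - 2) * sectors_per_cluster
    return sector * bytes_per_sector

def ntfs_cluster_offset(cluster, cluster_size):
    """NTFS addresses clusters linearly from the start of the volume."""
    return cluster * cluster_size

def recover_chain(drive, chain, file_size, cluster_size, offset_of):
    """Read a cluster chain into memory; the last cluster contributes only the remainder."""
    out, remaining = io.BytesIO(), file_size
    for cluster in chain:
        if remaining == 0:
            break
        drive.seek(offset_of(cluster))
        want = min(cluster_size, remaining)      # full cluster, or the tail of the file
        chunk = drive.read(want)
        if len(chunk) != want:
            raise IOError(f"short read at cluster {cluster}")
        out.write(chunk)
        remaining -= want
    if remaining:
        raise ValueError(f"chain too short: {remaining} bytes not covered")
    return out.getvalue()

# Constructed FAT16 image with the page's geometry. Each data cluster is filled with its
# own cluster number as a byte value so the copied data can be checked afterwards.
FIRST_DATA = fat_first_data_sector(1, 2, 251, 32)          # 535
CLUSTER = 64 * 512                                         # 32,768 bytes

def build_image(num_clusters=6):
    image = bytearray(FIRST_DATA * 512 + num_clusters * CLUSTER)
    for c in range(2, 2 + num_clusters):
        off = fat_cluster_offset(c, FIRST_DATA, 64)
        image[off:off + CLUSTER] = bytes([c]) * CLUSTER
    return io.BytesIO(bytes(image))

def recover_myfile(chain=(3, 4, 5, 6), size=112_435):
    """Recover MyFile.txt from the constructed image: 3 full clusters + a 14,131-byte tail."""
    offset_of = lambda c: fat_cluster_offset(c, FIRST_DATA, 64)
    return recover_chain(build_image(), list(chain), size, CLUSTER, offset_of)
```

Passing a non-consecutive chain such as (3, 6, 4, 5) to recover_myfile shows the per-cluster offset recalculation the text describes; a chain that does not cover the file size raises ValueError instead of silently returning a truncated file.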

DO NOT SAVE DATA THAT YOU FOUND AND ARE TRYING TO RECOVER ONTO THE SAME DRIVE! Doing so can break the recovery process by overwriting FAT records for this and other deleted entries. It is better to save the data onto another logical, removable, network or floppy drive.
