Databases
StackOverflow2013
Postsdbo
PO
Body
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    text
    copied!<p>AFAIK, it's a fairly involved process. You can't just use CreateFile and enumerate the "deleted files". You have to load up the master file table of the drive, and enumerate that for files marked deleted, and then try to load the data from the disk position listed in the MFT. This would require a lot of Platform Invoked code, and probably a few redefinitions of native data structures in C#. </p> <p>The short answer to your question is this:</p> <pre><code>CreateFile("\\\\.\\PhysicalDrive0", GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_WRITE, 0, OPEN_EXISTING, 0, NULL) </code></pre> <p>You use create file to open the disk itself. </p> <p><a href="http://www.codeproject.com/KB/files/NTFSUndelete.aspx" rel="nofollow noreferrer">Here is a really good article about the whole process on Code Project.</a> But, it's all in c++. The code is there, and it seems you know how to p\invoke, so porting it over shouldn't be a problem.</p> <p><strong>Edit:</strong></p> <p>The fact that drive is external shouldn't make it any harder, you can still open the disk the same way I showed (maybe use a <a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=2cc30a64-ea15-4661-8da4-55bbc145c30e&amp;displaylang=en" rel="nofollow noreferrer">WMI tool</a> to look up the path once the drive is connected). Then, you can use the information on the <a href="http://en.wikipedia.org/wiki/File_Allocation_Table" rel="nofollow noreferrer">Wikipedia page for FAT32</a> to define data structures that you can read the MFT and other pieces of the file system into. Once you get there, you just iterate through the 32 byte file definitions in the directory table looking at the first byte for:</p> <pre><code>0xE5 Entry has been previously erased and is available. File undelete utilities must replace this character with a regular character as part of the undeletion process. </code></pre>
 

Querying!

 
Guidance
An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload