
Advanced Method for Recovering Deleted Files with WinHex

Common ways to delete a file

Deleting files is one of the most common operations we perform on a computer. Under the Windows operating system, there are four basic ways to delete a file:

1. Delete the file directly, so that it bypasses the Recycle Bin;

2. Move the file to the Recycle Bin and then empty the Recycle Bin or delete the file from it;

3. Cut the file and paste it into a target folder;

4. Overwrite the file by copying another file with the same name into the target folder and confirming the replacement.

After a file has been deleted, whether it can be fully recovered depends on the extent to which the deleted file has been destroyed. Since different file systems manage files differently, we will only discuss the recovery of deleted files in FAT32 and NTFS file systems.

Common cases of file deletion (FAT32)

In the FAT32 file system, there may be the following six situations after the file is deleted:

Case 1: The directory entry of the deleted file remains, and the file contents are stored contiguously and have not been overwritten;

Case 2: The directory entry of the deleted file remains, and the file contents are stored contiguously, but some or all of the contents have been overwritten;

Case 3: The directory entry of the deleted file remains, the file contents are stored non-contiguously, and the contents have not been overwritten;

Case 4: The directory entry of the deleted file has been overwritten, but the file contents are stored contiguously and have not been overwritten;

Case 5: The directory entry of the deleted file remains, but the high 16 bits of the starting cluster number in the directory entry have been set to 0000, and the file contents are stored contiguously and have not been overwritten;

Case 6: The directory entry of the deleted file has been overwritten, and part or all of the file contents have been overwritten as well.

For case 1, the success rate of file recovery is 100%, and the recovered file can be used normally;

For case 2, the success rate of file recovery is also 100%, but whether the recovered file is usable depends on how much of the deleted file's content has been overwritten;

For case 3, we can read the starting cluster number and file size from the directory entry of the deleted file, search downward from the starting cluster for free clusters, check whether each free cluster holds content belonging to the file to be recovered, and finally join the recovered content together. Note: in the FAT32 file system, for files stored non-contiguously, the cluster numbers of later fragments are in general greater than those of earlier fragments; a later fragment with a smaller cluster number than an earlier one is rare.

For case 4, the file can be found and recovered by file type;

For case 5, if the logical disk is relatively small, trial and error can be used to estimate the high 16 bits of the file's starting cluster number. The high 16 bits can also be estimated by examining the neighbouring directory entries of the same directory;

For case 6, if the entire content of the file has been overwritten, it cannot be recovered; if only part of the content has been overwritten, and the overwritten part does not affect normal use of the file, recovery is still possible.

Recover deleted files (FAT32)

This section discusses only the basic ideas, methods, and steps for recovering deleted files on FAT32 under Windows using WinHex. The corresponding ideas, methods, and steps for other data recovery software are left for the reader to study.

Two basic methods for recovering deleted files are introduced below by way of examples.

[Method (1)] Copy the deleted file to the specified directory.

Go to the folder where the directory of the deleted file is located, find the directory entry of the deleted file, select the deleted file directory entry, and copy the deleted file into the specified directory.

[Basic steps]

Step 1: Move the cursor to the directory where the deleted file is located, and then find the directory entry of the deleted file in that directory;

Step 2: Move the cursor to the directory entry of the deleted file, right-click, and select “Recover/Copy…” from the pop-up shortcut menu. In the “Select Target Folder” window, select the folder in which the recovered file should be stored, and click the “OK” button.

In this case, the a03.doc file in the root directory of the drive J was deleted, and we need to recover the deleted a03.doc file.

[Detailed steps]

Step 1: Start WinHex and open drive J;

Step 2: Move the cursor to the root directory of drive J, and find the directory entry of the deleted file “a03.doc”, as shown in the figure. Note: after a03.doc has been deleted, WinHex displays it as “?03.doc”, because the first byte of the directory entry has been replaced by the deleted marker;

word image 60

Step 3: Move the cursor to “?03.doc”, right-click, and select “Recover/Copy…” from the pop-up shortcut menu, as shown in the figure;

word image 61

Step 4: The “Select Target Folder” window appears. In the “Select Target Folder” window, select the location of files to be stored. In this case, the files to be recovered will be stored in the root directory of Disk D. Click the “OK” button as shown;

You can find the recovered file named “_03.doc” in the root directory of disk D.

Example 4-18_03

[Method (2)] Restore the deleted file to the state before deletion.

Restore the directory entries of deleted files to the state before deletion, and restore the FAT linked list of deleted file contents to the state before deletion.

[Basic steps]

Step 1: Move the cursor to the directory where the deleted file is located, find the directory entry of the deleted file, and change the first byte of that directory entry from “E5” (the deleted-entry marker) to the ASCII code of a displayable character, such as “41”;

Step 2: Read the starting cluster number and the size in bytes of the deleted file from its directory entry, calculate the number of clusters the file occupies, and rebuild the file's cluster allocation chain in both the FAT1 and FAT2 tables.

[Detailed steps]

Step 1: Start WinHex and open drive J;

Step 2: Move the cursor to the root directory of drive J, and find the directory entry of the deleted file “a03.doc”. Change the value of the first byte of the directory entry from “E5” to “41”, which is the ASCII code of “A”, as shown in the figure.

word image 62

Step 3: It can be seen from the figure that the starting cluster number of the deleted file a03.doc is 54424 (i.e. 0X0000D498), and the file size is 31232 (i.e. 0X00007A00) bytes. From the DBR of drive J, it can be seen that each cluster is 2 sectors. The number of clusters can therefore be calculated as:

Number of clusters of a03.doc = ROUNDUP(file size in bytes / (sectors per cluster × 512), 0)

= ROUNDUP(31232 / (2 × 512), 0)

= ROUNDUP(30.5, 0)

= 31

Since the a03.doc file starts with cluster number 54424 and the contents of a03.doc file are continuously stored on drive J, the ending cluster number is 54454. That is, the content of a03.doc file occupies the cluster number 54424~54454(i.e. 0XD498 ~ 0XD4B6). From this, the linked list of a03.doc files can be calculated, as shown in the figure.

word image 63

The storage form of its allocated linked list in the FAT1 table and FAT2 table is shown in the figure:

word image 64

Step 4: Restore the cluster chain of a03.doc in the FAT1 table. Move the cursor to the FAT entry 0XD498 (that is, the entry for cluster 54424).

Steps: “Position” -> “Go to FAT Entry”; type 54424 in the “Go to FAT Entry” window that pops up, which moves the cursor to entry 54424 of the FAT1 table. Each FAT32 entry is 4 bytes, stored little-endian. Enter “99 D4 00 00” at entry 54424, “9A D4 00 00” at entry 54425, “9B D4 00 00” at entry 54426, and so on, up to “B6 D4 00 00” at entry 54453 and the end-of-chain marker “FF FF FF 0F” at entry 54454, as shown in the figure, and then save. At this point, the cluster chain of a03.doc in the FAT1 table has been restored.

word image 65

Step 5: Restore the cluster chain of a03.doc in the FAT2 table. It can be seen from the DBR of drive J that each FAT table occupies 1585 sectors. The chain of a03.doc in the FAT1 table of drive J lies in sector 5447, so the corresponding position in the FAT2 table is sector 5447 + 1585 = 7032. Move the cursor to sector 7032.

Steps: “Position” -> “Go to Sector”; select “Logical” in the “Go to Sector” window that pops up, and type 7032 in the box to the right of “Sector:” to move the cursor to sector 7032. Enter “99 D4 00 00” at entry 54424, “9A D4 00 00” at entry 54425, “9B D4 00 00” at entry 54426, and so on, up to “B6 D4 00 00” at entry 54453 and “FF FF FF 0F” at entry 54454, as shown in the figure. Save and exit WinHex. At this point, the cluster chain of a03.doc in the FAT2 table has been restored.

word image 66

Step 6: The recovered “a03.doc” file can now be seen in the root directory of drive J.
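The arithmetic behind method (2), as an added example that is not part of the original article: it decodes the relevant fields of a 32-byte FAT32 directory entry, derives the cluster count the same way as the ROUNDUP formula above, and produces the little-endian FAT entries and the sector/offset within the FAT where each one is written. The sample entry is constructed from the values in the walkthrough (cluster 54424, 31232 bytes); the 512-byte sector size is assumed.

```python
import struct

SECTOR_SIZE = 512            # assumed sector size, as in the article's formula
FAT32_EOC = 0x0FFFFFFF       # end-of-chain marker, written on disk as FF FF FF 0F

def parse_dir_entry(entry: bytes) -> dict:
    """Decode the fields of a 32-byte FAT32 short-name directory entry needed for undelete."""
    if len(entry) != 32:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    name = entry[0:8].decode("latin-1").rstrip() + "." + entry[8:11].decode("latin-1").rstrip()
    hi = struct.unpack_from("<H", entry, 20)[0]    # high 16 bits of first cluster (offset 20)
    lo = struct.unpack_from("<H", entry, 26)[0]    # low 16 bits of first cluster (offset 26)
    size = struct.unpack_from("<I", entry, 28)[0]  # file size in bytes (offset 28)
    return {"deleted": entry[0] == 0xE5, "name": name,
            "first_cluster": (hi << 16) | lo, "size": size}

def cluster_count(size: int, sectors_per_cluster: int) -> int:
    """ROUNDUP(size / (sectors_per_cluster * 512), 0), done with integer arithmetic."""
    return -(-size // (sectors_per_cluster * SECTOR_SIZE))

def contiguous_chain(first_cluster: int, count: int) -> list:
    """(entry index, value) pairs that relink a contiguously stored file of `count` clusters."""
    last = first_cluster + count - 1
    return [(c, c + 1) for c in range(first_cluster, last)] + [(last, FAT32_EOC)]

def fat_entry_bytes(value: int) -> bytes:
    """On-disk form of one FAT32 entry: 32-bit little-endian, top 4 bits reserved."""
    return struct.pack("<I", value & 0x0FFFFFFF)

def fat_entry_offset(entry_index: int) -> tuple:
    """(sector within the FAT table, byte offset in that sector) of a FAT32 entry."""
    byte = entry_index * 4
    return byte // SECTOR_SIZE, byte % SECTOR_SIZE

def undelete_entry(entry: bytes, first_char: bytes = b"A") -> bytes:
    """Replace the E5 deleted marker with a printable character (step 1 of method 2)."""
    return first_char + entry[1:]

# Constructed sample: the deleted a03.doc entry from the walkthrough.
# Layout: 11-byte name, attribute 0x20, 8 reserved/time bytes, cluster high, 4 time
# bytes, cluster low, 4-byte size.  The leading 0xE5 marks the entry as deleted.
SAMPLE_ENTRY = (b"\xe503     DOC" + bytes([0x20]) + bytes(8) + struct.pack("<H", 0)
                + bytes(4) + struct.pack("<H", 0xD498) + struct.pack("<I", 31232))

if __name__ == "__main__":
    info = parse_dir_entry(SAMPLE_ENTRY)
    n = cluster_count(info["size"], 2)
    for idx, val in contiguous_chain(info["first_cluster"], n):
        print(idx, fat_entry_offset(idx), fat_entry_bytes(val).hex(" "))
```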

Common cases of file deletion (NTFS)

For NTFS file systems, there are five possible scenarios when a file is deleted:

Case 1: The record of the deleted file in the metafile $MFT remains, and the 80H attribute of the file record is resident;

Case 2: The record of the deleted file in meta-file $MFT is still retained, the 80H attribute of the file record is non-resident, and the file content is not overwritten;

Case 3: The record of the deleted file in meta-file $MFT is still retained. The 80H attribute of the file record is a non-resident attribute, but part or all of the file content has been overwritten.

Case 4: The record of the deleted file in the metafile $MFT has been overwritten. The 80H attribute of the file record is non-resident, but the file content is not overwritten.

Case 5: The record of the deleted file in the metafile $MFT has been overwritten, the 80H attribute of the file record is non-resident, and some or all of the file contents have been overwritten.

For case 1 and case 2, the success rate of file recovery is 100%, and the recovered file can be used normally;

For case 3, the success rate of file recovery is also 100%, but whether the recovered file can be used normally depends on how much of the file content has been overwritten and how important the overwritten content is;

For case 4, you can restore the file by file type, and the recovered file can be used normally;

For case 5, you can restore by file type, but the restored file may not be usable.

For NTFS file systems, after a file has been deleted, other data recovery software can be used for recovery. This section discusses only the basic steps for recovering deleted files using WinHex software.

Recover the deleted files (NTFS)

[Basic steps]

Step 1: Move the cursor to the folder in the Recycle Bin whose name begins with “S-1-5-21”;

Step 2: Find a file named “$I + 6 random characters + extension”. Note: the file size is 0.5KB;

Step 3: The drive letter, path, and file name of the deleted file can be read from the 80H attribute of this file record. Carefully confirm whether it is the file to be recovered. If so, go to step 4; if not, return to step 2 and look for the next file named “$I + 6 random characters + extension”.

Step 4: Find the file named “$R + 6 random characters + extension” (note: the 6 random characters are the same as in the “$I + 6 random characters” name);

Step 5: Move the cursor to the “$R + 6 random characters + extension” file, right-click, and select “Recover/Copy…” from the pop-up shortcut menu. In the “Select Target Folder” window, select the location for the recovered file and click the “OK” button.

In this case, we recover the deleted 13.jpg file in the abcd3 folder of drive H with WinHex software.

[Detailed steps]

Step 1 Start WinHex and open drive H;

Step 2: Move the cursor to drive H, then locate the Recycle Bin folder $Recycle.bin\S-1-5-21-894613213-3022215824-3749548889-100. In that folder, find the file “$IS30pkh.jpg” and move the cursor to the 80H attribute of its record, as shown in the figure. According to the 80H attribute, the drive letter, path, and file name of the deleted file are “H:\abcd3\13.jpg”, which matches the file to be recovered.

word image 67

Step 3: From the record of the $IS30pkh.jpg file, the deleted file is located in the folder $Recycle.bin\S-1-5-21-894613213-3022215824-3749548889-100 on drive H, and its file name is $RS30pkh.jpg.

Move the cursor to $RS30pkh.jpg, right-click, and select “Recover/Copy…” from the pop-up shortcut menu. In the “Select Target Folder” window, select the target folder (here the abc folder on drive F), and then click the “OK” button;

Step 4: Go to the abc folder of drive F, where the restored “$RS30pkh.jpg” can be viewed; its contents are the contents of the deleted file 13.jpg.
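What WinHex shows in the 80H attribute of the $I record (step 3 of the basic steps and step 2 of the walkthrough), as an added example that is not part of the original article: a parser for the $I index record that recovers the original path, size and deletion time, plus the mapping from the $I name to its $R companion. It covers both the fixed 544-byte layout (the 0.5KB file mentioned above, used by Vista through 8.1) and the later variable-length layout used by Windows 10; the sample record is constructed here, and its size and timestamp are assumed values, not taken from the page.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_recycle_index(data: bytes) -> dict:
    """Decode a $I Recycle Bin index record.

    Version 1 (Vista to 8.1, 544 bytes): 8-byte version, 8-byte original size,
    8-byte deletion FILETIME, then a fixed 520-byte UTF-16LE original path.
    Version 2 (Windows 10 and later): same 24-byte header, then a 4-byte path
    length in UTF-16 characters followed by the path itself."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        nchars = struct.unpack_from("<I", data, 24)[0]
        raw = data[28:28 + 2 * nchars]
    else:
        raise ValueError(f"unknown $I record version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]   # stop at the terminator
    return {"version": version, "size": size,
            "deleted_at": filetime_to_datetime(ft), "path": path}

def recycled_pair(index_name: str) -> str:
    """Name of the $R file that holds the content described by a $I index name."""
    if not index_name.startswith("$I"):
        raise ValueError("not a $I index name")
    return "$R" + index_name[2:]

def build_index(version: int, size: int, ft: int, path: str) -> bytes:
    """Constructed sample $I record in either layout, used only for offline testing."""
    encoded = path.encode("utf-16-le") + b"\x00\x00"
    head = struct.pack("<QQQ", version, size, ft)
    if version == 1:
        return head + encoded + bytes(520 - len(encoded))
    return head + struct.pack("<I", len(encoded) // 2) + encoded

# Constructed sample matching the walkthrough's path; size and time are assumed.
SAMPLE_FT = 132000000000000000
SAMPLE_I = build_index(1, 48219, SAMPLE_FT, "H:\\abcd3\\13.jpg")

if __name__ == "__main__":
    print(parse_recycle_index(SAMPLE_I), recycled_pair("$IS30pkh.jpg"))
```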
