3

There are programs out there that recover deleted files from the hard drive and also ones that overwrite free space in order to prevent deleted files from being recovered.

The act of overwriting free space seems understandable. The program creates files and writes arbitrary bytes to them.

However, when it comes to reading deleted files, I'm stumped. I understand that deleting a file only gets rid of the reference in the file system and that recovery programs search for common file headers in order to determine which part of the 'free space' could be a recoverable file.

But how can a program read data from the hard disk that is not part of the file system? Any language that I've used or read some documentation about allows reading from the hard disk only by opening a file - which is not free space.

I would also be grateful for a small example of a read from hard disk maybe in C++, Java or Python.

Also, I am a Windows user.

EDIT: This is what the Java guys came up with: How to access specific raw data on disk from java

Dziugas
  • 1
    This question reads as off-topic; there's no actual formal coding problem here to be solved. We can't link to off-topic resources for you either, sorry. – Makoto Feb 19 '15 at 01:00
  • 2
    I'm all about flagging questions as too broad, but I disagree - it is a bit broad, but I still think it's a legit question at a slightly higher level. Normally questions that ask for an example in any language would be totally off-topic, but this is a more conceptual question asking for a very specific answer, so I think that's reasonable enough. – neminem Feb 19 '15 at 01:01
  • What I'm asking about can either be done or it cannot. If it can then there ought to be some sequence of programmatic statements that can achieve it. I think finding this sequence of statements is a formal coding problem. – Dziugas Feb 19 '15 at 01:05
  • Please do not close this question. – B.K. Feb 19 '15 at 01:11
  • @mpez0 - maybe not, or you need a quick hand on Ctrl-C – Eugen Rieck Feb 19 '15 at 01:14
  • @EugenRieck ok, `dfd = open("/dev/sd0a", O_RDONLY);` :) – mpez0 Feb 19 '15 at 01:17
  • @mpez0 Thanks, much better (I did that `cat /dev/sda` stunt once via SSH on a machine with fast disk and slow network ...) – Eugen Rieck Feb 19 '15 at 01:19

1 Answer

4

Every OS out there has the notion of a block device - with a hard disk being the canonical example. Now the beauty is that in most implementations (this includes Windows) these can be opened just as if they were files on a file system by referring to special file names that would be invalid inside the file system (appropriate user privileges are assumed).

On Windows, e.g., opening `\\?\Device\Harddisk0\Partition1` will give you access to the first partition of the first hard drive. With read access to this special "file", you can now read the drive's content without going through the file system, giving you the possibility to discover and salvage objects that are no longer part of the file system but have not yet been overwritten or trimmed.

Eugen Rieck
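A sketch of the approach described in the question and answer, added here as an example and not part of the original posts: it reads a device or disk image sector by sector, bypassing the file system, and reports sectors that begin with a common file header. The function names, the 512-byte sector size and the sample image are assumptions made for illustration; on a real system `path` would be a raw device name of the kind the answer describes, opened with administrator rights.

```python
import os
import tempfile

SECTOR = 512                      # assumed sector size; many modern disks use 4096
CHUNK = 2048 * SECTOR             # 1 MiB per read, always a whole number of sectors
SIGNATURES = {                    # well-known file headers ("magic numbers")
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
}

def scan_for_headers(path, sector=SECTOR, chunk=CHUNK):
    """Return [(byte_offset, kind)] for sectors that start with a known header.
    `path` is a raw device name or a disk image; the file system on it is never
    consulted, so deleted-but-not-overwritten data is visible too. Only sector
    starts are checked, assuming file data begins on a cluster boundary.
    """
    hits = []
    # Unbuffered, whole-sector reads: raw devices generally require aligned reads.
    with open(path, "rb", buffering=0) as dev:
        offset = 0
        while True:
            block = dev.read(chunk)
            if not block:
                break
            for pos in range(0, len(block), sector):
                head = block[pos:pos + 8]
                for magic, kind in SIGNATURES.items():
                    if head.startswith(magic):
                        hits.append((offset + pos, kind))
            offset += len(block)
    return hits

def build_sample_image():
    """Constructed test image: 16 zeroed sectors with two headers planted."""
    img = bytearray(16 * SECTOR)
    img[3 * SECTOR:3 * SECTOR + 4] = b"\xff\xd8\xff\xe0"      # JPEG at sector 3
    img[9 * SECTOR:9 * SECTOR + 5] = b"%PDF-"                 # PDF at sector 9
    img[5 * SECTOR + 100:5 * SECTOR + 103] = b"\xff\xd8\xff"  # mid-sector: ignored
    fd, name = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(img)
    return name

if __name__ == "__main__":
    image = build_sample_image()
    try:
        print(scan_for_headers(image))
    finally:
        os.remove(image)
```

A real recovery tool would go on to determine each file's length and handle fragmentation; this only locates candidate starting offsets.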