Reading all deleted files

mesajflaviu
Posts: 37
Joined: 12 Sep 2019, 19:54

Reading all deleted files

#1 Post by mesajflaviu »

Is there any function inside the code which can list all deleted files from a HDD? I ran

Code:

dir_whole_partition_log_aux

Yes, it seems to be what I am looking for, but I got weird strings:

Code:

/_523156_
  ŠVe¦\ÃCpˆ&ÙÈ+³Û^j˜1bEåœ /_523156_
  ˆÀ嫵`>㺷ñžþ /_523156_
  3Ø´·ð¿ØÖJ}áéc±Ä /_523156_
  ÉÙpÔå(,(ö¸U¾¤¹J¼öô5ú¡jÕ /_523156_
  

and these reported strings are listed endlessly ... I tried the wrong function?

recuperation
Posts: 2721
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: Reading all deleted files

#2 Post by recuperation »

Try running this command on a filesystem that you have checked before.
Otherwise, search the code for the location where it queries the keys and branches for the "p"-key (list files).

mesajflaviu
Posts: 37
Joined: 12 Sep 2019, 19:54

Re: Reading all deleted files

#3 Post by mesajflaviu »

Yes, good point, it is a start, but there is code that seeks the files only for that level, not for the next level or for other sibling levels ... I have to dig in ... I don't know C very well ...

mesajflaviu
Posts: 37
Joined: 12 Sep 2019, 19:54

Re: Reading all deleted files

#4 Post by mesajflaviu »

And to see what I am talking about, here is the code where the user chooses a folder:

Code:

				case 'p':
				case 'P':
				case '+':
				case ' ':
				case KEY_RIGHT:
				case '\r':
				case '\n':
				case '6':
				case KEY_ENTER:
					file_info_t *tmp = td_list_entry(pos, file_info_t, list);
					if (pos != &dir_list->list && (LINUX_S_ISDIR(tmp->st_mode) != 0))
					{
						const unsigned long int new_inode = tmp->st_ino;
						if ((new_inode != inode) && (strcmp(tmp->name, ".") != 0))
						{
							if (strcmp(tmp->name, "..") == 0)
								return 1;
							if (strlen(dir_data->current_directory) + 1 + strlen(tmp->name) + 1 <= sizeof(dir_data->current_directory))
							{
								if (strcmp(dir_data->current_directory, "/"))
									strcat(dir_data->current_directory, "/");
								strcat(dir_data->current_directory, tmp->name);
								return (long int)new_inode;
							}
						}
					}

it simply returns a node ...

mesajflaviu
Posts: 37
Joined: 12 Sep 2019, 19:54

Re: Reading all deleted files

#5 Post by mesajflaviu »

"I don't know C very well" in fact, I know just a little :D

mesajflaviu
Posts: 37
Joined: 12 Sep 2019, 19:54

Re: Reading all deleted files

#6 Post by mesajflaviu »

Obviously, dir_whole_partition_log is listing all deleted files, and dir_whole_partition_copy copies all deleted files from an HDD. The problem is that I don't know why it gave me those "crypted" strings ... strange ... moreover, if I call these functions, they seem to run endlessly ...

mesajflaviu
Posts: 37
Joined: 12 Sep 2019, 19:54

Re: Reading all deleted files

#7 Post by mesajflaviu »

A question comes to my mind: the code retrieves some folders (from an exFAT USB stick): _523156_, _613046_, _148765_, _165500_? I am pretty sure that I didn't have such folders ... why is it listing such folders? What are they?

recuperation
Posts: 2721
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: Reading all deleted files

#8 Post by recuperation »

First, please be precise enough to mention where your code examples come from, so that not just you but others as well can follow and profit from this discussion!

Second, without knowing the details of exFAT, but knowing FAT16 and FAT32, I would guess that these are unique labels for directories based on a cluster or sector address.

Your question suggests to me that you should change your strategy.
Learn one simple file system first, like FAT16. Use a hex editor to break one (on a stick, for example), think for yourself what you would do to recover it, and debug what the code from Christoph is doing.

mesajflaviu
Posts: 37
Joined: 12 Sep 2019, 19:54

Re: Reading all deleted files

#9 Post by mesajflaviu »

Ok, I will do what you said, and perhaps I will return with a very specific question, I hope to find answers here. Thank you @recuperation.

mesajflaviu
Posts: 37
Joined: 12 Sep 2019, 19:54

Re: Reading all deleted files

#10 Post by mesajflaviu »

Forgive the late hour at which I am writing here, but I noticed a hint for those strange chars (maybe someone will read this later).

In the source code, in dir.cpp, in function dir_whole_partition_log_aux, there is a function call:

Code:

int dir_whole_partition_log_aux(disk_t* disk, const partition_t* partition, dir_data_t* dir_data, const unsigned long int inode)
{
	.....
	dir_aff_log(dir_data, &dir_list);
	TRACE("%s %s %s\n", s, current_file->name, dir_data->current_directory);  // <-- here I put a log trace, to see deleted files and the folder from where this file is
	/* Not perfect for FAT32 root cluster */
	....

so, when I run this (recursive) function, dir_whole_partition_log_aux, on a USB stick formatted as exFAT, but formatted today, I retrieved a list with deleted files.

Example from log trace:

Code:

// log trace
X ASPSiteDev /Temp20/ASPDev
X ConsoleTest /Temp20/ASPDev
X SecurityUtil /Temp20/ASPDev
X ASPSiteDev_Local /Temp20/ASPDev/ASPSiteDev
X Default.asp /Temp20/ASPDev/ASPSiteDev/ASPSiteDev_Local
X global.asa /Temp20/ASPDev/ASPSiteDev/ASPSiteDev_Local
X search.htm /Temp20/ASPDev/ASPSiteDev/ASPSiteDev_Local

Ok.

Then I tried this function, dir_whole_partition_log_aux, on a USB stick formatted as exFAT, but formatted 10 months ago and where I have deleted a lot of files until now (I am using this USB disk intensively), and I retrieved those strange folders and files:

Code:

// log trace
X  /_523156_
  ŠVe¦\ÃCpˆ&ÙÈ+³Û^j˜1bEåœ /_523156_
  ˆÀ嫵`>㺷ñžþ /_523156_
  3Ø´·ð¿ØÖJ}áéc±Ä /_523156_
  ÉÙpÔå(,(ö¸U¾¤¹J¼öô5ú¡jÕ /_523156_
X  /_523156_
X  /_523156_
X  /_523156_
X  /_523156_
   /_523156_
   /_523156_/3Ø´·ð¿ØÖJ}áéc±Ä
X  /_523156_/3Ø´·ð¿ØÖJ}áéc±Ä
X Œ˜¼š°[_0³¢|¿¥Ç /_523156_/3Ø´·ð¿ØÖJ}áéc±Ä
X ßÃ’è=èÑy
sÇþšòÉÆoË~'>pøSGÁ»…³ÕÔµn÷B4ÎÇyB˜u /_523156_/3Ø´·ð¿ØÖJ}áéc±Ä
  j…ŽG`—¾˜T á– /_523156_/3Ø´·ð¿ØÖJ}áéc±Ä
   /_523156_/3Ø´·ð¿ØÖJ}áéc±Ä
X  /_523156_/3Ø´·ð¿ØÖJ}áéc±Ä
X  /_523156_/3Ø´·ð¿ØÖJ}áéc±Ä
   /_523156_/3Ø´·ð¿ØÖJ}áéc±Ä
X  /_523156_/3Ø´·ð¿ØÖJ}áéc±Ä
  +€|Í2\“Á§ÍFC홿CKP’6,ÒF²¡Z³ /_523156_/3Ø´·ð¿ØÖJ}áéc±Ä
   /_523156_/3Ø´·ð¿ØÖJ}áéc±Ä
X  /_523156_/3Ø´·ð¿ØÖJ}áéc±Ä
X  /_523156_/3Ø´·ð¿ØÖJ}áéc±Ä
X Ìàü¹ûøTÔªU©ØÖ‹¡ÄJš2è=¢¹Ð(ëA¶ˆ›âïqTѪ#xžTë /_523156_/3Ø´·ð¿ØÖJ}áéc±Ä
X  /_523156_/3Ø´·ð¿ØÖJ}áéc±Ä

and these log traces are listed for many minutes ...

So this is the cause of these strange chars and of these folders (e.g. _523156_). And that is because I have deleted a lot of files from this USB disk ... I cannot figure out why, having deleted a lot of files, I read these folders, _523156_. I didn't have these folders on this USB disk, for sure.
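
An added example, not TestDisk code and not written by anyone in this thread: a consistency check for one deleted exFAT directory entry set, the kind of test that tells a clean listing like the first trace from the unreadable names in the second. It relies on the exFAT on-disk layout (32-byte entries; File, Stream Extension and File Name entries have types 0x85, 0xC0 and 0xC1, with bit 0x80 cleared on deletion). The helper names and the sample buffer are hypothetical and constructed for the example.

```c
#include <stdint.h>
#include <string.h>

#define ESZ 32           /* every exFAT directory entry is 32 bytes */
#define DEL_FILE 0x05    /* File entry, 0x85 while in use */
#define DEL_STREAM 0x40  /* Stream Extension entry, 0xC0 while in use */
#define DEL_NAME 0x41    /* File Name entry, 0xC1 while in use */

/* Hypothetical helper: 1 if a UTF-16 unit is allowed in an exFAT file name. */
static int name_char_ok(unsigned c) {
  return c >= 0x20 && (c > 0x7f || strchr("\"*/:<>?\\|", (int)c) == NULL);
}

/* Hypothetical helper: entry count of the deleted set at buf[off], 0 if implausible. */
size_t deleted_set_len(const uint8_t *buf, size_t len, size_t off) {
  const uint8_t *e;
  size_t secondary, name_len, i;
  if (off > len || len - off < 3 * ESZ) return 0;
  e = buf + off;
  if (e[0] != DEL_FILE || e[ESZ] != DEL_STREAM) return 0;
  secondary = e[1];       /* SecondaryCount: entries after the File entry */
  name_len = e[ESZ + 3];  /* NameLength in UTF-16 code units */
  if (name_len == 0 || secondary > 18 || secondary < 1 + (name_len + 14) / 15 ||
      len - off < (1 + secondary) * ESZ) return 0;
  for (i = 0; i < name_len; i++) {
    /* each File Name entry carries 15 UTF-16LE units starting at byte 2 */
    const uint8_t *n = e + (2 + i / 15) * ESZ, *u = n + 2 + 2 * (i % 15);
    if (n[0] != DEL_NAME || !name_char_ok(u[0] | ((unsigned)u[1] << 8))) return 0;
  }
  return 1 + secondary;
}

/* Constructed sample, not real disk data: a deleted set for an ASCII name. */
size_t make_deleted_set(uint8_t *buf, const char *name) {
  size_t n = strlen(name), names = (n + 14) / 15, i;
  memset(buf, 0, (2 + names) * ESZ);
  buf[0] = DEL_FILE; buf[1] = (uint8_t)(1 + names);
  buf[ESZ] = DEL_STREAM; buf[ESZ + 3] = (uint8_t)n;
  for (i = 0; i < n; i++) {
    buf[(2 + i / 15) * ESZ] = DEL_NAME;
    buf[(2 + i / 15) * ESZ + 2 + 2 * (i % 15)] = (uint8_t)name[i];
  }
  return (2 + names) * ESZ;
}

int main(void) {
  uint8_t buf[4 * ESZ];
  size_t len = make_deleted_set(buf, "Default.asp");  /* 11 chars: 3 entries */
  return deleted_set_len(buf, len, 0) == 3 ? 0 : 1;
}
```

A lister that applies such a check before printing a name or descending into a directory skips entry sets whose bytes no longer form a consistent set.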
