Reading all deleted files

Posted: 27 Sep 2019, 10:32
by mesajflaviu
Is there any function inside the code which can list all deleted files from an HDD? I ran

Code:

dir_whole_partition_log_aux
Yes, it seems to be what I am looking for, but I got weird strings:

Code:

/_523156_
  ŠVe¦\ÃCpˆ&ÙÈ+³Û^j˜1bEåœ /_523156_
  ˆÀ嫵`>㺷ñžþ /_523156_
  3Ø´·ð¿ØÖJ}áéc±Ä /_523156_
  ÉÙpÔå(,(ö¸U¾¤¹J¼öô5ú¡jÕ /_523156_
  
and these reported strings are listed endlessly ... Did I try the wrong function?

Re: Reading all deleted files

Posted: 27 Sep 2019, 11:50
by recuperation
Try running this command on a filesystem that you have checked before.
Otherwise, search the code for the location where it queries the keys and branches for the "p" key (list files).

Re: Reading all deleted files

Posted: 27 Sep 2019, 13:22
by mesajflaviu
Yes, good point, it is a start, but there is code that seeks the files only for that level, not for the next level, or for other sibling levels ... I have to dig in ... I don't know C very well ...

Re: Reading all deleted files

Posted: 27 Sep 2019, 13:59
by mesajflaviu
And to see what I am talking about, here is the code where the user chooses a folder:

Code:

				case 'p':
				case 'P':
				case '+':
				case ' ':
				case KEY_RIGHT:
				case '\r':
				case '\n':
				case '6':
				case KEY_ENTER:
				{
					/* Entry under the cursor; the braces give the declaration its own scope inside the switch */
					file_info_t *tmp = td_list_entry(pos, file_info_t, list);
					/* Only act when the cursor is on a real entry and that entry is a directory */
					if (pos != &dir_list->list && (LINUX_S_ISDIR(tmp->st_mode) != 0))
					{
						const unsigned long int new_inode = tmp->st_ino;
						if ((new_inode != inode) && (strcmp(tmp->name, ".") != 0))
						{
							if (strcmp(tmp->name, "..") == 0)
								return 1;
							/* Append only if '/', the name and the terminating NUL fit in current_directory */
							if (strlen(dir_data->current_directory) + 1 + strlen(tmp->name) + 1 <= sizeof(dir_data->current_directory))
							{
								if (strcmp(dir_data->current_directory, "/"))
									strcat(dir_data->current_directory, "/");
								strcat(dir_data->current_directory, tmp->name);
								return (long int)new_inode;
							}
						}
					}
					break;
				}
it simply returns a node ...

Re: Reading all deleted files

Posted: 27 Sep 2019, 16:12
by mesajflaviu
"I don't know C very well" in fact, I know just a little :D

Re: Reading all deleted files

Posted: 27 Sep 2019, 16:38
by mesajflaviu
Obviously, dir_whole_partition_log is listing all deleted files, and dir_whole_partition_copy is copying all deleted files from an HDD. The problem is that I don't know why it gave me those "crypted" strings ... strange ... moreover, if I call these functions, they seem to run endlessly ...

Re: Reading all deleted files

Posted: 27 Sep 2019, 16:57
by mesajflaviu
A question comes to my mind: the code retrieves some folders (from an exFAT USB stick): _523156_, _613046_, _148765_, _165500_? I am pretty sure that I didn't have such folders ... why is it listing such folders? What are they?

Re: Reading all deleted files

Posted: 27 Sep 2019, 17:39
by recuperation
First, please be precise enough to mention where your code examples come from, so that not just you but others as well can follow and profit from this discussion!

Second, without knowing the details of exFAT, but knowing FAT16 and FAT32, I would guess that these are unique labels for directories based on a cluster or sector address.

Your question suggests to me that you should change your strategy.
Learn one simple file system first, like FAT16. Use a hex editor to break one (on a stick, for example), think for yourself what you would do to recover it, and debug what the code from Christoph is doing.

Re: Reading all deleted files

Posted: 29 Sep 2019, 08:08
by mesajflaviu
Ok, I will do what you said, and perhaps I will return with a very specific question, I hope to find answers here. Thank you @recuperation.

Re: Reading all deleted files

Posted: 29 Sep 2019, 21:13
by mesajflaviu
Forgive me for the late hour at which I am writing here, but I noticed a hint about those strange chars (maybe someone will read this later).

In the source code, in dir.cpp, in the function dir_whole_partition_log_aux, there is a function call:

Code:

int dir_whole_partition_log_aux(disk_t* disk, const partition_t* partition, dir_data_t* dir_data, const unsigned long int inode)
{
	.....
	dir_aff_log(dir_data, &dir_list);
	TRACE("%s %s %s\n", s, current_file->name, dir_data->current_directory);  // <-- here I put a log trace, to see deleted files and the folder from where this file is
	/* Not perfect for FAT32 root cluster */
	....
so, when I run this (recursive) function, dir_whole_partition_log_aux, on a USB stick formatted as exFAT, but formatted today, I retrieved a list of deleted files.

Example from log trace:

Code:

// log trace
X ASPSiteDev /Temp20/ASPDev
X ConsoleTest /Temp20/ASPDev
X SecurityUtil /Temp20/ASPDev
X ASPSiteDev_Local /Temp20/ASPDev/ASPSiteDev
X Default.asp /Temp20/ASPDev/ASPSiteDev/ASPSiteDev_Local
X global.asa /Temp20/ASPDev/ASPSiteDev/ASPSiteDev_Local
X search.htm /Temp20/ASPDev/ASPSiteDev/ASPSiteDev_Local
Ok.

Then I tried this function, dir_whole_partition_log_aux, on a USB stick formatted as exFAT, but formatted 10 months ago and where I deleted a lot of files until now (I am using this USB disk intensively), and I retrieved those strange folders and files:

Code:

// log trace
X  /_523156_
  ŠVe¦\ÃCpˆ&ÙÈ+³Û^j˜1bEåœ /_523156_
  ˆÀ嫵`>㺷ñžþ /_523156_
  3Ø´·ð¿ØÖJ}áéc±Ä /_523156_
  ÉÙpÔå(,(ö¸U¾¤¹J¼öô5ú¡jÕ /_523156_
X  /_523156_
X  /_523156_
X  /_523156_
X  /_523156_
   /_523156_
   /_523156_/3Ø´·ð¿ØÖJ}áéc±Ä
X  /_523156_/3Ø´·ð¿ØÖJ}áéc±Ä
X Œ˜¼š°[_0³¢|¿¥Ç /_523156_/3Ø´·ð¿ØÖJ}áéc±Ä
X ßÃ’è=èÑy
sÇþšòÉÆoË~'>pøSGÁ»…³ÕÔµn÷B4ÎÇyB˜u /_523156_/3Ø´·ð¿ØÖJ}áéc±Ä
  j…ŽG`—¾˜T á– /_523156_/3Ø´·ð¿ØÖJ}áéc±Ä
   /_523156_/3Ø´·ð¿ØÖJ}áéc±Ä
X  /_523156_/3Ø´·ð¿ØÖJ}áéc±Ä
X  /_523156_/3Ø´·ð¿ØÖJ}áéc±Ä
   /_523156_/3Ø´·ð¿ØÖJ}áéc±Ä
X  /_523156_/3Ø´·ð¿ØÖJ}áéc±Ä
  +€|Í2\“Á§ÍFC홿CKP’6,ÒF²¡Z³ /_523156_/3Ø´·ð¿ØÖJ}áéc±Ä
   /_523156_/3Ø´·ð¿ØÖJ}áéc±Ä
X  /_523156_/3Ø´·ð¿ØÖJ}áéc±Ä
X  /_523156_/3Ø´·ð¿ØÖJ}áéc±Ä
X Ìàü¹ûøTÔªU©ØÖ‹¡ÄJš2è=¢¹Ð(ëA¶ˆ›âïqTѪ#xžTë /_523156_/3Ø´·ð¿ØÖJ}áéc±Ä
X  /_523156_/3Ø´·ð¿ØÖJ}áéc±Ä
and these log traces are listed for a lot of minutes ...

So this is the cause of these strange chars and of these folders (e.g. _523156_). And that is because I have deleted a lot of files from this USB disk ... I cannot figure out why, by deleting a lot of files, I get these folders, _523156_. I didn't have these folders on this USB disk, for sure.
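
An added example, not part of the thread and not TestDisk code: a recursive listing that skips entries whose names cannot be valid exFAT file names (empty, control characters, or one of `" * / : < > ? \ |`) and refuses to enter the same directory twice, the two safeguards that bear on the garbage names and the never-ending run described above. The `entry_t` type, the `dirs` table and all function names are hypothetical, and the sample entries are constructed.

```c
#include <stdio.h>
#include <string.h>

enum { NDIRS = 2, MAXENT = 3, PATH_CAP = 64 };
/* Hypothetical parsed entry (not TestDisk's structure); child < 0 marks a file. */
typedef struct { const char *name; int deleted, child; } entry_t;
/* Constructed sample: dirs[0] is the root, dirs[1] is /Temp20. */
static const entry_t dirs[NDIRS][MAXENT] = {
	{ {"Temp20", 0, 1}, {"\x8aVe\\Cp", 1, -1} },
	{ {"Default.asp", 1, -1}, {"global.asa", 1, -1}, {"loop", 1, 0} } };

/* Reject empty names, control characters and the punctuation exFAT forbids. */
static int name_is_plausible(const char *s)
{
	const char *p = s;
	for (; *p != '\0'; p++)
		if ((unsigned char)*p < 0x20 || strchr("\"*/:<>?\\|", *p) != NULL)
			return 0;
	return p != s;
}

/* Log entries below dirs[idx] and count the deleted ones; seen[] breaks loops.
   The path is extended only when '/', the name and the NUL fit (forum snippet's bound). */
static int walk(int idx, char *path, unsigned char *seen)
{
	int found = 0;
	if (idx < 0 || idx >= NDIRS || seen[idx])
		return 0; /* dangling or already visited directory */
	seen[idx] = 1;
	for (const entry_t *e = dirs[idx]; e < dirs[idx] + MAXENT && e->name != NULL; e++) {
		const size_t len = strlen(path);
		if (!name_is_plausible(e->name))
			continue; /* garbage entry: neither log it nor descend */
		printf("%c %s %s\n", e->deleted ? 'X' : ' ', e->name, path);
		found += e->deleted;
		if (e->child < 0 || len + 1 + strlen(e->name) + 1 > PATH_CAP)
			continue;
		snprintf(path + len, PATH_CAP - len, "%s%s", len > 1 ? "/" : "", e->name);
		found += walk(e->child, path, seen);
		path[len] = '\0'; /* restore the path for the next sibling */
	}
	return found;
}

static int demo(void)
{
	unsigned char seen[NDIRS] = {0};
	char path[PATH_CAP] = "/";
	return walk(0, path, seen);
}
int main(void) { return demo() == 3 ? 0 : 1; }
```

The name check is a heuristic: a corrupt entry made only of legal characters still passes it, so the visited-directory guard is what bounds the recursion.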