Browse All Articles > Recovering an Accidentally Screwed Up File... the hard way
From Coral's "So You Want To Play With Computers" Series
Preface:
What follows is a tweaked reprint from 2005/06. This is a True Story. The names have been changed to protect the guilty. While this deals with a fairly simple, text file recovery, disk editors (hex editors) are Advanced Tools, and can do some amazing, and dangerous stuff. They give you "byte level access" to EVERYTHING written on your disk. You can do anything from fixing bad sector links, repairing bad file headers, to rebuilding Partition Tables, to tweaking programming code "on the fly".
If you mess up the wrong thing, you can count on reformatting your drive and rebuilding your OS from scratch. Don't say I didn't warn you.
It had been pointed out to me that I use a lot of slang, so.... for over a week, I had been putting together a glossary. After FINALLY getting most of what I could think of in it, I spent a couple of hours arranging and making pretty all the words and definitions I had just been jamming into a text file, as I thought of them.
As it was starting to get into the wee hours of the morning, and things had been going very nicely. I thought I would call it quits for the night. Oh, what the heck! I still had a half a cup of coffee left, so I figured I would just quickly run it through my new spell checker.
Pressed Control-Alt-F12. The little sweetheart popped right up and went through that text file like it was warm butter.
It caught a few misspelled words, I added a few to the Custom Dictionary, then clicked OK to finish.
Vaporized it!!!!
I'm talking it went from over 6K, to a 0-byte file size.
That was NOT a sonic boom you heard that night. That was my head hitting the desk! I hadn't backed it up yet, and the backup I did have was nowhere close to the changes I had made.
OK. Not a problem. This is what I do. Right??? Right!!
First thing... get a fresh cup of coffee. And some aspirin and an icepack for my head.
Next... crank up Disk Investigator. Put it in Directory mode and look for the file. There it is. Double Click on the file name...
ERROR. Invalid starting sector.
Uh oh... That can't be good.
Try for an UNDELETE.
ERROR ... File not deleted.
Hmmmmmm....
Go to View Sector mode ... No text there. Go back and forth a dozen sectors either way. Nothing! I had been saving the file as I went along, so it HAS to be here somewhere!
Time to drink some more coffee, light up a cigarette, and have a bright idea (don't start about the cigs! I already gave up good booze and fast women, I'm keeping one bad habit).
Ahhh-ha!
On harddrives, Sectors are grouped into Clusters. Files always take whole clusters even if they don't use all of it. What they do not use is called "wasted space". And HD's write to the first empty sectors they find. Since I Defragged not too long ago, my missing file should be toward the rear of the "used" area of the drive.
Soooo... if I write down the starting sector and cluster number of some of the files that were made about the same time as the Glossary one, it should put me in the general area on the HD. I'm a genius! Somebody call MENSA.
Let's see.... the files I picked range between clusters 251,697 to 257,478. THAT's 6,000 CLUSTERS! With 32 sectors in a cluster..... that's way too big a number. You better hold that call.
Ok. Most of the files are in the 255,xxx to 257,xxx range. Better, but that's still 2,000 clusters. I will just check the first sector of the clusters around the files I picked, then.
I spent a half hour poking around, still no luck.
Still not a problem. I will just do a search for a keyword. Glossary... Yeah! That should work! Type it in, click Search. Est. 2 hrs. to scan drive. ?!?!?! 4 AM: It finally finished. No Match Found
Alright. How about adding some html tags. Est. 2 hrs. to scan drive.
Oh well, I might as well take a nap. Woke up about 9 AM to the sound of rain. Good! Don't have to go to work today. I rolled over and went back to sleep. Woke up again about noon. The computer is still on and a Search Results box is waiting for me. No match found.
Bugger this!! Exit out of everything. Turn the system off.
![hammer.jpg]()
It sounds like the rain quit. I think I will go outside and get medieval on the front driveway gate, and put the new one on. There are a couple of other things that could use some ...err... attention...
7 PM: I feel much better now. Fired the system up again. The file had not magically reappeared. {sigh} Went back into D.I. and tried one more search. Since I only have about 5gigs of data on this 30gig drive, I scanned to just past 30%. That should be about 10gigs. Still no match.
OK! This is WAR! Time to break out UBCD (Ultimate Boot CD)!!
Exited out of D.I and Windows. Rebooted into the BIOS and set the CDRom as First Boot Device. Put UBCD in the drive. Then click Save Settings and Reboot.
When UBCD came up, I thought I would try something different. I ran a couple of the File Managers first, just to see what they had to say about the situation. Not the correct angle of attack.![wrongo.jpg]()
Fired up a disk editor. For some strange reason it hung the system. GRRRRRRRRR!!!!!!!!!
Rebooted and ran another disk editor. It came right up. That's more like it. Typed in the search keywords, clicked Search...
Look at that bad boy just screaming through the HD! 10 minutes later, there is my text showing in the sector dump window. WooHoo!
![hexoutput01.jpg]()
What?!? No copy/paste to a file function?!? No sweat. I will just write down the cluster number, and exit out. I take the CD out of the drive and Reboot back to Windows. Run D.I. again, then type in the cluster number, and .... It's Not There!!!!
Impossible!!!
Start viewing the first sectors of the clusters on either side of this one. BINGO!
The numbers seem to be about 10 clusters off in D.I. It's a few clusters before what the editor in UBCD said it was. Copy/pasted the sector dump screens into a text editor and saved it. Then MADE A BACKUP! Next I edited out some unneeded sector info stuff, made another backup, and I am back in business.
A little bruised and contused. BUT I WON!!!!
Just a couple of loose ends to clean up:
- The best I can figure, even though I was saving the file as I was working on it, I must have forgotten to save it that last time before I ran the spell checker. A couple of the last minor changes were missing. Running the spellchecker on an unsaved file might have been why it vaporized. Who knows. The spell checker has worked great since then.
- Forget about that 6,000 cluster spread I quoted earlier. It was more like 30,000. I was looking in the 257,000 range, when it was really in the 288,000 range. Still.... considering that there are over 1.8 MILLION clusters on this 30gig, it was a good idea. For those that are curious, that's just short of 59 million sectors.
- I can never thank Esopo enough for snail mailing this CD to me. Once again UBCD makes me wonder how I got along without it.
I don't think beer is going to cut it, tonight. Going to need something stronger. hmmmmm... Vodka! Yeah, I'm going to need Vodka after this one. Maybe with a little pineapple juice...
Skål !!!
Hex/Disk Editors
Here are some links to hex/disk editors, that will let you see/modify the actual sector data on your hard drive. Just looking around is fairly safe, but if you want to play, do a lot of reading first. You REALLY need to know what you are doing, which means a fairly wide range of 'background' knowledge.
For starters -
- You need to at least know what "hex" is.
- You need to know how the Bits and Bytes are organized on the hard drive "platters".
- How the Partition Table, and MBR (Master Boot Record) are structured.
- How Sectors and Clusters work, and what values are needed where.
Neo Hex Editor (freeware) {my current one}
http://www.hhdsoftware.com/free-hex-editor
Disk Investigator (freeware):
http://www.theabsolute.net/sware/dskinv.html
Winhex - byte level editor (not free)
www.winhex.com (with links to other toys)
or:
http://www.x-ways.net/winhex/forensics.html
Download link on there for Eval version
Pricing info
http://www.x-ways.net/order.html
And I know UBCD has a couple of them on it. (free)
Ultimate Bootdisk and diag utils:
http://ultimatebootcd.com
And you can always just dig around on your favorite Freeware site (which is fun to do anyway), or Google for hex editor or freeware hex editor.
ASCII to HEX Conversion
this one is kind of fun:
http://www.asciitohex.com/
but this site might be more useful:
http://www.rapidtables.com/convert/number/ascii-to-hex.htm
http://www.rapidtables.com/convert/number/hex-to-ascii.htm
and these are quick lookup table:
http://www.asciitable.com/
http://ascii.cl/
Preface:
What follows is a tweaked reprint from 2005/06. This is a True Story. The names have been changed to protect the guilty. While this deals with a fairly simple, text file recovery, disk editors (hex editors) are Advanced Tools, and can do some amazing, and dangerous stuff. They give you "byte level access" to EVERYTHING written on your disk. You can do anything from fixing bad sector links, repairing bad file headers, to rebuilding Partition Tables, to tweaking programming code "on the fly".
If you mess up the wrong thing, you can count on reformatting your drive and rebuilding your OS from scratch. Don't say I didn't warn you.
On with the story...
It had been pointed out to me that I use a lot of slang, so.... for over a week, I had been putting together a glossary. After FINALLY getting most of what I could think of in it, I spent a couple of hours arranging and making pretty all the words and definitions I had just been jamming into a text file, as I thought of them.
Fight Night
As it was starting to get into the wee hours of the morning, and things had been going very nicely. I thought I would call it quits for the night. Oh, what the heck! I still had a half a cup of coffee left, so I figured I would just quickly run it through my new spell checker.
Pressed Control-Alt-F12. The little sweetheart popped right up and went through that text file like it was warm butter.
It caught a few misspelled words, I added a few to the Custom Dictionary, then clicked OK to finish.
Vaporized it!!!!
I'm talking it went from over 6K, to a 0-byte file size.
That was NOT a sonic boom you heard that night. That was my head hitting the desk! I hadn't backed it up yet, and the backup I did have was nowhere close to the changes I had made.
OK. Not a problem. This is what I do. Right??? Right!!
Round One
First thing... get a fresh cup of coffee. And some aspirin and an icepack for my head.
Next... crank up Disk Investigator. Put it in Directory mode and look for the file. There it is. Double Click on the file name...
ERROR. Invalid starting sector.
Uh oh... That can't be good.
Try for an UNDELETE.
ERROR ... File not deleted.
Hmmmmmm....
Go to View Sector mode ... No text there. Go back and forth a dozen sectors either way. Nothing! I had been saving the file as I went along, so it HAS to be here somewhere!
Time to drink some more coffee, light up a cigarette, and have a bright idea (don't start about the cigs! I already gave up good booze and fast women, I'm keeping one bad habit).
Ahhh-ha!
On harddrives, Sectors are grouped into Clusters. Files always take whole clusters even if they don't use all of it. What they do not use is called "wasted space". And HD's write to the first empty sectors they find. Since I Defragged not too long ago, my missing file should be toward the rear of the "used" area of the drive.
Soooo... if I write down the starting sector and cluster number of some of the files that were made about the same time as the Glossary one, it should put me in the general area on the HD. I'm a genius! Somebody call MENSA.
Let's see.... the files I picked range between clusters 251,697 to 257,478. THAT's 6,000 CLUSTERS! With 32 sectors in a cluster..... that's way too big a number. You better hold that call.
Ok. Most of the files are in the 255,xxx to 257,xxx range. Better, but that's still 2,000 clusters. I will just check the first sector of the clusters around the files I picked, then.
I spent a half hour poking around, still no luck.
Round Two
Still not a problem. I will just do a search for a keyword. Glossary... Yeah! That should work! Type it in, click Search. Est. 2 hrs. to scan drive. ?!?!?! 4 AM: It finally finished. No Match Found
Alright. How about adding some html tags. Est. 2 hrs. to scan drive.
Oh well, I might as well take a nap. Woke up about 9 AM to the sound of rain. Good! Don't have to go to work today. I rolled over and went back to sleep. Woke up again about noon. The computer is still on and a Search Results box is waiting for me. No match found.
Bugger this!! Exit out of everything. Turn the system off.
It sounds like the rain quit. I think I will go outside and get medieval on the front driveway gate, and put the new one on. There are a couple of other things that could use some ...err... attention...
Round Three
7 PM: I feel much better now. Fired the system up again. The file had not magically reappeared. {sigh} Went back into D.I. and tried one more search. Since I only have about 5gigs of data on this 30gig drive, I scanned to just past 30%. That should be about 10gigs. Still no match.
OK! This is WAR! Time to break out UBCD (Ultimate Boot CD)!!
Exited out of D.I and Windows. Rebooted into the BIOS and set the CDRom as First Boot Device. Put UBCD in the drive. Then click Save Settings and Reboot.
When UBCD came up, I thought I would try something different. I ran a couple of the File Managers first, just to see what they had to say about the situation. Not the correct angle of attack.
Fired up a disk editor. For some strange reason it hung the system. GRRRRRRRRR!!!!!!!!!
Rebooted and ran another disk editor. It came right up. That's more like it. Typed in the search keywords, clicked Search...
Look at that bad boy just screaming through the HD! 10 minutes later, there is my text showing in the sector dump window. WooHoo!
What?!? No copy/paste to a file function?!? No sweat. I will just write down the cluster number, and exit out. I take the CD out of the drive and Reboot back to Windows. Run D.I. again, then type in the cluster number, and .... It's Not There!!!!
Impossible!!!
Start viewing the first sectors of the clusters on either side of this one. BINGO!
The numbers seem to be about 10 clusters off in D.I. It's a few clusters before what the editor in UBCD said it was. Copy/pasted the sector dump screens into a text editor and saved it. Then MADE A BACKUP! Next I edited out some unneeded sector info stuff, made another backup, and I am back in business.
Post Bout
A little bruised and contused. BUT I WON!!!!
Just a couple of loose ends to clean up:
- The best I can figure, even though I was saving the file as I was working on it, I must have forgotten to save it that last time before I ran the spell checker. A couple of the last minor changes were missing. Running the spellchecker on an unsaved file might have been why it vaporized. Who knows. The spell checker has worked great since then.
- Forget about that 6,000 cluster spread I quoted earlier. It was more like 30,000. I was looking in the 257,000 range, when it was really in the 288,000 range. Still.... considering that there are over 1.8 MILLION clusters on this 30gig, it was a good idea. For those that are curious, that's just short of 59 million sectors.
- I can never thank Esopo enough for snail mailing this CD to me. Once again UBCD makes me wonder how I got along without it.
I don't think beer is going to cut it, tonight. Going to need something stronger. hmmmmm... Vodka! Yeah, I'm going to need Vodka after this one. Maybe with a little pineapple juice...
Skål !!!
Links
Hex/Disk Editors
Here are some links to hex/disk editors, that will let you see/modify the actual sector data on your hard drive. Just looking around is fairly safe, but if you want to play, do a lot of reading first. You REALLY need to know what you are doing, which means a fairly wide range of 'background' knowledge.
For starters -
- You need to at least know what "hex" is.
- You need to know how the Bits and Bytes are organized on the hard drive "platters".
- How the Partition Table, and MBR (Master Boot Record) are structured.
- How Sectors and Clusters work, and what values are needed where.
Neo Hex Editor (freeware) {my current one}
http://www.hhdsoftware.com/free-hex-editor
Disk Investigator (freeware):
http://www.theabsolute.net/sware/dskinv.html
Winhex - byte level editor (not free)
www.winhex.com (with links to other toys)
or:
http://www.x-ways.net/winhex/forensics.html
Download link on there for Eval version
Pricing info
http://www.x-ways.net/order.html
And I know UBCD has a couple of them on it. (free)
Ultimate Bootdisk and diag utils:
http://ultimatebootcd.com
And you can always just dig around on your favorite Freeware site (which is fun to do anyway), or Google for hex editor or freeware hex editor.
ASCII to HEX Conversion
this one is kind of fun:
http://www.asciitohex.com/
but this site might be more useful:
http://www.rapidtables.com/convert/number/ascii-to-hex.htm
http://www.rapidtables.com/convert/number/hex-to-ascii.htm
and these are quick lookup table:
http://www.asciitable.com/
http://ascii.cl/
Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.
Comments (2)
Commented:
Author
Commented: