Disk scanning is the low-level enumeration of all entries in the root folders of FAT12, FAT16, and FAT32 volumes, or in the Master File Table (MFT) of NTFS and NTFS5 volumes.
The goal is to find and display deleted entries.
Although file/folder entry structures differ among file systems, all of them contain basic file attributes such as name, size, creation and modification date/time, file attributes, existing/deleted status, etc.
A drive contains a root file table, and any file table (such as an MFT, the root folder of the drive, a regular folder, or even a deleted folder) has a location, a size, and a predefined structure. It is therefore possible to scan the drive from beginning to end, checking each entry to determine whether it is deleted, and to display information for every deleted entry found.
Deleted entries are marked differently depending on the file system. For example, in FAT, a deleted entry for any file or folder is marked with the ASCII symbol 229 (0xE5), which becomes the first symbol of the entry. In NTFS, the deleted entry has a special attribute in the file header that indicates whether the file has been deleted or not.
Offset     0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
1. Existing folder MyFolder entry (long entry and short entry)
0003EE20  41 4D 00 79 00 46 00 6F 00 6C 00 0F 00 09 64 00  AM.y.F.o.l....d.
0003EE30  65 00 72 00 00 00 FF FF FF FF 00 00 FF FF FF FF  e.r...ÿÿÿÿ..ÿÿÿÿ
0003EE40  4D 59 46 4F 4C 44 45 52 20 20 20 10 00 4A C4 93  MYFOLDER   ..JÄ“
0003EE50  56 2B 56 2B 00 00 C5 93 56 2B 02 00 00 00 00 00  V+V+..Å“V+......
2. Deleted file MyFile.txt entry (long entry and short entry)
0003EE60  E5 4D 00 79 00 46 00 69 00 6C 00 0F 00 BA 65 00  åM.y.F.i.l...ºe.
0003EE70  2E 00 74 00 78 00 74 00 00 00 00 00 FF FF FF FF  ..t.x.t.....ÿÿÿÿ
0003EE80  E5 59 46 49 4C 45 20 20 54 58 54 20 00 C3 D6 93  åYFILE  TXT .ÃÖ“
0003EE90  56 2B 56 2B 00 00 EE 93 56 2B 03 00 33 B7 01 00  V+V+..î“V+..3·..
3. Existing file Setuplog.txt entry (short entry only)
0003EEA0  53 45 54 55 50 4C 4F 47 54 58 54 20 18 8C F7 93  SETUPLOGTXT .Œ÷“
0003EEB0  56 2B 56 2B 00 00 03 14 47 2B 07 00 8D 33 03 00  V+V+....G+...3..
0003EEC0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0003EED0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
This folder contains 3 entries, one of which is deleted. The first entry is an existing folder called MyFolder. The second one is a deleted file called MyFile.txt. The third one is an existing file called Setuplog.txt.
The first symbol of the deleted file entry is marked with the E5 symbol, so a Disk Scanner can assume that this entry has been deleted.
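The scan described above can be reproduced over the bytes of the dump. The following Python code is an added example, not part of the original page or of any product it describes; the names DUMP, lfn_fragment and scan_directory are assumptions, and the field offsets are those of the standard 32-byte FAT directory entry (timestamps are not decoded).

```python
import struct

# Directory bytes transcribed from the dump above (0003EE20-0003EEBF);
# the final all-zero entry (0003EEC0-0003EEDF) is appended with bytes(32).
DUMP = bytes.fromhex("""
41 4D 00 79 00 46 00 6F 00 6C 00 0F 00 09 64 00
65 00 72 00 00 00 FF FF FF FF 00 00 FF FF FF FF
4D 59 46 4F 4C 44 45 52 20 20 20 10 00 4A C4 93
56 2B 56 2B 00 00 C5 93 56 2B 02 00 00 00 00 00
E5 4D 00 79 00 46 00 69 00 6C 00 0F 00 BA 65 00
2E 00 74 00 78 00 74 00 00 00 00 00 FF FF FF FF
E5 59 46 49 4C 45 20 20 54 58 54 20 00 C3 D6 93
56 2B 56 2B 00 00 EE 93 56 2B 03 00 33 B7 01 00
53 45 54 55 50 4C 4F 47 54 58 54 20 18 8C F7 93
56 2B 56 2B 00 00 03 14 47 2B 07 00 8D 33 03 00
""") + bytes(32)

ENTRY, DELETED, END, ATTR_LFN, ATTR_DIR = 32, 0xE5, 0x00, 0x0F, 0x10

def lfn_fragment(e):
    """Up to 13 UTF-16LE name characters held in one long-name entry."""
    raw = e[1:11] + e[14:26] + e[28:32]
    return raw.decode("utf-16-le", "replace").split("\x00")[0]

def scan_directory(buf):
    """Walk 32-byte FAT entries and report every file/folder, deleted or not."""
    found, long_name = [], ""
    for off in range(0, len(buf) - ENTRY + 1, ENTRY):
        e = buf[off:off + ENTRY]
        if e[0] == END:                       # 0x00: nothing used beyond here
            break
        if (e[11] & 0x3F) == ATTR_LFN:        # fragments are stored last part first
            long_name = lfn_fragment(e) + long_name
            continue
        base = e[0:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        deleted = e[0] == DELETED
        if deleted:                           # 0xE5 replaced the first character
            base = "?" + base[1:]
        hi, lo = struct.unpack_from("<H", e, 20)[0], struct.unpack_from("<H", e, 26)[0]
        found.append({"offset": off, "short": base + ("." + ext if ext else ""),
                      "long": long_name or None, "deleted": deleted,
                      "is_dir": bool(e[11] & ATTR_DIR),
                      "first_cluster": (hi << 16) | lo,   # hi word is FAT32-only
                      "size": struct.unpack_from("<I", e, 28)[0]})
        long_name = ""
    return found

if __name__ == "__main__":
    for item in scan_directory(DUMP):
        print(item)
```

The deleted short entry loses only its first character, while the long-name fragments before it still spell the full name, which is why a scanner can show MyFile.txt for a deleted file.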
See also: Example of scanning a folder on NTFS5 (Windows 2000)