Saving data from unallocated disk space to a file

K

Kindman2011-06-07 15:33:00

Windows

Kindman, 2011-06-07 15:33:00

There was a need to analyze the contents of free clusters on the disk. This content (in addition to any garbage) includes fragments of deleted (but not overwritten) files, as well as fragments of descriptions of directories (folders).
In the good old FAT12/16/32 , this could be done quite simply: To do this, you could open (create) a new file
using the fopen()
function, and then, using fseek(), go far beyond the end of the file (by the amount approaching the size of free disk space) and close the file.
As a result, a file was obtained, in which it was exactly what was required.
But, in the case of NTFS , such a trick does not work.
So, the question is: how, without having administrator privileges, to quickly save empty space on an NTFS partition into one (or several) files for further analysis?

Reply

Answer the question

In order to leave comments, you need to log in

3 answer(s)

B

burdakovd, 2011-06-07
@burdakovd

In theory, no way - it would be a security breach.
Just as the OS clears the freed RAM pages before giving it to another process, so, in theory, the disk space should be cleared before giving it to another user. Since there is no owner information for free disk clusters, no one should be able to read them.
But if you succeed - write, I would also be interested.

M

Mikhail Lyalin, 2011-06-07
@mr_jok

And what prevents you from booting from LiveCD and using software to clone / duplicate the disk?

C

ComodoHacker, 2011-06-07
@ComodoHacker

Make an image of the entire partition. Then use recovery programs.
For NTFS, I recommend DMDE (dmde.ru). To recover multiple files is free.