
New program for FAT12/FAT16 archeology: PADD

Trixter (Veteran Member; joined Aug 31, 2006; Chicagoland, Illinois, USA)
Right before I started my sabbatical, I created a boot disk that combined a Xircom adapter and mTCP to automatically boot any vintage PC and put it on the local LAN with an FTP server so that you could suck all the data off of the hard drive. A few days later, I realized that this doesn't grab the deleted data sections, nor any filesystem slack space. So, I spent the month of October writing a utility to do just that. Results are here:

PADD

The main features are:

  • Browse deleted data onscreen using a handy ASCII and HEX viewer
  • "Freeze" all deleted areas into a file which can then be examined using normal file utilities or copied off-disk for further analysis
  • Save all file "slack space" off the drive to a new file
While you can archive a drive completely using an image utility (i.e., Norton Ghost, Unix's dd, etc.), I don't know of any that work on < 386 hardware. So I still feel that the util is worthwhile when archiving 808x or 286 systems' hard drives.

While I've tested it extensively with my own gear, I'd love it if a few other people could test it out and see if they encounter any bugs. There are dozens of safety checks and a few user confirmations that things are running properly, so if something is going wrong, it should be obvious. If you're worried about the utility writing to the drive, it only does that during a "freeze" operation, so simply don't use that function during testing if you get spooked.

Full docs and source code are in the .zip from the web page listed above. I look forward to any comments, even if they're negative :)
 
Very cool! I remember recovering deleted data from 360K disks on my Amstrad PC1512 using a utility called BIGFILE (which I probably got from a magazine cover disk) which works in a similar way to the freeze functionality in PADD - it just made a file called DISKFILL consisting of all the (previously) unallocated clusters. It didn't have a viewer though, and couldn't do anything with file slack space.

It was fun to see what kinds of things got left behind in the unallocated areas of disks that I bought or that were given to me. I wish I had had PADD at the time so I could have examined the file slack space as well!
 
Actually I remember using debug to undelete files on a floppy, but that was just based on the fat table entries. Still anything easy to use is always welcome :)
 
I remember recovering deleted data from 360K disks on my Amstrad PC1512 using a utility called BIGFILE (which I probably got from a magazine cover disk) which works in a similar way to the freeze functionality in PADD - it just made a file called DISKFILL consisting of all the (previously) unallocated clusters.

Crap! I thought my idea was unique :) Well, PADD examines all the unused clusters and if a cluster contains only the F6h format fill mark, it is not considered deleted data and is not added to the frozen file. So at least there's some intelligence behind it. The "-a" option will also consider any cluster all filled with the same value as "formatted" so you can weed out even more junk (for drives that were "wiped" with a secure erase util or something).

It was fun to see what kinds of things got left behind in the unallocated areas of disks that I bought or that were given to me. I wish I had had PADD at the time so I could have examined the file slack space as well!

The slack can be pretty interesting. I found a Perl module hiding in the slack of my 5160 and there has never been any Perl code on that machine whatsoever! I believe it got there somehow when I transferred files off of my Solaris box to the 5160, but whether it was FTP buffer/stream slack or TCP buffer slack, I have no idea.

Unfortunately, about 90% of slack is just junk left over from DOS BUFFERS, so you see a lot of directory entries in there.

My favorite time investigating hidden space in floppies was Wizardry -- part of the pascal source code is on there because they didn't format the disk they used to make the production master.
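The two posts above describe what PADD actually does: walk the FAT, treat any cluster whose entry is zero as unallocated, throw away clusters that still hold only DOS FORMAT's F6h fill byte (or, with "-a", any single repeated byte), concatenate the survivors into a "frozen" file, and separately carve the slack at the end of each live file's last cluster. The following is an added example, not PADD's code or anything from its .zip: a minimal FAT12 reader written for this page that performs those steps on a constructed 16-sector image. The image, the file names in it, and the `any_fill` flag standing in for PADD's "-a" switch are all assumptions made here; the on-disk layout (BPB fields at offset 11, 12-bit packed FAT, 32-byte root entries with the first cluster at offset 26 and the size at offset 28) is the standard FAT12 format.

```python
"""Added example: FAT12 unallocated-cluster and slack carving on a constructed image."""
import struct

EOC = 0xFF8          # FAT12 entries >= this mark end of chain
FORMAT_FILL = 0xF6   # byte DOS FORMAT writes over the data area


def fat12_get(fat, n):
    """Return the 12-bit FAT entry for cluster n."""
    off = n * 3 // 2
    v = fat[off] | (fat[off + 1] << 8)
    return (v >> 4) if n & 1 else (v & 0xFFF)


def fat12_set(fat, n, val):
    """Store a 12-bit value in FAT entry n (only used to build the sample)."""
    off = n * 3 // 2
    if n & 1:
        fat[off] = (fat[off] & 0x0F) | ((val << 4) & 0xF0)
        fat[off + 1] = (val >> 4) & 0xFF
    else:
        fat[off] = val & 0xFF
        fat[off + 1] = (fat[off + 1] & 0xF0) | ((val >> 8) & 0x0F)


def looks_formatted(buf, any_fill=False):
    """True for a cluster holding only fill: F6h by default, or any one
    repeated byte when any_fill is set (assumed equivalent of PADD's -a)."""
    if any_fill:
        return len(set(buf)) == 1
    return all(b == FORMAT_FILL for b in buf)


class FatImage:
    def __init__(self, data):
        self.d = data
        (self.bps, self.spc, reserved, nfats, root_entries,
         total, _media, spf) = struct.unpack_from("<HBHBHHBH", data, 11)
        self.cluster_size = self.bps * self.spc
        fat_off = reserved * self.bps
        self.fat = data[fat_off:fat_off + spf * self.bps]
        self.root_off = fat_off + nfats * spf * self.bps
        self.data_off = self.root_off + root_entries * 32
        self.last_cluster = 1 + (total - self.data_off // self.bps) // self.spc

    def cluster(self, n):
        off = self.data_off + (n - 2) * self.cluster_size
        return self.d[off:off + self.cluster_size]

    def chain(self, first):
        """Follow a cluster chain, refusing loops and out-of-range entries."""
        out, n = [], first
        while 2 <= n <= self.last_cluster and n not in out:
            out.append(n)
            n = fat12_get(self.fat, n)
        return out

    def entries(self):
        """Yield root-directory 8.3 entries; dirs, labels and LFN slots are skipped."""
        for off in range(self.root_off, self.data_off, 32):
            raw = self.d[off:off + 32]
            if raw[0] == 0x00:
                break                           # end of directory
            attr = raw[11]
            if attr & 0x18 or attr == 0x0F:
                continue
            deleted = raw[0] == 0xE5            # first name byte lost on delete
            base = (b"?" if deleted else raw[:1]) + raw[1:8]
            name = base.decode("ascii", "replace").rstrip()
            ext = raw[8:11].decode("ascii", "replace").rstrip()
            first, size = struct.unpack_from("<HI", raw, 26)
            yield {"name": name + ("." + ext if ext else ""),
                   "first": first, "size": size, "deleted": deleted}

    def freeze(self, any_fill=False):
        """Concatenate every free cluster that still holds non-fill data."""
        kept = [n for n in range(2, self.last_cluster + 1)
                if fat12_get(self.fat, n) == 0
                and not looks_formatted(self.cluster(n), any_fill)]
        return b"".join(self.cluster(n) for n in kept), kept

    def slack(self):
        """(name, bytes) for the unused tail of each live file's last cluster."""
        out = []
        for e in self.entries():
            used = e["size"] % self.cluster_size
            if e["deleted"] or e["size"] == 0 or used == 0:
                continue
            ch = self.chain(e["first"])
            if ch:
                out.append((e["name"], self.cluster(ch[-1])[used:]))
        return out


def build_sample_image():
    """Constructed 16-sector FAT12 image (not a real disk): one live 600-byte
    file, one deleted file, and free clusters in several states."""
    bps, total = 512, 16
    img = bytearray(bps * total)
    struct.pack_into("<HBHBHHBH", img, 11, bps, 1, 1, 1, 16, total, 0xF8, 1)
    img[510:512] = b"\x55\xAA"
    fat = bytearray(bps)
    for n, v in ((0, 0xFF8), (1, 0xFFF), (2, 3), (3, 0xFFF)):  # HELLO: 2 -> 3
        fat12_set(fat, n, v)
    img[512:1024] = fat
    root = bytearray(bps)
    root[0:32] = b"HELLO   TXT" + b"\x20" + bytes(14) + struct.pack("<HI", 2, 600)
    root[32:64] = b"\xE5ECRET  TXT" + b"\x20" + bytes(14) + struct.pack("<HI", 4, 40)
    img[1024:1536] = root
    data = bytearray([FORMAT_FILL]) * (bps * 13)   # data area as FORMAT left it

    def put(cl, buf):
        data[(cl - 2) * bps:(cl - 2) * bps + len(buf)] = buf
    put(2, b"A" * bps)
    put(3, b"B" * 88 + ((b"OLDFILE TXT" + bytes(21)) * 14)[:bps - 88])  # stale dir slack
    put(4, b"Deleted payroll memo: cluster freed, bytes still on disk.")
    put(6, bytes(bps))                             # wiped with zeros, not F6h
    img[1536:] = data
    return bytes(img)


if __name__ == "__main__":
    img = FatImage(build_sample_image())
    for any_fill in (False, True):
        blob, kept = img.freeze(any_fill)
        print("freeze%s: clusters %s, %d bytes" % (" -a" if any_fill else "", kept, len(blob)))
    for name, tail in img.slack():
        print("slack of %s: %d bytes, starts %r" % (name, len(tail), tail[:11]))
```

Run as a script it reports that the default pass keeps clusters 4 and 6 (the zero-wiped cluster is not F6h, so it counts as data) while the "-a"-style pass keeps only cluster 4, and that HELLO.TXT's last cluster carries 424 bytes of slack beginning with a stale directory entry, the sort of DOS BUFFERS leftover the post above mentions. The loop guard in `chain` matters on real archaeology targets, where a damaged FAT can point a chain back at itself.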
 
SEA (of ARC fame) apparently made a utility called OHMYGAWD which did something similar, as a last-ditch attempt at recovering deleted files.
 
Sure enough, it's in the ARC602 ARC.DOC file (only available to registered users though). It follows a similar approach, although it doesn't check if the cluster actually has anything in it like PADD does. How about that! :)
 
I have on my todo list a feature in the FTP client to backup/restore the hard drive by doing sector copies. From within DOS you can access only the current partition; using BIOS calls you can snarf up any partition, the boot sector, or just the entire hard drive.

Is that feature interesting to you?


Mike
 
Didn't Mike Chambers write a similar utility also (backup drive over FTP)? More to your question, Mike, I think it would be an excellent question. If there was an easy bootable method, I think a lot of folks would benefit from this to restore data off of their old computer or gain access to files from relatives who have passed, etc.
 
I know Mike started ...

But I also know that my FTP client has the benefit of at least two years of widespread use and testing. So while the ability to treat partitions as special files would be new, I know the rest of it is solid.

I was thinking of it as a good backup solution for machines where it is not easy to just remove the drive and attach it to a modern machine. I have this problem with my old XTs that still have their original drives.
 
While you can archive a drive completely using an image utility (ie. Norton Ghost, Unix's dd, etc.), I don't know of any that work on < 386 hardware. So I still feel that the util is worthwhile when archiving 808x or 286 systems' hard drives.

Trixter,

This is not strictly true. Older versions of Ghost (before Norton bought them) ran in real mode DOS so they should run on an 8086 level machine.
 
I have on my todo list a feature in the FTP client to backup/restore the hard drive by doing sector copies. From within DOS you can access only the current partition; using BIOS calls you can snarf up any partition, the boot sector, or just the entire hard drive.

Is that feature interesting to you?


Mike

I'd definitely love to see something like this. Even a stand-alone bare-bones utility would be cool. Something to image the HDD onto a network drive, for example!
 
Is that feature interesting to you?

Absolutely, but you'll have a harder time than I did. I rely on DOS for everything including sector reads that are handily translated for me by DOS (I don't have to worry about partition tables).

I built my utility partially because this feature you speak of does not exist :)
 
It has been done (as well as a bunch of other stuff) since about 1987. Look for "Computer Forensics Tools" (I oughta know :) ).

Well, I didn't know any of this before I started! In any case, I'm proud of the result. It's small, fast, and works, and was a great way to pass the time during my sabbatical.

Chuck, I can't find any specific links to similar tools you've authored, only evidence that you have authored some. If you have any specific info, I'd love to see what wheel I was reinventing...
 
Absolutely, but you'll have a harder time than I did. I rely on DOS for everything including sector reads that are handily translated for me by DOS (I don't have to worry about partition tables).

I built my utility partially because this feature you speak of does not exist :)

Yes, I know it doesn't exist. The question was, would it still be interesting ... it's been on the todo list for two years.

Reading the current partition is done using DOS reads. Reading the partition table and modifying it is something I'm quite comfortable with - I wrote a utility to let me switch between DOS 3.3 and 5.0 installed on the same hard drive. (It hides the non-boot DOS partitions and unhides the one you selected to boot.)
 