3
votes

There are programs out there that recover deleted files from the hard drive and also ones that overwrite free space in order to prevent deleted files from being recovered.

The act of overwriting free space seems understandable. The program creates files and writes arbitrary bytes to them.

However, when it comes to reading deleted files, I'm stumped. I understand that deleting a file only gets rid of the reference in the file system and that recovery programs search for common file headers in order to determine which part of the 'free space' could be a recoverable file.

But how can a program read data from the hard disk that is not part of the file system? Any language that I've used or read some documentation about, allows reading from the hard disk only by opening a file - which is not free space.

I would also be grateful for a small example of a read from hard disk maybe in C++, Java or Python.

Also, I am a Windows user.

EDIT: This is what the Java guys came up with: How to access specific raw data on disk from java

1
This question reads as off-topic; there's no actual formal coding problem here to be solved. We can't link to off-topic resources for you either, sorry. - Makoto
I'm all about flagging questions as too broad, but I disagree - it is a bit broad, but I still think it's a legit question at a slightly higher level. Normally questions that ask for an example in any language would be totally off-topic, but this is a more conceptual question asking for a very specific answer, so I think that's reasonable enough. - neminem
What I'm asking about can either be done or it cannot. If it can then there ought to be some sequence of programmatic statements that can achieve it. I think finding this sequence of statements is a formal coding problem. - Dziugas
Please do not close this question. - B.K.
@mpez0 - maybe not, or you need a quick hand on Ctrl-C - Eugen Rieck

1 Answer

4
votes

Every OS out there has the notion of a block device - with a hard disk being the canonical example. Now the beauty is that in most implementations (this includes Windows), these can be opened just as if they were files on a file system by referring to special file names that would be invalid inside the file system (appropriate user privileges are assumed).

On Windows, e.g., opening \\?\Device\Harddisk0\Partition1 will give you access to the first partition of the first hard drive. With read access to this special "file", you can now read the drive's content without going through the file system, giving you the possibility to discover and salvage objects that are no longer part of the file system but have not yet been overwritten or trimmed.
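
The sketch below is an added example, not part of the original answer. It shows the header search the question describes, run over a device opened as a file the way the answer explains. The 512-byte sector size, the signature table, the function names and the in-memory sample image are assumptions made for illustration.

```python
import io

SECTOR = 512  # assumed logical sector size; raw-device reads should be whole sectors

# Assumed signature table: leading "magic bytes" of a few common file types.
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
}

def carve_offsets(dev, chunk_sectors=2048):
    """Yield (byte_offset, kind) for every sector that starts with a known signature.

    `dev` is any binary file object: a disk image, or a raw device opened with
    open(path, "rb", buffering=0). Files start on cluster boundaries, which are
    sector multiples, so only sector starts are checked.
    """
    offset = 0
    while True:
        chunk = dev.read(SECTOR * chunk_sectors)  # always request a sector multiple
        if not chunk:
            break
        for i in range(0, len(chunk), SECTOR):
            head = chunk[i:i + 8]
            for magic, kind in SIGNATURES.items():
                if head.startswith(magic):
                    yield offset + i, kind
        offset += len(chunk)

def build_sample_image():
    """Constructed 16-sector 'disk' of zeros with two file headers left behind
    in sectors that no file system entry refers to."""
    img = bytearray(SECTOR * 16)
    img[5 * SECTOR:5 * SECTOR + 4] = b"\xff\xd8\xff\xe0"       # JPEG header at sector 5
    img[11 * SECTOR:11 * SECTOR + 8] = b"%PDF-1.4"             # PDF header at sector 11
    img[7 * SECTOR + 100:7 * SECTOR + 103] = b"\xff\xd8\xff"   # mid-sector bytes: not a file start
    return bytes(img)

def scan_sample():
    return list(carve_offsets(io.BytesIO(build_sample_image()), chunk_sectors=4))

if __name__ == "__main__":
    for off, kind in scan_sample():
        print(f"sector {off // SECTOR}: possible {kind} header at byte {off}")
    # On a real drive, pass the device object instead of the sample image, e.g.
    # open(r"\\.\PhysicalDrive0", "rb", buffering=0) on Windows (run elevated)
    # or open("/dev/sdX", "rb", buffering=0) on Linux (run as root).
```

A hit only marks where a file may begin; recovering the content means reading onward from that offset and deciding where the file ends, which depends on the format.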