Clusters chain recovery for the deleted entry

After the cluster chain is defined, the final task is to read the contents of the identified clusters, verify them, and save them to another location.

With a chain of clusters and the standard formulae, it is possible to calculate each cluster's offset from the beginning of the drive. Starting from the calculated offset, we copy an amount of data equal to the size of the cluster chain into a newly created file.

A variation on this formula does not copy the whole of the last cluster: it takes the file size, subtracts the number of clusters already copied multiplied by the cluster size, and copies only that remainder from the last cluster (see NTFS below).

Formulae for calculating cluster offset vary depending on file system.

To calculate a cluster offset on a FAT drive we need to know the following:

  • Boot sector size
  • Number of FAT copies
  • Size of one copy of FAT
  • Size of main root folder
  • Number of sectors per cluster
  • Number of bytes per sector

On NTFS, the linear address space makes life simpler: multiply the cluster number by the cluster size.

Recovering Cluster Chain in FAT16

This section continues to examine the deleted file MyFile.txt from the previous topics. By now we have the chain of clusters 03, 04, 05, 06 ready for recovery. Our cluster consists of 64 sectors and the sector size is 512 bytes, so the cluster size is 64 * 512 = 32,768 bytes = 32 KB.

The first data sector is 535: we have one boot sector, plus two copies of the FAT of 251 sectors each, plus a root folder of 32 sectors, so sectors 0 through 534 are occupied by system data.

Cluster numbers 0 and 1 do not exist on FAT, so the first data cluster is 2.

Cluster 3 follows cluster 2, which starts at the first data sector (535), so cluster 3 starts 64 sectors later: 535 + 64 = 599, equal to an offset of 306,688 bytes from the beginning of the drive (0x4AE00 in hex).

With the help of the Active@ UNERASER low-level disk viewer we can see our data starting from offset 0x4AE00 (3rd cluster, or sector 599):


Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
0004AE00   47 55 49 20 6D 6F 64 65  20 53 65 74 75 70 20 68   GUI mode Setup h
0004AE10   61 73 20 73 74 61 72 74  65 64 2E 0D 0A 43 3A 5C   as started...C:\
0004AE20   57 49 4E 4E 54 5C 44 72  69 76 65 72 20 43 61 63   WINNT\Driver Cac

Because the cluster chain is consecutive, all we need to do is copy 112,435 bytes starting from this offset. If the cluster chain were not consecutive, we would need to recalculate the offset of each found cluster, copy 64 * 512 = 32,768 bytes from each of the first three cluster offsets, and then copy only the remainder from the last cluster: 112,435 bytes - (3 * 32,768 bytes) = 14,131 bytes.

Recovering Cluster Chain in NTFS

In our example we want to pick up 110 clusters starting from cluster 312555.

The cluster size is 512 bytes, so the offset of the first cluster is 512 * 312555 = 160,028,160 = 0x0989D600.


Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
0989D600   D0 CF 11 E0 A1 B1 1A E1  00 00 00 00 00 00 00 00   РП.аЎ±.б........
0989D610   00 00 00 00 00 00 00 00  3E 00 03 00 FE FF 09 00   ........>...юя..
0989D620   06 00 00 00 00 00 00 00  00 00 00 00 01 00 00 00   ................
0989D630   69 00 00 00 00 00 00 00  00 10 00 00 6B 00 00 00   i...........k...
0989D640   01 00 00 00 FE FF FF FF  00 00 00 00 6A 00 00 00   ....юяяя....j...
0989D650   FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF   яяяяяяяяяяяяяяяя

Recovery is complete once 110 clusters (110 * 512 = 56,320 bytes) have been read starting from this offset and copied to another location.
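As an added example (not Active@ UNERASER's own code), the FAT and NTFS offset formulae above and the cluster-copy step in Python; FatGeometry, ntfs_cluster_offset and carve_chain are names chosen here, and carve_chain reads from an in-memory byte string standing in for the drive so it can run on a constructed sample. It also handles the non-consecutive case described in the FAT16 section, copying only the remainder from the last cluster.

```python
from dataclasses import dataclass
from typing import Sequence

@dataclass(frozen=True)
class FatGeometry:
    """Boot-sector values needed to locate a FAT data cluster (sizes in sectors)."""
    bytes_per_sector: int
    sectors_per_cluster: int
    boot_sectors: int
    fat_copies: int
    sectors_per_fat: int
    root_dir_sectors: int

    @property
    def cluster_size(self) -> int:
        return self.bytes_per_sector * self.sectors_per_cluster

    @property
    def first_data_sector(self) -> int:
        return (self.boot_sectors + self.fat_copies * self.sectors_per_fat
                + self.root_dir_sectors)

    def cluster_offset(self, cluster: int) -> int:
        # clusters 0 and 1 do not exist on FAT, so cluster 2 starts the data area
        if cluster < 2:
            raise ValueError("FAT data clusters are numbered from 2")
        sector = self.first_data_sector + (cluster - 2) * self.sectors_per_cluster
        return sector * self.bytes_per_sector

def ntfs_cluster_offset(cluster: int, cluster_size: int) -> int:
    # NTFS addresses clusters linearly from the start of the volume
    return cluster * cluster_size

def carve_chain(image: bytes, offsets: Sequence[int], cluster_size: int,
                file_size: int) -> bytes:
    """Copy file_size bytes following a (possibly non-consecutive) cluster chain.
    Every cluster but the last is copied whole; the last contributes only the
    remainder file_size - (n - 1) * cluster_size, as in the FAT16 walkthrough."""
    if not offsets or file_size > len(offsets) * cluster_size:
        raise ValueError("file size does not fit the cluster chain")
    out, remaining = bytearray(), file_size
    for off in offsets:
        want = min(cluster_size, remaining)
        chunk = image[off:off + want]
        if len(chunk) != want:  # chain points past the end of the image
            raise ValueError("cluster at offset %#x lies beyond the image" % off)
        out += chunk
        remaining -= want
    return bytes(out)
```

With the page's FAT16 parameters (512-byte sectors, 64 sectors per cluster, 1 boot sector, 2 FATs of 251 sectors, 32 root sectors) cluster_offset(3) yields 0x4AE00, and ntfs_cluster_offset(312555, 512) yields 0x0989D600.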

© 2016 LSoft Technologies Inc.