Manual Data Recovery
Aside from offering various automatic data recovery mechanisms, WinHex is a powerful tool to manually recovery data. It is possible to restore lost or deleted files (or more general: data) that have not been physically erased (or overwritten), but merely marked as deleted in the file system (logical deletion).
Open the logical drive where the deleted file resided on using the disk editor. Principally you can recreate such a file by selecting the disk sectors, that were allocated to the file, as the current block and saving them using the menu command Edit | Copy Block | Into New File. But it may prove difficult to find the sectors where the file is still stored in the first place. There are principally two ways to accomplish this:
| 1. | In case you know a snippet of the file you are looking for (e.g. the characteristic signature in the header of a JPEG file or the words "Dear Mr. Smith" in a MS Word document), search it on the disk using the common search commands ("Find Text" or "Find Hex Values"). This is a very simple and safe way, and can be recommended to anyone. |
| 2. | In case you only know the filename, you will need some knowledge about the filesystem on the disk (FAT16, FAT32, NTFS, ...) to find traces of former directory entries of the file and thereby determine the number of the first cluster that was allocated to the file. Information on file systems is available in the Knowledge Base on the WinHex web site. The following applies to all FAT variants: |
| If the directory that contained the file (let's call that directory "D") still exists, you can find D on the disk using Tools | Disk Tools | List Directory Clusters. The factory template for FAT directory entries that comes with WinHex will then be helpful to find out the number of the first cluster that was allocated to the deleted file in that directory. Otherwise, if D has been deleted as well, you need to find the contents of D (using the directory entry template) starting with the directory that contained D (possibly the root directory). |
| Deleted files and directories are marked with the character "å" (hexadecimal: E5) as the first letter in their name. |
You may encounter the problem that the file to recover is fragmented, that is, not stored in subsequent contiguous clusters. On FAT drives, the next cluster of a file can be looked up in the file allocation table at the beginning of the drive, but this information is erased when a file is deleted.