Challenger Rocket File System View¶
Introduction¶
File System View is a Task Integrated Tool for analysis, display, forensic tasks and data recovery of Partitions and Files.
File System View Will use Current Device Task Options for any operations or command.
Opening File System View¶
File System View will be displayed clicking on File System View Button located on Rocket Toolbar.
Opening Partition Table¶
Most Devices are configured with a legacy MBR ( master boot record ) located at default sector 0. Usually Sector 0 Contains the Partition Table Scheme.
Modern devices are configured with GPT Partition Table, an extension of a legacy mbr which points to a partition type 0xEE usually located at sector 1.
Hint
On a direct volume, the first sector of device is the partition boot sector.
To read and expand current partition table double click on device name located on top left on File System View
Inspecting Master Boot Record¶
In a Device Diagnostic Process, inspection of master Boot Record Sector should be performed in ANY CASE.
Since Master Boot Record has Big Relevance in any Data Recovery Task, first check effective status of the logical block address, next inspect partition offsets and their offset status.
Most of common Error in Hard Disk Drives are related to Master Boot Record or GPT Corruption.
Reading Master Boot Record in Hex Mode¶
Partition Table¶
Rocket File System View will display Partition Table Result as an expanded Tree and as textual information log.
Hint
To Open File System Content double click on Desired Partition in Partition Tree.
Most of common hard disk devices damages affect Master Boot Record ( sector 0 ).
Please Check Log and Lba Map for errors when opening partitions.
Hint
Lba Errors on Sector 0 can be fixed using Scan For Lost Partition Function
Partition Common Errors¶
If one drive cannot be mounted from os properly or resident operating system cannot boot and you receive it for data recovery, expect to meet errors scenarios.
- Damaged or Missing Master Boot Record
- Damaged or Missing GPT
- Damaged or Missing Main Partition SuperBlock
- Damaged or Missing $MFT Record ( on NTFS File Systems )
- Damaged or Missing Root Node
- Combination of Cases Above
Hint
If in the diagnostic process many damaged block will be discovered, consider to create a complete image of the source drive. This will reduce Damaged Device stress and Risk of Definitive Failure.
Note
Please Refer to Section Data Recovery Samples to solve Partitions Common Errors.
File System View Interface¶
File System view tools¶
File system View offers several analysis utilities, just select file / folders and press right mouse button to open context menu.
- Open File
- Save File
- Evaluate Folder Size
- Check File Consistency
- Read File Chains
- Secure Delete Files Chains
- Build Allocation Bitmap
- Read Bitmap Allocated Sectors
- File Search
- FIle Binary Search
- Hash Calculation
- LBA Map ( related to file chains )
- Move to File Record
- Move to File Offset
- Create Snapshot
- Export File List
- Expand File System
- File Fragment Table
- Display
- Sort Records
- Properties
Open File¶
Save selected Files to Temp Folder and launch associated application. This can be accomplished selecting “Open File” , Double Click on File or pressing Right Arrow on Keyboard.
Note
Big Files cannot be opened to avoid memory saturation.
Save File¶
Save Selected Files and Folders to Target device or location.
This can be accomplished selecting “Save File” or pressing “F2” key on keyboard.
Evaluate Folder Size¶
Evaluating Folder Size can be useful to determine size of a dataset before saving it.
Evaluation does not read files content but metadata only.
Hint
On Huge File Systems could be useful disable LBA Map while evaluating to increase nodes analysis speed.
Check File Consistency¶
Consistency function can be useful to determine quality of a dataset. All selected folders and files content will be read without saving files. If any node will contain bad block, file chain reading process will be interrupted and logged in current test log.
Hint
Using Check File Consistency in a Cloning Task will result in automated transfer of selected File Chains into target device sectors.
This will be really useful while recovering damaged devices.
Read File Chains¶
Like Check File Consistency, all selected File Chains will be read with no process interruption after errors.
This should be used on single Huge Damaged files like Databases and Mailboxes which could be recovered with specialized tools in a second process.
Hint
Using Read File Chains in a Cloning Task will result in automated transfer of selected File Chains into target device sectors.
Secure Delete Files Chains¶
All Selected Files Chains will be Shredded and Erased Permanently.
Secure Delete Files Can be accomplished in several modes:
- SHREDDER TYPE ZERO
- SHREDDER TYPE RANDOM
- SHREDDER TYPE XOR
- SHREDDER TYPE FAST XOR
Build Allocation Bitmap¶
Each File has an allocation and often a fragmented chain.
Reading a file system structure using iNode order usually cause overheads and heads seeking latencies ( devices seeks in several lba areas to rebuild a single file chain ).
Building Allocation Bitmap aims to merge zones of selected files saving allocations information on Task zMap in a linear global allocation.
This will be useful to inspect SLACK SPACE and optimize reading process.
Hint
Build Allocation Bitmap needs Lba Map flag enabled.
Read Bitmap Allocated Sectors¶
Read Bitmap can be launched with a filled bitmap created with function Build Allocation Bitmap to perform disk reading of allocated sectors.
Note
Build Bitmap and Read Bitmap should be used in a cloning or imaging Task.
Like Check File Consistency, all selected File Chains will be read with no process interruption after errors.
This should be used on single Huge Damaged files like Databases and Mailboxes which could be recovered with specialized tools in a second process.
Hint
Using Read File Chains in a Cloning Task will result in automated transfer of selected File Chains into target device sectors.
File Search¶
Searching File is essential in a data recovery Task.
File Search can be performed on global file system ( starting from root node ) or selecting folders to search into.
To launch a File Search Thread just press F3 key or Select Search From Context menu.
You can enter a part of file you are looking for (eg. doc) or simply extension (.doc)
Note
Challenger Rocket has an embedded Search System with Enabled Snapshot. Every File Search performed in a snapshot is Very Fast.