Hello guys,

I'm trying to learn VB.NET because i study digital forensics, so i thought it would be nice if i can write my own programs in the future. As a first project i planned to pick something difficult to make because i think it's the best method to learn programming. So, as a first project i thought about making a data recovery program. My only problem is that there isn't much to find about it on the internet. What i want to ask from you guys is if you can help me a little bit starting my project. I'm trying to find some examples or methods to read sectors, NTFS and the master file table. Already searched the whole internet for something like this, but i couldn't find any information about it.

I hope one of you can help me a little bit with this.

Thanks a lot.

Windows Applications do not have permission to directly access any hardware device.
You need a program running at ring 0 level of the operating system (such as drivers) to do that.

VB.NET hence, can only provide a graphical interface to such an application.

The real sector reading program would have to be written in C using the Windows DDK (Driver Development Kit)

Click here for more information on the Windows DDK.
Now called the Windows Driver Kit (WDK)

Ok, and is there a significant difference in this kind of cases between C, C++, C# and .NET? Or is hardcore C the only langauge to accomplish this?

This is not exactly true. When it comes to video and audio, you have to do some backflips because the OS basically owns them. However, low level File I/O has always been available. e.g. http://support.microsoft.com/kb/11988

Of course, for .NET, this would be considered "unmanaged."




Any code is subject to the rules of the Operating System under which it runs. Windows locks down a lot of UI elements. As I mentioned above, file I/O is certainly the most open. There's a Win API function called DeviceIoControl that lets you get down and dirty with everything.

You can all those functions from C, C++, and unmanaged .NET, with equal ease. In .NET, alot of Win API stuff is available through System.Runtime.InteropServices.

You can do a sector read inside Windows. There are other tools that do so, right? I don't have code to hand, but certainly possible.

For byte by byte forensics... you need to know the file system layout. In the old days of FAT, a copy of Norton's Utilities, or any kind of sector editor, and you were off and running. FAT is wonderful to recover from, it's all right there if you know how to read it.

NTFS must still use some kind of partition format to store its data, but they've been less than forthcoming with what that format entails. You can see the bits and bypte, but they're not clearly stored. Some open source projects have black boxed NTFS. Most read reasonably well, but none claim 100% when it comes to writing.

Hope this helps.

I'm afraid that's not true. DeviceIoControl lets you interact with the device driver (which is a .sys file) and not the device itself. Device drivers run in Ring 0 and hence has direct access to the device.

Since default hard-disk Drivers won't give you byte-by-byte access to the sectors (there could be existing functions actually), you'll have to write the driver in DDK and then call it from VB.NET using DeviceIoControl() and IoBuildDeviceIoControlRequest()

I'd really like to know what you find out. I'm more of a VB programmer myself and I'd like to work on a similar project.

I need a program that can scan a drive and document which sectors or "groups of sectors" are bad. I use GetDataBack for NTFS data recovery software but it still hangs sometimes on bad sectors, at least I think that's what it's hanging on.

HK

As I said, you can't do that with standard VB/VB.NET code.
But there are a few libraries for VB and .NET but they aren't free.

You can only write the User Interface in VB, but the sector reading code has to be written in C (compiled as a device driver)