XAMINER
by Norman Davies

Xaminer Disk Sector Editor & File Recovery System
        
Xaminer will run on any PC or true compatible operating under
MSDOS 2.11 or above PCDOS or DR DOS and with at least 256K of ram.
It will not run under DOS PLUS but will edit DOS PLUS disks.
It will not recognise fixed disks format to partitions larger
than 32 MB under DOS 4.00 DR DOS etc.

The program automatically detects the type of graphics adaptor
& will use colour if it detects a CGA EGA or VGA. For the benefit 
of those using a colour adapter to drive a mono monitor the program 
may be called with a parameter to force it into mono mode. 
For example XAMINER M.

In order to avoid potential disasters this version of Xaminer
will not write sectors to a fixed disk. You can however use it
to examine and report on fixed disks and to copy sectors from
a floppy disk to a file on a fixed disk.

You should now copy XAMINER.EXE & XAMINER.DOC in that order onto
a blank freshly format disk and follow the instructions below.

Place the disk in selected drive & type XAMINER (XAMINER M for
mono display) then press Enter. When first called the program 
displays its title & asks for the drive letter to be entered. 
Enter the letter of the selected drive then press Enter. It 
then displays a report on the type & size of disk etc & prompts 
for a key to be pressed. When you have finished studying the 
report press a key. When this is done Sector 0 will be displayed. 

The top line on the screen shows the sector number, drive, display
mode & a prompt + - To Change Sector. The next line shows the
selected file, NO FILE in this case. The next line shows the byte
numbers in hex with alternate bytes in different colours. The next
16 lines show the offset from the start of the sector in hex
followed by the contents with the offset repeated. 
Bytes which are displayable characters are shown as characters the 
remainder as hex bytes. Pressing the space bar will switch the display 
to show the complete sector in hex. Try it. Press again to switch back.

Below the sector contents are 20 options one of which BOOT SECTOR
will be highlighted. On the bottom line but one are instructions
on how to move the select bar, select an option, switch display
type & exit. The bottom line shows what the currently selected
option does. Try moving the select bar using the cursor arrow keys
to see what each selection does. If nothing happens check that
Num Lock is not engaged.

At this stage you can try selecting any of the selections other
than FILE UNDELETE, FILE RECOVER & WRITE SECTOR as you can not do
any harm. Even SECTOR EDIT does not change anything on the disk 
until WRITE SECTOR is used. If FILE REPORT offers to recover a
corrupted file allocation table (FAT) or directory entry answer 
no until you have read the remainder of this document.


                              (1)









              The Structure of MSDOS Disks

When a disk is format it is divided into concentric cylinders
or tracks and each track is divided into a number of sectors.
Sectors are not necessarily numbered consecutively on the disk
surface but are given a Logical Sector No at the time when the
disk is format. In future when refering to sector numbers what
is meant is the Logical Sector No. 

All MSDOS disks set aside a number of sectors for the system
area. This consists of the Boot Sector always sector 0, any
further reserved sectors currently nil, the File Allocation
Table (FAT), usually one additional copy of the FAT and finally
the Root Directory. The space after the System area is available
for Files or Sub Directories which are just a special type of
file. The minimum amount of disk space which can be allocated 
to a file is a cluster. The number of sectors in a cluster
depends upon the type of disk.

             
Ignoring 8" disks and earlier single sided and 8 sector double
sided 5.25 disks there are currently 4 different disk types and
each sets aside a different number of sectors for the system area.
Each type has a media descriptor byte which is contained in the first
byte of each copy of the FAT and also in byte 15 Hex of the Boot
Sector.

The Types are:- 

5.25 double sided 9 sector 40 track 360 K.
Media descriptor byte FD Hex.
Bytes per sector 512.
Sectors per cluster 2.
Boot Sector sector 0.
Additional reserved sectors 0.
File Allocation Table sectors 1 and 2.
Second copy of FAT sectors 3 and 4.
Root Directory with space for 112 entries. As each entry requires
32 bytes this requires 7 sectors from sector 5 to sector 11. The
first sector available for storing files or sub directories is
therefore sector 12. 

3.5 double sided 9 sector 80 track 720 K.
Media descriptor byte F9 Hex.
Bytes per sector 512.
Sectors per cluster 2.
Boot Sector secter 0.
Additional reserved sectors 0.
File Allocation Table sectors 1 2 & 3.
Second copy of FAT sectors 4 5 & 6.
Root Directory with space for 112 entries sectors 7 to 13.
First files area sector - sector 14.




                              (2)









5.25 double sided 15 sectors 80 track 1.2 Mb
Media descriptor byte F9 Hex (Same as 3.5 720 K.)
Bytes per sector 512.
Sectors per cluster 1.
Boot Sector sector 0.
Additional reserved sectors 0.
File Allocation Table sectors 1 to 7.
Second copy of FAT sectors 8 to 14.
Root Directory with space for 224 entries sectors 15 to 28.
First files area sector - sector 29.

3.5 double sided 18 sectors 80 track 1.4 Mb.
Media descriptor byte F0 Hex.
Bytes per sector 512.
Sectors per cluster 1.
Boot Sector sector 0.
Additional reserved sectors 0.
File Allocation Table sectors 1 to 9.
Second copy of FAT sectors 10 to 18.
Root Directory with space for 224 entries sectors 19 to 32.
First files area sector - sector 33.

Fixed Disks (Hard Disks) have a media descriptor byte F8 Hex.
The number of sectors used by the system area will depend
upon the disk size & number of partitions. Xaminer will produce
a report on the sectors used by the systems area.

On some floppy disks produced by disk copying agencies the Boot
Sector is blank. Usually filled with bytes 00 Hex. On a
normally format disk it contains the name & version of the
program used to format the disk, data on the system area and
the Bootstrap program used to load the operating system on a
bootable disk or to give the familiar error message when you
accidentally switch on with a non system disk in drive A:.
The Boot Sector is of no interest in file recovery so it will
not be described in detail.

Before describing the File Allocation Table it is necessary to
look at how a directory entry is made up. Look at the ROOT
SECTOR on the disk containing XAMINER.EXE & XAMINER.DOC and
switch to Text or Hex display. At offset 0000 Hex bytes 00 to
07 Hex contain the file name padded out to fill 8 bytes by
spaces. Bytes 08 to 0A Hex contain the file extension. If
this was less than 3 characters it would also be padded out
by spaces. Now switch to Hex display. Byte 0B Hex contains
the File Attribute. Each of the 8 bits of the attribute byte
have a meaning when set to binary 1 as follows:-

Bit 0 Read Only. File write protected and can not be written to.
Bit 1 Hidden File not shown by a normal directory.
Bit 2 System File not shown by a normal directory.
Bit 3 Volume Label (Only in Root Directory).
Bit 4 Sub Directory.
Bit 5 Archive Bit set to 1 when file is modified.
Bits 6 & 7 are reserved for future use.


                              (3)








In this case the attribute byte is shown as 20 Hex which
means that it is a normal file with the attribute bit
set to 1. (2 to the power 5 = 32 decimal = 20 Hex)  

The bytes from 0C hex to 15 Hex are unused at present and will
be set to 00 Hex. Bytes 16 and 17 Hex contain the files time in 
a compressed binary format where bits 0 to 4 contain the seconds
in 2 second increments, bits 5 to A contain the minutes & bits
B to F contain the hours. Bytes 18 & 19 contain the files date
in a similar format where bits 0 to 4 contain the day of the
month, bits 5 to 8 contain the month number & bits 9 to F
contain the year number where year 0 = 1980.

The remaining bytes are the ones that are of most interest.
Bytes 1A & 1B contain the cluster number at which the first
section of the file is stored low order byte first. Bytes
1C to 1F contain the files length in bytes once again low
order byte first.

The start cluster for XAMINER.EXE is 0002 Hex but on disks with
less than 4087 clusters which includes all present floppy
disks only the lowermost 12 bits are used so in this case the
cluster number is 002 Hex.  

Now select 1st FAT SECTOR and display in Hex. Byte 0000 is the
media type descriptor F9 Hex if you have used a 5.25 360 K disk.
bytes 0001 and 0002 are alway set to FF Hex so the first FAT
entry is at byte 0003 and the low order 4 bits of byte 0004.
As each FAT entry takes one and a half bytes the files start
cluster number must be multplied by 1.5 to find the offset
into the FAT at which the next cluster or the end of file
marker is stored. The calculator is integer only so instead
of multiplying by 1.5 multiply by 3 and then divide by 2. If
this results in a remainder the cluster number is stored in
the high order 12 bits. If there in no remainder it is
stored in the low order 12 bits.

Try this with the start cluster for XAMINER.EXE 2 times 3 is
6 divided by 2 is 3 with no remainder. Now look at the entry
in the FAT at offset 0003 and the following byte 0004. It is
4003 once the two bytes have been transposed. As there was no
remainder the top 4 bits can be ignored and the next cluster
is 003. Repeating above to find the next cluster 3 times 3
is 9 divided by 2 is 4 with a remainder. The two bytes at
offset 0004 contain 0040 or 004 in the top 12 bits which is the
number of the next cluster.

Above process can be repeated until a cluster number of
FF8 Hex or above (usually FFF) which signifies that the end
of the file has been reached. Cluster numbers set to 000 are
vacant and those set to FF7 are bad clusters. Valid cluster 
numbers range from 002 to a maximum of FF6 depending the number 
of clusters available on the disk. There is no such thing as 
cluster 000 or 001. A cluster number can be split over 2 bytes
consecutive sectors.


                              (4)








On fixed disks with more than 4086 clusters which use
16 bit FAT entries the process is much simpler. Just multiply
the cluster number by 2 to find the offset into the FAT and
take the value in the byte pointed to as the low order 8 bits
and the value in the next byte as the high order 8 bits of
the cluster number. In this case cluster numbers of FFF8 and
above indicate end of file and FFF7 indicates a bad cluster.

Because XAMINER.EXE and XAMINER.DOC have been stored  on a
freshly format disk they will have been stored in blocks
of consecutive cluster numbers. On disks where files have
been added and deleted there may come a time when DOS can not
find a continuous block of clusters large enough so the file
will be split into sections of one or more clusters. If you
try using FILE REPORT on disks which have had considerable
use you will almost certainly find this to be the case.



                      FILE RECOVERY
                      
The first thing about file recovery is to try your best to avoid
having to do it. Never use disks which format with bad clusters.
You may get away with it for a while but eventually you will be
caught out and the chances are that it will be a file which has
not yet been backed up which becomes corrupted. Use DISK REPORT
to check all your disks and if bad clusters are reported copy
your files onto good disks while you still can.  Do not worry
if a Fixed Disk reports a few bad clusters. They nearly all have
them from the manufacturing stage.

When DOS prompts with the message "Are you sure" always stop and
think before answering "Yes". You will be rather upset if you
accidentally delete all the files in the current directory on
your hard disk when what you meant was drive A. Other common
mistakes are DEL *.BAT instead of *.BAK, changing disks when
the program you are using does not expect this, switching off
or pressing Ctrl Alt Del instead of exiting from a program 
correctly, forgetting that you have used ASSIGN or using FORMAT 
or MORE with the wrong parameters.

We all make mistakes at some time however so if you accidentally
delete or corrupt a file or disk proceed as follows:-

First and this is MOST IMPORTANT never use file recovery or sector
editor programs on the original disk and this includes the DOS utilities
RECOVER and CHKDSK with the /F option. Always use DISKCOPY to make
an exact copy to work on. DISKCOPY entered on its own without
drive specifiers will copy a disk on the currently selected drive
prompting you to change disks as required. This is usefull on
machines with one 5.25 and one 3.5 drive.





                              (5)









If you have accidentally deleted a file or files and have not
written any files to the disk since the files will still be intact
on the disk. The first byte of the file name in the directory will
have been overwritten with E5 Hex and its FAT entries overwritten
by 000 Hex. If you only deleted one file and the file was stored in a 
single block of consecutive clusters FILE UNDEL will undelete it and 
restore the FAT entries. If you only deleted one file try FILE UNDEL.
If it does not succeed it will report "Insufficient Contiguous Clusters 
for Automatic Undelete". It will also report the start cluster and the 
number of clusters required by the file. Use the start cluster to 
calculate the offset into the FAT and look at the FAT at this point. 
Count how many 12 bit entries have been overwritten by 000 Hex. This 
will be the number of clusters in that block. Subtract it from the 
number of clusters required by the file to find out how many more FAT 
entries you have to locate and add it to the file start cluster and then
subtract 1 to get the cluster number of the last cluster in that block 
and make a note of it. Now search the FAT for other 000 Hex entries and 
calculate the cluster numbers to which they refer and make a note of them.
Remember that you require one more entry than the number of clusters in
the file for the file end marker. If you can not find sufficient spare
clusters within the used part of the FAT then the remainder of the file
must start immediately following the last used cluster.

If you find exactly the right number of entries in a single additional block 
you now know the clusters on which the file is stored. If they are in more 
than one additional block you know the clusters used but not the order in 
which they are used. If this is the case calculate the sector number on which 
each block of clusters starts using the formula:- 

(Cluster No - 2) * Sectors per Cluster + Reserved Sectors + Sectors per Fat 
* No of copies of FAT + Root Directory Entries / 32. 

Use the Editor to examine the sectors to see if you can make out the order in 
which the blocks of clusters occur in the file. If it is a text or word 
processor file this should be relativly simple. If it is a data base or 
spreadsheet file more difficult depending upon what recognisable text you can 
find. If it is an executable program file other than a batch file almost 
impossible. If it is not possible to determine the order in which the blocks
of clusters should go the only answer is to put the file back together in
every possible combination until the correct one is found.

The file can be recovered by restoring the FAT entries and the first
byte of the file name manually using the Editor. Remember to write the 
directory sector and the FAT sector or sectors back to the disk after 
editing. An easier way is to write the blocks of clusters to a file on 
another disk using FILE RECOVER. To use the latter method get the start 
sector of the first block from the directory & calculate the start sectors
of the remaining blocks also calculate the number of sectors in each block
(number of clusters * sectors per cluster). You can now use FILE RECOVER
to write these groups of sectors to a file but it must be on another disk
preferable in a different drive or to a fixed disk. If you only have a 
single drive FILE RECOVER will prompt you to change disks as each sector
is first read and then written but this obviously takes a lot longer.



                              (6)









If you have deleted more than one or possibly all the files on a disk
the proceedure is the same except that although FILE UNDEL may say it
can undelete a file and appear to do so it may get the clusters wrong.
If this happens re-format the disk and start again but this time use
the manual method. One more reason for always working on a copy rather
than the original disk.

Problems other than the accidental deletion of files can occur such as
accidental corruption of the directory structure or FAT. If FILE REPORT
finds that the first copy of the FAT is corrupted it will attempt to
find the remaining file clusters using the second copy. If this works
you will be offered the option of restoring the first copy. This is
always worth a try but can not be guaranteed as both copies may be
corrupted but in different places. Another good reason for not using
the original disk. If it finds that the number of clusters in the FAT
do not agree with the file length in the directory it will offer to
change the length in the directory to agree with the number of clusters
in the FAT. This may enable some data files to be read at least in part
by the program which wrote them. It all depends upon the file format
used. Once again it is worth trying before using the manual method of 
file recovery. If the directory is corrupted but at least one copy
of the FAT is intact you can still locate all clusters used by files 
and recover the files using FILE RECOVER. The only problem then is
to discover which is which and rename them to their original name
and extension. 

If the directory and both copies of the FAT are corrupted you may still 
be able to find files in sub directories using SEARCH TEXT and at least 
find the cluster on which the file starts. You can find the start of 
.EXE files by using SEARCH HEX to search for the EXE file signature 4D5A 
which are always the first two bytes. If you find these as the first two 
bytes of a cluster it is almost certain to be the start of an EXE file. 
Most applications programs use some form of header at the start of files
written by them. Try looking at the first sector of a number of such
files to see if you can find a common combination of bytes which can be
used in a search. In the worst case try to recover as much information
as possible from a corrupted file or disk using PRINT SECTOR as necessary.
PRINT SECTOR outputs a form feed after printing the contents of a sector.
This is quite deliberate to leave space for any notes or manual decoding
which may be required. If the recovered data has to be input manually this
will still be a bonus if you do not have any other record of it. 

Xaminer and this DOC file only scratches the surface of what can be
involved in data recovery. One of these days if I ever have time I may
write a book on the subject. Xaminer should however enable you to recover
from simple errors and give you an insight into the way DOS stores files 
on disk. I hope you find it useful.

Norman V Davies.



PC & PCDOS are registered trade marks of International Business Machines 
Corporation
MSDOS is a registered trade mark of Microsoft Corporation
DOS PLUS and DR DOS are registered trade marks of Digital Research 


                              (7)