Deleted file recovery program using C/C++ on Windows

Disclaimer: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must follow the CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me). StackOverflow original URL: http://stackoverflow.com/questions/3813024/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow

Time: 2020-09-15 15:19:46  Source: igfitidea

Tags: windows, file-recovery

Asked by Abdul Sami

I want to write a program that can recover deleted files from a hard drive (FAT32/NTFS partition, Windows). I don't know where to start from. What should be the starting point of this? What should I read to pursue this? Help is required. Which system-level structs should I study?

Answered by Michael Borgwardt

It's entirely a matter of the filesystem layout, how a "file" actually looks on disk, and what remains when a file is deleted. As such, pretty much all you need to understand is the filesystem spec (for each and every filesystem you want to support), and how to get direct block-level access to the HD data. It might be possible to reuse some code from existing filesystem drivers, but it will need to be modified to process structures that, from the point of view of the filesystem, are gone.

Answered by Ruel

You should know first how file deletion is done in FAT32/NTFS, and how other undelete software works.

Undelete software understands the internals of the system used to store files on a disk (the file system) and uses this knowledge to locate the disk space that was occupied by a deleted file. Because another file may have used some or all of this disk space there is no guarantee that a deleted file can be recovered or if it is, that it won't have suffered some corruption. But because the space isn't re-used straight away there is a very good chance that you will recover the deleted file 100% intact. People who use deleted file recovery software are often amazed to find that it finds files that were deleted months or even years ago. The best undelete programs give you an indication of the chances of recovering a file intact and even provide file viewers so you can check the contents before recovery.

Here's a good read (but not so technical): http://www.tech-pro.net/how-to-recover-deleted-files.html

Answered by Sec

This is not as difficult as you think. You need to understand how files are stored in FAT32 and NTFS. I recommend you use WinHex, an application used for digital forensics, to check that your address calculations are correct.

I.e. NTFS uses master file records to store data of the file in clusters. Unlink deletes a file in C, but if you look at the source code all it does is remove the entry from the table and update the records. Use an app like WinHex to read the information of the master file record. Here is some useful info.

Master boot record - sector 0. Hex 0x55AA is the end of the MBR. Next will be the mft. File name is in the mft header. There is a flag to denote folder or file (not sure where). The file located flag tells if the file is marked deleted. You will need to change this flag if you want to recover a deleted file. You need the cluster size and number of clusters, as well as the cluster number of where your data starts, to calculate the start address if you want to access data from the master file table.

Not sure of FAT32, but just use the same approach. There is a useful 21-minute YouTube video which explains how to use WinHex to access deleted file data on NTFS. Not sure of the video, but just type in "winhex digital forensics recover deleted file". Once you watch this video it will become much clearer. Good luck.

Just watched the 21-minute YouTube video on how to recover files deleted in NTFS using WinHex. Don't forget the resident flag, which denotes whether the file is resident or not. This gives you some idea of how the file is stored: either in clusters, or just in the mft data section if small. This may be required if you want to access the deleted data. This video is perfect to start with as it contains all the offset byte positions to access most of the required information relative to the beginning of the file record. It even shows you how to do the address calculation for the start of the cluster. You will need to access the table in binary format using a pointer and adding offsets to the pointer to access the required information. The only way to do it is to go through the whole table and do a binary comparison of the filename byte for byte. Some fields are little endian, so make sure you use WinHex to check your address calculations.
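An added example in C (not part of the original answers) of the record walk Sec describes: it reads the in-use and directory flags from the FILE record header, walks the attribute list, pulls the UTF-16LE name out of $FILE_NAME and checks whether $DATA is resident. The offsets follow the standard NTFS FILE record and attribute header layout; the record itself is constructed by the hypothetical build_sample_record, not read from a disk, and $DATA data runs are not decoded.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* MFT fields are little-endian on disk; read/write byte-wise so the code is host-independent. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
struct mft_info { int in_use, is_dir, data_resident; char name[64]; };

/* Parse one FILE record: flags at 0x16 (bit0 in-use, bit1 directory), then walk attributes from the
 * offset at 0x14 until the 0xFFFFFFFF end marker. in_use == 0 && is_dir == 0 is a deleted-file candidate. */
int parse_mft_record(const uint8_t *rec, size_t len, struct mft_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < 0x30 || memcmp(rec, "FILE", 4) != 0) return -1;   /* not a FILE record */
    out->in_use = rd16(rec + 0x16) & 1; out->is_dir = (rd16(rec + 0x16) >> 1) & 1;
    size_t used = rd32(rec + 0x18); if (used > len) used = len; /* bytes used in the record */
    for (size_t off = rd16(rec + 0x14); off + 0x18 <= used; ) {
        uint32_t type = rd32(rec + off), alen = rd32(rec + off + 4);
        if (type == 0xFFFFFFFF || alen < 0x18 || off + alen > used) break;
        int nonres = rec[off + 8];                               /* 0 = resident, 1 = non-resident */
        if (type == 0x30 && !nonres) {                           /* $FILE_NAME: name at content+0x42 */
            size_t coff = rd16(rec + off + 0x14), n = 0;
            if (coff + 0x42 <= alen) {
                n = rec[off + coff + 0x40];                      /* name length in UTF-16 code units */
                if (2 * n > alen - coff - 0x42) n = (alen - coff - 0x42) / 2; if (n > 63) n = 63;
            }
            const uint8_t *c = rec + off + coff + 0x42;
            for (size_t i = 0; i < n; i++)                       /* ASCII subset only, '?' otherwise */
                out->name[i] = (c[2 * i + 1] == 0 && c[2 * i] < 0x80) ? (char)c[2 * i] : '?';
        } else if (type == 0x80) out->data_resident = !nonres;   /* $DATA: in MFT vs. in clusters */
        off += alen;
    }
    return 0;
}

/* Constructed sample record (hypothetical, not a disk dump): name "a.txt", non-resident $DATA. */
size_t build_sample_record(uint8_t *rec, int in_use)
{
    memset(rec, 0, 1024); memcpy(rec, "FILE", 4);
    wr16(rec + 0x14, 0x38); wr16(rec + 0x16, in_use ? 1 : 0); wr32(rec + 0x18, 0x100);
    uint8_t *a = rec + 0x38;                                     /* $FILE_NAME, resident, content at +0x18 */
    wr32(a, 0x30); wr32(a + 4, 0x68); wr32(a + 0x10, 0x4C); wr16(a + 0x14, 0x18);
    a[0x58] = 5; a[0x59] = 1; for (int i = 0; i < 5; i++) a[0x5A + 2 * i] = (uint8_t)"a.txt"[i];
    a += 0x68; wr32(a, 0x80); wr32(a + 4, 0x48); a[8] = 1;       /* $DATA header, non-resident */
    wr32(a + 0x48, 0xFFFFFFFF);                                  /* end-of-attributes marker */
    return 1024;
}
```

To run it against a real volume you would read 1024-byte records from $MFT with raw block access and feed each one to parse_mft_record, comparing the recovered name against the one you are looking for.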