Directory Snoop checks under the hood and more

Directory Snoop checks under the hood and more

Program lets you recover deleted files or permanently erase them from hard or removable drives

By William M. Frazier

Special to GCN

Programs that examine the lowest levels of hexadecimal data on a hard drive are much scarcer now than in the days of MS-DOS, because Microsoft Windows purposely shields users from arcane commands.

When I ran across Directory Snoop, it reminded me so much of some of the old MS-DOS utilities that I had to give it a try.

Directory Snoop 3.14 is a cluster-level directory viewer and file uneraser, downloadable from the Web, at www.briggsoft.com. It runs under Windows 9x and can access, at a very low level, any hard or removable drive that is uncompressed and formatted for 12-, 16- or 32-bit File Allocation Table file systems. Directory Snoop cannot access a network drive or a CD-ROM drive, however.

The compressed download is less than 500K, and the installed software takes up less than 1M of storage, including the help file. There's no printed documentation, but the help file answered most of my questions about operating the $29 program.

Directory Snoop not only shows you all deleted files prominently in red, it can recover them. You can view raw directory structures and file clusters. You can search and group files and clusters by content. If you find something on the drive that doesn't belong, you can permanently delete the file or individual clusters with a four-pass wiping function, said to be good enough to frustrate forensic hardware file recovery systems.


Can you read hexadecimal? Directory Snoop shows files in hex, text or directory format.


Directory Snoop displays FAT and can purge erased filenames from the directory structure. It can also step forward and backward through a file's cluster chain.

Flood of information

The first thing you see when Directory Snoop starts up is the main interface with two tabbed notebooklike pages, called the Current Directory and the Global List. Select any available hard or removable drive on the Current Directory page, and you'll see its files and subdirectories in the right pane. All the available information can be viewed in either Raw or Normal mode.

In Normal mode'the default'the display is like that of Windows Explorer but more comprehensive. Fields tell you the first and last record number, whether a file has been erased or not, the long filename, the short filename and all file attributes. You can see the date the file was created, the dates of last access and last modification, and the first disk cluster number for the file. Red-marked filenames that have been deleted show a question mark as their first character.

Raw mode displays the raw 32-byte directory entries in hexadecimal and text format.

The Global List holds any group of files you select from multiple drives and directories. The first field displays the origin drive and directory name. The remaining fields are the same as on the Current Directory page.







Box Score

Directory Snoop 3.14

Briggs Softworks; Houston

www.briggsoft.com

Price: $29 per copay; 250-user license $2,499



+ Recovers lost files and securely wipes unwanted data from hard drives

' Dangerous in the hands of novices


Real-life requirements:

Win9x, 1M of free storage, Internet connection for download



The Global List is useful when you want to collect a group of files and perform the same operation on each one.

The Cluster Window appears when you select a file by double-clicking. You see raw cluster data in the right pane. The left pane displays the cluster chain for the selected file if the Chain tab is selected, or for all clusters on the partition if the FAT tab is selected.

The Cluster Window is an excellent place to recover erased files. Open a new target file and then append data to it from the raw data on the disk. The Append Data dialog box has numerous options to control what data gets written to the new file. You can add a single cluster, a number of clusters or any number of bytes within a cluster.

Serious searching

When selecting more than one cluster, you can choose to advance to the next cluster in the chain, the next cluster in the FAT or the next unused cluster. When you finish appending data to the file, close it by selecting Close Target File.


Directory Snoop shows deleted files in red with a question mark as the first character and can be used to recover them or wipe them from the drive permanently.



To find specific data within a file or cluster, select the Search Clusters menu option. The dialog box that appears lets you find specific string data or hex values within a file. Search controls include first cluster, total number of clusters to search and method of cluster advancement.

You can choose whether to make the search case-sensitive and whether the search should be for string data or hex data. You also can decide whether the search should find all matches within a cluster or stop with the first match.

Finally, you can choose whether to find any data that crosses cluster boundaries.

That's power! Directory Snoop is a terrific utility, but it should only be placed in the hands of technical support personnel and advanced users. Used maliciously or incorrectly, it could corrupt or delete valuable data forever.

inside gcn

  • artificial intelligence (ktsdesign/Shutterstock.com)

    Machine learning with limited data

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group