More huge updates to DiskDigger and FileSystemAnalyzer

I’ve finished some major updates to DiskDigger, as well as its companion tool FileSystemAnalyzer, to support a few more filesystems, some more obscure than others!

ReFS support

One of these filesystems represents a serious and substantial update: DiskDigger now has expanded support for ReFS, the Resilient File System that Microsoft introduced with Windows Server 2012 and that is also available in the Enterprise and Pro for Workstations editions of client Windows. ReFS remains proprietary and undocumented, so nailing down the on-disk structures it uses required quite a bit of reverse-engineering. I’m happy to report that DiskDigger now supports versions of ReFS from 3.0 (introduced in Windows Server 2016) through the very latest version 3.12 (in the latest insider build of Windows 11 Enterprise).

To be clear, DiskDigger could already recover data from ReFS partitions by performing a heuristic (carving) search, which is independent of the actual filesystem on the disk. Carving has well-known limits, though: it finds file contents by their signatures, so it cannot recover filenames, directory paths or timestamps, and it does poorly with fragmented files. Now that DiskDigger understands the data structures of ReFS, it can employ filesystem-specific techniques to recover files from such partitions more accurately.


And on a lighter, more whimsical note, DiskDigger and FileSystemAnalyzer now support two other filesystem types that you’ll likely never encounter in everyday life:

RedSea filesystem

The RedSea filesystem was created by the late Terry Davis as part of his TempleOS operating system. If you’re not familiar with TempleOS, it’s an interesting rabbit hole to delve into. Literally an entire operating system built by a single person over the course of many years, TempleOS is intended to be “god’s third temple” in the form of an operating system, due to the guiding principles behind the operating system that Davis believed he was receiving from god. These principles are largely based around simplicity and purity, which is something that even the most hardened atheist like myself can appreciate. There is an expansive volume of videos in which Davis provides tutorials and explains the various features and design choices of TempleOS.

Terry was a troubled soul: he was living with uncontrolled schizophrenia which led to his eventual demise, and his videos occasionally contain some bizarre and horribly racist commentary, all of which make him more pitiable than admirable as a person. However, he was an undeniable savant at building an operating system, and I will defend the idea that we can learn something from his kernel, his compiler, and his insistence on simplicity. As a tribute to his work, I’m including support for the RedSea filesystem in DiskDigger and FileSystemAnalyzer.

The RedSea filesystem is, in many ways, the simplest filesystem possible:

  • All files are contiguous! There’s no concept of fragmentation, so a directory entry’s start block and size fully locate a file’s data.
  • There are no B-trees, no journaling, no symbolic links, no encryption, etc.
  • There’s no concept of clusters; block sizes are the same as sector sizes, i.e. 512 bytes.
  • Directory blocks are just a sequential list of directory entries.
  • For determining where to write new files, there is simply an allocation bitmap, where each bit represents whether the corresponding block is allocated.
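
To make the structure concrete, here is a small Python model of a RedSea-style volume, added as an illustration (it is not DiskDigger’s or TempleOS’s code). The 64-byte directory entry layout (attr, 38-byte name, start block, size, datetime) and the attribute bit values are my reading of TempleOS’s CDirEntry and should be treated as assumptions, as should the LSB-first bit order of the allocation bitmap; the sample volume is constructed in-line. What it shows is the recovery logic that contiguity buys you: a directory entry’s start block and size locate the whole file, and the bitmap lets a tool tell a live file from a deleted one whose blocks have since been reused, or reject an entry whose extent runs off the end of the volume.

```python
"""Toy RedSea-style volume walker: parse a directory block, pull out a
contiguous file, and cross-check its extent against the allocation bitmap.

Illustration only, not DiskDigger/FileSystemAnalyzer or TempleOS code.
ASSUMED on-disk directory entry (64 bytes, little-endian), modelled on my
reading of TempleOS's CDirEntry; offsets and attribute bits are assumptions:
    0  u16    attr      0x10 dir, 0x20 archive, 0x100 deleted, 0x400 compressed
    2  u8[38] name      NUL-padded
   40  i64    clus      first block of the file (files are contiguous)
   48  i64    size      length in bytes
   56  i64    datetime  (not decoded here)
The allocation bitmap is assumed LSB-first: bit n of the bitmap = block n.
"""
import struct
from dataclasses import dataclass

BLOCK = 512                                  # RedSea block == sector == 512 bytes
ENTRY_FMT = "<H38sqqq"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)      # 64
ATTR_DIR, ATTR_ARCHIVE, ATTR_DELETED, ATTR_COMPRESSED = 0x10, 0x20, 0x100, 0x400


@dataclass
class Entry:
    attr: int
    name: str
    clus: int
    size: int
    datetime: int

    @property
    def deleted(self):
        return bool(self.attr & ATTR_DELETED)

    @property
    def compressed(self):
        return bool(self.attr & ATTR_COMPRESSED)

    @property
    def nblocks(self):
        return (self.size + BLOCK - 1) // BLOCK


def parse_dir(block):
    """A directory block is just back-to-back entries; an all-zero entry ends it."""
    entries = []
    for off in range(0, len(block) - ENTRY_SIZE + 1, ENTRY_SIZE):
        attr, raw, clus, size, dt = struct.unpack_from(ENTRY_FMT, block, off)
        name = raw.split(b"\0", 1)[0].decode("ascii", "replace")
        if attr == 0 and not name:
            break
        entries.append(Entry(attr, name, clus, size, dt))
    return entries


def block_allocated(bitmap, n):
    return bool((bitmap[n >> 3] >> (n & 7)) & 1)


def check_entry(e, bitmap, total_blocks):
    """Consistency problems a recovery tool should flag before trusting an entry."""
    if e.clus < 0 or e.size < 0 or e.clus + e.nblocks > total_blocks:
        return ["extent outside volume"]
    live = [block_allocated(bitmap, b) for b in range(e.clus, e.clus + e.nblocks)]
    problems = []
    if e.deleted and any(live):
        problems.append("deleted file whose blocks have been reallocated")
    if not e.deleted and not all(live):
        problems.append("live file on unallocated blocks")
    return problems


def read_file(volume, e):
    """Contiguous files need no extent list: start block and size suffice."""
    start = e.clus * BLOCK
    return volume[start:start + e.size]


def build_sample_volume():
    """Constructed 16-block volume: 0 boot, 1 bitmap, 2 root directory, 3+ data."""
    total = 16
    vol = bytearray(total * BLOCK)
    hello = b"hello from RedSea\n" * 40                      # 720 bytes -> blocks 3, 4
    vol[3 * BLOCK:3 * BLOCK + len(hello)] = hello
    entries = [
        (ATTR_DIR, b".", 2, BLOCK, 0),
        (ATTR_DIR, b"..", 2, BLOCK, 0),
        (ATTR_ARCHIVE, b"HELLO.TXT", 3, len(hello), 0),
        (ATTR_ARCHIVE | ATTR_DELETED, b"OLD.TXT", 5, 100, 0),    # block 5 freed on delete
        (ATTR_ARCHIVE | ATTR_COMPRESSED, b"DATA.Z", 6, 300, 0),  # stored LZW-compressed
        (ATTR_ARCHIVE, b"BAD.BIN", 14, 5000, 0),                 # extent runs off the end
    ]
    for i, fields in enumerate(entries):
        struct.pack_into(ENTRY_FMT, vol, 2 * BLOCK + i * ENTRY_SIZE, *fields)
    bitmap = bytearray(BLOCK)
    for b in (0, 1, 2, 3, 4, 6, 14, 15):
        bitmap[b >> 3] |= 1 << (b & 7)
    vol[BLOCK:2 * BLOCK] = bitmap
    return bytes(vol), bitmap, total


if __name__ == "__main__":
    vol, bitmap, total = build_sample_volume()
    for e in parse_dir(vol[2 * BLOCK:3 * BLOCK]):
        print(f"{e.name:10} clus={e.clus:3} size={e.size:5} deleted={e.deleted!s:5} "
              f"compressed={e.compressed!s:5} {check_entry(e, bitmap, total)}")
```

Decompressing .Z files is not attempted here; TempleOS’s LZW container format is outside what this sketch assumes, and a recovery tool would apply it to the bytes that read_file returns.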

One other interesting feature of the RedSea filesystem is that it performs a sort of semi-automatic compression of files, using a form of LZW compression. If you give a file a name that ends with a “.Z” extension, it is compressed when it’s written to the disk, and then decompressed the next time it’s read from the disk (transparently to the user). DiskDigger supports this compression too, i.e. files recovered from a RedSea partition are automatically decompressed. Note that this also means a plain carving search on a RedSea volume will not find the usual signatures of .Z files, since only the compressed form exists on disk.

Commodore 64 disk images

As another fun diversion, I also added support for Commodore 64 disk images (D64 files)! The file system on these disks (CBM DOS, as used by the 1541 drive) is thoroughly documented, and is also very simple: the first two bytes of each 256-byte sector hold the track and sector of the next block, so files are represented as a linked list of blocks (a primitive “block chain”, as it were). If you have these disk images lying around, you can now peruse their contents!
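
Here is the chain walk in Python, added as an illustration (not DiskDigger’s code), using the documented 35-track D64 geometry and a constructed image. The part worth copying is the defensive handling: a corrupted or hostile image can point a link at a non-existent track, past the end of the file, or back at an earlier sector, and a naive loop would crash or spin forever.

```python
"""Walk CBM DOS block chains in a D64 (1541) image, with the bounds and cycle
checks a forensic parser needs. Added illustration, not DiskDigger code.
Geometry and layout are the documented D64 format: 35 tracks of 256-byte
sectors, 32-byte directory entries chained from track 18 sector 1, and a
sector whose next-track byte is 0 is the last one, with its next-sector byte
holding the index of the last valid data byte.
"""
SECTOR = 256
FILE_TYPES = {0: "DEL", 1: "SEQ", 2: "PRG", 3: "USR", 4: "REL"}


def sectors_on_track(track):
    if 1 <= track <= 17:
        return 21
    if 18 <= track <= 24:
        return 19
    if 25 <= track <= 30:
        return 18
    if 31 <= track <= 35:
        return 17
    raise ValueError(f"invalid track {track}")


TOTAL_SECTORS = sum(sectors_on_track(t) for t in range(1, 36))   # 683


def sector_offset(track, sector):
    """Byte offset of a track/sector pair; raises on out-of-range links."""
    if not 0 <= sector < sectors_on_track(track):
        raise ValueError(f"invalid sector {track}/{sector}")
    return (sum(sectors_on_track(t) for t in range(1, track)) + sector) * SECTOR


def follow_chain(image, track, sector):
    """Return (data, status): 'ok' for a well-formed chain, else the defect that
    stopped the walk ('cycle', 'bad link', 'truncated'). Data read so far is kept,
    since partial content is still worth recovering."""
    seen = set()
    out = bytearray()
    while True:
        if (track, sector) in seen:
            return bytes(out), "cycle"
        try:
            off = sector_offset(track, sector)
        except ValueError:
            return bytes(out), "bad link"
        seen.add((track, sector))                # bounds the walk to TOTAL_SECTORS
        blk = image[off:off + SECTOR]
        if len(blk) < SECTOR:
            return bytes(out), "truncated"
        nxt_track, nxt_sector = blk[0], blk[1]
        if nxt_track == 0:
            out += blk[2:nxt_sector + 1]         # last block: byte 1 = last valid index
            return bytes(out), "ok"
        out += blk[2:]
        track, sector = nxt_track, nxt_sector


def list_directory(image):
    """Directory entries are 32 bytes, 8 per sector, chained from 18/1."""
    entries = []
    track, sector, seen = 18, 1, set()
    while track != 0 and (track, sector) not in seen:
        seen.add((track, sector))
        try:
            off = sector_offset(track, sector)
        except ValueError:
            break
        blk = image[off:off + SECTOR]
        if len(blk) < SECTOR:
            break
        for i in range(8):
            e = blk[i * 32:(i + 1) * 32]
            if e[2] == 0:                         # scratched or never used
                continue
            entries.append({
                "name": e[5:21].rstrip(b"\xa0").decode("latin-1"),
                "type": FILE_TYPES.get(e[2] & 7, "?"),
                "closed": bool(e[2] & 0x80),
                "start": (e[3], e[4]),
                "blocks": e[30] | (e[31] << 8),
            })
        track, sector = blk[0], blk[1]
    return entries


def build_sample_image():
    """Constructed image: HELLO (2 sectors, valid) and LOOP (16/0 -> 16/1 -> 16/0)."""
    img = bytearray(TOTAL_SECTORS * SECTOR)

    def put(track, sector, nxt, payload):
        off = sector_offset(track, sector)
        img[off:off + 2] = bytes(nxt)
        img[off + 2:off + 2 + len(payload)] = payload

    def entry(ftype, start, name, blocks):
        return (bytes([0, 0, ftype, start[0], start[1]])
                + name.ljust(16, "\xa0").encode("latin-1")
                + bytes(9) + bytes([blocks & 0xFF, blocks >> 8]))

    put(17, 0, (17, 1), b"A" * 254)
    put(17, 1, (0, 2 + len(b"end!") - 1), b"end!")   # last block, 4 data bytes
    put(16, 0, (16, 1), b"B" * 254)
    put(16, 1, (16, 0), b"C" * 254)                  # points back: a cycle
    dir_sector = entry(0x82, (17, 0), "HELLO", 2) + entry(0x82, (16, 0), "LOOP", 2)
    off = sector_offset(18, 1)
    img[off:off + len(dir_sector)] = bytes([0, 0xFF]) + dir_sector[2:]
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_image()
    for d in list_directory(img):
        data, status = follow_chain(img, *d["start"])
        print(f"{d['name']:16} {d['type']} {d['blocks']:3} blocks -> {len(data)} bytes, {status}")
```

40-track images (768 sectors) also exist; to handle them, extend sectors_on_track with tracks 36 to 40 at 17 sectors each.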

As with all filesystems supported by FileSystemAnalyzer and DiskDigger, these additions are read-only, since these are tools for forensic analysis, not for two-way interoperability.

Brain dump, October 2023

Here’s something that grinds my gears: waiters/waitresses at restaurants who insist on memorizing your order instead of writing it on a notepad. Why do they do this? Does the restaurant require them to have exceptional short-term memory, as if memorizing the order is somehow classier than writing it down? Or do the servers themselves feel so confident in their memory that they forego the notepad? It’s not impressive to me if you can memorize a list of items, and it’s infinitely more annoying if the order comes out incorrectly due to a failure of memory, or if the server comes back to double-check what I ordered. None of this is necessary.

In fact it’s mildly anxiety-inducing when the party at my table lists all the items they’re ordering, and the server does nothing except nod smilingly. It then becomes a minor miracle if the order ends up being fulfilled correctly, which I suppose is a payoff of sorts, but it doesn’t have to be. Just write it down.


Time for a small confession: I watch/listen to ASMR videos before falling asleep. ASMR is very much a real phenomenon, and I respond to certain ASMR triggers very strongly, although not as strongly as I did when I was younger. The first time I experienced it was all the way back in first grade: sitting at my desk in class, a voice started speaking over the PA system, and something about the sound or texture of the voice caused an overwhelming tingling sensation over an entire half of my body, to the point where I could no longer grasp my pencil with my hand to write legibly. This lasted for several minutes afterwards, and abated very slowly until I finally regained control of my hand. I wouldn’t say the sensation was either pleasurable or painful, just very curious and unusual.

It didn’t happen as strongly in subsequent instances, and eventually I stopped paying attention when it might have happened again. But in recent years I’ve rediscovered ASMR, thanks to a huge community of ASMR YouTubers who make videos that attempt to trigger these responses deliberately. And for me, certain types of triggers have a very relaxing, even therapeutic effect.

For my money, the best ASMR videos of all time are the “Departure” series, made by a channel called ASMRrequests. Even though there are only two “episodes” of this series, their combination of subtle, understated ASMR triggers with an engaging science fiction roleplay theme, as well as outstanding video production quality, makes them absolute genius-level videos, and I can admit to watching them again and again before going to sleep. Ally Maque, the young woman behind ASMRrequests, has explained that her partner at the time was responsible for the video production (and possibly the script?), but this makes the videos no less impressive. It’s a bit of a shame that the pressures and responsibilities of life seem to have put an end to any future episodes of Departure. If Ally is reading this, and wants to collaborate on additional episodes, hit me up!

Updates to DiskDigger and FileSystemAnalyzer, October 2023

Usually I post updates about DiskDigger on its own website, but my most recent round of updates merits a slight technical digression.

Previous versions of DiskDigger and FileSystemAnalyzer already had basic support for 4K-native (4Kn) disk drives, i.e. drives that expose 4 KiB sectors instead of the usual 512 bytes. However, only recently have I been able to test this support more thoroughly, fixing a few bugs along the way. 4K-native drives have been around for a while, and in fact most modern drives already use 4K sectors natively under the hood, but emulate 512-byte sectors to the outside world (so-called 512e drives). Increasingly, though, we’re seeing drives that no longer emulate 512-byte sectors and expose their native 4K sectors to the operating system, as well as users who reconfigure the firmware of their drive to use 4K sectors instead of 512-byte emulation. The sector size matters to a forensic tool because partition tables and most filesystem structures are addressed in sectors, not bytes: on a 4Kn drive the GPT header sits at byte offset 4096 rather than 512, and every partition start LBA has to be multiplied by 4096. DiskDigger and FileSystemAnalyzer can now handle all of these cases when mounting and searching file systems that might be present on such disks (FAT, NTFS, ext4, etc).

I did most of my testing and experimenting using a real 4Kn drive, but some of it with emulated disk images. Here is how you can configure qemu to present a disk image as a 4Kn drive:

qemu-system-x86_64.exe -machine q35 -m 8G -boot d -cdrom "linux.iso" -drive file=mydisk.vdi,if=none,format=vdi,id=D24 -device nvme,drive=D24,serial=1234,logical_block_size=4096,physical_block_size=4096

The above example boots qemu from an ISO file, which can be a Linux live DVD, and presents the hard disk as an NVMe device, which allows us to configure its physical and logical block size, both set to 4096 here. Linux should detect the NVMe device automatically, which will then let you create partitions and file systems on it for experimentation; running lsblk -o NAME,LOG-SEC,PHY-SEC inside the guest confirms that it sees 4096-byte sectors.
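
Here is the corresponding sanity check in Python, added as an illustration (not DiskDigger’s code): given a raw image with no record of the drive it came from, probe for a CRC-valid GPT header at LBA 1 under each candidate sector size and confirm that the backup header LBA agrees with the image length. The GPT header layout and the CRC32 rule (computed over the header with its own CRC field zeroed) are from the UEFI specification; the sample disks are constructed in-line.

```python
"""Detect whether a raw disk image came from a 512-byte or 4Kn device by
probing for the GPT header at LBA 1 under each sector size.
Added illustration, not DiskDigger code. GPT header layout and CRC32 rule
follow the UEFI spec; sample disks are constructed below."""
import struct
import zlib

GPT_SIG = b"EFI PART"
HDR_FMT = "<8sIIIIQQQQ16sQIII"          # the 92-byte fixed part of the header
HDR_SIZE = struct.calcsize(HDR_FMT)     # 92


def parse_gpt_header(buf):
    """Fields of a CRC-valid GPT header at the start of buf, or None."""
    if len(buf) < HDR_SIZE or buf[:8] != GPT_SIG:
        return None
    f = struct.unpack_from(HDR_FMT, buf)
    hdr_size = f[2]
    if hdr_size < HDR_SIZE or hdr_size > len(buf):
        return None
    scratch = bytearray(buf[:hdr_size])
    struct.pack_into("<I", scratch, 16, 0)        # CRC covers the header with its CRC zeroed
    if zlib.crc32(bytes(scratch)) != f[3]:
        return None
    return {"my_lba": f[5], "alt_lba": f[6], "first_usable": f[7],
            "last_usable": f[8], "entries_lba": f[10],
            "num_entries": f[11], "entry_size": f[12]}


def probe_sector_size(image, candidates=(512, 4096)):
    """Sector size under which a valid GPT header sits at LBA 1 and its backup
    header LBA matches the image length; None if no candidate fits."""
    for ss in candidates:
        hdr = parse_gpt_header(image[ss:2 * ss])
        if hdr and hdr["my_lba"] == 1 and hdr["alt_lba"] == len(image) // ss - 1:
            return ss
    return None


def build_gpt_header(sector_size, disk_sectors):
    """Constructed minimal header: 128 x 128-byte entries starting at LBA 2."""
    entry_bytes = 128 * 128
    entry_sectors = -(-entry_bytes // sector_size)
    hdr = bytearray(struct.pack(
        HDR_FMT, GPT_SIG, 0x00010000, HDR_SIZE, 0, 0,
        1, disk_sectors - 1,                                  # MyLBA, AlternateLBA
        2 + entry_sectors, disk_sectors - 2 - entry_sectors,  # first/last usable LBA
        b"\x11" * 16, 2, 128, 128, zlib.crc32(bytes(entry_bytes))))
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr)))
    return bytes(hdr)


def build_sample_disk(sector_size, disk_sectors=256):
    """Constructed image: protective MBR in LBA 0, GPT header in LBA 1."""
    img = bytearray(sector_size * disk_sectors)
    img[446 + 4] = 0xEE                  # protective MBR partition type
    img[510:512] = b"\x55\xaa"
    hdr = build_gpt_header(sector_size, disk_sectors)
    img[sector_size:sector_size + len(hdr)] = hdr
    return bytes(img)


if __name__ == "__main__":
    for ss in (512, 4096):
        img = build_sample_disk(ss)
        print(f"image built with {ss}-byte sectors -> probe says {probe_sector_size(img)}")
```

A 512e drive imaged through its emulation layer simply looks like a 512-byte disk and is handled as such; the probe matters when an image of a 4Kn drive is opened by a tool that assumes 512, which puts the header, and every partition, at the wrong byte offset. Disks with only an MBR need the same multiplier applied to their partition start LBAs but offer no header signature at LBA 1 to confirm the guess against.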


The other interesting update has to do with ancient retro file systems that are supported by FileSystemAnalyzer (and by extension DiskDigger). By coincidence, I’ve been contacted by multiple people in a short span of time regarding recovering data from Xenix file systems which they’ve saved as binary disk images. One image is from an Intel System 320 Multibus System owned by Herb Johnson of retrotechnology.com, and another is from an owner of an Altos 586 system in New Zealand.

Each of these images used a slightly different version of the Xenix file system, each of which uses a different structure for its superblock (and each of which differs from the Xenix/SysV support that’s built into the current version of the Linux kernel). This took a bit of effort to reverse-engineer, but ultimately wasn’t too difficult to crack and integrate into FileSystemAnalyzer. The nice thing about dealing with very old data formats is that they’re usually very simple, not to say primitive. Best of all, these Xenix images contain C header files that actually describe their own filesystem structure (can I call them eigenheaders?), which I was able to use for refining and solidifying support for these file systems.

I even learned something else that was new to me: in addition to little-endian and big-endian byte orders, there’s also something called “middle-endian” or “PDP-11-endian”, where 16-bit values are stored in native little-endian order, but 32-bit long integers are composed of two 16-bit words in big-endian order (while the numbers in both 16-bit halves are still little-endian). This was the encoding used by the PDP-11 system, and apparently also by the Altos 586 system which was running this version of Xenix. All of these variations are now supported in FileSystemAnalyzer.
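
Here is how the three orders relate in Python, added as an illustration (not FileSystemAnalyzer’s code), together with a small fingerprinting routine that tries all three on fields whose plausible ranges are known; this is the kind of check that tells you which variant a superblock is in before you trust any of its numbers. The sample record and its ranges are constructed and are not a real Xenix superblock.

```python
"""Decode 32-bit integers in little-, big- and PDP-11 (middle-endian) order,
and fingerprint which order a record uses from fields with known plausible
ranges. Added illustration, not FileSystemAnalyzer code; SAMPLE_RECORD and
SAMPLE_FIELDS are constructed, not a real Xenix superblock."""
import struct

ORDERS = ("little", "big", "pdp11")


def unpack_u32(buf, order):
    if order == "little":
        return struct.unpack("<I", buf[:4])[0]
    if order == "big":
        return struct.unpack(">I", buf[:4])[0]
    if order == "pdp11":
        hi, lo = struct.unpack("<HH", buf[:4])   # two little-endian words, high word first
        return (hi << 16) | lo
    raise ValueError(order)


def pack_u32(value, order):
    if order == "little":
        return struct.pack("<I", value)
    if order == "big":
        return struct.pack(">I", value)
    if order == "pdp11":
        return struct.pack("<HH", (value >> 16) & 0xFFFF, value & 0xFFFF)
    raise ValueError(order)


def candidate_orders(record, fields):
    """fields: (offset, lowest plausible, highest plausible) per 32-bit field.
    Returns the byte orders under which every field lands inside its range;
    an empty list means the record is not what you think it is."""
    ok = []
    for order in ORDERS:
        if all(lo <= unpack_u32(record[off:off + 4], order) <= hi
               for off, lo, hi in fields):
            ok.append(order)
    return ok


# Constructed "superblock": total blocks, free blocks, inode count, packed PDP-11 style.
SAMPLE_FIELDS = [(0, 1, 1 << 20), (4, 0, 1 << 20), (8, 1, 1 << 16)]
SAMPLE_RECORD = b"".join(pack_u32(v, "pdp11") for v in (70000, 1500, 4096))

if __name__ == "__main__":
    print("0x12345678 in pdp11 order:", pack_u32(0x12345678, "pdp11").hex(" "))
    print("orders consistent with the sample record:", candidate_orders(SAMPLE_RECORD, SAMPLE_FIELDS))
```

Note that struct has no format code for the PDP-11 order, which is why the 32-bit case has to be assembled from two little-endian 16-bit words by hand; 16-bit fields need no special handling.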

Brain dump, September 2023

I finally did something I’ve been meaning to do for a long time: get the final version of the ftape driver to work on a Linux distro that I can use in my data recovery workstations. This is for the purpose of using Linux to dump the contents of QIC-80 and similar tapes, using “floppy tape” drives, i.e. tape drives that connect to the floppy disk controller on the motherboard.

Up until this point, I’ve been using an old version of Ubuntu that has ftape pre-packaged into the kernel. The problem with this is that this version of ftape is not the latest. Development of ftape seemed to continue independently of the version that was included with the kernel. And the “last” version of ftape that is available (version 4.04a, from around July 2000) contains many enhancements over the version that was in the kernel, which seems to be 3.04, specifically compatibility with parallel port tape drives such as the Iomega Ditto 2GB.

This meant that I needed to compile the driver from source. Sounds simple enough; the driver is just a couple of loadable kernel modules. However, I would need to compile it for a version of the kernel that can boot nicely on my workstation. From browsing the source code of the driver, it appears to be intended to be compiled for kernel version 2.4.x. As an amateur kernel hacker in a previous job, I knew that even patch version changes (the third version number) in the kernel can break compilation of custom kernel modules. So, I tried to find a Linux distro that uses the earliest possible patch version of the 2.4 kernel, and still runs well on my workstation.

CentOS 3.5 to the rescue! I was able to find ISO installation media that I used to install CentOS 3.5 flawlessly onto my recovery workstation. It uses kernel version 2.4.21, which still turned out to be “too new” for compiling ftape successfully. I got a number of compilation errors, but thankfully they were all errors that were comprehensible and easy to remedy by an amateur. After just a few hacky modifications, I got the driver to compile into a loadable module!

And would you look at that – it’s able to communicate successfully with all of my floppy tape drives, as well as my parallel port Ditto 2GB drive!

Here’s my repository on GitHub that has the source code for the ftape driver, with my modifications for getting it to build in CentOS 3.5.


In other news, I found and restored an old ThinkPad X131e, which came to me as a Chromebook, i.e. with ChromeOS installed. In order to remove ChromeOS and install a regular Linux distro, I had to overwrite it with custom firmware that allows installing other operating systems. And in order to overwrite the firmware, I had to disassemble it and flip a physical write-protect switch that allows the firmware to be written. Why do they do this?! Anyway, with the latest version of the lightweight Xubuntu installed, this tiny thing works beautifully, and can now have a second life.

LK-99: an unintentional social experiment

Whether they intended it or not, the South Korean team that published a preprint describing a room-temperature superconductor kicked off a social experiment that was fun to observe.

In hindsight, the claims surrounding LK-99 had all the hallmarks of pseudoscience. The mechanism for making the superconductor seemed too good to be true: combine a few seemingly boring compounds, heat them up in an oven, and presto – you’ve got a superconductor. The preprint that was published by the researchers had numerous red flags, including a plot of resistivity that was too coarse by many orders of magnitude for demonstrating superconductivity, among other amateurish blunders. When other labs around the world were trying and failing to replicate the superconductivity in LK-99, the reason given was that their process was not quite the same as the process used by the original South Korean team. In other words, only they have the true LK-99, but for some reason they’re not sharing their sample with any other lab. The red flags keep piling on from there.

But the social media storm did not abate. People were latching onto any scraps of validity about LK-99, including dubious replication attempts by anonymous Twitter trolls.

There were a number of videos that circulated, claiming evidence of superconductivity by demonstrating “levitation” properties of LK-99. However, all these videos used a generous definition of “levitation” that doesn’t really mean levitation, where the material is still standing on one corner and not quite fully levitating.

There were indeed videos that were claiming full levitation, but those turned out to be fake. I even contributed, in my own noisy way, to the effort of dispelling the hype surrounding LK-99, by creating a fake video of my own, where a chunk of “LK-99” levitates over a neodymium hard drive magnet:

I originally posted the video on Twitter, with the intention of demonstrating how easy it is to fake such videos. The response to the video was very entertaining, and very telling. There were numerous people who immediately assumed the video was real (despite the text of my tweet that explicitly said it was fake). There were people who were genuinely mad at me for getting people’s hopes up, just by posting anything at all about LK-99. This speaks volumes about the average social media user’s attention span, and the user’s lack of willingness to seek out any context surrounding a random video that appears in their feed.

The most satisfying result of my fake video was Sabine Hossenfelder (one of my favorite physics/science YouTubers) using a clip of it in one of her own videos about LK-99, to echo the warning about the ease of producing such fakes.

In general, it seems that the social media fervor over LK-99 reveals that a lot of people are hungry for a scientific breakthrough, and I don’t blame them. There is a growing mood that progress in fundamental science, particularly in physics, has stagnated, and that the rapid-fire achievements in physics that happened in the first half of the 20th century were somehow a unique golden age that won’t be repeated. It is true that fundamental breakthroughs are much more difficult today than they were 100 years ago, simply because the low-hanging fruit has been picked, and the two theories of quantum mechanics and general relativity explain virtually everything in our world with staggering accuracy, despite being wholly incompatible with each other.

Nevertheless I believe there’s still plenty of space for a small team, or even a single person, to make a significant discovery. It’s just that we need to be extra careful about extraordinary claims made on the web, especially claims that play into our expectations of a breakthrough, and then manage our emotional response to those claims accordingly.