This archive contains two very simple programs I created to help recover
data lost through accident or disaster. The programs require that you have
technical ability to sort through hex dumps and disk sectors. Even if you
do not feel comfortable doing this kind of thing, the programs may still be
useful to you, as you can save the state of your system and then give it
(and the programs) over to someone more knowlegable in data recovery.

-----------------------------------------------------------------------------
SAVERAM.COM is a program which saves the entire contents of DOS memory
(0-640K) to a file. It is purposely made very small and simple, so that
it will not overwrite much memory when it loads.

You should run SAVERAM as soon as possible after any type of accident...

Command line:   SAVERAM filename

SAVERAM will write the entire 640K of DOS memory to the named file. If for
any reason, it cannot access the file, it displays the simple message
"Failed". If the file cannot be entirely written (disk full etc.), SAVERAM
will save as much of the 640K as it can.

NOTE: If there is any possibility that your data may remain on the disk
(which you may recover with NEEDLE.EXE below, you should probably specify
a filename on your FLOPPY drive - Writing ANYTHING to your hard drive may
overwrite unallocated sectors which could contain your data).

SAVERAM is especially useful in situations where the data you have lost may
be retained in RAM. Examples are:

- You exit your editor without saving.
- You exit your editor, and accidently tell it to write only a portion of
  the file back to the disk (this has happened to me).
- You have deleted a file immediately after editing it (or otherwise having
  loaded it into memory).

Note that once SAVERAM has saved the memory image, it's up to you to find
and re-format any data that may be in that image. If you are lucky, your
editor may have stored the file sequentially in memory and all you have to
do is find the start and end. Other text editors allocate blocks in memory
and you will have to find and sort the data. Although this may appear to be
a lot of work, I assure you that retrieving the editor contents from a 640K
RAM image is usually a lot easier than recovering a fragmented file on a
100+ megabyte hard drive.

-----------------------------------------------------------------------------
NEEDLE.COM (named for "finding a needle in a haystack) is a program which
searches your hard drive on a sector by sector basis, looking for sectors
containing a specific data string. It builds and maintains a list of matching
sectors, allows you to view those (and any other) sectors, and write any
sectors you choose to a file.

NEEDLE is especially useful in cases where the data is likely to remain on
your hard drive. Examples are:

- You delete a file, or a directory containing a file.
- You overwrite a file. *
- DOS error/disaster causes files and/or directories to "disappear" or to
  be misallocated (do not contain what they are supposed to).

* If you overwrite a large file with a small one, you should be able to
recover most of the data past the size of the smaller file. Also, since DOS
occasionally relocates files as they are re-written, you may find multiple
copies of the data, and even if you are sure you have completely overwritten
the file, you may find a not-too-old copy of it.

NOTE: In many cases, NEEDLE is used to recover data from disk sectors that
have been marked as "free". It is ABSOLUTELY IMPERITIVE that you DO NOT write
to the hard drive after an "accident" occurs. Any writing to the hard drive
may overwrite the data you are trying to recover!!!

Command line:	NEEDLE [D= F= M= S= T=]

	D=drive		Set source drive(0=A, 1=B, 2=C...) default is '2'
	F=savefile	Set output filename. default is "A:NEEDLE.DAT" *
	M=matchfile Load matchlist from this file
	S=high:low	Set starting sector number. default is 0:0 **
	T=text		Begin searching for this text **

*	To avoid overwriting any data on your hard drive, the F=filename
	should be located on a FLOPPY drive.

**	NEEDLE accepts sector numbers in hexidecimal (0-FFFF), for numbers
	higher than 65535, you can use the form <high>:<low>
	eg: To specify sector # 1,000,000, use: F:4240

***	This causes NEEDLE to automatically begin scanning the disk. To
	stop this, press ESCAPE.

NEEDLE interactive commands:

	K		- Keep this sector (write to file) and advance to next
	N		- advance to the Next sector on disk
	B		- Backup to the previous sector on disk
	V		- View sector match list *
	P[addr]	- Patch sector beginning at address **
	Ghi:lo	- Goto sector
	L[hi:lo]- set drive scanning Limit
	S		- Scan disk (prompts for text) generates a match list ***
	+		- goto next sector in match list
	-		- goto previous sector in match list
	1		- display format 1 - 0000-01FF ASCII only
	2		- display format 2 - 0000-00FF HEX/ASCII
	3		- display format 3 - 0100-01FF HEX/ASCII
	Q		- Quit
	?		- display command list

*	When viewing the match list, you may enter the number of a list entry
	to go directly to that entry. 'Q' quits the listing, and 'Wfile' writes
	the match list to the named file (for later loading by the 'M=' command
	line option). Again, to avoid overwriting data on the hard drive, you
	should specify a file on a FLOPPY drive.

**	The 'P'atch command allows you to modify the contents of the current
	sector. It prompts with a byte address and current value, and accepts
	the following subcommands:

	Gaddr	- Goto byte address (0-1FF)
	Q		- Quit and throw away changes
	S		- Save sector back to disk and exit
	V[1-3]	- View sector dump (Format 1, 2, 3 as above)
	+		- advance to next byte
	-		- backup to previous byte
	'string	- replace byte(s) with character string
	hexval	- replace byte with hex value (00-FF)
	?		- display command list

	NOTE: 'P'atching disk sectors directly can be *VERY* destructive.
	Do not attempt to do this unless you know EXACTLY what you are doing.

***	Scanning begins at the currently selected sector. Scanning text may
	contain control characters in the form '^A-^Z', or HEX values in the
	form '^0-^0FF' (Leading digit must be numeric). '^' followed by any
	other character "protects" that character from other interpretation.
	ie:	^A   - Control A
		^0A  - Hex (0A) - Line-feed
		^^A  - '^', 'A'

-----------------------------------------------------------------------------
WHAT TO DO WHEN DISASTER STRIKES:

There is no substitute for regular backups. If you are not already doing so,
begin a schedule of backups for your system.

BEFORE a disaster occurs, make a BOOTABLE floppy diskette and put the
SAVERAM.COM and NEEDLE.COM file on it, as well as any other revocery tools
you might wish to use (UNDELETE etc.). Use AS LARGE a floppy disk as possible
so that you will have plenty of room for writing a RAM image and sector
lists etc.

When a disaster strikes, the first thing you should do is insert the above
diskette, then run SAVERAM to save the contents of RAM to the floppy drive:

                  A:SAVERAM A:RAMIMAGE.DAT

DO NOT turn off or re-boot your system before you do this.

Note, if you are running windows, EXIT it before running SAVERAM (complete
EXIT, not just a DOS-BOX). SAVERAM likely won't help you much if you have
problems under windows, since windows uses non-DOS memory, however it's a
good place to start anyway.

If you are not comfortable working with hex dumps and disk sectors, TURN OFF
YOUR SYSTEM and take it to someone who is knowlegable in data recovery. Do
not do ANYTHING else! Otherwise, proceed:

Run CHKDISK without '/F'. This will tell you if the hard drive directory
structure and FAT tables have been damaged.

If CHKDISK does not report errors, then as far as MS-DOS is concerned,
your disk is fine. If you have lost data by accidently deleteing or
overwriting a file, you can use NEEDLE to look for it on the disk, and
possibly reconstruct it. If you have not lost data and CHKDISK seems
happy, your system should be OK, and you can resume using it.

If CHKDISK reports an error, you have two options:

Running CHKDISK/F, which will attempt to fix the errors on your drive.
Double mapped files will be truncated, "lost" sectors (marked as busy in
the bitmap, but not used in any file) will be released etc. Before releasing
"lost" sectors, CHKDISK offers to make them into files. You should do this,
and then look at the resulting FILEnnnn.CHK files in your root directory
with a hex editor/browser, to try and determine what files those sectors
may have belonged to in the past. Once you have identified the program or
data files that the sectors once belonged to, check those applications and
make sure they work correctly, and the valuble data has not been lost.
Often, DOS re-assignes hard drive space as it is moving things around, and
even though the sectors appear to be from file 'xxx', they may be from an
old copy prior to a move. If you have lost (or truncated) files, you will
have to sort through the data in the FILEnnnn.CHK files to try and recover
it. Needle can also be useful here, as unallocated sectors on the disk man
contain your data as well.

If you disk is badle damaged, CHKDSK/F may not be able to repair it. Also,
CHKDSK does not have complete information on how to reconstruct files from
"lost" sectors, and may construct them incorrectly. In these cases, NEEDLE
can often find the data, and is certainly worth a try.
