Deleted FAT files first cluster addr high WORD gets cleared?


Post Posted: Fri Jul 13, 2012 9:18 am

Hi,

I'm running into something I did not expect nor find immediate information on.

In the FAT file system's file/dir entry, when a file gets deleted, is the WORD that contains the high part of the DWORD first cluster address cleared?

It looks like it is, or what am I missing?
I thought only the first byte of the name got changed.

The effect is that all addresses for files at higher address locations seem WORD wrapped, and hence wrong.

Or where can I find alternate data to circumvent this issue, to still puzzle correct addresses together?

Your input appreciated.
Cheers.  

CyberGonzo
Senior Member
 
 
  

Re: Deleted FAT files first cluster addr high WORD gets cleared?

Post Posted: Fri Jul 13, 2012 10:10 am

This is true for Microsoft. Many data recovery programs do not allow for this. I have seen a video camera that deleted all 32 bits.

The lower bytes, dates etc. are true. The FAT is also deleted, so recovery initially expects a sequential file.

With my software (see signature) I search all possible locations for a possible file and select one based on matching signature. This only works obviously for files with known signatures.
_________________
Michael Cotgrove
www.cnwrecovery.com
www.goprorecovery.co.uk 

mscotgrove
Senior Member
 
 
  

Re: Deleted FAT files first cluster addr high WORD gets cleared?

Post Posted: Fri Jul 13, 2012 10:29 am

Hi Michael,

- mscotgrove
With my software (see signature) I search all possible locations for a possible file and select one based on matching signature. This only works obviously for files with known signatures.


I see, so there is no way around this except for the method you describe.

I do this too btw.

But do you bother to try and match the files with incorrect address in the FAT tables (and how do you decide the address is wrong) to files found based on their signature? You can never be sure that's the file in question (unless maybe you can see if the lower part of the address matches).

CyberGonzo
Senior Member
 
 
  

Re: Deleted FAT files first cluster addr high WORD gets cleared?

Post Posted: Fri Jul 13, 2012 11:45 am

I use the lower 16 bits and try possible high values. On most disks/chips there are often less than maybe 10 possible values, although there could be 64K for the 16 bit number.
_________________
Michael Cotgrove
www.cnwrecovery.com
www.goprorecovery.co.uk 

mscotgrove
Senior Member
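
The approach described in the replies above (keep the low 16 bits from the deleted entry, try each possible high WORD, accept a candidate whose first bytes match a known signature), as an added example that is not part of the original thread and not the code of any product mentioned in it. The sparse `VOLUME` dict, the `SIGNATURES` table, the 200000-cluster volume size and all function names are constructed for illustration.

```python
import struct

DELETED = 0xE5                          # first name byte of a deleted entry
SIGNATURES = {b"JPG": b"\xff\xd8\xff"}  # constructed table: extension -> magic

def parse_dir_entry(raw):
    """Unpack the fields used here from a 32-byte FAT32 short directory entry."""
    # 0-10 name, 20-21 first cluster high WORD, 26-27 low WORD, 28-31 size
    name, hi, lo, size = struct.unpack_from("<11s9xH4xHI", raw)
    return {"name": name, "hi": hi, "lo": lo, "size": size}

def candidate_clusters(lo, total_clusters):
    """Yield every data cluster on the volume whose low 16 bits equal lo."""
    max_cluster = total_clusters + 1    # data clusters are numbered from 2
    for hi in range((max_cluster >> 16) + 1):
        cluster = (hi << 16) | lo
        if 2 <= cluster <= max_cluster:
            yield cluster

def find_first_cluster(raw, total_clusters, read_cluster):
    """Return the plausible first clusters for one directory entry.

    A live entry is trusted as stored. For a deleted entry the stored high
    WORD is ignored and each candidate is kept only if the cluster starts
    with the signature expected for the extension. More than one hit means
    the entry cannot be tied to a single location by signature alone.
    """
    entry = parse_dir_entry(raw)
    if entry["name"][0] != DELETED:
        return [(entry["hi"] << 16) | entry["lo"]]
    magic = SIGNATURES.get(entry["name"][8:11])
    if magic is None:                   # unknown file type: nothing to match
        return []
    return [c for c in candidate_clusters(entry["lo"], total_clusters)
            if read_cluster(c).startswith(magic)]

# Constructed sample: a sparse stand-in for a 200000-cluster volume.
VOLUME = {
    0x02345: b"plain text that belongs to a live file",
    0x12345: b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",  # the deleted JPEG's data
}
def read_cluster(n):
    return VOLUME.get(n, bytes(512))

# Deleted entry as left on disk: high WORD zeroed, low WORD 0x2345 intact.
ENTRY = struct.pack("<11s9xH4xHI", b"\xe5MG0001 JPG", 0, 0x2345, 48213)

if __name__ == "__main__":
    print([hex(c) for c in find_first_cluster(ENTRY, 200000, read_cluster)])
```

On this sample volume only three high values are possible for the stored low WORD, and a single candidate carries the JPEG signature; when several do, the list returns all of them so the ambiguity raised in the thread stays visible.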
 
 
