FAT - recovering from deleted file

Post Posted: Sun Jan 27, 2008 12:59 am

In FAT (FAT12), when a file is deleted (using the del command from DOS/Windows) the first character of the directory entry is changed to 0xE5 to indicate the file is deleted, but the original data isn't deleted from the data section.

The directory entry for the deleted file will still contain the first cluster number (the index into the FAT), and this isn't lost when the file is deleted.
The only change is that the FAT entries for the file are cleared.

So far so good. Then, how can the deleted file be retrieved if its clusters were scattered across the data section? The FAT area is the only place that contains the sequence of cluster numbers, but if they are cleared, I just cannot see how the ordering of the cluster sequence could be recovered for the deleted file to be recovered in full, except for the very first cluster.

My discussion assumes the FAT structure is formed of boot sector, FAT, directory entry, and data section.
I guess I must be missing something very simple, but I just cannot get it.

secureguy
Member
 
 
  

Re: FAT - recovering from deleted file

Post Posted: Sun Jan 27, 2008 2:38 am

If you have a look in Brian Carrier's book - "File System Forensic Analysis"* - he suggests two methodologies, neither of which is perfect or guaranteed. Both take into account that we know the starting cluster and the file size (from the directory entry).

The first method is to blindly read from the starting cluster the allocated number of bytes, completely ignoring the allocation status of subsequent clusters.**

The second method is similar, starting at the known cluster, and then reading ahead, but only reading from unallocated clusters.

Method two will succeed more often than the first, because you stand a chance of recovering fragmented files.

Hope this helps.

* In my opinion this book is a must-have; this section is on page 247 in the 2005 edition. It has a diagram, which I won't attempt to reproduce here, that makes it very clear _why_ the second method is the most effective.

** Research done by Eoghan Casey, referenced in the book, suggests that WinHex 11.25 uses the first method and EnCase 4 uses the second.
_________________
--
Azrael
-- 

azrael
Senior Member
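The two recovery strategies azrael summarises, run against a constructed miniature FAT volume. This is an added example, not code from the thread or from Carrier's book; the cluster contents, allocation states, start cluster and file size below are made up for illustration. Only the directory-entry fields that survive deletion (start cluster and size) are given to the recovery functions, and the FAT is consulted solely for allocation status, since the deleted file's own chain entries have been cleared.

```python
# Added example (not from the thread): contiguous read vs. skip-allocated
# read of a deleted file whose chain entries were cleared from the FAT.

CLUSTER_SIZE = 4  # bytes per cluster in this constructed toy volume

# Constructed cluster contents, keyed by cluster number. Data clusters in
# FAT are numbered from 2, so 0 and 1 are not present.
CLUSTERS = {
    2: b"AAAA",        # deleted file, fragment 1
    3: b"BBBB",        # deleted file, fragment 2
    4: b"LIVE",        # an unrelated file that is still allocated
    5: b"CCCC",        # deleted file, fragment 3
    6: b"DDDD",        # deleted file, fragment 4 (only 2 bytes used)
    7: b"\x00" * CLUSTER_SIZE,
}

# Allocation status as the FAT reports it *after* deletion: the deleted
# file's entries were zeroed (free); the live file's entry is still set.
ALLOCATED = {2: False, 3: False, 4: True, 5: False, 6: False, 7: False}

# Surviving directory-entry fields of the deleted file (constructed).
START_CLUSTER = 2
FILE_SIZE = 14  # original content was b"AAAABBBBCCCCDD"


def recover_contiguous(start, size, clusters):
    """Method 1: read `size` bytes from `start` onward, ignoring whether
    the clusters passed over are currently allocated to something else."""
    out = b""
    cluster = start
    while len(out) < size and cluster in clusters:
        out += clusters[cluster]
        cluster += 1
    return out[:size]


def recover_skip_allocated(start, size, clusters, allocated):
    """Method 2: read forward from `start`, but step over clusters the FAT
    marks as in use. A cluster still allocated to a live file cannot be
    part of the deleted file, whose chain entries were cleared."""
    out = b""
    cluster = start
    while len(out) < size and cluster in clusters:
        if not allocated[cluster]:
            out += clusters[cluster]
        cluster += 1
    return out[:size]


if __name__ == "__main__":
    print("method 1:", recover_contiguous(START_CLUSTER, FILE_SIZE, CLUSTERS))
    print("method 2:", recover_skip_allocated(START_CLUSTER, FILE_SIZE,
                                              CLUSTERS, ALLOCATED))
```

On this volume method 1 pulls in the live file's cluster 4 and returns garbage from that point on, while method 2 skips it and reassembles the file exactly. Both functions still assume the deleted file's fragments lie in ascending cluster order; a fragment that was written to a lower-numbered cluster than its predecessor is missed by both, which is the gap the original question is pointing at.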
 
 
  

Re: FAT - recovering from deleted file

Post Posted: Sun Jan 27, 2008 5:38 pm

Thanks,

It looks like it is almost impossible to retrieve the whole content of the original file if a large file is removed from a heavily fragmented hard disk, even though no clusters in that file were overwritten.  

secureguy
Member
 
 
  

Re: FAT - recovering from deleted file

Post Posted: Sat Oct 17, 2009 7:12 pm

secureguy wrote:
    Thanks,

    It looks like it is almost impossible to retrieve the whole content of the original file if a large file is removed from a heavily fragmented hard disk, even though no clusters in that file were overwritten.

Not true. Digital Assembly has developed techniques for recovering even heavily fragmented files from unallocated space. See digital-assembly.com/p...forensics/

memon
Member
 
 
  

Re: FAT - recovering from deleted file

Post Posted: Sun Oct 18, 2009 2:44 am

Don't forget that in FAT32 the high 16 bits of the first cluster number are also cleared down. It is therefore necessary to work out which possible cluster the lower 16 bits are pointing to. Many recovery programs ignore this point.
_________________
Michael Cotgrove
www.cnwrecovery.com
cnwrecovery.blogspot.com/ 

mscotgrove
Senior Member
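A worked illustration of the two directory-entry effects discussed in this thread: the 0xE5 deletion marker from the opening post and the cleared high word of the first cluster number that mscotgrove raises for FAT32. This is an added example, not code from the thread or from any FAT driver or recovery product. It packs and parses a 32-byte FAT32 short-name entry using the on-disk layout (first-cluster high word at offset 20, low word at offset 26, all little-endian), simulates the deletion behaviour the thread describes, and then enumerates every cluster number on the volume that matches the surviving low 16 bits. The file name, cluster numbers, volume size and allocation set are constructed.

```python
import struct

# Added example (not from the thread): FAT32 directory entry layout.
# 11s name, B attr, B ntres, B crt_time_tenth, H crt_time, H crt_date,
# H lst_acc_date, H fst_clus_hi, H wrt_time, H wrt_date, H fst_clus_lo,
# I file_size  -> 32 bytes, little-endian.
DIR_ENTRY = struct.Struct("<11sBBBHHHHHHHI")
FIELDS = ("name", "attr", "ntres", "crt_time_tenth", "crt_time", "crt_date",
          "lst_acc_date", "fst_clus_hi", "wrt_time", "wrt_date",
          "fst_clus_lo", "file_size")
ATTR_ARCHIVE = 0x20
DELETED_MARKER = 0xE5


def build_entry(name83, first_cluster, size):
    """Pack a live entry for an 8.3 name (exactly 11 bytes, space padded).
    Timestamps are left at zero; they are irrelevant to this example."""
    if len(name83) != 11:
        raise ValueError("8.3 name must be exactly 11 bytes")
    return DIR_ENTRY.pack(name83, ATTR_ARCHIVE, 0, 0, 0, 0, 0,
                          first_cluster >> 16, 0, 0,
                          first_cluster & 0xFFFF, size)


def delete_entry(entry):
    """Simulate the deletion the thread describes: first name byte set to
    0xE5 and, on FAT32, the high word of the first cluster zeroed.
    (Constructed model of that behaviour, not a real driver's code.)"""
    buf = bytearray(entry)
    buf[0] = DELETED_MARKER
    buf[20:22] = b"\x00\x00"
    return bytes(buf)


def parse_entry(entry):
    """Unpack an entry and derive the deleted flag and full cluster number."""
    vals = dict(zip(FIELDS, DIR_ENTRY.unpack(entry)))
    vals["deleted"] = vals["name"][0] == DELETED_MARKER
    vals["first_cluster"] = (vals["fst_clus_hi"] << 16) | vals["fst_clus_lo"]
    return vals


def candidate_first_clusters(low16, total_clusters):
    """Every cluster number on the volume whose low 16 bits equal `low16`.
    Data clusters are numbered 2 .. total_clusters + 1, so the candidates
    are low16 + k * 65536 for each k that stays inside that range."""
    max_cluster = total_clusters + 1
    return [c for c in range(low16, max_cluster + 1, 1 << 16) if c >= 2]


def free_candidates(candidates, allocated):
    """Narrow the list: the deleted file's own FAT entries were cleared, so
    its true first cluster must currently be unallocated."""
    return [c for c in candidates if c not in allocated]


if __name__ == "__main__":
    # Constructed file: first cluster 0x0003_1A2B on a volume of 300000 clusters.
    live = build_entry(b"REPORT  DOC", 0x00031A2B, 12345)
    gone = delete_entry(live)
    info = parse_entry(gone)
    print("deleted:", info["deleted"], "naive first cluster:", info["first_cluster"])
    cands = candidate_first_clusters(info["fst_clus_lo"], 300000)
    print("candidates:", cands)
    # Constructed allocation set for the FAT after deletion.
    print("still free:", free_candidates(cands, {6699, 137771}))
```

Reading only the low word gives cluster 6699, which is the wrong answer mscotgrove warns about; on a 300000-cluster volume there are five clusters with that low word, and the true one (203307) is among them. Filtering by current allocation state removes some candidates, but distinguishing the rest needs content-based checks on the candidate clusters, which is why a recovery tool that stops at the low word can silently carve the wrong data.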
 
 