FAT - recovering from deleted file

5 Posts
4 Users
0 Likes
430 Views
(@secureguy)
Posts: 10
Active Member
Topic starter
 

In FAT (FAT12), when a file is deleted (using the del command from DOS/Win), the directory entry has its first character changed to 0xE5 to indicate the file is deleted, but the original data isn't deleted from the data section.

The directory entry for the deleted file will still contain the first cluster number (index into the FAT), and this isn't lost when the file is deleted.
The only change is that the FAT entries for the file are cleared.

So far so good. Then how can the deleted file be retrieved if the clusters of the deleted file were scattered across the data section? The FAT area is the only place that contains the sequence of cluster numbers, but if those are cleared, I just cannot see how the ordering of the cluster sequence would be recovered for the deleted file to be recovered in full, except for the very first cluster.

My discussion assumes the FAT structure is formed of boot sector, FAT, directory entry, and data section.
I guess I must be missing something very simple, but I just cannot get it.

 
Posted : 27/01/2008 11:59 am
azrael
(@azrael)
Posts: 656
Honorable Member
 

If you have a look in Brian Carrier's book - "File System Forensic Analysis"* - he suggests two methodologies, neither of which is perfect or guaranteed. Both take into account that we know the starting cluster and the file size (from the directory entry).

The first method is to blindly read from the starting cluster the allocated number of bytes, completely ignoring the allocation status of subsequent clusters.**

The second method is similar, starting at the known cluster, and then reading ahead, but only reading from unallocated clusters.

Method two will succeed more often than the first, because you stand a chance of recovering fragmented files.

Hope this helps.

* In my opinion this book is a must-have - this section is page 247 in the 2005 edition. It has a diagram, which I won't attempt to reproduce here, that makes it very clear _why_ the second method is the most effective.

** Research done by Eoghan Casey, referenced in the book, suggests that WinHex 11.25 uses the first method and EnCase 4 uses the second.

 
Posted : 27/01/2008 1:38 pm
(@secureguy)
Posts: 10
Active Member
Topic starter
 

Thanks,

It looks like it is almost impossible to retrieve the whole content of the original file if a large file is removed from a heavily fragmented hard disk, even though no clusters in that file were overwritten.

 
Posted : 28/01/2008 4:38 am
(@memon)
Posts: 13
Active Member
 

Thanks,

It looks like it is almost impossible to retrieve the whole content of the original file if a large file is removed from a heavily fragmented hard disk, even though no clusters in that file were overwritten.

Not true. Digital Assembly has developed techniques for recovering even heavily fragmented files from unallocated space. See http://digital-assembly.com/products/adroit-photo-forensics/

 
Posted : 18/10/2009 6:12 am
(@mscotgrove)
Posts: 938
Prominent Member
 

Don't forget that in FAT32 the high 16 bits of the first cluster number are also cleared down. It is therefore necessary to work out which possible cluster the lower 16 bits are pointing to. Many recovery programs ignore this point.

 
Posted : 18/10/2009 1:44 pm
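The two recovery methods azrael describes, and the FAT32 high-word issue mscotgrove raises, on a toy in-memory volume. This is an added example, not code from the book or from any poster; the cluster size, file names, payloads and cluster placement are constructed.

```python
"""Toy FAT12-style volume: a DOS delete and the two recovery methods from
Carrier's book, plus the FAT32 high-word problem. Constructed example."""
CLUSTER_SIZE = 4            # bytes per cluster, tiny so the output is readable
FREE, EOC = 0x000, 0xFFF    # FAT12 free entry and end-of-chain marker

class Volume:
    def __init__(self, n_clusters):
        self.fat = [FREE] * n_clusters                  # one FAT entry per cluster
        self.data = [b"\0" * CLUSTER_SIZE] * n_clusters  # one payload per cluster
        self.directory = {}                             # name -> [first, size, deleted]

def write_file(vol, name, payload, clusters):
    # Place the payload in the listed clusters and chain them in the FAT.
    for i, c in enumerate(clusters):
        vol.data[c] = payload[i*CLUSTER_SIZE:(i+1)*CLUSTER_SIZE].ljust(CLUSTER_SIZE, b"\0")
        vol.fat[c] = clusters[i+1] if i + 1 < len(clusters) else EOC
    vol.directory[name] = [clusters[0], len(payload), False]

def delete_file(vol, name):
    # DOS del: flag the entry (0xE5), free the FAT chain, keep first cluster and data.
    c = vol.directory[name][0]
    while c != EOC:
        nxt = vol.fat[c]
        vol.fat[c] = FREE
        c = nxt
    vol.directory[name][2] = True

def recover_contiguous(vol, name):
    # Method 1: read size bytes from the first cluster onward, ignoring allocation.
    first, size, _ = vol.directory[name]
    return b"".join(vol.data[first:first + -(-size // CLUSTER_SIZE)])[:size]

def recover_unallocated(vol, name):
    # Method 2: read forward from the first cluster but take only free clusters.
    first, size, _ = vol.directory[name]
    free = [vol.data[c] for c in range(first, len(vol.fat)) if vol.fat[c] == FREE]
    return b"".join(free[:-(-size // CLUSTER_SIZE)])[:size]

def fat32_first_cluster_candidates(low16, total_clusters):
    # FAT32 delete also zeroes the high 16 bits, so every cluster sharing the low word
    # is a possible start cluster; a recovery tool has to try each of them.
    return [low16 | (hi << 16) for hi in range((total_clusters >> 16) + 1)
            if (low16 | (hi << 16)) < total_clusters]

def build_demo():
    # 12-byte file fragmented over clusters 2,4,5; a live 4-byte file owns cluster 3.
    vol = Volume(8)
    write_file(vol, "deleted.txt", b"HELLOWORLD!!", [2, 4, 5])
    write_file(vol, "other.txt", b"XXXX", [3])
    delete_file(vol, "deleted.txt")
    return vol
```

On this layout method 1 pulls in the live file's cluster 3 and returns garbage in the middle, while method 2 skips it and reassembles the fragmented file intact.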