Deleted FAT files f...
 
Notifications
Clear all

Deleted FAT files first cluster addr high WORD gets cleared?

4 Posts
2 Users
0 Likes
967 Views
CyberGonzo
(@cybergonzo)
Posts: 100
Estimable Member
Topic starter
 

Hi,

I'm running into something I did not expect nor find immediate information on.

In the FAT file system, file/dir entry. When a file gets deleted. Is the WORD that contains the high part of the DWORD first cluster address cleared ?

It looks like it is, or what am I missing ?
I thought only the first byte of the name got changed.

The effect is that all addresses for files at higher address locations seem WORD wrapped, and hence wrong.

Or where can I find alternate data to circumvent this issue, to still puzzle correct addresses together ?

Your input appreciated.
Cheers.

 
Posted : 13/07/2012 3:18 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

This is true for Microsoft. Many data recovery programs do not allow for this. I have seen a video camera that deleted all 32 bits.

The lower bytes dates etc are true. The FAT is also deleted, so receovery intially expects a sequential file.

With my software (see signature) I search all possible locations for a possible file and select one based on matching signature. This only works obviously for files with known signatures.

 
Posted : 13/07/2012 4:10 pm
CyberGonzo
(@cybergonzo)
Posts: 100
Estimable Member
Topic starter
 

Hi Michael,

With my software (see signature) I search all possible locations for a possible file and select one based on matching signature. This only works obviously for files with known signatures.

I see, so there is no way around this except for the method you describe.

I do this too btw.

But do you bother to try and match the files with incorrect address in the FAT tables (and how do you decide the address is wrong) to files found based on their signature ? You can never be sure that's the file in question (unless maybe you can see if the lower part of the address matches)

 
Posted : 13/07/2012 4:29 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

I use the lower 16 bits and try possible high values. On most disks/chips there are often less than maybe 10 possible values, although there could be 64K for the 16 bit number.

 
Posted : 13/07/2012 5:45 pm
Share: