I am a second year computing student with my main subject being digital forensics. I have just started doing Digital Forensics this semester, so am relatively new to the subject. I am at the moment finishing an assignment which involves analyzing the FAT32 file system. It's been going well up until now. I have a 256 MB pen drive:
sector size is 512 bytes
cluster size 2048 bytes
the fat area is 1992 sectors and starts at sector 32
the data area starts at sector 2024
I created a file called file1.txt and copied it to the drive. The FAT table updated, the directory entry was created and the data went straight into cluster 2 of the data area at sector 2028.
I deleted the file and the data still remained as expected. I then copied a new file to the drive called file2.txt. The FAT table was updated and replaced that of the previous file1.txt, a new directory entry was created, but the data went into cluster 2 at sector 2028 and totally overwrote the old data from file1.txt.
This may seem like a stupid question, forgive me, I'm new. Should the data of file2.txt not be allocated to a different cluster, and the cluster containing the data of file1.txt only be overwritten when all other clusters have been used up?
Any help with this would be greatly appreciated; the assignment's due on Monday and I can't find any answers.
When a file has been deleted, the space is free for any use.
The operating system can do what it wants, and typically, it will use the first free sector. Clever systems might look for free areas to match the file size, but in your case the rest of the drive was free, and so started at the beginning.
If it started at cluster 3 or 4, then the chip would become more fragmented.
You are lucky that FAT often saves the details of a deleted file; the Mac erases that altogether, and Ext4 is pretty bad as well.
As a student you should investigate what happens to the high 16 bits of a FAT32 pointer when a file is deleted, and work out how files can be recovered!! (my website has some clues).
@Dermot29
You failed to specify which OS you are carrying your tests out under (different OSes may have different writing strategies) AND the size of the files involved.
Alternate test (start from a freshly formatted filesystem).
Create (on another disk/partition) 4 files
file1.txt sized 100 Kb
file2.txt sized 200 Kb
file3.txt sized 300 Kb
file4.txt sized 400 Kb
Now
copy to the stick file1.txt, file2.txt, file3.txt (one by one and in this order)
delete from the stick file2.txt
write to the stick file4.txt
What result do you expect?
What result do you actually get?
jaclaz
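As an added illustration (this is not code from any of the posts, and the allocator is a deliberate simplification of what a real FAT driver does), the Python below works through the geometry given in the first post and then plays out jaclaz's four-file test under two allocation strategies. It assumes the FAT32 convention that data clusters are numbered from 2, with cluster 2 being the first cluster of the data area (so with a data area starting at sector 2024 and 4 sectors per cluster, cluster 3 begins at sector 2028), and that the first FAT copy begins at sector 32. The "first free" strategy rescans the table from the start for every write; the "next free" strategy resumes after the last cluster handed out, which is what a cached next-free hint does. Which one a given operating system uses is exactly the question jaclaz raises, and the two produce visibly different results for file4.txt.

```python
# Added example (not from the thread): FAT32 cluster arithmetic for the geometry in
# the first post, plus a toy first-free allocator that reproduces the "deleted
# cluster is reused at once" observation and jaclaz's four-file test.
SECTOR_SIZE = 512
CLUSTER_SIZE = 2048
SECTORS_PER_CLUSTER = CLUSTER_SIZE // SECTOR_SIZE   # 4 sectors per cluster
FAT_START_SECTOR = 32                               # FAT area begins here (from the post)
FIRST_DATA_SECTOR = 2024                            # data area begins here (from the post)

FREE = 0
EOC = 0x0FFFFFFF            # end-of-chain marker
MEDIA_ENTRY = 0x0FFFFFF8    # entry 0: media descriptor 0xF8 with the upper bits set


def cluster_to_sector(cluster):
    """Data clusters are numbered from 2; cluster 2 is the first cluster of the data area."""
    if cluster < 2:
        raise ValueError("entries 0 and 1 are reserved FAT entries, not data clusters")
    return FIRST_DATA_SECTOR + (cluster - 2) * SECTORS_PER_CLUSTER


def sector_to_cluster(sector):
    """Inverse of cluster_to_sector for any sector inside the data area."""
    if sector < FIRST_DATA_SECTOR:
        raise ValueError("sector lies before the data area")
    return 2 + (sector - FIRST_DATA_SECTOR) // SECTORS_PER_CLUSTER


def fat_entry_offset(cluster):
    """Byte offset within the volume of the 4-byte entry for `cluster` in the first FAT copy."""
    return FAT_START_SECTOR * SECTOR_SIZE + cluster * 4


def clusters_needed(size_bytes):
    """Whole clusters needed to hold `size_bytes` (ceiling division)."""
    return -(-size_bytes // CLUSTER_SIZE)


def new_fat(total_clusters):
    """Freshly formatted table: reserved entries 0 and 1, root directory in cluster 2."""
    fat = [FREE] * (total_clusters + 2)
    fat[0] = MEDIA_ENTRY
    fat[1] = EOC
    fat[2] = EOC            # root directory occupies a single cluster
    return fat


def allocate(fat, size_bytes, start_hint=2):
    """Take the first free clusters at or after start_hint, link them, and mark the last EOC."""
    need = clusters_needed(size_bytes)
    chosen = []
    c = start_hint
    while len(chosen) < need and c < len(fat):
        if fat[c] == FREE:
            chosen.append(c)
        c += 1
    if len(chosen) < need:
        raise OSError("disk full")
    for a, b in zip(chosen, chosen[1:]):
        fat[a] = b
    fat[chosen[-1]] = EOC
    return chosen


def delete(fat, chain):
    """Deleting a file frees its chain; the data clusters themselves are untouched."""
    for c in chain:
        fat[c] = FREE


def count_fragments(chain):
    """Number of contiguous runs in a cluster chain."""
    return 1 + sum(1 for a, b in zip(chain, chain[1:]) if b != a + 1)


def scenario_reuse():
    """file1.txt written, deleted, file2.txt written: both land in the same cluster."""
    fat = new_fat(64)
    f1 = allocate(fat, 100)
    delete(fat, f1)
    f2 = allocate(fat, 100)
    return f1, f2           # ([3], [3]) -> both at sector 2028


def run_jaclaz_test(strategy):
    """100/200/300 KB files, delete the 200 KB one, then write 400 KB."""
    fat = new_fat(2000)
    hint = 2

    def write(size_kb):
        nonlocal hint
        chain = allocate(fat, size_kb * 1024, hint)
        if strategy == "next_free":
            hint = chain[-1] + 1
        return chain

    write(100)              # file1.txt -> clusters 3..52
    f2 = write(200)         # file2.txt -> clusters 53..152
    write(300)              # file3.txt -> clusters 153..302
    delete(fat, f2)
    f4 = write(400)         # file4.txt: 200 clusters, placement depends on strategy
    return {"first_cluster": f4[0], "first_sector": cluster_to_sector(f4[0]),
            "fragments": count_fragments(f4)}


if __name__ == "__main__":
    print("file1/file2 clusters:", scenario_reuse())
    for s in ("first_free", "next_free"):
        print(s, run_jaclaz_test(s))
```

With first-free allocation file4.txt starts in the hole left by file2.txt and spills over past file3.txt, so it ends up in two fragments; with a next-free hint it is written contiguously after file3.txt. Comparing the directory entry and FAT chain of file4.txt on the real stick against these two outcomes tells you which behaviour the writing OS has.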
Thank you so much for your replies, I can see how it's working now. I formatted the pen drive on a Windows XP machine because when I did it on my Windows 8 laptop, the values in the boot sector were very unpredictable. I used my Windows 8 laptop to write the text files to the drive. I can see now that the next unallocated cluster is used. What I don't really know is what determines this: is it the FAT32 pen drive or my Windows 8 operating system?
Also I do not know what the first three entries in the FAT table are on my pen drive:
the first entry is 0x0ffffff8
the second and third entries are end of file markers (0x0fffffff)
The fourth entry appears when a text file is copied and is also an end of file marker.
This is unusual I know because it's different to all the text books I've been reading.
The only thing I know from the above is that the fourth entry corresponds to the second cluster of the data area because it only appears after I copy a text file to the drive.
Anyone know what the first three entries might correspond to? There is only one text file on the drive, taking up one cluster at cluster two of the data area.
Thank you for your help on my previous question, I will look at your suggestions and try that second test once I get all my assignment work done, back to college Monday after Easter and have loads of assignments due.
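An added example, not code from the thread, decoding the kind of FAT32 table the poster describes and a short 8.3 directory entry. FAT32 entries are 32-bit little-endian values of which only the low 28 bits are significant; entry 0 carries the media descriptor byte (0xF8) with the upper bits set, entry 1 is a reserved marker whose two top bits Windows uses as clean-shutdown and hardware-error flags, and entry 2 belongs to the root directory, which on FAT32 lives in the data area (normally cluster 2) and is marked end-of-chain when it fits in one cluster. The first file copied to the volume therefore gets cluster 3, the fourth entry. The directory-entry part picks up the earlier hint about the high 16 bits: a FAT32 directory entry keeps the start cluster as a low word at offset 0x1A and a high word at offset 0x14, and on deletion Windows sets the first name byte to 0xE5 and zeroes the high word, so on a volume with more than 65,535 clusters several start clusters are possible for a deleted file. The FAT bytes, the directory entries and the cluster count used below are all constructed for the example.

```python
# Added example (not from the thread): decode FAT32 table entries, follow a
# cluster chain, parse an 8.3 directory entry, and enumerate the possible start
# clusters of a deleted entry whose high cluster word was zeroed.
import struct

ENTRY_MASK = 0x0FFFFFFF     # FAT32 entries are 32 bits wide, 28 are used
BAD_CLUSTER = 0x0FFFFFF7
EOC_MIN = 0x0FFFFFF8        # 0x0FFFFFF8..0x0FFFFFFF all mean end of chain
DELETED_MARK = 0xE5

# Constructed FAT bytes modelling the poster's table after one single-cluster
# file: media entry, reserved entry, root directory (cluster 2), file (cluster 3).
SAMPLE_FAT = struct.pack("<6I", 0x0FFFFFF8, 0xFFFFFFFF, 0x0FFFFFFF, 0x0FFFFFFF, 0, 0)


def decode_fat32_entries(raw):
    """Little-endian 32-bit entries, masked to the 28 significant bits."""
    return [v & ENTRY_MASK for (v,) in struct.iter_unpack("<I", raw)]


def describe_entry(index, value):
    """Human-readable meaning of one table entry."""
    if index == 0:
        return "media descriptor 0x%02X (upper bits set)" % (value & 0xFF)
    if index == 1:
        return "reserved marker (bits 27/26 double as clean-shutdown/hardware-error flags)"
    if value == 0:
        return "free"
    if value == BAD_CLUSTER:
        return "bad cluster"
    if value >= EOC_MIN:
        return "end of chain"
    return "chains to cluster %d" % value


def follow_chain(fat, first):
    """Walk a chain from its first cluster, refusing loops and out-of-table pointers."""
    chain = []
    c = first
    while 2 <= c < BAD_CLUSTER:
        if c >= len(fat) or c in chain:
            raise ValueError("chain leaves the table or loops at cluster %d" % c)
        chain.append(c)
        c = fat[c]
    return chain


def make_dir_entry(name, ext, first_cluster, size, deleted=False):
    """Constructed 32-byte 8.3 directory entry (timestamps left at zero)."""
    raw = bytearray(32)
    raw[0:8] = name.ljust(8).encode("ascii")
    raw[8:11] = ext.ljust(3).encode("ascii")
    raw[11] = 0x20                                              # ATTR_ARCHIVE
    struct.pack_into("<H", raw, 0x14, first_cluster >> 16)      # high word of start cluster
    struct.pack_into("<H", raw, 0x1A, first_cluster & 0xFFFF)   # low word of start cluster
    struct.pack_into("<I", raw, 0x1C, size)
    if deleted:
        raw[0] = DELETED_MARK
        struct.pack_into("<H", raw, 0x14, 0)                    # high word cleared on delete
    return bytes(raw)


def parse_dir_entry(raw):
    """Name, deletion state, start cluster and size from a 32-byte entry."""
    deleted = raw[0] == DELETED_MARK
    name = (b"?" + raw[1:8] if deleted else raw[0:8]).decode("ascii").rstrip()
    ext = raw[8:11].decode("ascii").rstrip()
    (hi,) = struct.unpack_from("<H", raw, 0x14)
    (lo,) = struct.unpack_from("<H", raw, 0x1A)
    (size,) = struct.unpack_from("<I", raw, 0x1C)
    return {"name": name + ("." + ext if ext else ""), "deleted": deleted,
            "first_cluster": (hi << 16) | lo, "size": size}


def candidate_first_clusters(low_word, total_clusters):
    """With the high word zeroed, every in-range cluster sharing this low word is a candidate."""
    last = total_clusters + 1            # data clusters are numbered 2 .. total_clusters + 1
    return [c for c in range(low_word, last + 1, 0x10000) if c >= 2]


if __name__ == "__main__":
    fat = decode_fat32_entries(SAMPLE_FAT)
    for i, v in enumerate(fat):
        print("entry %d = 0x%08X: %s" % (i, v, describe_entry(i, v)))
    print("chain from cluster 3:", follow_chain(fat, 3))
    gone = parse_dir_entry(make_dir_entry("FILE1", "TXT", 70000, 1234, deleted=True))
    print(gone, "candidates:", candidate_first_clusters(gone["first_cluster"], 125000))
```

The candidate list is what makes the high-word question matter for recovery: on a stick this size (well over 65,536 clusters of 2 KB) a deleted entry with low word 4464 could have started at cluster 4464 or 70000, and only the content of those clusters, or the file size compared with the free-cluster map, can tell them apart.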
Well, no.
Meaning that if you partition/format under different OS the values in the BPB may be different, but they are usually "predictable" (for the given OS)
the first entry is 0x0ffffff8
the second and third entries are end of file markers (0x0fffffff)
Yes and no, meaning that the 2nd is a "default" and "fixed" (at formatting time ONLY) EOF, the third is actually an EOF marker.
What happens if on a freshly formatted FAT32 filesystem you create a directory (or more than one) in ROOT?
Does the 2nd entry remain always FFFFFFF0 when you add (or delete) files and directories?
Is the behaviour the "same" if the disk is a "removable" device (such as I presume is now your USB stick) or if it is a partition on a "fixed" device?
Which text books are you reading?
Why don't you try something "from the mouth of the wolf"?
http//
jaclaz