Post on 13-Jul-2020
Villanova University – Department of Computing Sciences – D. Justin Price – Spring 2014
Data Recovery FAT32
Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014
• When a file is deleted on a FAT32 system, the following two events occur:
  – The first character of the filename is changed to 0xE5.
  – The clusters assigned to the file are marked as unallocated (0x00000000).
• What doesn’t happen:
  – The data is left intact … until the space is needed for another file.
The Deletion Process
Mustang.jpg Saved to Local Hard Drive (FAT32)
Directory Entry for Mustang.jpg
Range   | Description                                  | Example
00 – 00 | 1st Character of File Name in ASCII          | 0x55 = M
01 – 10 | Characters 2 to 11 of File Name in ASCII     | ustang.jpg
11 – 11 | File Attributes                              | 0x20 = Archive
14 – 17 | Created Day & Time                           | 0x9C435A00
20 – 21 | High 2 Bytes of First Cluster Address        | 0x0000
22 – 25 | Written Day & Time                           | 0x9C433C00
26 – 27 | Low 2 Bytes of First Cluster Address         | 0x0007
28 – 31 | Size of File (0 for Directories)             | 0x018240
FAT32 FSINFO
Range     | Description             | Example
488 – 491 | Number of Free Clusters | 0x000BF4C9 = 783,561
492 – 495 | Next Free Cluster       | 0x00000020 = 32
Let’s Delete Mustang.jpg
What Happened?
✓ First Character Changed to 0xE5
✓ Data Left Intact
❎ Number of Available Clusters Remained the Same?
Empty the Recycle Bin!
✓ First Character Changed to 0xE5
✓ Available Clusters Increased to 783,586 (+25)
✓ Data Still Left Intact
Expected Results
• The first character of the filename is changed to any hexadecimal value other than 0xE5.
• Most forensic software uses the underscore (0x5F) as the default replacement value; this can be changed in the user settings.
Data Recovery
Data Recovery
The Deletion Process
• The boot sector (sector 0 of the volume) is read and the following information is gathered: the FAT structures, the data area and the root directory.
• The root directory is searched for the Mustang.jpg entry.
• By examining the entry within the FAT structure, the clusters allocated to the file are changed to 0 (unallocated).
• The root directory entry is also unallocated by changing the first character of the filename to 0xE5.
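The following is an added example, not code from the lecture slides: a small in-memory model of the structures the slides walk through (the 32-byte directory entry, the FSINFO free-cluster count, the FAT and the data clusters). It replays the two deletion events (FAT chain zeroed, first name byte set to 0xE5), then performs the tool-style recovery the slides describe (first byte rewritten to the underscore, 0x5F). The names `TinyFat32`, `build_dir_entry`, `parse_dir_entry`, `delete_file` and `undelete` are this example's own. Assumptions: 4 KiB clusters (which makes the 98,880-byte file occupy 25 clusters, matching the +25 on the slide), the slide's timestamps stored as raw bytes in the order printed, and, because the FAT chain is gone after deletion, the recovery assuming the file was stored contiguously from its first cluster. The on-disk short name is stored in 8.3 form (space padded, no dot), so the entry holds "MUSTANG JPG" rather than the "Mustang.jpg" the slide prints for readability. The undelete also reports which of the file's clusters have since been allocated to another file, which is the "until the space is needed" failure mode the slides warn about.

```python
import struct

CLUSTER_SIZE = 4096              # assumption: 4 KiB clusters (98,880 bytes -> 25 clusters)
DELETED_MARK = 0xE5              # first name byte of a deleted directory entry
RECOVERY_CHAR = 0x5F             # '_' : default replacement used by forensic tools (per the slides)
EOC = 0x0FFFFFFF                 # end-of-chain marker in a FAT32 entry
ENTRY_FMT = "<8s3sBBB4sHH4sHI"   # 32-byte short entry, fields in the order of the slide's table


def build_dir_entry(base, ext, attr, created, written, first_cluster, size):
    """Build one 32-byte FAT32 short directory entry (8.3 name, no dot, space padded)."""
    return struct.pack(ENTRY_FMT,
                       base.upper().ljust(8).encode("ascii"),  # 00-07 first 8 name characters
                       ext.upper().ljust(3).encode("ascii"),   # 08-10 extension
                       attr,                                   # 11    attributes (0x20 = archive)
                       0, 0,                                   # 12-13 reserved / creation tenths
                       created,                                # 14-17 created time & date (raw bytes)
                       0,                                      # 18-19 last access date
                       first_cluster >> 16,                    # 20-21 high 2 bytes of first cluster
                       written,                                # 22-25 written time & date (raw bytes)
                       first_cluster & 0xFFFF,                 # 26-27 low 2 bytes of first cluster
                       size)                                   # 28-31 file size


def parse_dir_entry(entry):
    """Decode a 32-byte entry; 'deleted' is what a hex editor shows at offset 0 (0xE5)."""
    base, ext, attr, _, _, _c, _a, hi, _w, lo, size = struct.unpack(ENTRY_FMT, entry)
    return {"deleted": base[0] == DELETED_MARK,
            "name": base.decode("latin-1").rstrip() + "." + ext.decode("latin-1").rstrip(),
            "attr": attr, "first_cluster": (hi << 16) | lo, "size": size}


class TinyFat32:
    """Constructed volume: FAT array, FSINFO free count (bytes 488-491), root directory, clusters."""

    def __init__(self, total_clusters):
        self.fat = [0] * total_clusters               # 0x00000000 = unallocated
        self.fat[0], self.fat[1] = 0x0FFFFFF8, EOC    # reserved FAT entries 0 and 1
        self.free_clusters = total_clusters - 2
        self.root, self.clusters = [], {}

    def write_file(self, base, ext, data):
        n = -(-len(data) // CLUSTER_SIZE)
        chain = [c for c in range(2, len(self.fat)) if self.fat[c] == 0][:n]
        if len(chain) < n:
            raise OSError("volume full")
        for i, c in enumerate(chain):                 # link the clusters into a FAT chain
            self.fat[c] = chain[i + 1] if i + 1 < n else EOC
            self.clusters[c] = data[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]   # reuse overwrites old data
        self.free_clusters -= n
        self.root.append(build_dir_entry(base, ext, 0x20, b"\x9c\x43\x5a\x00",
                                         b"\x9c\x43\x3c\x00", chain[0], len(data)))
        return len(self.root) - 1                     # index of the new directory entry

    def delete_file(self, idx):
        """The two deletion events on the slide: zero the FAT chain, mark the entry 0xE5. Data untouched."""
        entry = bytearray(self.root[idx])
        c = parse_dir_entry(bytes(entry))["first_cluster"]
        while 2 <= c < 0x0FFFFFF8:
            nxt = self.fat[c]
            self.fat[c] = 0                           # cluster becomes unallocated
            self.free_clusters += 1                   # FSINFO free count goes up
            c = nxt
        entry[0] = DELETED_MARK
        self.root[idx] = bytes(entry)

    def undelete(self, idx):
        """Tool-style recovery: the chain is gone, so assume contiguity from the first cluster (assumption),
        rewrite the first name byte to '_', and report clusters that were allocated again since deletion.
        The volume itself is left unmodified, as a tool reading a forensic image would leave it."""
        entry = bytearray(self.root[idx])
        info = parse_dir_entry(bytes(entry))
        if not info["deleted"]:
            raise ValueError("entry is not deleted")
        n = -(-info["size"] // CLUSTER_SIZE)
        wanted = range(info["first_cluster"], info["first_cluster"] + n)
        reused = [c for c in wanted if self.fat[c] != 0]
        data = b"".join(self.clusters.get(c, b"\x00" * CLUSTER_SIZE) for c in wanted)[:info["size"]]
        entry[0] = RECOVERY_CHAR
        return parse_dir_entry(bytes(entry))["name"], data, reused


def demo():
    """Replay the slides: save Mustang.jpg, delete it, recover it, then let another file reuse its space."""
    vol = TinyFat32(total_clusters=64)
    mustang = bytes(range(256)) * 386 + b"\x00" * 64          # constructed 98,880-byte (0x018240) file
    idx = vol.write_file("Mustang", "jpg", mustang)
    free_before = vol.free_clusters
    vol.delete_file(idx)
    freed = vol.free_clusters - free_before                   # +25, as on the slide
    name, data, reused = vol.undelete(idx)                    # '_USTANG.JPG', data still intact
    vol.write_file("other", "bin", b"X" * CLUSTER_SIZE * 3)   # next-free allocation lands on freed clusters
    _, _, reused_after = vol.undelete(idx)                    # recovery now reports overwritten clusters
    return freed, name, data == mustang, reused, len(reused_after)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the sequence of the slides in one pass: deletion frees 25 clusters and leaves the bytes in place, the recovered entry reads `_USTANG.JPG`, and once a new file is written the same recovery reports that its first three clusters now belong to someone else, which is why imaging before any further writes matters.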