Villanova University – Department of Computing Sciences – D. Justin Price – Spring 2014

Data Recovery FAT32

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

• When a file is deleted on a FAT32 system, the following two events occur: – The first character of the filename is changed to a 0xE5. – The clusters assigned to the file are marked as unallocated

(0x00000000).

• What doesn’t happen: – The data is left intact … until the space is needed for

another file.

The Deletion Process

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

Mustang.jpg Saved to Local Hard Drive (FAT32)

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

Directory Entry for Mustang.jpg

Range Description Example

00 – 00 1st 0x55 = M01 – 10 Characters 2 to 11 of File Name in ASCII ustang.jpg

11 – 11 File Attributes 0x20 = Archive

14 – 17 Created Day & Time 0x9C435A00

20 – 21 High 2 Bytes of First Cluster Address 0x0000

22 – 25 Written Day & Time 0x9C433C00

26 – 27 Low 2 Bytes of First Cluster Address 0x0007

28 – 31 Size of File (0 for Directories) 0x018240

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

FAT32 FSINFO

Range Description Example

488 - 491 Number of Free Clusters 0x000BF4C9 = 783,561492 – 495 Next Free Cluster 0x00000020 = 32

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

Lets Delete Mustang.jpg

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

What Happened?✓First Character Changed to 0xE5

✓Data Left Intact

❎ Number of Available Clusters Remained the Same?

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

Empty the Recycle Bin!

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

✓First Character Changed to 0xE5

✓ Available Clusters Increased to 783,586 (+25)

✓Data Still Left Intact

Expected Results

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

• The first character is changed to any hexadecimal value other than an 0xE5.

• Most forensic software uses the underscore 0x5F (underscore) as the default value, but can be changed in the user settings.

Data Recovery

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

Data Recovery

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

The Deletion Process• The boot sector (sector 0 from the volume) is read and the following

information gathered: FAT structures, data area and root directory. • The root directory is searched for the Mustang.jpg entry. • By examining the entry within the FAT structure, the clusters

allocated to the file are changed to 0 (unallocated). • The root directory entry is also unallocated by changing the first

character of the filename to 0xE5.