Wednesday, August 17, 2011

More FAT32 delete problems

I have just come across a FAT32 memory chip with deleted files.  There is a well known issue that when FAT32 has deleted files, the upper 16 bits of the cluster address are blanked, though the lower 16 bits remain valid.  CnW has developed routines to make use of the lower 16 bits, and with intelligence can recreate the upper 16 bits for known file types.  The new chip was from a video recorder, and all 32 bits have been deleted.  This means there is no information on the location of the file.

Fortunately, the FAT directory entry does contain the file length.  The only way that file names can be associated with files is to data carve the disk and then try to match file lengths.  This is far from optimum, but does provide a partial solution to an otherwise impossible problem.
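An added sketch of the length-matching approach described above (not CnW's code): it reads deleted 32-byte FAT directory entries, extracts the cluster fields and file length, and pairs a name with a carved file only when that length is unique on both sides. The directory bytes, the carver's (offset, length) list and all function names are constructed or hypothetical.

```python
import struct
from collections import defaultdict

def parse_deleted_entries(directory: bytes):
    """Return deleted short-name file entries from raw FAT directory data."""
    found = []
    for off in range(0, len(directory) - 31, 32):
        e = directory[off:off + 32]
        if e[0] == 0x00:                  # 0x00 marks the end of the directory
            break
        if e[0] != 0xE5 or e[11] & 0x18:  # keep deleted files; skip LFN/volume/dir
            continue
        hi, = struct.unpack_from("<H", e, 0x14)    # upper 16 bits of first cluster
        lo, = struct.unpack_from("<H", e, 0x1A)    # lower 16 bits of first cluster
        size, = struct.unpack_from("<I", e, 0x1C)  # file length in bytes
        base = e[1:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        name = "?" + base + ("." + ext if ext else "")  # first char was overwritten
        found.append({"name": name, "cluster": (hi << 16) | lo, "size": size})
    return found

def match_by_length(entries, carved):
    """Pair names with carved (offset, length) items when the length is unique."""
    names_by_size, offsets_by_len = defaultdict(list), defaultdict(list)
    for ent in entries:
        names_by_size[ent["size"]].append(ent["name"])
    for offset, length in carved:
        offsets_by_len[length].append(offset)
    return {names[0]: offsets_by_len[size][0]
            for size, names in names_by_size.items()
            if len(names) == 1 and len(offsets_by_len.get(size, [])) == 1}

# Constructed sample (not from the page): three deleted recordings with all 32
# cluster bits zeroed, one live file, and a hypothetical carver's results.
def _entry(name11, cluster, size, deleted=True):
    raw = bytearray(32)
    raw[0:11], raw[11] = name11, 0x20
    struct.pack_into("<H", raw, 0x14, cluster >> 16)
    struct.pack_into("<H", raw, 0x1A, cluster & 0xFFFF)
    struct.pack_into("<I", raw, 0x1C, size)
    raw[0] = 0xE5 if deleted else raw[0]
    return bytes(raw)

SAMPLE_DIR = (_entry(b"MOV0001 MP4", 0, 1048576) + _entry(b"MOV0002 MP4", 0, 2097152)
              + _entry(b"MOV0003 MP4", 0, 2097152)
              + _entry(b"MOV0004 MP4", 0x00012345, 4096, deleted=False))
CARVED = [(0x400000, 1048576), (0x800000, 2097152), (0xC00000, 2097152)]

print(match_by_length(parse_deleted_entries(SAMPLE_DIR), CARVED))
```

The two recordings that share a length are left unmatched, which is why the result is only a partial solution.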

Fortunately, FAT32 is now largely used for removable storage and typically for one type of file, e.g. video, music or photos.  File names are not always critical, and data carving can produce reasonable results.