🗄 File Systems

FAT Data Recovery

FAT32 File Recovery

First, get familiar with the FAT file system. There are some things specific to this FS in the way files are created and deleted. We basically need to follow the file deletion steps in reverse order.

  • Replace the 0xE5 marker bytes in the directory entry set
  • Change the FAT table values to indicate allocated (not 0x00000000)
  • Use the short file name directory entry (starting cluster and file size)
    • Determine the cluster size using the volume boot record data
    • Calculate the number of clusters needed (clusters = file_size / cluster_size, rounded up to a whole cluster). Keep in mind that the file size for folders is always 00 00 00 00, so don’t confuse a file with a folder.
    • Rechain the FAT entries of the file
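As an added worked example (not code from the original post), the steps above applied to a small FAT32 image constructed in memory: the cluster size and FAT locations come from the boot record, the cluster count is rounded up, the clusters are checked to still be free, the chain is rewritten in every FAT copy, and the 0xE5 bytes of the short entry and its long-name entries are restored. Two things are assumptions the caller has to supply, since deletion destroys them: the first character of the short name and that the file was stored contiguously.

```python
import struct

EOC = 0x0FFFFFFF   # FAT32 end-of-chain marker (only the low 28 bits of an entry matter)
LFN_ATTR = 0x0F    # attribute value of a long-file-name directory entry

def fat32_geometry(img):
    """Cluster size and byte offset of every FAT copy, read from the volume boot record."""
    bps = struct.unpack_from("<H", img, 11)[0]           # bytes per sector
    spc, nfats = img[13], img[16]                        # sectors per cluster, number of FATs
    reserved = struct.unpack_from("<H", img, 14)[0]      # reserved sectors before FAT #1
    fat_sectors = struct.unpack_from("<I", img, 36)[0]   # FAT32 sectors-per-FAT field
    return bps * spc, [(reserved + i * fat_sectors) * bps for i in range(nfats)]

def undelete(img, entry_off, first_char):
    """Reverse the deletion of the short-name entry at entry_off (img is a bytearray)."""
    cluster_size, fats = fat32_geometry(img)
    if img[entry_off] != 0xE5:
        raise ValueError("entry is not marked deleted")
    start = struct.unpack_from("<H", img, entry_off + 26)[0] | struct.unpack_from("<H", img, entry_off + 20)[0] << 16
    size = struct.unpack_from("<I", img, entry_off + 28)[0]
    if size == 0:
        raise ValueError("size 0: a folder (or empty file); chain length cannot be derived")
    nclusters = -(-size // cluster_size)             # round UP: a partial last cluster counts
    chain = list(range(start, start + nclusters))    # assumption: file was stored contiguously
    for c in chain:                                  # refuse if any cluster was re-allocated
        if struct.unpack_from("<I", img, fats[0] + 4 * c)[0] & EOC:
            raise ValueError(f"cluster {c} is in use; its data may already be overwritten")
    for fat in fats:                                 # rechain in every FAT copy, EOC on the last
        for i, c in enumerate(chain):
            struct.pack_into("<I", img, fat + 4 * c, chain[i + 1] if i + 1 < nclusters else EOC)
    img[entry_off] = ord(first_char)                 # first name byte was lost; caller supplies it
    n, off = 0, entry_off - 32                       # count the deleted LFN entries just before it
    while off >= 0 and img[off] == 0xE5 and img[off + 11] == LFN_ATTR:
        n, off = n + 1, off - 32
    for i in range(1, n + 1):                        # LFN sequence numbers; 0x40 flags the last
        img[entry_off - 32 * i] = i | (0x40 if i == n else 0)
    return start, chain

def build_sample_image():
    img = bytearray(512 * 7)                         # constructed: boot sector, 2 FATs, clusters 2..5
    struct.pack_into("<HBHB", img, 11, 512, 1, 1, 2) # 512 B/sector, 1 sector/cluster, 1 reserved, 2 FATs
    struct.pack_into("<I", img, 36, 1)               # each FAT is one sector long
    for fat in (512, 1024):                          # media entries, root dir (cluster 2) allocated
        struct.pack_into("<III", img, fat, 0x0FFFFFF8, EOC, EOC)
    root = 512 * 3                                   # cluster 2 holds one LFN + one short entry
    img[root:root + 32] = b"\xE5" + b"\x00" * 10 + bytes([LFN_ATTR]) + b"\x00" * 20
    e = root + 32                                    # deleted "?ILE.TXT", cluster 3, 1200 bytes
    img[e:e + 11] = b"\xE5ILE    TXT"
    struct.pack_into("<HI", img, e + 26, 3, 1200)    # first cluster (low word) and file size
    return img, e
```

On a real volume the chain check is the important safeguard: a non-zero FAT entry means the space was reused after deletion, and rechaining would only make a corrupt file look intact.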

🔎 Interestingly enough, this method worked on a FAT32 formatted flash drive. Why?

NTFS Data Recovery

Steps

To get familiar with NTFS file creation and deletion, see here. In general, there are resident and non-resident files. Resident files are small and have their contents in the MFT record itself. Non-resident files are bigger, and their contents are stored elsewhere on the disk.

⚠️ Since MFT records get reused once they are deallocated on the first-free basis, resident files get overwritten sooner.

For resident files, use a regular expression to find FILE0 records: \x46\x49\x4C\x45.{18}[\x00\x02] [2]. This will find all the FILE records that are not newly created. Remember, once a file is created its sequence number is 01. Whenever the FILE record is deleted (deallocated; it’s never actually deleted), the sequence number gets incremented. So, if this record was deallocated once, its sequence number will be 0x02. But! This record can be reused multiple times! When I did the lab, one poor record was reused over and over again, and its sequence number got as big as 0x08, imagine that! So, I would fix the regular expression above to address these cases: \x46\x49\x4C\x45.{18}[^\x00\x01] (todo).