FAT File System – creation and deletion of files – computer forensics aspect

Computer Forensics Expert Note: Many computers use the File Allocation Table (FAT) file system.  Understanding how FAT creates and deletes files is critical for any computer forensics examiner.

When a file is created:

A 32-byte directory entry is made;
An entry is made in the FAT matching the starting cluster recorded in the directory entry above;
The data is written into the data area.
This part of the process is somewhat straightforward.  However, what happens when files are deleted, and how deleted files can be recovered, is perhaps more important for computer forensics purposes:

When a file is deleted:

The first character of the directory entry is changed to 0xE5.   The rest of the entry is left in place and is only overwritten if/when a new directory entry reuses that slot.
The FAT entry is zeroed out.  This means that the cluster is marked available for use; however, just as above, the data area is only overwritten if/when a new file is written to those clusters.
Therefore, the process of recovering a deleted file is theoretically simple: change the 0xE5 character to a legal value and rebuild the FAT chain according to the starting cluster and size recorded in the directory entry.
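As an added illustration, not part of the original note, the following Python models a small in-memory FAT volume and walks through the three creation steps, the two deletion steps and the recovery described above. The volume class, the 32-byte entry helpers and the sample payload are all constructed for this example (there is no real disk I/O). The recovery routine makes the same assumption an examiner makes when relinking from the directory entry alone, namely that the file's clusters were contiguous, and it refuses to relink a chain whose clusters have since been reallocated, because the data area is preserved only until something else is written there.

```python
"""Toy FAT volume: create, delete and recover a file (constructed example)."""
import struct

ENTRY_FMT = "<8s3sBBBHHHHHHHI"   # standard 32-byte short-name directory entry
DELETED = 0xE5                   # first byte of a deleted entry
EOC = 0x0FFFFFFF                 # end-of-chain marker (FAT32 style)


def pack_entry(name, ext, first_cluster, size):
    """Build a 32-byte entry: 8.3 name, attribute 0x20, timestamps zeroed."""
    return struct.pack(ENTRY_FMT,
                       name.upper().ljust(8).encode("ascii")[:8],
                       ext.upper().ljust(3).encode("ascii")[:3],
                       0x20, 0, 0, 0, 0, 0,
                       first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size)


def parse_entry(raw):
    """Decode the fields an examiner needs: deleted flag, name, start cluster, size."""
    f = struct.unpack(ENTRY_FMT, raw)
    return {
        "deleted": f[0][0] == DELETED,
        "name": f[0].decode("ascii", "replace").rstrip(),
        "ext": f[1].decode("ascii", "replace").rstrip(),
        "first_cluster": (f[8] << 16) | f[11],   # high word at 20-21, low word at 26-27
        "size": f[12],
    }


class TinyFatVolume:
    """Constructed in-memory volume: a FAT, fixed-size clusters, a root directory."""

    def __init__(self, cluster_size=512, n_clusters=16):
        self.cluster_size = cluster_size
        self.fat = [0] * n_clusters          # 0 = free cluster
        self.fat[0] = self.fat[1] = EOC      # clusters 0 and 1 are reserved
        self.data = [bytearray(cluster_size) for _ in range(n_clusters)]
        self.directory = []                  # raw 32-byte entries

    def _clusters_for(self, size):
        return max(1, -(-size // self.cluster_size))   # ceiling division

    def _link(self, chain):
        for i, c in enumerate(chain):        # each FAT entry points to the next cluster
            self.fat[c] = chain[i + 1] if i + 1 < len(chain) else EOC

    def create(self, name, ext, payload):
        """Creation: FAT chain, data written to the data area, directory entry."""
        free = [c for c in range(2, len(self.fat)) if self.fat[c] == 0]
        chain = free[:self._clusters_for(len(payload))]
        if len(chain) < self._clusters_for(len(payload)):
            raise OSError("volume full")
        self._link(chain)
        for i, c in enumerate(chain):
            chunk = payload[i * self.cluster_size:(i + 1) * self.cluster_size]
            self.data[c][:len(chunk)] = chunk
        self.directory.append(pack_entry(name, ext, chain[0], len(payload)))
        return chain

    def walk_chain(self, cluster):
        """Follow FAT links; stops at a free (zeroed) entry or an end-of-chain mark."""
        chain = []
        while 2 <= cluster < len(self.fat) and cluster not in chain:
            chain.append(cluster)
            nxt = self.fat[cluster]
            if nxt == 0 or nxt >= 0x0FFFFFF8:
                break
            cluster = nxt
        return chain

    def delete(self, name, ext):
        """Deletion: first byte of the entry becomes 0xE5, FAT entries are zeroed.
        The rest of the entry and the cluster contents are left untouched."""
        idx = next(i for i, raw in enumerate(self.directory)
                   if (e := parse_entry(raw)) and not e["deleted"]
                   and (e["name"], e["ext"]) == (name.upper(), ext.upper()))
        for c in self.walk_chain(parse_entry(self.directory[idx])["first_cluster"]):
            self.fat[c] = 0
        raw = bytearray(self.directory[idx])
        raw[0] = DELETED
        self.directory[idx] = bytes(raw)
        return idx

    def recover(self, idx, first_char="_"):
        """Recovery: replace 0xE5 with a legal character and relink the FAT from
        the start cluster and size, assuming the clusters were contiguous."""
        e = parse_entry(self.directory[idx])
        if not e["deleted"]:
            raise ValueError("entry is not deleted")
        chain = list(range(e["first_cluster"],
                           e["first_cluster"] + self._clusters_for(e["size"])))
        if chain[-1] >= len(self.fat):
            raise ValueError("assumed chain runs past the end of the FAT")
        reused = [c for c in chain if self.fat[c] != 0]
        if reused:   # a newer file owns these clusters; the data is probably gone
            raise ValueError(f"clusters {reused} reallocated since deletion")
        self._link(chain)
        raw = bytearray(self.directory[idx])
        raw[0] = ord(first_char)
        self.directory[idx] = bytes(raw)
        return b"".join(self.data[c] for c in chain)[:e["size"]]
```

Walking the chain of a deleted entry stops at the first cluster because its FAT entry reads 0, which is exactly why recovery has to infer the rest of the chain from the recorded size; the reuse check is what separates a clean undelete from a recovery that would return another file's data.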

This computer forensics information is presented by AVM Technology, LLC, a Computer Forensics, E-Discovery, and Computer Security consulting company located in Richmond, VA and serving clients throughout the United States.