Recovering files from FAT disks and memory chips
When the Recover function is selected from the CnW menu and the disk is FAT32, FAT16 or FAT12, the dialog option box shown below is displayed. Many flash memory devices and camera memories are FAT12 or FAT16, and current large devices are FAT32. Most current hard disk drives are now NTFS, but many external hard drives are FAT32 to be compatible with Apple devices.
The CnW FAT recovery software will analyse and recover files from most disks that have been corrupted or have partially failed. Deleted files can also be recovered, including ones on FAT32 disks, which is a feature that many recovery programs fail on. (See further down this page.)
The screen is in two basic sections. The top part gives the method of recovery, and the lower part gives details of each possible partition on a disk. For a very corrupted disk, or one with a corrupted boot sector, the recovery parameters may be entered by hand.
The recover options are as follows:
● Full Recover. This will read the disk in the same way the operating system does.
● Recover from directory stubs. In this mode, the program will scan the hard disk drive and find all existing directory stubs, i.e. clusters that contain directory information. These directories are then read, and files recovered. This will take care of situations when the root directory has been lost or totally erased.
● Recover from FAT. This mode will find possible file starts in the FAT and recover the chain. File names will not be known, but where possible file types will be determined.
● Full recover then from unused FAT. In this mode all known files will be recovered, and then any remaining FAT entries will be processed.
Various restore modes are used in conjunction with the above restore options:
● Overwrite existing files. This will overwrite any existing file on the drive that data is being restored to. Without this option, the file names are automatically incremented.
● Restore deleted files. This is a mode where the program will attempt to restore a deleted file.
● Ignore FAT. If the File Allocation Table is missing, or corrupted, it may be ignored. The program will assume that files are sequential, but on many disks, this will still produce an extremely high success rate. Such a disk in a native PC would be unreadable.
● Recover slack space. This option will save all slack space fragments in files in a directory called slack, within the output directory selected for this job. Each file will be named sectxxxx where xxxx is the number of the first sector in the cluster that contains a partial file. The file will contain just the bytes in the slack section. This option is normally only of interest for forensic investigation of disks.
Analyse disk parameters
Certain disks are unreadable because the start of the disk (or, commonly, the memory chip) has been overwritten or deleted. In order for the program to recover data, it is necessary to determine the parameters shown above, such as cluster size, directory start and cluster2 location. The FATs are very useful, but may also have been deleted, so their location is not as important. The disk analysis function will try to determine the values and will then display them. If a recovery does not work, it may be necessary to check each value, and a bit of trial and error may be needed. For a well-used disk, the analysis will very often produce accurate results; for a very empty disk, or a memory chip with only one or two subdirectories, the results may be less reliable. The analysis works for FAT12, FAT16 and FAT32, but with FAT32 the root directory is not in a fixed location and so may need manual adjustment.
Deleted file recovery works with FAT disks by finding the directory entries that have been marked as deleted. For FAT12 and FAT16, the directory stores the start of the file, and so if sequential, the file may be recovered. For FAT32, the pointer to the file is a 32-bit value, and when the file is deleted, the high 16 bits are zeroed, which makes recovery routines rather more complex. CnW has worked on analysis routines to overcome this problem for known file types, something that many other recovery programs fail to do.
Fragmented deleted files
When a FAT file is deleted, so are details of where it was stored. If the file was sequential, then recovery is possible. When a file was fragmented, basic recovery does not work, as the routines assume the file was sequential. The process that CnW uses is smart data carving followed by processing of fragments. Routines exist to process JPEG and several common video formats. This is not an exact science, so results are varied. However, the results can be impressive, and otherwise lost files can be recovered and read/displayed correctly.
The first element in recovering data from a hard disc is the hardware configuration. With data recovery it is important that the disk being recovered is not written to. For this reason, CnW software does not try and access the logical drive C. It also never writes to the physical drive without warning. There is also logic to prevent saving files on the disk being recovered.
Problems and solutions involved with deleted FAT32 recovery
When files are deleted in the FAT system, the directory entry is marked as deleted by placing 0xE5 as the first value of the file name. Undeleting, in the simplest terms, should then be to replace the first character with a letter rather than 0xE5. The problem is then to know where the file starts, how long it is, and whether it is fragmented.
The directory entry for a FAT disk contains the file length. This is 4 bytes long, and hence the file length limit of 4GB. When an entry is deleted, this value is left intact.
The file location is calculated from the cluster number in the directory. For FAT32, the cluster number is 4 bytes long (32 bits). The low 16 bits are stored in the same location as on FAT12 and FAT16 disks. This value is not changed when the file is deleted. The high 16 bits for FAT32 are also stored in the directory entry, but when the file is deleted, these bits are cleared. This means that for recovery only part of the file's cluster number is known, which is why it is often considered impossible to recover such files.
00000040 E5 4D 47 5F 32 33 33 32 - 4A 50 47 20 10 64 EB 90 åMG_2332JPG dë
00000050 59 3D 59 3D 00 00 73 5D - 71 30 FB 3B 47 79 0A 00 Y=Y= s]q0û;Gy
00000060 E5 4D 47 5F 32 33 33 33 - 4A 50 47 20 10 B1 EB 90 åMG_2333JPG ±ë
00000070 59 3D 59 3D 00 00 76 5D - 71 30 64 3D 2D 7D 09 00 Y=Y= v]q0d=-}
The values highlighted in blue above (FB 3B and 64 3D, at bytes 0x1A and 0x1B of each 32-byte entry) are the lower 16 bits of the cluster number, while those in red (00 00, at bytes 0x14 and 0x15) are the higher 16 bits of the cluster number. It can be seen that the higher bits are actually blanked to zero.
CnW Recovery software does solve this issue by doing a lot of intelligent examination. As the file name is known, it is often possible to determine the file type, e.g. a .csv or .pdf file. It is therefore possible to search the disk for a suitable starting location, with the correct file type based on file signature. This is never going to be 100% foolproof, but it can have a very high success rate. Many recovery programs just do not try, and so a large number of files cannot be recovered. This is a very significant advantage of CnW Recovery software. For certain files, such as JPGs, additional tests are made to try to eliminate false positives, i.e. the correct file type, but not the actual file.
In the sample of the log above, it can be seen that a FAT32 recovery has been made, and the start sector is 0x3a1fc8. Cluster 2 on this disk was at 0x4000, and the cluster size was 8. For image IMG2332.JPG, the directory points to cluster 0x3BFB. This would normally convert to sector 0x21FC8 ( (0x3BFB-2) * 8 + 0x4000 ). The chosen sector is actually 0x380000 sectors higher, or 0x70000 clusters higher. This indicates that the value required in bytes 0x14 and 0x15 will be 0x7.
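The signature search described above can be sketched as follows. This is an added example, not CnW's code: it parses the first deleted entry from the dump, tries every possible high word, and keeps those whose start sector begins with the expected signature. The volume size, the signature table and the sample sector contents are constructed assumptions; cluster 2 at 0x4000 and 8 sectors per cluster come from the page.

```python
import struct

# First deleted entry from the dump above (offsets 0x40-0x5F), copied from the page.
ENTRY = bytes.fromhex("E54D475F323333324A5047201064EB90"
                      "593D593D0000735D7130FB3B47790A00")
CLUSTER2_SECTOR = 0x4000      # sector of cluster 2 (value given on the page)
SECTORS_PER_CLUSTER = 8       # cluster size in sectors (value given on the page)
TOTAL_CLUSTERS = 0x100000     # assumed volume size for this example
SIGNATURES = {"JPG": b"\xFF\xD8\xFF"}   # assumed extension-to-signature table

# Constructed stand-in for the disk: sector number -> first bytes of that sector.
SAMPLE_SECTORS = {0x21FC8: b"%PDF-1.4", 0x3A1FC8: b"\xFF\xD8\xFF\xE1\x00\x10Exif"}

def read_sample_sector(sector):
    return SAMPLE_SECTORS.get(sector, bytes(512))

def parse_entry(raw):
    """Decode the fields of a 32-byte FAT directory entry needed for undelete."""
    (hi,) = struct.unpack_from("<H", raw, 0x14)      # zeroed on FAT32 delete
    lo, size = struct.unpack_from("<HI", raw, 0x1A)  # both survive deletion
    return {"deleted": raw[0] == 0xE5,
            "ext": raw[8:11].decode("ascii").rstrip(),
            "cluster_hi": hi, "cluster_lo": lo, "size": size}

def cluster_to_sector(cluster):
    return (cluster - 2) * SECTORS_PER_CLUSTER + CLUSTER2_SECTOR

def candidate_high_words(entry, read_sector, total_clusters=TOTAL_CLUSTERS):
    """Return every high word whose cluster starts with the expected signature."""
    sig = SIGNATURES.get(entry["ext"])
    if sig is None:
        return []                      # unknown type: nothing to match against
    max_cluster = total_clusters + 1   # clusters are numbered from 2
    hits = []
    for hi in range((max_cluster >> 16) + 1):
        cluster = (hi << 16) | entry["cluster_lo"]
        if 2 <= cluster <= max_cluster and \
                read_sector(cluster_to_sector(cluster)).startswith(sig):
            hits.append(hi)
    return hits

if __name__ == "__main__":
    e = parse_entry(ENTRY)
    for hi in candidate_high_words(e, read_sample_sector):
        start = cluster_to_sector((hi << 16) | e["cluster_lo"])
        print(f"high word {hi:#x} -> start sector {start:#x}, size {e['size']}")
```

More than one high word can match on a real disk, which is why the function returns a list and why further per-format tests are needed to reject false positives.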
The final recovery problem is that of the file allocation table. This table is used to say how a file is stored on the disk, starting with the first cluster pointed to by the directory. Unfortunately, the only viable first approach is to guess that the file is sequential, and often for short to medium sized files, this is the correct answer. For a long file on a full disk, success is very limited. For some file types, the data carving fragmented routine may well assist.
A very good way to use CnW Recovery to recover deleted files is to scan the whole disk for Directory stubs which will then track any old subdirectories that have become isolated from the main directory tree.
With all undelete problems, it is essential that nothing is done to the disk drive until all files have been recovered. Any writing to the drive can overwrite a file that is required for recovery.
Forensic analysis of FAT disks
CnW Recovery has many tools and reports to assist in FAT investigation. Most of the reports are part of the Forensic Report, which is included in the Forensic option of the package.
Before the program attempts to read a FAT disk, the FAT is analysed and the following discrepancies, largely related to cluster pointers, are detected. When the FAT is updated automatically, these changes are stored in the forensic report section of the log.
● Difference between FAT1 and FAT2. If either FAT element points to the next cluster, this will be assumed to be correct.
● Cluster points to self. This would cause the program to loop on a single cluster. The value will be overwritten with the next cluster location.
● A duplicate cluster value is found. For a valid FAT, there must only ever be a single entry for each cluster.
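The three FAT checks listed above can be expressed as a single pass over both FAT copies. This is an added example, not CnW's code: the function name, the finding labels, the sample tables and the two tie-break choices marked in the comments are assumptions.

```python
END_OF_CHAIN = 0x0FFFFFFF   # FAT32 end-of-chain marker
FIRST_SPECIAL = 0x0FFFFFF7  # bad-cluster and end-of-chain values start here

def check_fat(fat1, fat2):
    """Apply the three checks; return (repaired FAT, list of (cluster, finding))."""
    fat, findings, pointed_by = list(fat1), [], {}
    for c in range(2, len(fat1)):          # entries 0 and 1 are reserved
        a, b = fat1[c], fat2[c]
        if a != b:
            # The copy that points to the next cluster is taken as correct.
            # Assumption: if neither does, keep FAT1 and just report it.
            fat[c] = b if b == c + 1 else a
            findings.append((c, "FAT1/FAT2 differ"))
        if fat[c] == c:
            # A self-pointer would loop forever; replace with the next cluster
            # (assumption: end-of-chain if this is the last cluster).
            fat[c] = c + 1 if c + 1 < len(fat) else END_OF_CHAIN
            findings.append((c, "points to self"))
        nxt = fat[c]
        if 2 <= nxt < FIRST_SPECIAL:       # a real pointer, not free/bad/EOC
            if nxt in pointed_by:
                findings.append((c, f"duplicate of cluster {pointed_by[nxt]}"))
            else:
                pointed_by[nxt] = c
    return fat, findings

# Constructed sample: two FAT copies for a tiny 10-entry table.
E = END_OF_CHAIN
FAT1 = [0x0FFFFFF8, E, 3, 9, E, 5, 7, E, 7, 0]
FAT2 = [0x0FFFFFF8, E, 3, 4, E, 5, 7, E, 7, 0]

if __name__ == "__main__":
    repaired, findings = check_fat(FAT1, FAT2)
    for cluster, what in findings:
        print(f"cluster {cluster}: {what} -> now {repaired[cluster]:#x}")
```

The repaired table is returned as a copy and neither input is modified, in keeping with the rule that the disk under recovery is never written to.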
From the directory the following dates are extracted:
● Creation date and time
● Modified date and time
● Accessed date - the time is not part of a FAT directory entry
Download the demo now, and see files that have been deleted