FAT32 Recovery Software

Problems and solutions involved with deleted FAT32 recovery

When files are deleted in the FAT system, the directory entry is marked as deleted, by placing a 0xE5 as the first value of the file name.  Undeleting in the simplest term should the be to replace the first character with a letter, and not 0xE5..  The problem is then to know where the file starts, how long it is, and if it is fragmented.

The directory entry for a FAT disk contains the file length.  This is 4 bytes long, and hence the file length limit of 4GB.  When an entry is deleted, this value is left intact.

The file location is calculated from the cluster number in the directory.  For FAT32, the cluster number is 4 bytes long (32 bits).  The first 16 bits are stored in the same location as on FAT12 and FAT16 disks.  This value is not changed when the file is deleted.  However, the high 16 bits for FAT32 are also stored in the directory entry, but when the file is deleted, these entries are also cleared.  This means that for recovery, only part of the file location cluster number is known which means it is often considered impossible to recover such files.

    00000040   E5 4D 47 5F 32 33 33 32 - 4A 50 47 20 10 64 EB 90    MG_2332JPG d

    00000050   59 3D 59 3D 00 00 73 5D - 71 30 FB 3B 47 79 0A 00    Y=Y=  s]q0;Gy 

    00000060   E5 4D 47 5F 32 33 33 33 - 4A 50 47 20 10 B1 EB 90    MG_2333JPG

    00000070   59 3D 59 3D 00 00 76 5D - 71 30 64 3D 2D 7D 09 00    Y=Y=  v]q0d=-} 

The values above highlighted in blue are the lower 16 bits of the cluster, while those in red are the higher 16 bits of the cluster number.  It can be seen that the higher bits are actually blanked to zero

CnW Recovery software does solve this issue by doing a lot of intelligent examination. As the file name is known, it is often possible to determine the file type, eg a .csv or .pdf file.  It is therefore possible to search the disk for a suitable starting location, with the correct file type based on file signature.  This never going to be 100% fool proof, but it can have a very high success rate. Many recovery programs just do not try, and so a large number of files can not be recovered. This is a very significant advantage of CnW Recovery software.  For certain files, such as JPGs, additional tests are made to try and eliminate false positives, ie the correct file type, but not the actual file.

fat32_LOG1

In the sample above of the log, it can be seen that a FAT32 recovery has been made, and the start sector is 0x3a1fc8.  Cluster 2 on this disk was 0x4000, and cluster size was 8.  For image IMG2332.JPG, the directory points to cluster 0x3BFB.  This would normally convert to sector 0x21FC8  (  (0x3BFB-2) * 8 + 0x4000 ).  The chosen sector is actually 0x380000 sectors higher, or 0x70000 clusters higher.  This indicates that the value required in bytes 0x14 and 0x15 will be 0x7.

The final recovery problem is that of the file allocation table.  This table is used to say how a file is stored on the disk, starting with the first cluster pointed to by the directory. Unfortunately, the only viable first approach is to guess that the file is sequential, and often for short to medium sized files, this is the correct answer. For a long file on a full disk, success is very limited. For some file types, the data carving fragmented routine may well assist.

A very good way to use CnW Recovery to recover deleted files is to scan the whole disk for Directory stubs which will then track any old subdirectories that have become isolated from the main directory tree.

With all undelete problems, it is essential that nothing is done to the disk drive until all files have been recovered. Any writing to the drive can overwrite a file that is required for recovery.

Download the demo now, and see files that have been deleted

 

[CnW Recovery] [Downloads] [Purchase Now] [CnW Wizard] [User Manual] [Main menu] [Partitions] [Logs] [Hard drive recovery] [NTFS data recovery] [FAT data recovery] [Data carving] [exFAT] [CD ROM data recovery] [Photo Recovery] [Damaged disks] [Fragm'ted Files] [File Filter] [Deduplication] [File validation] [Deleted file recovery] [Macintosh] [Unix Recovery] [MTF .BKF] [CD and DVD output] [RAID disks] [Data repair] [Forensic DR] [Video recovery] [Forensic Tools] [What will it do?] [Product Details] [FAQ & Links] [Case Studies] [Technical Notes] [Updates] [Development] [Testimonials] [About us] [Site Map] [Contact Us]