Forensic analysis of FAT disks
CnW Recovery has many tools and reports to assist in FAT investigation. Most of the reports are part of the Forensic Report, which is included in the Forensic option of the package.
FAT analysis
Before the program attempts to read a FAT disk, the FAT is analysed and the following discrepancies, largely related to cluster pointers, are detected. When the FAT is updated automatically, these changes are stored in the forensic report section of the log.
- Difference between FAT1 and FAT2. If either FAT element points to the next cluster, this will be assumed to be correct.
- Cluster points to self. This would cause the program to loop on a single cluster. The value will be overwritten with the next cluster location.
- A duplicate cluster value is found. For a valid FAT, there must only ever be a single entry for each cluster.
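The three checks listed above, sketched as an added example that is not CnW Recovery's own code. It assumes FAT16 (16-bit little-endian entries), reports findings without rewriting the FAT, and uses hypothetical function names and constructed sample tables.

```python
import struct
from collections import defaultdict

FAT16_BAD = 0xFFF7  # bad-cluster marker; 0xFFF8-0xFFFF mark end of chain

def parse_fat16(raw: bytes) -> list[int]:
    """Decode a FAT16 table: one little-endian 16-bit entry per cluster."""
    count = len(raw) // 2
    return list(struct.unpack(f"<{count}H", raw[:count * 2]))

def analyse_fat(fat1_raw: bytes, fat2_raw: bytes) -> list[tuple]:
    """Return (kind, cluster, detail) findings for the three checks above."""
    fat1, fat2 = parse_fat16(fat1_raw), parse_fat16(fat2_raw)
    findings = []
    referenced_by = defaultdict(list)  # next-cluster value -> clusters holding it
    # Entries 0 and 1 are reserved, so data clusters start at 2.
    for cluster in range(2, min(len(fat1), len(fat2))):
        a, b = fat1[cluster], fat2[cluster]
        if a != b:
            # Prefer whichever copy points to the next sequential cluster;
            # None means neither does and the entry needs manual review.
            nxt = cluster + 1
            chosen = a if a == nxt else b if b == nxt else None
            findings.append(("fat_mismatch", cluster, (a, b, chosen)))
        # Remaining checks use the FAT1 value (an assumption of this example).
        if a == cluster:
            # A self-pointer loops on one cluster; suggested repair is cluster + 1.
            findings.append(("self_pointer", cluster, cluster + 1))
        elif 2 <= a < FAT16_BAD:
            referenced_by[a].append(cluster)
    # A cluster named as "next" by more than one entry is a duplicate value.
    for target, sources in sorted(referenced_by.items()):
        if len(sources) > 1:
            findings.append(("duplicate_pointer", target, tuple(sources)))
    return findings

def build_fat(entries: list[int]) -> bytes:
    """Pack a list of entries into raw FAT16 bytes (helper for the sample)."""
    return struct.pack(f"<{len(entries)}H", *entries)

# Constructed sample: cluster 3 differs between copies, cluster 5 points to
# itself, and clusters 3 and 7 both point to cluster 4.
SAMPLE_FAT1 = build_fat([0xFFF8, 0xFFFF, 3, 4, 0xFFFF, 5, 7, 4, 0, 0])
SAMPLE_FAT2 = build_fat([0xFFF8, 0xFFFF, 3, 0, 0xFFFF, 5, 7, 4, 0, 0])

if __name__ == "__main__":
    for finding in analyse_fat(SAMPLE_FAT1, SAMPLE_FAT2):
        print(finding)
```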
From the directory, the following dates are extracted:
- Creation date and time
- Modified date and time
- Accessed date - the time is not part of a FAT directory entry