FAT Forensic

Forensic analysis of FAT disks

CnW Recovery has many tools are reports to assist in FAT investigation. Most of the reports are part of the Forensic Report which is included in the Forensic option of the package

FAT analysis

Before the program attempts to read a FAT disk, the fat is analysed and the following discrepancies are detected - largely related to cluster pointers. When the FAT is updated automatically, these changes are stored in the forensic report section of the log

Difference between FAT1 and FAT2. If either FAT elements points to the next cluster, this will be assume to be correct
Cluster points to self. This would cause the program to loop on a single cluster. The value will be overwritten with the next cluster location
A duplicate cluster value is found. For a valid FAT, there must only ever a single entry for each cluster.

From the directory the following dates are extracted

Creation date and time
Modifed date and time
Accessed date - the time is not part of a FAT directory entry

[CnW Recovery] [Downloads] [Purchase Now] [CnW Wizard] [User Manual] [Forensic DR] [Video recovery] [Forensic Tools] [NTFS Forensic] [FAT Forensic] [Unallocated] [Data carving] [Manual Carving] [Forensic CD] [DVD properties] [Overwritten] [Disk scan] [JPG Size] [Forensic Report] [Forensic Practice] [Forensic XML] [Keyword Search] [Search Disk] [File hashing] [MFT Parse] [Data Fragments] [E01 and Virtual] [What will it do?] [Product Details] [FAQ & Links] [Case Studies] [Technical Notes] [Updates] [Development] [Testimonials] [About us] [Site Map] [Contact Us]