Home

With a FAT32 disk that contains deleted files recovery is not always totally reliable. Never the less, CnW Recovery program does do much more analysis than many other software programs but below are described fundamental issues.

When a FAT disk file is deleted, two main things happen

• The file entry is marked as deleted, by setting the first character in the file name as a 0xE5
• The File Allocation Table is cleared

On Fat 32, the high order cluster pointer values are also cleared.

A FAT directory always uses a cluster number pointer to indicate where the file starts.  For FAT 12 and FAT 16 this a 12 or 16 bit number, stored in two bytes at offset 0x1a and 0x1b in the directory.  For FAT32, the pointer is 32 bits, with the extra two bytes (16 bits) stored at offset 0x14 and 0x15.  It is these final two bytes which are (for some reason) also cleared when the file is deleted.  Therefore with a FAT32 deleted file, only the lower 16 bits are available to determine where the file starts.

CnW Recovery software does not give up at this point, it will examine the file extension and for many common file type, it will therefore know how a file should start.  For instance, a Zip file always starts with the characters PK. By knowing this, possible file starts can be examined, based on the lower 16 bits of the cluster number and there is a good chance that the required file can be found.  However, without human intervention, this can not be 100% reliable, but it is quick, and automatic.

The second problem with any FAT recovery is that the file allocation table is also deleted.  The initial approach is to assume that the file is sequential, and often this is correct, and so valid files are recovered.  CnW are working on enhancements to this procedure which will increase the likely hood of only getting good files by only recovering files in clusters marked as unused. Some extra fragmented files will therefore be recovered intact.

Which recovery mode to use?

The FAT recovery screen has two useful recovery modes which may produce different results

• Full Recover
• Recover from directory stubs

For a disk that has just had some files deleted, the Full recover will work well.  Deleted files will be recovered and written to the output directory, prefixed by !deleted

For a disk that has been used a lot since files have been deleted, the Recover from directory stubs is more likely to detect and recover all files. This is slightly more exhaustive that the Full recover, as it does not rely on an intact directory structure.  Typically it will find files and subdirectories that can not be placed in a tree, and so files there will be many dirstub dummy directories created.  The log function will indicate which files had been deleted by the 'D' in the flag column.

When the disk is being scanned, the display will indicate the number of Deleted FAT32 files that will be recovered.  These are ones that the program has searched the hard disk for to locate the start of the file, of the correct type, in a known empty location.