We're looking at the FAT file system in course eight, and in this module, module five, we're going to look at FAT file creation and deletion: what happens when we create a file, and what happens when we don't need it.

The creation process: what happens when a file is created on our FAT file system? Well, a directory entry is written in the parent directory. We looked at our directory entries, our short file name and our long file name directory entries, in our last module, so that directory entry gets written. The data is written to the first available clusters, so the data is going to get written out on the drive, and entries are made in the FAT, the file allocation table, to show the chain of clusters used by the file. And if it only uses one cluster, we'll have that end-of-file marker like we saw in our previous module.

What happens when we delete a file on the file system? Well, the first character of the directory entry set is changed to a hexadecimal E5. This indicates to the file system that the file is deleted, so it just skips it. The clusters in the FAT are zeroed out. What this means is that those FAT table entries that we saw in our previous module would be all zeroed out. So we would not be able to look at the FAT and see that the cluster was occupied; from the FAT's point of view it would be all zeros, and that cluster would be available to be written to.

The data that's out on the drive remains unchanged. Nothing happens to the data until another file overwrites it: another file gets assigned, or allocated, to those clusters and overwrites the data. But until that time the data stays out on the drive; it remains unchanged.

We're going to actually write some data to our VHDs and take a look at it with Active Disk Editor and see for ourselves what happens. And then we're going to delete it and look at the changes that are made. What we're going to need for this walkthrough is Active Disk Editor.
We're going to need our MBR VHD, and we're going to need Windows Explorer, because we're going to be actually writing some data to these VHDs and then deleting it.

So let's start our walkthrough. The first thing we need to do is attach our VHD. So let's open up Disk Management, go to Actions, Attach VHD, navigate out to where you have your MBR VHD saved, select it and click Open. Once it opens, it should look like mine. Note the drive number; the volume we're going to be using for this walkthrough is the very first volume on the drive, and it should be FAT32. Mine is disk a; yours may be a different disk, but it's the very first FAT32 100 megabyte volume on the drive.

So let's open up Active Disk Editor and take a look at this. We're going to locate our drive, right click, and we're going to open in disk editor. Once we've done that, what we're going to do is navigate to our root directory. We can see in our root directory the only thing we have in here is a volume label, a system volume file and a recycle bin entry. So I don't see any user-created files on this volume, except that the volume label was created by the user.

So now we're going to go ahead and minimize Active Disk Editor and Disk Management, and we're going to bring up File Explorer and go to where you have that FAT32 volume mounted, and we're going to create a file. So go ahead and right click, select New. I am going to do a text document; those are easier to read in hex. And now I'm going to go ahead and call this new text doc. Now that I've created it, I'm going to put some data in it. You can write anything you want. I am just going to write "this is a new doc I just created". Once you put a little bit of data in there, it really doesn't matter for our purposes. Go ahead and save that file, and I'm going to close it. You can go ahead and minimize File Explorer, and we will go back and take a look at Active Disk Editor.
Go ahead and close the drive and reopen the drive: you would right click, open in disk editor, and the drive will open back up again. Now let's navigate to the root directory and see what changes there are.

Now in my root directory I see a new entry, new text. Make sure we change our templates to root directory, FAT directory entry. Highlight the beginning of your directory entry, and that will be the DOS alias with the tilde in it; it should say new text or whatever you named it. Go ahead and right click and say Set Template Position. We can see our directory entry here. Well, it did write the directory entry, and we do have two long file name entries above it. So if we go to the second long file name entry and say Set Template Position, it'll show you all three entries. So we have a long file name entry, we know that by the 0F, a long file name entry, and then we have our DOS alias, which is our short file name entry, which is where we're going to get all the information about the file. We would have our name, our extension, creation date and time, last access date, modified date and time. We have no high word, but we do have a low word that says our file starts in cluster 8, and this will be our file size. Mine is 32 bytes long, so not a big file.

So let's go ahead and look at our FAT table. Let's look at FAT 1, and let's go ahead and change our view because it makes it so much easier. File, Preferences: we'll change our view to four bytes. We just have to change it back when we're done, though. OK, bytes per line changes to four, and select OK. And now we can take a look at our FAT table. We have our media descriptor, and we have our FAT version indicator, which shows us this is FAT32. This would represent cluster two, cluster three, cluster four, cluster five, cluster six, cluster seven and cluster eight. So going back to our root directory, we're going to go to File, Preferences again, and we're going to change our view back to 16 bytes per line and click OK.
We'll navigate back to the directory, and we'll go ahead and look at our entry for the file we created, new text. We'll go ahead and set the template position. We can see our file is in cluster eight, and when we looked at the FATs we saw that cluster eight was occupied by a file.

So now let's see if the data was written to the drive. We've checked the FATs, we've checked the root directory, and we can see that those two things did happen. An entry was made in the FAT table to show that that cluster was occupied, and we have a directory entry set written in the root directory. So we're going to go to Go to Sector, and we're going to go to sector 0x, we're going to use hex here, 08. We're going to say OK, and we go out. And this is why I used the TXT instead of a DOC, because a Word document is not as easy to read in hex as the text documents are. They have other components to them, which we'll talk about later on in this course, like headers and padding. But we can see our text document here, and we see "this is a new text document I just created", "a new text doc I just created"; that is what I wrote, so that's all good.

Now let's go back out to File Explorer and bring up our drive again. Now let's go ahead, click on this file, and let's delete it and see what happens. So go ahead and Shift+Delete, so it doesn't go to the recycle bin. Once we've done that, we can see it's gone in File Explorer; the file system is no longer seeing the file. So minimize this, and let's go ahead and close this. We do have to reload our drive in Active Disk Editor. So close the drive, find your drive again in the tree, right click on it, open in disk editor. And let's go back to our root directory.

Now what we see in our directory is the hex E5. Make sure we change our templates to FAT directory entry. You see the hex E5, and that replaces the first letter in our file name, in our short file name entry.
But I do have long file name entries, so let's look at the whole directory set. So find the last long file name directory entry. How we would do this on a deleted file is you'd find the DOS alias and work your way up: 0F, 0F. When I go to the next one I see a 16, so I know this is not another long file name entry associated with this DOS alias file name. So this is where I want to be, on the E5; right click, Set Template Position.

Now I can see, even though I lost the first letter right here in my short file name, the long file name entries don't start with the first letter of the file. The long file name entries start with that status byte; remember, that told us the sequence, and it indicated when we were at the last directory entry for that file. So I can get the first letter of that file name even though it's been overwritten with a hex E5. Because if I go to my first long file name entry and I go to the first byte, the second byte in, I can see it's an N in this case, and I can see it over here in the ASCII. So if I change that hex E5 to a 4E, I would be able to start my file recovery, which we're going to cover in the next section. But that's how you do it. And then you'd also change that to a 01 and this to a 42, and you've recovered your directory set. But we will get to do that in the next module. So I could see that, yes, in the directory entry set, all the entries for my file, the long file name and short file name entries, have been changed to a hex E5 at the first byte of the file entry.

So let's take a look at the FATs. Let's go to FAT 1, and we're going to change our view again. File, Preferences: let's look at four bytes per line, because a FAT32 FAT table entry is four bytes. So now I see my media descriptor and my FAT type indicator, which indicates FAT32. This is cluster two, because we start cluster numbering out on the drive with cluster two. Cluster two has an end-of-file marker in it.
My next entry represents cluster three and has an end of file. My next entry, cluster four. My next FAT table entry represents cluster five. My next one will represent cluster six, and my next entry represents cluster seven. And when we look at the entry for cluster eight, we can see now that it's all zeros. Before, it had an end-of-file marker when we looked at it, but after we deleted the file, we can see that we have all zeros in that FAT table entry representing cluster eight.

So let's go ahead and change our view back: File, Preferences, bytes per line. We're going to put in 16, and I'm going to say OK. Let's go back to our root directory, and let's go back to our DOS alias, our short file name entry for the file we just deleted. Let's set our template position, and we can see the first cluster should be cluster 08. So we're going to go to Go to Sector, and we're going to navigate in hex again: 0x08. We're going to say OK, and the data hasn't changed. It's exactly the same as before I deleted it. It's still out there, so it's very possible to recover this file. Now, if we write another file to the drive, it's possible that file will overwrite this one. So just keep in mind that the data stays until it's overwritten, but once it's overwritten it's gone.

This ends our walkthrough for file creation and deletion. In our next module, we're going to talk about recovering files, so we're going to change some of that information we saw in the root directory and in the FAT tables, and we're going to go ahead and recover the file.
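
The creation and deletion changes described in this walkthrough, as an added Python example that is not part of the original lecture: it models one directory entry set, the FAT and the data cluster in memory, applies the two deletion changes, and reads the lost first letter back from the long file name entry. The file name, alias, text and cluster number in `demo()` are constructed sample values, and all function names are hypothetical.

```python
import struct
from functools import reduce

EOC = 0x0FFFFFFF                      # FAT32 end-of-file marker in the FAT

def lfn_checksum(alias):
    """Checksum of the 11-byte alias, stored in each LFN entry of the set."""
    return reduce(lambda s, c: (((s & 1) << 7) + (s >> 1) + c) & 0xFF, alias, 0)

def lfn_entry(seq, chars, checksum):
    """32-byte long file name entry: up to 13 UTF-16LE characters."""
    raw = chars.encode("utf-16-le")
    if len(chars) < 13:               # 0x0000 terminator, then 0xFFFF padding
        raw += b"\x00\x00" + b"\xff\xff" * (12 - len(chars))
    return (bytes([seq]) + raw[:10] + bytes([0x0F, 0, checksum])
            + raw[10:22] + b"\x00\x00" + raw[22:26])

def sfn_entry(alias, cluster, size):
    """32-byte short file name (DOS alias) entry; timestamps left at zero."""
    e = bytearray(32)
    e[0:11], e[11] = alias, 0x20      # 8.3 name, archive attribute
    # from offset 20: cluster high word, time, date, cluster low word, size
    struct.pack_into("<HHHHI", e, 20, cluster >> 16, 0, 0, cluster & 0xFFFF, size)
    return bytes(e)

def create_file(long_name, alias, text, cluster=8):
    """Directory entry set, FAT and data cluster as file creation leaves them."""
    parts = [long_name[i:i + 13] for i in range(0, len(long_name), 13)]
    lfns = [lfn_entry(n | (0x40 if n == len(parts) else 0), p, lfn_checksum(alias))
            for n, p in enumerate(parts, 1)]
    entry_set = bytearray(b"".join(reversed(lfns)) + sfn_entry(alias, cluster, len(text)))
    fat = [EOC if n == cluster else 0 for n in range(16)]
    return entry_set, fat, {cluster: text}

def delete_file(entry_set, fat):
    """Deletion: 0xE5 into byte 0 of every entry in the set, FAT chain zeroed."""
    hi, _, _, lo = struct.unpack_from("<HHHH", entry_set, len(entry_set) - 12)
    cluster = hi << 16 | lo
    entry_set[0::32] = b"\xe5" * (len(entry_set) // 32)   # one byte per entry
    while 2 <= cluster < len(fat):    # stops at the end-of-file marker
        nxt, fat[cluster] = fat[cluster], 0
        cluster = nxt

def first_letter(entry_set):
    """Sequence-1 LFN entry sits just above the alias; character 1 is at bytes 1-2."""
    return entry_set[-64:-32][1:3].decode("utf-16-le")

def demo():  # constructed sample: create, delete, then read back what survives
    d, fat, data = create_file("New Text Doc.txt", b"NEWTEX~1TXT", b"this is a new doc I just created")
    delete_file(d, fat)
    return d[64], fat[8], first_letter(d), data[8]
```

The dictionary standing in for the data area is never touched by `delete_file`, which is the point of the walkthrough: only the directory entries and the FAT change.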