In this course we're covering the FAT file system, and in this module we're going to look at FAT file recovery. We're going to talk about the steps to recover a file in the FAT file system.

The first step in recovering a file in the FAT file system is to change the first byte in the directory set from hexadecimal E5 to a different character. If we know the first letter of the file name, and the file has a long file name entry, you can get the first letter from that. If it only has a short file name entry, we will change that byte back to some other character; any keyboard character will work.

The next thing we need to do is change the values in the FAT table to indicate that the clusters are allocated. From the short file name entry we will be able to get the starting cluster and the file size, so we'll know which entry in the FAT table we need to change to indicate that it's allocated. We'll also know whether we need to put an end of file marker there or, if the file takes up more than one cluster, a pointer to the next cluster. So we will determine the cluster size from the volume boot record, and then we will calculate the number of clusters needed: we divide the file size by the cluster size and round up. That's how we're going to determine how many clusters we need, and once we've determined that we can re-chain our entries in the FAT table, and then we will have successfully recovered our file.

Now, some issues with FAT file recovery. If we have fragmented files it's going to be harder to recover them, because if they are not contiguous it's going to be very hard to tell where that file was in the FAT table. Another issue is if the directory entry was reused or overwritten and we don't have that short file name entry in the directory to find our starting cluster and file size; that will make it very difficult to recover the file.
And the other issue we come across is if the data has been overwritten out on the disk.

So let's start our walkthrough. We're actually going to recover some files from our MBR VHD, so we're going to need our MBR VHD, we're going to need Windows Explorer, and we're going to need Active Disk Editor.

OK, so let's begin our walkthrough. The first thing we need to do is attach our VHD. So we're going to bring up Disk Management, go to Actions, Attach VHD, navigate to where the VHD is saved on your drive, select it, and click Open. Once our VHD is attached, for this walkthrough we're going to be using the FAT32 100 megabyte volume; that should be the first volume on your disk. Note the disk number and the drive letter for that FAT32 100 megabyte volume.

I want you to open up the volume in Windows Explorer. We're going to create a folder on the volume, so New Folder, and we're going to call this new folder "root". I'm doing this because we're putting it in the root of the volume, in the root folder. We're also going to create a file. I'm going to use a text document and I'm just going to call this file "fileinroot", and now I'm going to open the file and write some data in it. Once you've put some data in there, save the file and close it. I'm also going to create another folder in this directory, so New Folder, and I'm just going to call this folder "folderinroot"; as we can see, these will have long file name entries. And in this folder I'm going to put another new text document. I'm just going to call it "docinchild", open it up, write some data in there, save it, and close it.

Now once we've done that, I'm going to go ahead and minimize File Explorer and open up Active Disk Editor. Once Active Disk Editor opens, we want to go ahead and select our volume.
Remember we want that 100 megabyte FAT32 volume, which should be the first volume on the virtual hard drive, the MBR VHD you just mounted. So I'm going to click Open Disk and then go to Volumes. Mine was drive letter A; yours might be different. Once you've located your FAT volume, go ahead and right click and choose Open in Disk Editor.

Once your volume opens we can see we are again in the volume boot record. So let's take a look here and find out how many sectors per cluster we have on this volume. Remember we have our bytes per sector right here at hex offset 0B, for a length of two bytes, so it's going to be 0B and 0C. Then at 0D we have sectors per cluster, and in this volume we have two sectors per cluster, so 1024 bytes per cluster.

Now I want to navigate to my root directory, so we can go ahead and click Navigate and navigate to the root directory. We're going to change our template to FAT Directory Entry. We can see we have a new entry in here called root; this is the folder we just created at the root of the volume, and I want to take a quick look at it. So we're going to go right to the beginning of the short file name entry for root, which should be right here, and right click, Set Template Position.

Now I want to show you something about a directory entry that's a little different from a regular file. We have the file name, which is going to be ROOT. Because it's a directory there is no extension, so the extension field is three spaces, represented by hexadecimal 20 20 20. And we have our attribute, which we can see is 10. If we go into our template and expand Attributes, we can see that this is a directory. Remember this is a packed byte; we could break it out into binary by hand and see which bit was turned on, but that's how we tell what the attribute is, and in this case it is a directory.
We still have the reserved byte, we still have our creation millisecond offset time, we still have creation date and time, and we still have last access date (no time). First cluster high word is empty in this case, so there is no high word, and then I have my modified date and time. And then I have my starting cluster low word right here, and we can see this is cluster 8.

Now, if we remember from our last module, there was a file in cluster 8 before we wrote this directory, so that file has been overwritten by this directory. And we can see the file size is 0; the file size will always be 0 for a directory, and I want you to know that.

Now we're going to go ahead and look at cluster 8, so Go To Sector, and we're going to navigate in hex again: 0x08, click OK, and we can see that the file that previously occupied this cluster has now been overwritten. But one thing I want you to know about a directory is that when you look at it, the first entry, at the very top, is going to be a dot, and the next entry will be a double dot. The first entry, this dot entry, is read the same way we would read an entry in the root directory, so we're going to set template position on it. This dot entry points to itself: if you look at the starting cluster it's going to say cluster 8, and we are in cluster 8. So this first entry points to itself; it's saying "this is me, in cluster 8". It will have times, it will have an attribute which indicates it's a directory, it'll still have the millisecond offset time for file creation, last access date, modified date and time, and starting cluster low word, and its file size will still be 0.

The entry below this, where we're going to set template position next, points to the parent of this directory.
In this case the parent is the root directory, so you're always going to see 0 0 right here in the first cluster when the parent is the root directory. Otherwise it will tell you the information about the parent: this is the parent's millisecond offset, creation date and time, last access date, and last modified date and time. If you see 0 0, you know you need to go to the root directory to find the parent of the directory we're in right now in cluster 8. The directory will also list the files that were created in it; we created a file and a folder, and they show up in our directory.

Now let's go back to the root directory, so Navigate, Root Directory. And we can see our deleted document. We're going to set template position on it. We see it's still telling us the first cluster is cluster 8; this would be one of those limitations of the FAT file system, because we know cluster 8 is now occupied by root. We just went and looked at it, and if we look at the FATs we would also see that cluster 8 is marked as allocated, being used. So this is what happens when a file gets overwritten in the FAT file system.

Let's create a new document in the root of the volume, so let's bring up File Explorer. We're going to go to the root of the volume and create a new file. I'm going to create a new text document and call it "deleteme". I'm going to open it up and put some data in it. It doesn't matter what you write; I just wrote "This is a doc I will delete". Go ahead and save the file and close it.

Now I'm going to minimize this and reload my drive in Active Disk Editor: right click on the volume, Open in Disk Editor. Again we open at the volume boot record, but we've already looked at this and we know we have two sectors per cluster.
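Here is an added Python example (my own, not the course's code) that decodes 32-byte FAT directory entries the way the template view does: the packed attribute byte, the first cluster from its high and low words, the size, the E5 deleted flag, and long file name pieces glued onto the short entry that follows them. The sample entries (the "root" folder at cluster 8, its "." and ".." entries, and a deleted deleteme.txt) are constructed inline with timestamps zeroed.

```python
import struct
ATTR_BITS = {0x01: "READ_ONLY", 0x02: "HIDDEN", 0x04: "SYSTEM",
             0x08: "VOLUME_ID", 0x10: "DIRECTORY", 0x20: "ARCHIVE"}
ATTR_LFN = 0x0F  # attribute 0F (the four low bits together) marks a long file name entry

def parse_dir_entry(raw: bytes) -> dict:
    # decode one 32-byte entry, short name or long name
    deleted = raw[0] == 0xE5  # E5 in the first byte marks the entry as deleted
    if raw[11] == ATTR_LFN:
        chars = raw[1:11] + raw[14:26] + raw[28:32]  # 13 UTF-16LE chars stored in three pieces
        text = chars.decode("utf-16-le").split("\x00")[0]
        return {"kind": "lfn", "deleted": deleted, "seq": raw[0] & 0x1F,
                "last": bool(raw[0] & 0x40), "text": text}  # 0x40 flag = last entry of the set
    (name, attr, _nt, _tenth, _ctime, _cdate, _adate,
     clus_hi, _mtime, _mdate, clus_lo, size) = struct.unpack("<11sBBBHHHHHHHI", raw)
    return {"kind": "sfn", "deleted": deleted, "size": size,
            "name": name[:8].decode("latin-1").rstrip(), "ext": name[8:].decode("latin-1").rstrip(),
            "attr": [n for bit, n in ATTR_BITS.items() if attr & bit],  # unpack the packed byte
            "first_cluster": (clus_hi << 16) | clus_lo}  # high word at 0x14, low word at 0x1A

def make_sfn(name11: bytes, attr: int, first_cluster: int, size: int) -> bytes:
    # constructed short entry; timestamps zeroed because they play no part here
    return struct.pack("<11sBBBHHHHHHHI", name11, attr, 0, 0, 0, 0, 0,
                       first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size)

def make_lfn(seq: int, text: str) -> bytes:
    # constructed long entry (one piece of up to 13 chars); checksum byte left 0 for the demo
    u = (text + "\x00").encode("utf-16-le").ljust(26, b"\xFF")
    return bytes([seq]) + u[:10] + bytes([ATTR_LFN, 0, 0]) + u[10:22] + b"\x00\x00" + u[22:]

def walk_directory(region: bytes) -> list:
    # 32-byte entries until a first byte of 00; LFN pieces (stored last piece first)
    # are glued onto the short entry that follows them
    out, pending = [], []
    for off in range(0, len(region), 32):
        if region[off] == 0x00:
            break
        e = parse_dir_entry(region[off:off + 32])
        if e["kind"] == "lfn":
            pending.append(e["text"])
            continue
        e["long_name"] = "".join(reversed(pending)) or None
        pending = []
        out.append(e)
    return out

# Constructed sample: the root directory and the "root" folder's own cluster 8 as in the walkthrough
ROOT_FOLDER = make_sfn(b"ROOT       ", 0x10, 8, 0)   # a directory always has size 0
DOT = make_sfn(b".          ", 0x10, 8, 0)           # "." points to itself, cluster 8
DOTDOT = make_sfn(b"..         ", 0x10, 0, 0)        # ".." of 0 means the parent is the root dir
DELETED_LFN = make_lfn(0xE5, "deleteme.txt")         # sequence byte overwritten with E5
DELETED_SFN = make_sfn(b"\xE5ELETEMETXT", 0x20, 12, 27)
ROOT_REGION = ROOT_FOLDER + DELETED_LFN + DELETED_SFN + bytes(32)  # 00 entry ends the listing
CHILD_REGION = DOT + DOTDOT + bytes(32)
```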
So I'm going to use Navigate and go to my root directory, change my template view to FAT Directory Entry, and we can see the file we just created, deleteme. So I'm going to set my template position on it, which is one entry down. I can see the starting cluster is cluster 12, so first cluster is cluster 12, and above it you can see we have the long file name entries: we have a 01 and a 42, so we have two long file name entries above my short file name alias for deleteme. Check our cluster high word just to make sure there is no cluster high word, so we know our starting cluster is going to be cluster 12, or hexadecimal 0C.

So I'm going to go again to Navigate, Go To Sector, and I'm going to type 0x to signify hex and then 0C, click OK, and we can see the data written out on the cluster; we're in cluster 12.

Now I want to take a look at the FAT table. So again I'm going to use Navigate and the menu entry for FAT 1. I'm going to go to File > Preferences to change my view so that I have four bytes per line: change Bytes per line to 4 and click OK. Now what I want to do is look at the entry for cluster 12. We talked about our first entry being the media descriptor; the next entry is the FAT file type indicator, and then the third entry represents cluster 2, so this is cluster 2. The next entry represents cluster 3, then cluster 4, cluster 5, cluster 6, cluster 7, cluster 8, cluster 9, cluster 10, cluster 11, and then the FAT table entry for cluster 12, right here, shows that it is occupied and that it has an end of file marker. So we know the file occupying cluster 12 only takes up one cluster, because there's no pointer to a next cluster. Now I'm going to go back to File > Preferences.
I'm going to change my view from four back to 16 bytes per line and click OK. So we've created a file, we've looked at the data, we've looked at the root directory, and we've looked at the FAT table. Now we're going to bring up File Explorer again and I'm going to delete deleteme: right click and Shift+Delete. It's going to ask me if I want to permanently delete it, and I'm going to say OK. Now, from the view of the file system, that file no longer exists.

So let's bring up Active Disk Editor again, close our volume, and reload it. Once our volume reloads, let's navigate to the root directory: use the Navigate button and go to the root directory of our volume, and make sure we change our template view to FAT Directory Entry. Now we're going to scroll down and find the short file name entry for the file we just deleted, which was deleteme.txt. We can see it down here at the very bottom, and if we look above it we can see our long file name entry, and we can see the file name deleteme.txt.

Now we need to change this hexadecimal E5 to the first letter of the file name. Because we have the long file name entry, we know the first letter of the file name. In the long file name entry the first byte has also been changed to E5, but that's the status byte; that's what tells us the sequence number of our long file name entry, and it also indicates when we've reached the last long file name entry for that file's directory entry.

So we need to go into edit mode: go up to the menu bar, click Edit and, down here, check Allow Edit Content. Just know that you would not do this on real evidence. You would do this on a copy of your image, your working copy, and you would work off of that; it would be a copy of a copy, never the original evidence and never your only copy of the original evidence.
Remember this is a short file name alias, so it has to be a capital letter: even though I named it with a lowercase d, it still has to be a capital letter here. So we're going to go to the ASCII pane and write a capital D. Capital D and lowercase d are not the same hexadecimal value; you would have to look that up in an ASCII chart to find out what a capital D is, but you're able to write it in the ASCII pane and it'll automatically write the correct hex value for it.

Now our long file name entry; let's take a look. We look at the attribute byte and it is a long file name entry, and we can see the long file name in the ASCII text off at the right. Just to make sure that's our last one, let's look again at offset 0B of the directory entry above it, and we don't see a hexadecimal 0F, so we know that is not a long file name entry. So we know we need to change our E5 to 4, indicating the last long file name entry in the directory set, and 1, because it's also the first one, so 41. We've changed our directory entries, which was the first step in recovering our file.

Now let's take a look at the short file name directory entry, so go ahead and set your template position. We want to know the starting cluster and the size of the file. The starting cluster is 12 and the size of the file is 27 bytes. We know from our volume boot record that our cluster size was two sectors, which would be 1024 bytes, so we know we're only going to need one cluster to hold this 27 byte file. And we know we need to go out to cluster 12 and show it as allocated with an end of file marker.

So now let's navigate to the FATs; let's navigate to FAT 1 and change our view to make this easier: File > Preferences, change this to four bytes per line, click OK, and now let's take a look at our FAT table. We have our media descriptor right here at the top, which is the first four byte entry.
The second four byte entry in the FAT table is the FAT type indicator, which shows FF FF FF, indicating FAT32. Our next entry in the FAT table shows the entry for cluster 2, because we start at cluster 2, and cluster 2 has an end of file marker. As we move down we get cluster 3, cluster 4, cluster 5, cluster 6, cluster 7, cluster 8, cluster 9, cluster 10, cluster 11, cluster 12. This is where we want to be, cluster 12, because it was 0C, and 0C in hex is 12, so we need to put an end of file marker in here. So we're going to simply type FF FF FF 0F.

Then we go over to Edit and get out of edit mode, so uncheck Allow Edit Content. We're also going to go to File > Preferences and go back to 16 bytes per line. The last thing we're going to do is Go To Sector, and we're going to go to cluster 12, so type 0x to indicate hex and then 0C, click Enter, and we can see our data is out on the drive. So now if I went to Browser and then File Preview, I'd be able to see my data here.

We have to close Active Disk Editor in order for it to save the changes. So we're going to close the drive first; when we close the drive it's going to ask us "you've modified this drive, do you want to save the changes", and we're going to say Yes. Now go ahead and close Active Disk Editor and bring up File Explorer again. When we refresh it, we see our deleteme.txt is in File Explorer, and when we double click on it we can see that it comes up: This is a doc I will delete.

So we have completely recovered deleteme.txt, and we followed the steps: we fixed the root directory entries, we changed the hexadecimal E5 back to the first letter of the file name, because we knew the first letter of the file name since it had a long file name entry and we were able to see the D in the long file name entry.
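The two recovery steps laid out at the start of the module and just carried out by hand in Active Disk Editor, as an added Python example (not the course's own code): restore the E5 byte of the short entry and the LFN sequence byte, then compute the cluster count and re-chain the FAT. It assumes 512-byte sectors, a name that fits in one LFN entry (hence 41), and a contiguous file; it also checks the LFN checksum against the short name and refuses to re-chain a cluster that is already allocated, since that data was likely overwritten. The sample entries and the small FAT are constructed inline.

```python
import math
import struct
EOC = 0x0FFFFFFF  # FAT32 end-of-chain marker, stored little-endian as FF FF FF 0F

def fat32_entry(fat: bytes, cluster: int) -> int:
    # 28-bit entry for a cluster; entries 0 and 1 are the media descriptor and type indicator
    return struct.unpack_from("<I", fat, cluster * 4)[0] & 0x0FFFFFFF

def sfn_checksum(name11: bytes) -> int:
    # checksum of the 11-byte 8.3 name that every LFN entry of the same file carries
    s = 0
    for b in name11[:11]:
        s = (((s & 1) << 7 | s >> 1) + b) & 0xFF
    return s

def undelete_directory_set(sfn: bytes, lfn: bytes, first_char: str) -> tuple:
    # step 1: put the first byte of the short entry back and fix the LFN sequence byte
    sfn, lfn = bytearray(sfn), bytearray(lfn)
    sfn[0] = ord(first_char.upper())  # the 8.3 alias is always upper case
    if lfn[13] != sfn_checksum(sfn):  # the LFN entry must really belong to this short entry
        raise ValueError("LFN checksum does not match the short name entry")
    lfn[0] = 0x41  # 0x40 = last entry of the set, | 1 = sequence number one
    return bytes(sfn), bytes(lfn)

def clusters_needed(size: int, bytes_per_sector: int, sectors_per_cluster: int) -> int:
    return math.ceil(size / (bytes_per_sector * sectors_per_cluster))  # round up

def rechain(fat: bytes, first_cluster: int, count: int) -> bytes:
    # step 2: mark count contiguous clusters allocated (assumes the file was not fragmented)
    fat = bytearray(fat)
    chain = list(range(first_cluster, first_cluster + count))
    for c in chain:
        if fat32_entry(fat, c) != 0:
            raise ValueError(f"cluster {c} is allocated: the data was probably overwritten")
    for i, c in enumerate(chain):
        nxt = chain[i + 1] if i + 1 < count else EOC  # pointer to next cluster, or EOC on the last
        high = struct.unpack_from("<I", fat, c * 4)[0] & 0xF0000000  # keep the reserved top nibble
        struct.pack_into("<I", fat, c * 4, high | nxt)
    return bytes(fat)

# Constructed sample: deleteme.txt as in the walkthrough, 27 bytes at cluster 12, 512-byte
# sectors and 2 sectors per cluster; timestamps zeroed
SFN = b"\xE5ELETEMETXT" + b"\x20" + bytes(14) + struct.pack("<HI", 12, 27)
def lfn_entry(seq: int, text: str, checksum: int) -> bytes:
    u = (text + "\x00").encode("utf-16-le").ljust(26, b"\xFF")
    return bytes([seq]) + u[:10] + bytes([0x0F, 0, checksum]) + u[10:22] + b"\x00\x00" + u[22:]
LFN = lfn_entry(0xE5, "deleteme.txt", sfn_checksum(b"DELETEMETXT"))  # deleted: sequence byte is E5
FAT = bytearray(16 * 4)  # 16 entries: media descriptor, type indicator, then clusters 2..15
for cluster, value in {0: 0x0FFFFFF8, 1: 0x0FFFFFFF, 2: EOC, 8: EOC}.items():
    struct.pack_into("<I", FAT, cluster * 4, value)  # root directory in 2, "root" folder in 8

def recover_deleteme() -> tuple:
    sfn, lfn = undelete_directory_set(SFN, LFN, "d")
    first = (struct.unpack_from("<H", sfn, 20)[0] << 16) | struct.unpack_from("<H", sfn, 26)[0]
    size = struct.unpack_from("<I", sfn, 28)[0]
    return sfn, lfn, rechain(bytes(FAT), first, clusters_needed(size, 512, 2))
```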
And then we were able to restore the short file name entry, because we changed the E5 to a D. In the long file name entry we changed the status byte to a 4, indicating it was the last one in the sequence, and a 1, because it was also the first long file name entry. And we verified that that long file name entry belonged to that file.

That takes us to the end of our FAT file course. In our next course we're going to be talking about the NTFS file system.