How to recover FAT table?

December 17th, 2015, 13:58

Hey again everyone. I was wondering if anyone knew of any tool which would automatically rebuild a FAT table which has been zeroed out?
Does anyone have any idea how to fill this out?

Attached is an example of what I am talking about.

December 19th, 2015, 20:10


December 19th, 2015, 20:42

Which FAT? FAT12, FAT16, FAT32, exFAT... Have you looked for the copy of the FAT?

These pages may have some info that can help you understand it: http://www.cgsecurity.org/wiki/Advanced_FAT_Repair and http://www.pjrc.com/tech/8051/ide/fat32.html and https://www.pctechguide.com/hard-disks/file-systems-fat-fat8-fat16-fat32-and-ntfs-explained. There are others, just search.

Now... IMHO, if you are getting into forensics, then it should be assumed that you will need to know the common filesystems well. This question hints that you have not studied FAT filesystems enough. Get a hex editor and a FAT explanation guide or tutorial, a disk image, and start dissecting.

December 20th, 2015, 13:54

hey HaQue, generous hand there dude, that's the kind of "show of effort" I would have expected from the OP.
You are indeed "the bomb diggity" :D

December 21st, 2015, 17:15

It's FAT 16 for the record, guys.

December 21st, 2015, 18:04

Not sure what else you need... maybe http://www.tavi.co.uk/phobos/fat.html

December 21st, 2015, 18:34

Forensic Girl 21 wrote: It's FAT 16 for the record, guys.

That's obvious. Cluster 0x00C0 points to cluster 0x00C1, cluster 0x00C1 points to cluster 0x00C2, cluster 0x00C2 points to cluster 0x00C3, and so on until cluster 0x00DD, at which point an EOF marker is encountered.

You should compare FAT copy #1 against FAT copy #2. If they are identical, then one legitimate reason for the zeros is that the corresponding files have been deleted. The next step would be to search for deleted files.

When a file is deleted, the first character of its directory entry is replaced with 0xE5, and the file's clusters are zeroed in the FAT. The directory entry still retains the starting cluster number and the file size, so the file can be reconstructed, provided that it is not fragmented. If it is fragmented, then its FAT entries cannot be reliably reinstated.
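
The reconstruction described in the post above, as an added example that is not from any poster in this thread: it reads the starting cluster and file size from a deleted FAT16 directory entry and reinstates a contiguous chain in a zeroed FAT, refusing when a cluster in the range is already allocated. The sample directory entry, the 2048-byte cluster size and all function names are constructed assumptions.

```python
import struct

FAT16_EOC = 0xFFFF   # end-of-chain marker (0xFFF8-0xFFFF all mean EOF)
DELETED = 0xE5       # first name byte of a deleted directory entry

def fat_get(fat, cluster):
    """Read the 16-bit little-endian FAT entry for a cluster."""
    return struct.unpack_from("<H", fat, cluster * 2)[0]

def parse_deleted_entry(entry):
    """Return (start_cluster, file_size) from a deleted 32-byte directory entry."""
    if len(entry) != 32 or entry[0] != DELETED:
        raise ValueError("not a deleted 32-byte directory entry")
    # Offset 26: first cluster (2 bytes); offset 28: file size (4 bytes).
    return struct.unpack_from("<HI", entry, 26)

def rebuild_chain(fat, start, size, cluster_bytes):
    """Reinstate a contiguous chain in `fat` (a bytearray); return its clusters."""
    count = -(-size // cluster_bytes)          # ceiling division
    if count == 0 or start < 2:
        raise ValueError("entry has no data clusters")
    clusters = list(range(start, start + count))
    if (clusters[-1] + 1) * 2 > len(fat):
        raise ValueError("chain runs past the end of the FAT")
    # A non-zero entry means the cluster was reallocated or the file was
    # fragmented around it, so the contiguity assumption no longer holds.
    for c in clusters:
        if fat_get(fat, c) != 0:
            raise ValueError(f"cluster {c:#06x} is already allocated")
    for c in clusters[:-1]:
        struct.pack_into("<H", fat, c * 2, c + 1)
    struct.pack_into("<H", fat, clusters[-1] * 2, FAT16_EOC)
    return clusters

# Constructed sample: deleted entry starting at cluster 0x00C0, 61340 bytes long.
ENTRY = bytearray(32)
ENTRY[0:11] = b"\xE5EPORT  DOC"
struct.pack_into("<HI", ENTRY, 26, 0x00C0, 61340)
CLUSTER_BYTES = 2048   # assumed; on a real volume, read it from the boot sector

def demo():
    fat = bytearray(2 * 0x200)                       # zeroed FAT, 512 entries
    struct.pack_into("<HH", fat, 0, 0xFFF8, 0xFFFF)  # reserved entries 0 and 1
    start, size = parse_deleted_entry(bytes(ENTRY))
    return fat, rebuild_chain(fat, start, size, CLUSTER_BYTES)

if __name__ == "__main__":
    fat, chain = demo()
    print(f"{len(chain)} clusters: {chain[0]:#06x} .. {chain[-1]:#06x}")
```

Apply this to a working copy of the image and write the result to both FAT copies only after checking the recovered file's content.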

December 21st, 2015, 19:47

The basic and obvious question has me wondering what the point of all these questions is. Seems to be no effort in researching any of it, but just specific pointed questions with 0 indication of any effort. I don't think I will be adding to this anymore.

December 21st, 2015, 19:50

I originally ignored this thread because it looked like a homework assignment.
