All times are UTC - 5 hours [ DST ]




 Post subject: How to recover FAT table?
PostPosted: December 17th, 2015, 13:58 
Joined: October 27th, 2015, 8:37
Posts: 10
Location: United States of America
Hey again everyone. I was wondering if anyone knew of any tool which would automatically rebuild a FAT table which has been zeroed out?
Does anyone have any idea how to fill this out?

Attached is an example of what I am talking about


Attachments:
Capture.PNG
 Post subject: Re: How to recover FAT table?
PostPosted: December 19th, 2015, 20:10 
Joined: August 26th, 2012, 19:18
Posts: 293
Location: England
yes....

_________________
When you feel like eating, eat everything.
Hunger is no joke!


 Post subject: Re: How to recover FAT table?
PostPosted: December 19th, 2015, 20:42 
Joined: December 4th, 2012, 1:35
Posts: 3844
Location: Adelaide, Australia
Which FAT? FAT12, FAT16, FAT32, exFAT... Have you looked for the copy of the FAT?

This page may have some info that can help you understand it. http://www.cgsecurity.org/wiki/Advanced_FAT_Repair and http://www.pjrc.com/tech/8051/ide/fat32.html and https://www.pctechguide.com/hard-disks/file-systems-fat-fat8-fat16-fat32-and-ntfs-explained. There are others, just search.

Now... IMHO, if you are getting into forensics, then it should be assumed that you will need to know the common filesystems well. This question hints that you have not studied FAT filesystems enough. Get a hex editor and a FAT explanation guide or tutorial, a disk image and start dissecting.


 Post subject: Re: How to recover FAT table?
PostPosted: December 20th, 2015, 13:54 
Joined: August 26th, 2012, 19:18
Posts: 293
Location: England
hey HaQue, generous hand there dude, that's the kind of "show of effort" I would have expected from the OP.
You are indeed "the bomb diggity" :D

generic help guide-

help vampire: elicits least response

Help! How do I do this.... (I have done nothing for myself here and am begging for charity)
---

noob but willing to do some leg work: elicits some help and encouragement

I've been given this as a task. I have a XXGB drive / small sample from a XXGB drive.
So far I think, from looking around the web, that it's FATXX.
Despite finding some paid for programs I think may help, I need to find a free solution.
I found this guide on C Grenier's site and need a push in the right direction understanding this part ....
---

sh*t-hot candidate (I'm looking to help others / impress lecturers & prospective employers / anyone else remotely interested): best ROI / help / interest possible.

So, guys, I got this as an assignment/job/selfstart on boot sectors and FATs and am looking to pass the good news on.
The tutor/employer doesn't trust us to drive Encase/FTK yet so all we have access to is a basic hex editor.

Here's the job detail (how to get around the zeroed area), but I really think it's an initiative test to see if we can self start.
This is a [hypothetical instance] / [real drive] and [no other data has been provided] / [there are other incriminating artifacts on here].
I've found/begged/borrowed a few spare drives and some old MS install disks. I tried Win 95 / 2000 / XP / Vista / 7 and a Linux distro install for good measure.
Also bounced this around a few guys I pulled together at uni/college/work after hours in the workshop.

From the results (see screenshot), I'm thinking it's a XX installation where someone has tried to cover their tracks by ....< means>
It seems there may be a copy of the FAT someplace and I think I'm on the right track here with ...<blah> but really I just need a way to show I can reconstruct the first few blocks here that have been zeroed.
If anyone can help flesh this out, or correct some of my inevitable mistakes, so others as well as myself may benefit, I'd be grateful.
<blah / gratuities>
-----

Again, it's worth referencing ESR's guide as a start point for folks looking for help via fora or other social media.
Well worth the investment of time taken in reading it.

K

_________________
When you feel like eating, eat everything.
Hunger is no joke!


 Post subject: Re: How to recover FAT table?
PostPosted: December 21st, 2015, 17:15 
Joined: October 27th, 2015, 8:37
Posts: 10
Location: United States of America
It's FAT 16, for the record, guys


 Post subject: Re: How to recover FAT table?
PostPosted: December 21st, 2015, 18:04 
Joined: December 4th, 2012, 1:35
Posts: 3844
Location: Adelaide, Australia
Not sure what else you need.. maybe http://www.tavi.co.uk/phobos/fat.html
https://books.google.com.au/books?id=hI3dqOyboegC
http://offog.org/notes/archiving/fat-repair/


 Post subject: Re: How to recover FAT table?
PostPosted: December 21st, 2015, 18:34 
Joined: September 8th, 2009, 18:21
Posts: 15461
Location: Australia
Forensic Girl 21 wrote:
It's FAT 16, for the record, guys

That's obvious. Cluster 0x00C0 points to cluster 0x00C1, cluster 0x00C1 points to cluster 0x00C2, cluster 0x00C2 points to cluster 0x00C3, and so on until cluster 0x00DD, at which point an EOF marker is encountered.

You should compare FAT copy #1 against FAT copy #2. If they are identical, then one legitimate reason for the zeros is that the corresponding files have been deleted. The next step would be to search for deleted files.

When a file is deleted, the first character of its directory entry is replaced with 0xE5, and the file's clusters are zeroed in the FAT. The directory entry still retains the starting cluster number and the file size, so the file can be reconstructed, provided that it is not fragmented. If it is fragmented, then its FAT entries cannot be reliably reinstated.

_________________
A backup a day keeps DR away.
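
The recovery steps described in the post above (compare the two FAT copies, find directory entries marked 0xE5, re-link a contiguous run from the stored start cluster and size), as an added Python example that is not part of the original thread. The image is a constructed toy volume, all function names are hypothetical, and the cluster range 0x00C0 to 0x00DD is reused from the post only as sample values.

```python
import struct

def parse_bpb(img):
    # Standard FAT12/16 BIOS Parameter Block fields at fixed boot-sector offsets
    bps, spc, rsvd, nfats, nroot = struct.unpack_from("<HBHBH", img, 11)
    spf = struct.unpack_from("<H", img, 22)[0]          # sectors per FAT
    return dict(bps=bps, spc=spc, fat_off=rsvd * bps, fat_len=spf * bps,
                root_off=(rsvd + nfats * spf) * bps, nroot=nroot)

def fat_copies_match(img, g):
    # Assumes two FAT copies stored back to back, as on a standard volume
    o, n = g["fat_off"], g["fat_len"]
    return img[o:o + n] == img[o + n:o + 2 * n]

def deleted_entries(img, g):
    out = []
    for i in range(g["nroot"]):
        e = img[g["root_off"] + 32 * i: g["root_off"] + 32 * i + 32]
        if e[0] == 0x00:                                 # end of directory
            break
        if e[0] == 0xE5 and e[11] != 0x0F:               # deleted, not a long-name slot
            start, size = struct.unpack_from("<HI", e, 26)
            out.append(("?" + e[1:11].decode("ascii", "replace"), start, size))
    return out

def rebuild_chain(img, g, start, size):
    # Proposes {cluster: next} assuming the file was contiguous; returns None
    # when a needed cluster is out of range or already allocated in FAT copy #1.
    n = -(-size // (g["bps"] * g["spc"]))                # clusters needed (ceiling)
    chain = {}
    for c in range(start, start + n):
        in_range = 2 <= c < g["fat_len"] // 2
        if not in_range or struct.unpack_from("<H", img, g["fat_off"] + 2 * c)[0] != 0:
            return None
        chain[c] = c + 1 if c < start + n - 1 else 0xFFFF
    return chain

def make_sample():
    # Constructed 4-sector toy image: boot sector, FAT #1, FAT #2, root directory
    img = bytearray(2048)
    struct.pack_into("<HBHBH", img, 11, 512, 1, 1, 2, 16)
    struct.pack_into("<H", img, 22, 1)
    for fat in (512, 1024):                              # cluster 3 belongs to a live file
        struct.pack_into("<HHHH", img, fat, 0xFFF8, 0xFFFF, 0, 0xFFFF)
    files = [(b"\xE5EPORT  DOC", 0xC0, 15000), (b"\xE5OTES   TXT", 2, 1024)]
    for i, (name, start, size) in enumerate(files):
        off = 1536 + 32 * i
        img[off:off + 11] = name
        struct.pack_into("<HI", img, off + 26, start, size)
    return bytes(img)
```

The first deleted entry re-links cleanly as 0x00C0 through 0x00DD with an end-of-chain marker; the second returns `None` because one of its clusters has since been allocated, which is the case where the chain cannot be reliably reinstated.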


 Post subject: Re: How to recover FAT table?
PostPosted: December 21st, 2015, 19:47 
Joined: December 4th, 2012, 1:35
Posts: 3844
Location: Adelaide, Australia
The basic and obvious question has me wondering what the point of all these questions is. Seems to be no effort in researching any of it, but just specific pointed questions with 0 indication of any effort. I don't think I will be adding to this anymore.


 Post subject: Re: How to recover FAT table?
PostPosted: December 21st, 2015, 19:50 
Joined: September 8th, 2009, 18:21
Posts: 15461
Location: Australia
I originally ignored this thread because it looked like a homework assignment.

_________________
A backup a day keeps DR away.

