How to recover FAT table?
December 17th, 2015, 13:58
Hey again everyone. I was wondering if anyone knew of any tool which would automatically rebuild a FAT table which has been zeroed out?
Does anyone have any idea how to fill this out?
Attached is an example of what I am talking about
Does anyone have any idea how to fill this out?
Attached is an example of what I am talking about
- Attachments
-
Re: How to recover FAT table?
December 19th, 2015, 20:10
yes....
Re: How to recover FAT table?
December 19th, 2015, 20:42
Which FAT? FAT12, FAT16, FAT32, exFAT.. have you looked for the copy of FAT?
This page may have some info that can help you understand it. http://www.cgsecurity.org/wiki/Advanced_FAT_Repair and http://www.pjrc.com/tech/8051/ide/fat32.html and https://www.pctechguide.com/hard-disks/file-systems-fat-fat8-fat16-fat32-and-ntfs-explained. There are others, just search.
Now.. IMHO, if you are getting into forensics, then it should be assumed that you will need to know the common filesytstems well. This question hints that you have not studied FAT filesystems enough. get a hex editor and a fat explanation guide or tutorial, a disk image and start dissecting.
This page may have some info that can help you understand it. http://www.cgsecurity.org/wiki/Advanced_FAT_Repair and http://www.pjrc.com/tech/8051/ide/fat32.html and https://www.pctechguide.com/hard-disks/file-systems-fat-fat8-fat16-fat32-and-ntfs-explained. There are others, just search.
Now.. IMHO, if you are getting into forensics, then it should be assumed that you will need to know the common filesytstems well. This question hints that you have not studied FAT filesystems enough. get a hex editor and a fat explanation guide or tutorial, a disk image and start dissecting.
Re: How to recover FAT table?
December 20th, 2015, 13:54
hey HaQue, generous hand there dude, that's the kind of "show of effort" I would have expected from the OP.
You are indeed "the bomb diggity"
generic help guide-
help vampire: elicits least response
Help! how do i do this.... (i have done nothing for myself here and am begging for charity)
---
noob but willing to do some leg work: elicits some help and encouragement
I've been given this as a task. I have a XXGB drive / small sample from a XXGB drive.
So far I think, from looking around the web, that it's FATXX.
Despite finding some paid for programs I think may help, I need to find a free solution.
I found this guide on C Greniers site and need a push in the right direction understanding this part ....
---
sh*t-hot candidate (i'm looking to help others / impress lecturers & prospective employers / anyone else remotely interested): best ROI / help / interest possible.
So, guys, I got this as an assignment/job/selfstart on boot sectors and FAT's and am looking to pass the good news on.
The tutor/employer doesn't trust us to drive Encase/FTK yet so all we have access to is a basic hex editor.
Here's the job detail. (how to get around the zero'd area), but I really think it's an initiative test to see if we can self start.
This is a [hypothetical instance] / [real drive] and [no other data has been provided] / [there are other incriminating artifacts on here].
I've found/begged/borrowed a few spare drives and some old MS install disks i tried Win 95 / 2000 / XP / Vista / 7 and a linux distro installs for good measure.
Also bounced this around a few guys I pulled together at uni/college/work after hours in the workshop.
From the results, (see screenshot) I'm thinking its a XX installation where someone has tried to cover their tracks by ....< means>
It seems there maybe a copy of the FAT someplace and I think I'm on the right track here with ...<blah> but really i just need a way to show i can reconstruct the first few blocks here that have been zeroed.
If anyone can help flesh this out, or correct some of my inevitable mistakes, so others as well as myself may benefit, I'd be grateful.
<blah / gratuities>
-----
again it's worth referencing ESR's guide as a start point for folks looking for help via fora or other social media.
Well worth the investment of time taken in reading it.
K
You are indeed "the bomb diggity"
generic help guide-
help vampire: elicits least response
Help! how do i do this.... (i have done nothing for myself here and am begging for charity)
---
noob but willing to do some leg work: elicits some help and encouragement
I've been given this as a task. I have a XXGB drive / small sample from a XXGB drive.
So far I think, from looking around the web, that it's FATXX.
Despite finding some paid for programs I think may help, I need to find a free solution.
I found this guide on C Greniers site and need a push in the right direction understanding this part ....
---
sh*t-hot candidate (i'm looking to help others / impress lecturers & prospective employers / anyone else remotely interested): best ROI / help / interest possible.
So, guys, I got this as an assignment/job/selfstart on boot sectors and FAT's and am looking to pass the good news on.
The tutor/employer doesn't trust us to drive Encase/FTK yet so all we have access to is a basic hex editor.
Here's the job detail. (how to get around the zero'd area), but I really think it's an initiative test to see if we can self start.
This is a [hypothetical instance] / [real drive] and [no other data has been provided] / [there are other incriminating artifacts on here].
I've found/begged/borrowed a few spare drives and some old MS install disks i tried Win 95 / 2000 / XP / Vista / 7 and a linux distro installs for good measure.
Also bounced this around a few guys I pulled together at uni/college/work after hours in the workshop.
From the results, (see screenshot) I'm thinking its a XX installation where someone has tried to cover their tracks by ....< means>
It seems there maybe a copy of the FAT someplace and I think I'm on the right track here with ...<blah> but really i just need a way to show i can reconstruct the first few blocks here that have been zeroed.
If anyone can help flesh this out, or correct some of my inevitable mistakes, so others as well as myself may benefit, I'd be grateful.
<blah / gratuities>
-----
again it's worth referencing ESR's guide as a start point for folks looking for help via fora or other social media.
Well worth the investment of time taken in reading it.
K
Re: How to recover FAT table?
December 21st, 2015, 17:15
Its FAT 16 for the record guys
Re: How to recover FAT table?
December 21st, 2015, 18:04
Not sure what else you need.. maybe http://www.tavi.co.uk/phobos/fat.html
https://books.google.com.au/books?id=hI3dqOyboegC
http://offog.org/notes/archiving/fat-repair/
https://books.google.com.au/books?id=hI3dqOyboegC
http://offog.org/notes/archiving/fat-repair/
Re: How to recover FAT table?
December 21st, 2015, 18:34
Forensic Girl 21 wrote:Its FAT 16 for the record guys
That's obvious. Cluster 0x00C0 points to cluster 0x00C1, cluster 0x00C1 points to cluster 0x00C2, cluster 0x00C2 points to cluster 0x00C3, and so on until cluster 0x00DD, at which point an EOF marker is encountered.
You should compare FAT copy #1 against FAT copy #2. If they are identical, then one legitimate reason for the zeros is that the corresponding files have been deleted. The next step would be to search for deleted files.
When a file is deleted, the first character of its directory entry is replaced with 0xE5, and the file's clusters are zeroed in the FAT. The directory entry still retains the starting cluster number and the file size, so the file can be reconstructed, provided that it is not fragmented. If it is fragmented, then its FAT entries cannot be reliably reinstated.
Re: How to recover FAT table?
December 21st, 2015, 19:47
The basic and obvious question has me wondering what the point of all these questions are. seems to be no effort in researching any of it, but just specific pointed questions with 0 indication of any effort. I don't think I will be adding to this anymore
Re: How to recover FAT table?
December 21st, 2015, 19:50
I originally ignored this thread because it looked like a homework assignment.
Powered by phpBB © phpBB Group.