Recovering FAT32 With File System Markers

In my last installment, Recovering FAT 32 with File Entry Records, I talked about USB and Fire Wire devices and how they are susceptible to damage. In addition I spoke about the file system used to store data on these devices as being FAT32 in order for the manufacturer to optimize their marketing base. Finally, I spoke about the fact that if the device is formatted by a non-native operating system (non windows) how could the data be recovered if in fact certain critical components were destroyed or masked. As an example I am using a live case for this particular instance. This clients drive lost the MBR, OS Boot Records, and FAT markers by formatting their MyBook usng a Mac. These are major system components with critical data that is necessary to align the drive. What can we now use to bring this FAT file system back into a state where we can recover the data.

In the FAT file system the index records for each file and folder are not stored in one static area. As an example of an alternate technique, if you were to format a drive using Windows XP then, of course, the default file system would be NTFS. One of the characteristics of NTFS is that it uses a Master File Table to store all the information about each file and folder. The MFT is stored almost exclusively in the same place every time a drive is formatted. Normally the MFT will start at cluster 786432 (LBA 6291456 assuming a 4K cluster) and will extend contiguously for several thousand records. In other words, the entire index for your file system is stored in an area approximately 150MB to 200MB in size. If this area were zeroed out it would destroy all of the information as to where your files are stored and in most cases hamstring the end-users ability to recover their data, especially if the data is fragmented. One may think that 200 MB of data is a lot of data to zero out, but I can assure you with Windows XP optimized for disk I/O and hard drives using a blazing fast DMA the destruction of the MFT would almost be transparent. You would never know it happened until it was too late.

That being said, conversely the FAT file system stores their folder and file information in clusters using a file entry record. As the file system matures the clusters that are used move farther down the drive since data is now occupying the clusters closer to the beginning of the drive. The FAT chaining system is used for folders that have more files than can be stored in a single cluster. It is easy to see that the folder information can be scattered across the drive. Although this plays havoc with hard drives and access speeds it makes it difficult to destroy the file system. This cluster scattering was not by design and to this day is considered a drawback to the file system, however, it does make data recovery much easier when major file system components are lost.

So now that we know that file entry records are used to index the file system for FAT the problem arises as to how best to identify a file entry record from the billions of other bytes on the hard drive. In my next installment I will outline a file entry record and reveal the attributes that allow us to filter a folder storing file names from all of the other data.

Related Resources:

Recovering FAT 32 with File Entry Records – the first part of this series.

External Hard Drive Recovery

Hard Drive Recovery

Comments

  1. dancemusicjunkie says:

    I am having the exact same issue..

  2. dancemusicjunkie,

    What problem are you having exactly? We can help you out if you can give us some specifics.

Trackbacks

  1. [...] my last installment Recovering FAT 32 With File System Markers, I offered a brief outline of a case that destroyed a FAT32 file systems major components. This was [...]

  2. [...] Part 2 Recovering FAT 32 With File System Markers [...]

Speak Your Mind