[brlug-general] forensics question: retrieving deleted data
Will Lowe
wlowe at cox-internet.com
Sun May 21 13:45:37 CDT 2006
John,
As I understand... Well, first let's set some foundation here. I work in law
enforcement. "Computer forensics" means one thing to me but what you are
describing is something else. It could be useful in forensic analysis of a
computer. It's only a small part. Forensic deals with the application of
scientific knowledge to legal issues. The legal part means
provable/verifiable in a court of law.
Secondly, and setting aside our different focus on that issue, the recovery
of data stored on hard disks requires a basic understanding of how data is
laid out on hard disks. I'm not talking about track, sectors, and surfaces.
That's more specific to hardware. I'm talking about how Windows (or any
other OS for that matter) keeps track of "stuff" it places there. Regardless
of the physical/hardware layout of the drive, locations on the drive are
identified by a sequential (relative to the beginning of the partition)
addressing scheme. Each address identifies a cluster. A cluster is a block
of space on the disk. The size of this block is predetermined during format.
In Windows OSes, generally four points are pre-determined by the size of
partition/format of the disk. The starting point of the first directory
space cluster, the starting point of the first copy of the File allocation
table (FAT), the starting point of the second copy of the File allocation
table (FAT), and lastly the starting point of first storage area (rest of
partition) cluster. There is a duplicate copy of FAT kept on the disk for
data protection. When the Windows OS writes even one byte it writes a whole
cluster, so files take up the number of bytes in the file divided by the number
of bytes in a cluster +1 if the result is not even.
A FAT is basically a linked list of cluster addresses on the partition. A
directory entry identifies a file by name and type and its starting FAT
address along with other metadata such as time, date, security, etc. Also at
the beginning of this directory entry is a single byte that represents
either the first character of the file name or a 0xE5 (hexadecimal) if the
entry is not used or erased. What this means is that, for an active file stored on
the disk, the Windows OS creates an entry in the directory space table for it,
then determines the first available cluster entry in the FAT and starts
writing the file contents to that referenced cluster. If it fills up, the OS
goes back and finds the next available cluster in the FAT, marks that
address in the previous FAT location and continues writing the file. This
action is repeated until no more bytes are available in the file. At this
point the first FAT is copied to the second FAT location. As I understand
Microsoft's thinking of this, if a crash occurs or something happens before
completely writing the file the two copies of FAT will be different and
could (hopefully) be reconciled programmatically.
To erase a file, the OS simply changes the first character of the directory
entry from whatever character it is to a 0xE5. All the data for the file and
the rest of the links in the FAT are still there. Recovery at this point is
time critical. As the OS stores new files it will eventually use those freed
up clusters and associated FAT entries. I also believe Microsoft purposely
uses recently erased file clusters only as a last resort to further the
chance of recovery. Recovery of a file simply means changing the 0xE5 at the
beginning of its directory entry to some other character (hopefully whatever
it was originally). If none of the clusters have been used in the interim,
the file is back as it was.
This description is similar throughout all the file systems Microsoft uses.
The main differences are due to size and the amount/type of metadata stored
with each file.
Will
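To make the layout described above concrete, here is an added toy model in Python; it is not code from the thread or from any real FAT driver. It packs 32-byte directory entries, links clusters through 16-bit FAT entries, erases a file by overwriting the first name byte with 0xE5, and undeletes by walking the chain; since a real FAT driver also zeroes the freed chain entries, the undelete falls back to assuming contiguous clusters and refuses when one of them has since been reallocated. The 64-byte cluster size, the reserved clusters 0 and 1, and the file names are assumptions of this toy.

```python
import math
import struct

CLUSTER = 64      # bytes per cluster; a toy size chosen for this example
EOC = 0xFFFF      # FAT16 end-of-chain marker
DELETED = 0xE5    # first byte of an erased directory entry

def clusters_needed(size):
    """Whole clusters per file: size / CLUSTER, rounded up (at least one)."""
    return max(1, math.ceil(size / CLUSTER))

class Volume:
    """Toy FAT16-like volume: one FAT, a root directory, and a data area."""
    def __init__(self, nclusters):
        self.fat = [EOC, EOC] + [0] * nclusters   # clusters 0 and 1 reserved; 0 = free
        self.data = [b"\0" * CLUSTER] * (nclusters + 2)
        self.dir = []                                 # 32-byte directory entries

    def write_file(self, name, payload):
        free = [c for c, e in enumerate(self.fat) if e == 0]
        chain = free[:clusters_needed(len(payload))]      # first available clusters
        for n, c in enumerate(chain):
            self.data[c] = payload[n * CLUSTER:(n + 1) * CLUSTER].ljust(CLUSTER, b"\0")
            self.fat[c] = chain[n + 1] if n + 1 < len(chain) else EOC  # link or end
        # name(11) attr(1) reserved(14) first cluster(2) size(4) = 32 bytes
        self.dir.append(struct.pack("<11sB14xHI", name.ljust(11).encode(), 0x20, chain[0], len(payload)))
        return len(self.dir) - 1

    def delete(self, idx, free_chain=True):
        """Mark the entry erased; real drivers also zero the FAT chain (free_chain=True)."""
        entry = bytearray(self.dir[idx]); entry[0] = DELETED; self.dir[idx] = bytes(entry)
        c = struct.unpack_from("<H", self.dir[idx], 26)[0]
        while free_chain and c not in (0, EOC):
            nxt = self.fat[c]; self.fat[c] = 0; c = nxt

    def undelete(self, idx):
        """Return the file bytes, or None if its clusters were reallocated."""
        first, size = struct.unpack_from("<HI", self.dir[idx], 26)
        need = clusters_needed(size)
        chain, c = [], first                  # first try: follow a surviving chain
        while c not in (0, EOC) and len(chain) < need:
            chain.append(c); c = self.fat[c]
        if len(chain) != need or c != EOC:    # chain freed or reused: assume contiguous
            chain = list(range(first, first + need))
            if any(self.fat[c] for c in chain):   # a cluster was reused since deletion
                return None
        entry = bytearray(self.dir[idx]); entry[0] = ord("_"); self.dir[idx] = bytes(entry)
        return b"".join(self.data[c] for c in chain)[:size]
```

The restored first character is a placeholder, since the original letter is gone once 0xE5 overwrites it.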
----- Original Message -----
From: "John Hebert" <johnahebert at yahoo.com>
To: <general at brlug.net>
Sent: Sunday, May 21, 2006 2:16 AM
Subject: [brlug-general] forensics question: retrieving deleted data
> Howdy,
>
> I'd like to learn more about computer forensics. I've
> read a little bit on it via Google, etc, but I'd like
> to learn more.
>
> I know from personal experience that the best way to
> learn something (for me, at least. YMMV) is to create
> a project with an achievable short-term goal. So, I'd
> like to learn how to retrieve deleted data from a hard
> drive that's had its partition table wiped.
>
> Questions:
> 1) Does the Microsoft Windows 'format' command simply
> wipe out the partition table? Or does it do more than
> that? What exactly?
> 2) I believe that the Microsoft Windows 'delete'
> command simply removes a file's listing in the FAT. Is
> this correct? If not, what does happen?
> 3) How would one go about rebuilding a FAT32
> partition? Are there open source apps that will do
> that?
> 4) Is the FAT required in order to retrieve an entire
> file? I think so, but I'm not sure.
>
> Sorry if my questions don't make sense. Sleepy. :)
>
> Thanks,
> John
>