John,

As I understand it... Well, first let's set some foundation here. I work in law 
enforcement. "Computer forensics" means one thing to me, but what you are 
describing is something else. It could be useful in forensic analysis of a 
computer, but it's only a small part. Forensics deals with the application of 
scientific knowledge to legal issues. The legal part means 
provable/verifiable in a court of law.
Secondly, and setting aside our different focus on that issue, the recovery 
of data stored on hard disks requires a basic understanding of how data is 
laid out on hard disks. I'm not talking about tracks, sectors, and surfaces; 
that's more specific to hardware. I'm talking about how Windows (or any 
other OS, for that matter) keeps track of the "stuff" it places there. Regardless 
of the physical/hardware layout of the drive, locations on the drive are 
identified by a sequential addressing scheme (relative to the beginning of the 
partition). Each address identifies a cluster. A cluster is a block of space on 
the disk. The size of this block is predetermined during format. In Windows 
OSs, generally four points are predetermined by the size of the partition/format 
of the disk: the starting point of the first directory space cluster, the 
starting point of the first copy of the file allocation table (FAT), the 
starting point of the second copy of the file allocation table (FAT), and 
lastly the starting point of the first storage area (rest of partition) 
cluster. A duplicate copy of the FAT is kept on the disk for data protection. 
When the Windows OS writes even one byte it writes a whole cluster, so files 
take up the number of bytes in the file divided by the number of bytes in a 
cluster, +1 if the result is not even.
A FAT is basically a linked list of cluster addresses on the partition. A 
directory entry identifies a file by name and type and its starting FAT 
address, along with other metadata such as time, date, security, etc. Also, at 
the beginning of this directory entry is a single byte that represents 
either the first character of the file name or 0xE5 (hexadecimal) if the 
entry is not used or erased. What this means is that for an active file stored on 
the disk, the Windows OS creates an entry in the directory space table for it, 
then determines the first available cluster entry in the FAT and starts 
writing the file contents to that referenced cluster. If it fills up, the OS 
goes back and finds the next available cluster in the FAT, marks that 
address in the previous FAT location and continues writing the file. This 
action is repeated until no more bytes are available in the file. At this 
point the first FAT is copied to the second FAT location. As I understand 
Microsoft's thinking on this, if a crash occurs or something happens before 
the file is completely written, the two copies of the FAT will be different and 
could (hopefully) be reconciled programmatically.
To erase a file, the OS simply changes the first character of the directory 
entry from whatever character it is to 0xE5. All the data for the file and 
the rest of the links in the FAT are still there. Recovery at this point is 
time critical. As the OS stores new files it will eventually use those freed-up 
clusters and associated FAT entries. I also believe Microsoft purposely 
uses recently erased file clusters only as a last resort to further the 
chance of recovery. Recovery of a file simply means changing the 0xE5 at the 
beginning of its directory entry to some other character (hopefully whatever 
it was originally). If none of the clusters have been used in the interim, 
the file is back as it was.
This description is similar throughout all the file systems Microsoft uses. 
The main differences are due to size and the amount/type of metadata stored 
with each file.
Will
----- Original Message -----
From: "John Hebert" <[EMAIL PROTECTED]>
To: <general at brlug.net>
Sent: Sunday, May 21, 2006 2:16 AM
Subject: [brlug-general] forensics question: retrieving deleted data

> Howdy,
>
> I'd like to learn more about computer forensics. I've
> read a little bit on it via Google, etc, but I'd like
> to learn more.
>
> I know from personal experience that the best way to
> learn something (for me, at least. YMMV) is to create
> a project with an achievable short-term goal. So, I'd
> like to learn how to retrieve deleted data from a hard
> drive that's had its partition table wiped.
>
> Questions:
> 1) Does the Microsoft Windows 'format' command simply
> wipe out the partition table? Or does it do more than
> that? What exactly?
> 2) I believe that the Microsoft Windows 'delete'
> command simply removes a file's listing in the FAT. Is
> this correct? If not, what does happen?
> 3) How would one go about rebuilding a FAT32
> partition? Are there open source apps that will do
> that?
> 4) Is the FAT required in order to retrieve an entire
> file? I think so, but I'm not sure.
>
> Sorry if my questions don't make sense. Sleepy. :)
>
> Thanks,
> John
>
>
> _______________________________________________
> General mailing list
> General at brlug.net
> http://brlug.net/mailman/listinfo/general_brlug.net

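The directory-entry and FAT-chain mechanics Will describes above, as an added example that is not code from this thread: a toy FAT16 volume held in memory. It assumes 512-byte clusters, a 64-cluster data area, a 16-slot root directory and the standard 32-byte entry layout (8.3 name, attribute byte at offset 11, first cluster low word at offset 26, file size at offset 28); the file names and contents in demo() are constructed. delete_file does exactly what the message describes, writing 0xE5 over the entry's first byte; its free_chain option additionally zeroes the FAT chain, which is what a real driver does, and undelete then has to fall back to the classic guess that the file occupied consecutive clusters. The demo shows why that guess fails on a fragmented file, which is also the practical answer to John's question 4: without the chain, the directory entry only tells you where the file starts and how long it is.

```python
"""Toy FAT16 volume in memory: 32-byte directory entries, the FAT as a cluster chain,
deletion by writing 0xE5 over an entry's first byte, and undeletion. Added example,
not code from the list thread; the sizes below are assumptions."""
import struct

CLUSTER_SIZE = 512      # bytes per cluster, fixed when the volume is formatted
CLUSTER_COUNT = 64      # clusters in our tiny data area
ENTRY_SIZE = 32         # bytes per directory entry
DELETED = 0xE5          # first byte of an erased directory entry
EOC = 0xFFFF            # FAT16 end-of-chain marker (any value >= 0xFFF8)
FIRST_DATA = 2          # FAT entries 0 and 1 are reserved; data starts at cluster 2


def clusters_for(size):
    """Ceiling division: a partly filled last cluster still costs a whole cluster."""
    return -(-size // CLUSTER_SIZE)


class Fat16Volume:
    def __init__(self, dir_slots=16):
        self.fat = [0] * CLUSTER_COUNT              # 0 means the cluster is free
        self.fat[0], self.fat[1] = 0xFFF8, EOC      # reserved entries
        self.rootdir = bytearray(ENTRY_SIZE * dir_slots)
        self.data = bytearray(CLUSTER_SIZE * CLUSTER_COUNT)

    @staticmethod
    def pack_entry(name, first_cluster, size):
        """Standard layout: 8.3 name, byte 11 attributes (0x20 archive), bytes 12-25
        times/dates (left zero here), 26-27 first cluster (low word), 28-31 size."""
        base, _, ext = name.upper().partition(".")
        raw = base.ljust(8)[:8].encode("ascii") + ext.ljust(3)[:3].encode("ascii")
        return raw + bytes([0x20]) + bytes(14) + struct.pack("<HI", first_cluster, size)

    @staticmethod
    def parse_entry(raw):
        base = raw[0:8].decode("ascii", "replace").rstrip()
        ext = raw[8:11].decode("ascii", "replace").rstrip()
        first, size = struct.unpack("<HI", raw[26:32])
        return {"name": base + ("." + ext if ext else ""), "deleted": raw[0] == DELETED,
                "first_cluster": first, "size": size}

    def entry(self, idx):
        return self.rootdir[idx * ENTRY_SIZE:(idx + 1) * ENTRY_SIZE]

    def chain(self, first):
        """Follow FAT links from `first` until a non-data value (EOC, free, bad) or a loop."""
        out, c = [], first
        while FIRST_DATA <= c < CLUSTER_COUNT and c not in out:
            out.append(c)
            c = self.fat[c]
        return out

    def write_file(self, name, payload):
        needed = clusters_for(len(payload))
        free = [c for c in range(FIRST_DATA, CLUSTER_COUNT) if self.fat[c] == 0][:needed]
        if len(free) < needed:
            raise RuntimeError("volume full")
        for i, c in enumerate(free):        # each FAT entry points at the next cluster
            self.fat[c] = free[i + 1] if i + 1 < needed else EOC
            chunk = payload[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            self.data[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE] = chunk.ljust(CLUSTER_SIZE, b"\0")
        slots = range(len(self.rootdir) // ENTRY_SIZE)
        idx = next(i for i in slots if self.entry(i)[0] in (0x00, DELETED))  # unused or erased
        self.rootdir[idx * ENTRY_SIZE:(idx + 1) * ENTRY_SIZE] = \
            self.pack_entry(name, free[0] if free else 0, len(payload))
        return idx

    def read_file(self, idx, assume_contiguous=False):
        e = self.parse_entry(self.entry(idx))
        if assume_contiguous:   # no usable chain: guess the file sat in consecutive clusters
            found = list(range(e["first_cluster"], e["first_cluster"] + clusters_for(e["size"])))
        else:
            found = self.chain(e["first_cluster"])
        buf = b"".join(bytes(self.data[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE]) for c in found)
        return buf[:e["size"]]

    def delete_file(self, idx, free_chain=False):
        """Erase as the message describes: only the entry's first byte changes.
        free_chain=True also zeroes the FAT entries, which is what a real driver does."""
        if free_chain:
            for c in self.chain(self.parse_entry(self.entry(idx))["first_cluster"]):
                self.fat[c] = 0
        self.rootdir[idx * ENTRY_SIZE] = DELETED

    def undelete(self, idx, first_char):
        """Restore a first character, then read back whatever is still on disk."""
        self.rootdir[idx * ENTRY_SIZE] = ord(first_char)
        found = self.chain(self.parse_entry(self.entry(idx))["first_cluster"])
        intact = bool(found) and self.fat[found[-1]] >= 0xFFF8   # ends in a proper EOC mark
        return self.read_file(idx, assume_contiguous=not intact)


def demo():
    """Constructed scenario: C.BIN ends up fragmented (clusters 2, 4, 5) around B.TXT in 3."""
    vol = Fat16Volume()
    a = vol.write_file("A.TXT", b"A" * 512)          # cluster 2
    vol.write_file("B.TXT", b"B" * 512)              # cluster 3
    vol.delete_file(a, free_chain=True)              # cluster 2 is free again
    payload = bytes(range(256)) * 4 + b"tail"        # 1028 bytes -> 3 clusters
    c = vol.write_file("C.BIN", payload)
    vol.delete_file(c)                               # marker only, chain still in the FAT
    exact = vol.undelete(c, "C")
    vol.delete_file(c, free_chain=True)              # marker and chain both gone
    guessed = vol.undelete(c, "C")                   # contiguous guess picks up B's cluster
    return {"chain_intact": exact == payload, "chain_freed": guessed == payload,
            "chain_freed_first_cluster": guessed[:512] == payload[:512]}
```

Run demo() to see the two outcomes side by side: with the chain left in the FAT, restoring the first byte brings the file back exactly; with the chain freed, only the first cluster is trustworthy and the rest is whatever happened to sit in the following clusters. On a real image you would read the boot sector for the cluster size and the FAT/root directory offsets instead of the constants assumed here, and you would check the second FAT copy before trusting the chain.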
