SANS Digital Forensics and Incident Response Blog: Daily Archives: Jul 21, 2009

A big FAT lie

In the last post in our quest to restore the tampered FAT file system to its untainted state, we rebuilt the cluster chain in the File Allocation Table so we could copy out the file from the mounted file system. Let's move on to the next file in our image.fls ouput from usbkey.img

Let's see about "cover page.jpg." For starters, let's copy the file out of the mounted file system: