SANS Digital Forensics and Incident Response Blog: Author - Dave Hull

FAT Directory Entry repair

This is the third installment in a series of posts about FAT file systems. We're using the usbkey.img file that's given to students of SANS Sec. 508. The image has been altered by the suspect. Our goal is to return it to it's unaltered state.

In the second post, we gathered some information about the files on the image and using a hex editor took a look at the two metadata structures for FAT file systems, the FAT Directory Entry and the

FAT and FAT Directory Entries

In the previous post in this Fried FAT series, we gathered some details about an altered FAT partition on a USB key by running fsstat against it. Our goal is to return the USB key image to its unaltered state.

Let's run fls to get some information about the files on the image:fls ouput from usbkey.img

Here we're concerned with the first three entries. We see a regular file that's been deleted, with metadata information at FAT Directory Entry 5. What do we mean by metadata information? Timestamps, file size and the addresses for the clusters that the file occupies on the disk are all


Fried FAT: A look into FAT file systems

Once in a while, a colleague, neighbor or friend will call me in a panic over files they have accidentally deleted from the SSD card in their daughter's camera or worse. In such cases it's often possible to carve out files from the data layer using something like foremost or in a best case scenario, if metadata still exists, sorter can be put to good use to recover the data.

But what about a case where an enterprising perpetrator with above average tech savvy has deliberately altered a partition's metadata in order to inhibit access to the data? I know it's a stretch, but let's say there's a small time drug dealer who carries operational data on a USB stick, but he's altered the metadata in such a way that recovering the files from the USB stick is non-obvious.

During SANS Security 508: Computer Forensics, Investigation and Response, such a case is presented to the


SANS Forensics Road Show

SANS is launching a "Forensics Tour," offering SANS Security 508: Computer Forensics, Investigation and Response as Community level events in cities all over. To find a tour stop near you, take a look at the list of Community Events over at the SANS web site.

Obviously there are benefits to taking advantage of these Community level events. The big one is that you can catch the training in your local area and still get out of the office to focus on mastering the course material and the cost is lower than it is at a SANS conference. Another benefit is networking with professionals in your area. If you're in one of these locations and have been considering taking 508, this is an ideal time. Also if you're in law enforcement, special discount rates are available, please contact Scott Weil at SANS for details ( and Ph: 847


Texas Licensing Issue: HB2287

Last week I wrote about a Texas House Bill that sought to amend the licensing requirements and may impact computer forensic analysts working in that state.

The latest information is that the Public Safety Committee will meet today to consider House Bill 2287, which would exempt computer repair technicians from licensing requirements, but not computer forensic analysts.

If you're concerned with this issue and oppose the current PI licensing requirement for computer forensic analysts, please contact members of the Public Safety Committee (see below for contact information) and let them know you oppose HB2287 in its original form.

Apparently there will be someone at the committee meeting asking for an amendment to the Occupations Code that would include an exemption