SANS Digital Forensics and Incident Response Blog: Tag - allocated

FAT Directory Entry repair

This is the third installment in a series of posts about FAT file systems. We're using the usbkey.img file that's given to students of SANS Sec. 508. The image has been altered by the suspect. Our goal is to return it to it's unaltered state.

In the second post, we gathered some information about the files on the image and using a hex editor took a look at the two metadata structures for FAT file systems, the FAT Directory Entry and the