SANS Digital Forensics and Incident Response Blog: Tag - FAT16

FAT File Sizes

If you're just checking this blog for the first time, you should know that this post is one in a series of posts dealing with a FAT file system that has been tweaked in various ways to make recovery of the data more difficult, if only for the casual observer. Forensics folks like yourselves would have no issue recovering the data, but the point of this series is to learn about the FAT file system and how it works.

In last week's FAT Tuesday post we looked at a file in our usb key image (get it here) called "Scheduled Visits.exe". We looked at the metadata for the file using


Sizing up the FAT

Another Tuesday, another FAT post. If you're just joining us, you can find the whole series of posts here.

Over the last month or two, we've been working with a FAT image that has been modified by the suspect in a case we're working. We have slowly been undoing the changes made by the suspect, one file at a time. We have one file left to make right so let's see what's going on with our third and final file. Recall the output from fls from previous posts:
fls ouput from usbkey.img
We've already recovered the first two files and adjusted the cluster chains in