Inside FAT: File Search

Read about peculiarities of data recovery from a FAT-formatted device. In 2013, there are plenty of file systems around. There are FAT, NTFS, HFS and many other file systems used by the many different operating systems. And yet, the oldest and simplest file system of them all is still going strong. The FAT system is aged, and has many limitations on maximum volume size and the size of a single file.

Inside FAT: File Search

FAT file system

This file system is rather simplistic by today’s standards. It does not offer any kind of permission management nor built-in transaction roll-back and recovery mechanisms. No built-in compression or encryption either. And yet it is very popular for many applications. The FAT system is so simple to implement, requires so little resources and imposes such a small overhead that it becomes irreplaceable for a wide range mobile applications.

The FAT is used in most digital cameras. The majority of memory cards (for example miniSD, microSD) used in media players, smartphones and tablets are formatted with the FAT. Even Android devices take memory cards formatted with the FAT system. In other words, despite its age, FAT is alive and kicking.

Go to view
How to Recover Files from the Memory Card of Your Camera, Phone, Video or Dashboard Camera 📁🔥⚕️

How to Recover Files from the Memory Card of Your Camera, Phone, Video or Dashboard Camera 📁🔥⚕️

Recovering Information from FAT Volumes

If the FAT system is so popular, there must be need for data recovery tools supporting that file system. In this article we’ll be sharing experience gained during the development of a data recovery tool, Hetman Partition Recovery.

Partition Recovery™ 4.9
The tool recovers data from any devices, regardless of the cause of data loss.
Download

Before we go talking about the internals of the file system, let’s have a brief look at why data recovery is at all possible. As a matter of fact, the operating system (Windows, Android, or whatever system that’s used in a digital camera or media player) does not actually wipe or destroy information once a file gets deleted. Instead, the system marks a record in the file system to advertise disk space previously occupied by the file as available. The record itself is marked as deleted. This way is much faster than actually wiping disk content. It also reduces wear.

As you can see, the actual content of a file remains available somewhere on the disk. This is what allows data recovery tools to work. The question now is how to identify which sectors on the disk contain information belonging to a particular file. In order to do that, a data recovery tool could either analyze the file system or scan the content area on the disk looking for deleted files by matching the raw content against a database of pre-defined persistent signatures.

Go to view
How to Recover Deleted Files from a USB Drive after Formatting the Drive or a Virus Attack 📁🔥⚕️

How to Recover Deleted Files from a USB Drive after Formatting the Drive or a Virus Attack 📁🔥⚕️

This second method is often called “signature search” or “content-aware analysis”. In forensic applications, this same approach is called “carving”. Whatever the name, the algorithms are very similar. They read the entire disk surface looking for characteristic signatures identifying files of certain supported formats. Once a known signature is encountered, the algorithm will perform a secondary check, then read and parse what appears to be the file’s header. By analyzing the header, the algorithm can determine the exact length of the file. By reading disk sectors following the beginning of the file, the algorithm recovers what it assumes to be the content of a deleted file.

If you’re following carefully, you could have already noticed several issues with this approach. It works extremely slowly, and it can only identify a finite number of known (supported) file formats. Most importantly, this approach assumes that disk sectors following the file’s header do belong to that particular file, which is not always true. Files are not always stored in a consecutive manner. Instead, the operating system can write chunks into first available clusters on the disk. As a result, the file can be fragmented into multiple pieces. Recovering fragmented files with signature search is a matter of hit or miss: short, defragmented files are usually recoverable without a sweat, while long, fragmented ones may not be recovered or may come out damaged after the recovery.

In practice, signature search does work pretty well. Most files that are of any importance to the user are documents, pictures, and other similarly small files. Granted, a lengthy video may not be recovered, but a typical document or a JPEG image is usually sized below fragmentation threshold and recovers pretty well.

If, however, one needs to recover fragmented files, the tool must combine information obtained from the file system and gathered during the disk scan. This, for example, allows excluding clusters that are already occupied by other files, which, as we’ll see in the next chapter, greatly improves the chance of successful recovery.

Using Information from the File System

Go to view
How to Fix a Flash Drive for a Computer, TV or Car Audio in 2019 🛠️👨‍💻🤔

How to Fix a Flash Drive for a Computer, TV or Car Audio in 2019 🛠️👨‍💻🤔

As we could see, signature search alone works great if there is no file system left on the disk, or if the file system is so badly damaged that it becomes unusable. In all other cases, information obtained from the file system can greatly improve the quality of the recovery.

Let’s take a large file we need to recover. Suppose the file was fragmented (as is typical for larger files). Simply using signature search will result in only recovering the first fragment of the file; the other fragments will not recover correctly. It is therefore essential to determine which sectors on the disk belong to that particular file.

Windows and other operating systems determine which sectors belong to which file by enumerating records in the file system. File system records contain information about which sectors belong to which file.

Searching for a File System

Hard Drive Partitions

Picture 1. Hard Drive Partitions.

Before analyzing the file system, we must identify and locate one first. But before we start looking for a file system, let’s look at how Windows handles partitions.

In Windows, disks are described with a partition system containing one or more tables. Each table describes a single partition. The record contains the partition’s initial address as well as its length. Partition type is also specified.

1. The hard drive is divided into three partitions with corresponding volume labels.

2. This table contains information about the type, beginning and end of each partition.

In order to locate the file system, the data recovery tool must analyze the partition table, if one is still available. But what if there is no partition table left, or what if the disk has been repartitioned, and the new partition table no longer contains information about the deleted volume? If this is the case, the tool will scan the disk in order to identify all available file systems.

Partition Begin End Type
System (С:) 0 199 NTFS
Arhive (D:) 200 399 FAT
Work (E:) 400 599 FAT

Table 1. Partitions Table.

When looking for a file system, the algorithm assumes that each logical volume contained a file system. Most file systems can be identified by looking for a certain persistent signature. For an instance, the FAT file system is identified by values recorded in the 510th and 511th bytes of the initial sectors. If the values recorded in those addresses are 0х55 and 0хАА, the tool will start performing a secondary check.

The secondary check allows the tool ensuring that the actual file system is found as opposed to random encounters. The secondary check validates certain values used by the file system. For example, one of the records available in the FAT system identifies the number of sectors contained in the cluster. This value is always represented with a power of two. It can be 1, 2, 4, 8, 16, 32, 64 or 128. If there is any other value stored by that address, the structure is not a file system.

The article “Algorithm of file recovery from a FAT disk” explains the process of searching for the contents of a deleted file, and provides some examples.

Oleg Afonin

Author: , Technical Writer

Oleg Afonin is an expert in mobile forensics, data recovery and computer systems. He often attends large data security conferences, and writes several blogs for such resources as xaker.ru, Elcomsoft and Habr. In addition to his online activities, Oleg’s articles are also published in professional magazines. Also, Oleg Afonin is the co-author of a well-known book, Mobile Forensics - Advanced Investigative Strategies.

Vladimir Artiukh

Editor: , Technical Writer

Vladimir Artiukh is a technical writer for Hetman Software, as well as the voice and face of their English-speaking YouTube channel, Hetman Software: Data Recovery for Windows. He handles tutorials, how-tos, and detailed reviews on how the company’s tools work with all kinds of data storage devices.

  • Updated:
  • Evaluations:
  • 15
  • /
  • :

Share

Questions and answers

  • What is the FAT file system, and what makes it a popular choice for data storage?

    The FAT (File Allocation Table) file system is a type of computer file system that is used by operating systems such as Windows, Mac OS, and Linux. It is popular because it is simple to use and is compatible with a wide range of devices. The FAT file system stores data in clusters, which are small blocks of data that can be read quickly. The FAT file system also supports long file names, making it easier to store and organize data. Additionally, it is relatively easy to recover data if the drive becomes corrupted or damaged.

  • How do FAT data recovery algorithms work, and what makes them effective in recovering lost data?

    FAT (File Allocation Table) data recovery algorithms work by scanning the hard drive and reconstructing the data from the FAT entries. This is done by scanning the hard drive for the FAT table, which contains information about the location of files, and then using that information to locate and rebuild the files. The algorithms are effective because they can locate and rebuild the data even if it has been corrupted or deleted. Additionally, the algorithms can reconstruct data from fragmented files, meaning that even if parts of the file have been overwritten, the algorithm can still recover the rest of the file.

  • What are some of the common causes of data loss on a FAT file system, and how can they be addressed?
    1. Accidental File Deletion: Accidental file deletion is one of the most common causes of data loss on a FAT file system. This can be addressed by creating backups of important files on a regular basis and using a data recovery tool to recover accidentally deleted files.
    2. Corrupt File System: A corrupt file system can cause data loss on a FAT file system due to bad sectors or other errors. This can be addressed by running disk utilities to check for and repair errors on the drive.
    3. Malware: Malware can also cause data loss on a FAT file system. This can be addressed by keeping anti-virus software up to date and regularly running scans to detect and remove malicious software.
    4. Power Outages: Power outages can cause data loss on a FAT file system due to sudden shutdowns. This can be addressed by using an uninterruptible power supply (UPS) to provide power during outages.
  • How does the algorithm used for FAT data recovery differ from those used for other file systems, such as NTFS or HFS+?

    The algorithm used for FAT data recovery is different from those used for other file systems because it is designed to recover data from FAT file systems specifically. It is optimized to work with the specific structures of the FAT file system, such as the File Allocation Table (FAT) and the Directory Table, to locate and recover lost or deleted files. It is not designed to work with other file systems such as NTFS or HFS+, which have different structures and require different algorithms for data recovery.

  • What role do clusters play in the FAT file system, and how are they utilized in data recovery?

    Clusters are the basic unit of storage in the FAT file system. They are used to store data and are composed of a set of sectors. When a file is created, the operating system assigns a cluster to the file and then stores the data in that cluster. Clusters are also used to keep track of which files are stored on which physical locations on the disk.
    In data recovery, clusters are used to identify and recover lost files. When a file is deleted, its cluster is marked as free space and the data in the cluster is no longer accessible. By scanning through the disk, data recovery software can identify clusters that are marked as free space and attempt to reconstruct the original file from the data stored in those clusters.

Comments (11)

  • Bob Burkinshaw
    Bob Burkinshaw 5.09.2013 03:51 #
    How can users choose a reliable data recovery tool for FAT file systems, and what factors should they consider when selecting a tool?
    Reply
    • Hetman Software
      Hetman Software 5.09.2013 04:26 #
      1. Users should consider the reputation of the data recovery tool before selecting it. They should read reviews and check the ratings of the tool to make sure it is reliable and trustworthy.
      2. Users should also consider the features and capabilities of the data recovery tool. A reliable data recovery tool should be able to recover files from FAT file systems as well as other file systems such as NTFS, HFS, and EXT.
      3. Users should also consider the price of the data recovery tool. A good data recovery tool should be reasonably priced and offer a money-back guarantee in case the tool fails to recover the data.
      4. Lastly, users should check the technical support offered by the data recovery tool. A reliable data recovery tool should provide timely and effective customer support in case of any issues.
      Reply
  • Bryan Collings
    Bryan Collings 5.09.2013 00:08 #
    What are some of the best practices for preventing data loss on a FAT file system, and how can users protect their data from accidental deletion or corruption?
    Reply
    • Hetman Software
      Hetman Software 5.09.2013 00:22 #
      1. Regularly back up your data. This can be done manually or with an automated backup system.
      2. Use antivirus and anti-malware software to protect against malicious software.
      3. Disable write caching on the hard drive to prevent data corruption.
      4. Use disk quotas to limit the amount of space a user can use on the file system.
      5. Set up user accounts with appropriate privileges to limit access to sensitive data.
      6. Use file encryption to protect sensitive data from unauthorized access.
      7. Regularly check the integrity of the FAT file system using a disk utility program.
      8. Disable auto-run features on removable media to prevent malicious software from running automatically.
      Reply
  • Antony Fitzroy
    Antony Fitzroy 4.09.2013 21:06 #
    How has the FAT file system evolved over time, and what impact has this had on data recovery techniques?
    Reply
    • Hetman Software
      Hetman Software 4.09.2013 21:34 #
      The FAT (File Allocation Table) file system has evolved over time to become more efficient, secure, and reliable. Initially, the FAT file system used a single table to store the information about the files and directories on a disk. This table was limited in size and could not handle large amounts of data. As technology advanced, the FAT file system evolved to use multiple tables to store more information. This allowed for larger amounts of data to be stored and managed more efficiently. Additionally, newer versions of the FAT file system incorporated features such as security, reliability, and error-checking. These advancements have had a positive impact on data recovery techniques. For example, newer versions of the FAT file system have improved data recovery tools that can scan and recover lost or corrupted files. Additionally, newer versions of the FAT file system are more secure, making it more difficult for malicious actors to gain access to data. Finally, newer versions of the FAT file system are more reliable, reducing the chances of data loss due to disk failure or other issues.
      Reply
  • Kenneth Triplett
    Kenneth Triplett 4.09.2013 16:58 #
    What are some of the limitations of FAT data recovery algorithms, and when might they not be effective in recovering lost data?
    Reply
    • Hetman Software
      Hetman Software 4.09.2013 17:33 #
      1. FAT data recovery algorithms are not designed to recover data from severely damaged or corrupt partitions. If the partition structure is too far gone, the data recovery process may not be successful.
      2. FAT data recovery algorithms are not designed to recover data from deleted or reformatted partitions. If the partition has been reformatted or deleted, the data recovery process may not be successful.
      3. FAT data recovery algorithms are not designed to recover data from partitions that have been overwritten or encrypted. If the partition has been overwritten or encrypted, the data recovery process may not be successful.
      4. FAT data recovery algorithms are not designed to recover data from partitions that have been physically damaged or have suffered from a hardware failure. If the partition has been physically damaged or has suffered from a hardware failure, the data recovery process may not be successful.
      Reply
  • Ivy Tomson
    Ivy Tomson 4.09.2013 13:55 #
    How can a fragmented file system impact the data recovery process, and what strategies can be used to address this issue?
    Reply
    • Hetman Software
      Hetman Software 4.09.2013 14:27 #
      A fragmented file system can make data recovery more difficult and time-consuming. When a file system is fragmented, the data is stored in multiple locations on the disk, making it more difficult to locate and recover the data. To address this issue, there are several strategies that can be used. First, it is important to regularly defragment the file system to reduce the amount of fragmentation. This will make it easier to locate and recover data from the disk. Additionally, backup systems should be used to store important data in case of data loss. Finally, disk imaging can be used to create a snapshot of the disk which can then be used to recover data in the event of a failure.
      Reply
  • Hetman Software: Data Recovery
    Hetman Software: Data Recovery 27.04.2018 11:33 #
    Read about deleted file searching in FAT file system. If you do have any questions, don't hesitate to contact our technical support service - we will be happy to help you.
    Reply
Post comment
User
Leave a reply
Your email address will not be published. Required fields are marked *

Recommended For You
This website uses cookies to improve your experience. Description
Hello! This is AI-based Hetman Software virtual assistant, and it will answer any of your questions right away.
Start Chat