[sleuthkit-users] two directory entries for same deleted file in FAT16
From: Alan <ts...@as...> - 2005-02-27 23:04:45
Hello,

I'm sort of new to the exciting world of filesystem forensics. I'm analyzing this relatively simple FAT16 image of a USB drive in TSK and Autopsy, but there was something confusing. So after examining the FAT16 spec in detail and looking at the 32-byte directory entries in hex, I have a question.

Some deleted files have two directory entries. I'm not talking about LFN entries, I see those too. But the entries I'm talking about have attribute value 0x20 (archive). These entries are very similar, both have the deleted 0x2E flag at byte 0. The dates are different, but the kicker is one of the entries has the six least significant bits (cluster address and file size) set to all zeros. The other entry has real values that were the cluster address and file size of the file.

Why does this happen? Does it have to do with LFN or something about file deletion? Why are there two attribute 0x20 entries for the same file? I would appreciate a hint here.

Thanks.

Regards,
Alan
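As an added example (not code from the original post, from TSK or from Autopsy), the following Python parser decodes the 32-byte FAT directory entries the question describes and is run over a constructed directory cluster that reproduces the situation it asks about: two deleted archive (0x20) entries for the same short name, one with the first-cluster and file-size fields zeroed and one keeping the real values. It follows the FAT spec's layout (0xE5 in byte 0 marks a deleted entry; bytes 26-27 hold the first cluster and bytes 28-31 the file size, i.e. the last six bytes of the entry). The sample entries, their names, dates and cluster numbers are all constructed here and are not from the poster's image.

```python
import struct

# Layout of one 32-byte FAT directory entry (little-endian), per the FAT spec:
#   0..7   base name, 8..10 extension (space padded); byte 0 == 0xE5 marks the
#          entry deleted, 0x00 marks it free (and ends the directory)
#   11     attribute byte (0x20 archive, 0x0F long-file-name entry)
#   22..23 last-write time, 24..25 last-write date (packed DOS format)
#   26..27 first cluster, low word (the only word FAT16 uses)
#   28..31 file size in bytes
ENTRY_SIZE = 32
DELETED = 0xE5
ATTR_ARCHIVE = 0x20
ATTR_LFN = 0x0F


def dos_datetime(date, time):
    """Unpack FAT packed date/time words into a readable string."""
    year, month, day = 1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F
    hour, minute, second = time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2
    return "%04d-%02d-%02d %02d:%02d:%02d" % (year, month, day, hour, minute, second)


def parse_entry(raw):
    """Decode one 32-byte entry; returns None for a free entry."""
    if len(raw) != ENTRY_SIZE:
        raise ValueError("FAT directory entries are exactly 32 bytes")
    if raw[0] == 0x00:
        return None
    deleted = raw[0] == DELETED
    attr = raw[11]
    if attr & ATTR_LFN == ATTR_LFN:
        return {"kind": "lfn", "deleted": deleted}
    name = bytearray(raw[0:11])
    if deleted:
        name[0] = ord("_")  # first character was overwritten by 0xE5 on deletion
    base = name[0:8].decode("ascii", "replace").rstrip()
    ext = name[8:11].decode("ascii", "replace").rstrip()
    wtime, wdate, cluster, size = struct.unpack_from("<HHHI", raw, 22)
    return {"kind": "short", "deleted": deleted,
            "name": base + ("." + ext if ext else ""), "attr": attr,
            "written": dos_datetime(wdate, wtime),
            "cluster": cluster, "size": size}


def parse_directory(data):
    """Walk a raw directory cluster, stopping at the first free entry."""
    entries = []
    for off in range(0, len(data) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = parse_entry(data[off:off + ENTRY_SIZE])
        if e is None:
            break
        e["offset"] = off
        entries.append(e)
    return entries


def find_paired_deleted(data):
    """Group deleted archive entries by short name and report names that have
    both a zeroed entry (cluster == 0 and size == 0) and one keeping real values."""
    by_name = {}
    for e in parse_directory(data):
        if e["kind"] == "short" and e["deleted"] and e["attr"] & ATTR_ARCHIVE:
            by_name.setdefault(e["name"], []).append(e)
    pairs = []
    for name, group in by_name.items():
        zeroed = [e for e in group if e["cluster"] == 0 and e["size"] == 0]
        real = [e for e in group if e["cluster"] != 0 or e["size"] != 0]
        if zeroed and real:
            pairs.append((name, zeroed[0], real[0]))
    return pairs


def make_entry(name, ext, attr, wdate, wtime, cluster, size, deleted=False):
    """Build a constructed 32-byte entry for the sample directory below."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:8] = name.ljust(8).encode("ascii")
    raw[8:11] = ext.ljust(3).encode("ascii")
    if deleted:
        raw[0] = DELETED
    raw[11] = attr
    struct.pack_into("<HHHI", raw, 22, wtime, wdate, cluster, size)
    return bytes(raw)


# Constructed sample directory (not from any real image): one live file, one
# LFN entry, and two deleted archive entries for the same name, one of which
# has its cluster and size fields zeroed. Dates/clusters are made up.
D_2005_02_20 = ((2005 - 1980) << 9) | (2 << 5) | 20
D_2005_02_25 = ((2005 - 1980) << 9) | (2 << 5) | 25
T_10_30_00 = (10 << 11) | (30 << 5) | 0

SAMPLE_DIR = b"".join([
    make_entry("NOTES", "TXT", ATTR_ARCHIVE, D_2005_02_20, T_10_30_00, 3, 512),
    bytes([0x41]) + b"\x00" * 10 + bytes([ATTR_LFN]) + b"\x00" * 20,  # LFN stub
    make_entry("REPORT", "DOC", ATTR_ARCHIVE, D_2005_02_20, T_10_30_00, 0, 0, deleted=True),
    make_entry("REPORT", "DOC", ATTR_ARCHIVE, D_2005_02_25, T_10_30_00, 7, 4096, deleted=True),
    bytes(ENTRY_SIZE),  # free entry terminates the directory
])

if __name__ == "__main__":
    for name, zeroed, real in find_paired_deleted(SAMPLE_DIR):
        print("%s: zeroed entry @%d (written %s); real entry @%d cluster=%d size=%d (written %s)"
              % (name, zeroed["offset"], zeroed["written"],
                 real["offset"], real["cluster"], real["size"], real["written"]))
```

To use it on a real image, read the directory's cluster(s) out of the data area (for example the bytes `icat` or `blkcat` give you for that directory) and pass them to `find_paired_deleted`; the pairs it returns are the candidates to inspect in hex, and the `written` timestamps show which of the two entries is the newer one.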