Re: [sleuthkit-users] two directory entries for same deleted file in FAT16
From: Brian C. <ca...@sl...> - 2005-03-01 06:09:58
On Feb 27, 2005, at 6:03 PM, Alan wrote:

> Some deleted files have two directory entries. I'm not talking about
> LFN entries, I see those too. But the entries I'm talking about have
> attribute value 0x20 (archive). These entries are very similar, both
> have the deleted 0x2E flag at byte 0. The dates are different, but the
> kicker is one of the entries has the six least significant bits
> (cluster address and file size) set to all zeros. The other entry has
> real values that were the cluster address and file size of the file.
>
> Why does this happen? Does it have to do with LFN or something about
> file deletion? Why are there two attribute 0x20 entries for the same
> file?

I noticed this same behavior when I was looking at the various FAT allocation strategies for the FSFA book. I found that Windows XP applications would create the basic entry with zero size and starting address and then create a second entry with the size and starting address. Creating a file from the command line or dragging and dropping wouldn't do it, but creating the file from a 'save' in an application would.

brian
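The pattern discussed in this thread, as an added example that is not part of the original message or of The Sleuth Kit: a Python scan of raw FAT directory bytes for deleted archive entries that share a name, where one has zero starting cluster and size and the other has real values. It assumes the standard 32-byte FAT short-name entry layout with 0xE5 as the deleted marker in byte 0; the function names and the sample directory are constructed for illustration.

```python
import struct
from collections import defaultdict

DELETED = 0xE5       # byte 0 of a deleted entry in the FAT on-disk format
ATTR_LFN = 0x0F      # attribute value marking a long-file-name entry
ATTR_ARCHIVE = 0x20

def parse_entries(raw):
    """Yield one dict per 32-byte short-name directory entry."""
    for off in range(0, len(raw) - 31, 32):
        rec = raw[off:off + 32]
        if rec[0] == 0x00:                    # end-of-directory marker
            break
        if (rec[11] & 0x3F) == ATTR_LFN:      # skip LFN entries
            continue
        wtime, wdate, cluster, size = struct.unpack_from("<HHHI", rec, 22)
        yield {"offset": off, "deleted": rec[0] == DELETED,
               "name_tail": rec[1:11],        # byte 0 is lost on deletion
               "attr": rec[11], "wtime": wtime, "wdate": wdate,
               "cluster": cluster, "size": size}

def find_zeroed_twins(raw):
    """Return (zeroed_offset, real_offset) pairs of deleted archive entries
    with the same name where only one carries a cluster and size."""
    groups = defaultdict(list)
    for e in parse_entries(raw):
        if e["deleted"] and e["attr"] == ATTR_ARCHIVE:
            groups[e["name_tail"]].append(e)
    pairs = []
    for entries in groups.values():
        zeroed = [e for e in entries if e["cluster"] == 0 and e["size"] == 0]
        real = [e for e in entries if e["cluster"] != 0 or e["size"] != 0]
        pairs += [(z["offset"], r["offset"]) for z in zeroed for r in real]
    return pairs

def make_entry(name11, attr, cluster, size, wtime=0x4000, deleted=False):
    """Build a constructed 32-byte entry for the sample directory."""
    rec = bytearray(32)
    rec[0:11] = name11
    if deleted:
        rec[0] = DELETED
    rec[11] = attr
    struct.pack_into("<HHHI", rec, 22, wtime, 0x3261, cluster, size)
    return bytes(rec)

# Constructed sample directory: LFN stand-in, zeroed twin, real twin, two others.
SAMPLE_DIR = b"".join([
    make_entry(bytes(11), ATTR_LFN, 0, 0, deleted=True),
    make_entry(b"REPORT  DOC", ATTR_ARCHIVE, 0, 0, deleted=True),
    make_entry(b"REPORT  DOC", ATTR_ARCHIVE, 0x0123, 20480, 0x4005, deleted=True),
    make_entry(b"NOTES   TXT", ATTR_ARCHIVE, 0x0200, 512),
    make_entry(b"OLD     TXT", ATTR_ARCHIVE, 0x0300, 100, deleted=True),
])
```

Entries are grouped on name bytes 1 to 10 because deletion overwrites byte 0, so two different files whose names differ only in the first character would also be paired and need a manual check.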