RE: [sleuthkit-users] Opening Application Files
From: Barry J. G. <bg...@im...> - 2005-04-21 17:11:15
On Thu, 2005-04-21 at 08:56 -0700, Brian Starr wrote:
> Are there any tools that can recover fat32 fragmented files from unallocated
> disk space, outside of what foremost and the sorter can do?

Brian,

This is difficult at best. Consider what you are asking. If a file is deleted, or otherwise "unlinked" from its directory entry (in the case of a FAT system), then the ability of the recovery tool to "follow" the file fragments is severely hampered.

The file allocation table holds pointers that describe a particular file's cluster location(s). While (IIRC) the starting cluster is normally not zeroed from the dir entry, the remaining clusters *are* (talking about FAT here). This makes recovery of fragmented files difficult, *especially* if there are unallocated clusters from other (deleted) files intermixed with the one you are looking for. In that case, even having the starting cluster and the size of the file does not help. There's no way for the recovery tool to "follow the bread crumbs" around the remnants of other deleted files.

Tools like "dls" can help with this, but in most cases, only when the fragmented deleted file clusters are surrounded by *allocated* file clusters. In which case "icat -r" is easier anyway (assuming the inode/dir entry info is still there...)

I'm sure this does not help you much, but hopefully you can see why it's more difficult than it appears. If my explanation is "clear as mud", then just ignore the whole thing... ;-)

Barry

--
/***************************************
Special Agent Barry J. Grundy
NASA Office of Inspector General
Computer Crimes Division
Goddard Space Flight Center
Code 190 Greenbelt Rd.
Greenbelt, MD 20771
(301)286-3358
**************************************/
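
The situation described in the message above, as an added example that is not part of the original post: a toy FAT model (ToyFat, scenario and the cluster layout are constructed for illustration) in which a deleted file keeps its starting cluster and size but loses its chain. The recovery heuristic, taking the next unallocated clusters in order from the start cluster, is an assumption about how a start-plus-size recovery proceeds, not the code of any tool named above.

```python
# Toy FAT model (constructed for illustration; not a real FAT32 parser).
FREE, EOC = 0, 0x0FFFFFFF   # free marker and end-of-chain marker

class ToyFat:
    def __init__(self, nclusters):
        self.fat = [FREE] * nclusters    # FAT: next-cluster pointer per cluster
        self.data = [b""] * nclusters    # cluster contents
        self.dirents = {}                # name -> (start cluster, size in clusters)

    def write(self, name, clusters):
        """Store a file on an explicit, possibly fragmented, cluster list."""
        for i, c in enumerate(clusters):
            self.fat[c] = clusters[i + 1] if i + 1 < len(clusters) else EOC
            self.data[c] = f"{name}#{i}".encode()
        self.dirents[name] = (clusters[0], len(clusters))

    def delete(self, name):
        """FAT-style delete: chain entries are zeroed, dir entry keeps start and size."""
        c = self.dirents[name][0]
        while c != EOC:
            nxt = self.fat[c]
            self.fat[c] = FREE           # the pointer to the next fragment is lost here
            c = nxt

    def recover(self, name):
        """Assumed heuristic: from the start cluster, take the next unallocated clusters."""
        start, n = self.dirents[name]
        out, c = [], start
        while len(out) < n and c < len(self.fat):
            if self.fat[c] == FREE:      # allocated clusters are skipped
                out.append(self.data[c])
            c += 1
        return out

def scenario(other_deleted):
    """File A is fragmented around file B (clusters 4-5); optionally B is deleted too."""
    fs = ToyFat(12)
    fs.write("A", [2, 3, 6, 7])
    fs.write("B", [4, 5])
    fs.delete("A")
    if other_deleted:
        fs.delete("B")
    wanted = [f"A#{i}".encode() for i in range(4)]
    return fs.recover("A") == wanted

if __name__ == "__main__":
    print("B still allocated :", scenario(False))  # fragments bracketed by allocated clusters
    print("B also deleted    :", scenario(True))   # B's remnants are picked up instead
```

With B still allocated the gap is skipped and A comes back intact; once B is deleted as well, its clusters are indistinguishable from A's and the recovered stream contains B's data.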