Hello, I'm sort of new to the exciting world of filesystem forensics. I'm
analyzing this relatively simple FAT16 image of a USB drive in TSK and
Autopsy, but there was something confusing. So after examining the FAT16
spec in detail and looking at the 32-byte directory entries in hex, I have
a question.

Some deleted files have two directory entries. I'm not talking about LFN
entries; I see those too. But the entries I'm talking about have attribute
value 0x20 (archive). These entries are very similar; both have the deleted
0x2E flag at byte 0. The dates are different, but the kicker is that one of the
entries has the six least significant bits (cluster address and file size)
set to all zeros. The other entry has real values that were the cluster
address and file size of the file.

Why does this happen? Does it have to do with LFN or something about file
deletion? Why are there two attribute 0x20 entries for the same file?
I would appreciate a hint here. Thanks.

Regards,
Alan
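A small parser for the 32-byte entries discussed in the post, added here as an example and not part of the original post or of TSK/Autopsy. Field offsets follow the FAT specification (byte 11 is the attribute byte, 0x0F marks an LFN slice, byte 0 set to 0xE5 marks a deleted entry, bytes 26-27 hold the first cluster and 28-31 the file size); the sample directory bytes, file names, dates and the helper names are constructed for this example. It walks a directory blob, separates LFN slices from 8.3 entries, groups deleted 8.3 entries that share a name, and reports which of a duplicate pair still carries a non-zero cluster and size, which is the one worth following when recovering the file's data.

```python
"""Walk raw FAT16 directory bytes, separate LFN slices from 8.3 entries,
and group deleted 8.3 entries that share a name. Offsets follow the FAT
spec; the sample directory at the bottom is constructed, not from a real image."""
import struct
from dataclasses import dataclass

ENTRY_FMT = "<11sBBBHHHHHHHI"  # 32 bytes, little-endian, no padding
ATTR_LFN = 0x0F
ATTR_MASK = 0x3F
DELETED = 0xE5       # byte 0 of a deleted (free) entry, per the FAT spec
END_OF_DIR = 0x00    # byte 0 of an entry after which nothing follows

@dataclass
class ShortEntry:
    name: str            # 8.3 name; '?' stands in for the byte lost on deletion
    deleted: bool
    attr: int            # 0x20 = archive, 0x10 = directory, ...
    write_date: tuple    # (year, month, day) from bytes 24-25
    write_time: tuple    # (hour, minute, second) from bytes 22-23
    first_cluster: int   # bytes 26-27 (FstClusHI at 20-21 is zero on FAT16)
    size: int            # bytes 28-31

def fat_date(year, month, day):
    return ((year - 1980) << 9) | (month << 5) | day

def fat_time(hour, minute, second):
    return (hour << 11) | (minute << 5) | (second // 2)  # 2-second resolution

def decode_date(v):
    return (1980 + (v >> 9), (v >> 5) & 0x0F, v & 0x1F)

def decode_time(v):
    return (v >> 11, (v >> 5) & 0x3F, (v & 0x1F) * 2)

def lfn_checksum(name11):
    """Checksum stored in each LFN slice to tie it to its 8.3 entry."""
    s = 0
    for c in name11:
        s = (((s & 1) << 7) + (s >> 1) + c) & 0xFF
    return s

def short_name(raw11):
    base = raw11[:8].rstrip(b" ").decode("ascii", "replace")
    ext = raw11[8:].rstrip(b" ").decode("ascii", "replace")
    return f"{base}.{ext}" if ext else base

def parse_entry(raw):
    """One 32-byte entry -> ShortEntry, ("lfn", deleted, text), or None at end."""
    if raw[0] == END_OF_DIR:
        return None
    if raw[11] & ATTR_MASK == ATTR_LFN:
        # 13 UTF-16 code units live at 1-10, 14-25 and 28-31; 0x0000 ends the
        # name and 0xFFFF pads the rest of the slice.
        text = (raw[1:11] + raw[14:26] + raw[28:32]).decode("utf-16-le", "replace")
        return ("lfn", raw[0] == DELETED, text.split("\x00", 1)[0].split("\uffff", 1)[0])
    (name, attr, _, _, _, _, _, _, wtime, wdate, clus_lo, size) = struct.unpack(ENTRY_FMT, raw)
    deleted = name[0] == DELETED
    if deleted:
        name = b"?" + name[1:]
    return ShortEntry(short_name(name), deleted, attr, decode_date(wdate),
                      decode_time(wtime), clus_lo, size)

def parse_directory(blob):
    out = []
    for off in range(0, len(blob) - 31, 32):
        e = parse_entry(blob[off:off + 32])
        if e is None:
            break
        out.append(e)
    return out

def group_deleted(entries):
    """Deleted 8.3 entries keyed by name, so duplicates stand out."""
    groups = {}
    for e in entries:
        if isinstance(e, ShortEntry) and e.deleted:
            groups.setdefault(e.name, []).append(e)
    return groups

def recoverable(entries):
    """Entries whose cluster and size are both non-zero, i.e. the ones that
    still point at data; a zeroed cluster/size pair points at nothing."""
    return [e for e in entries if e.first_cluster and e.size]

# --- constructed sample directory (hypothetical names, dates and clusters) ---
def _short(name11, attr, wdate, wtime, cluster, size):
    return struct.pack(ENTRY_FMT, name11, attr, 0, 0, wtime, wdate, wdate, 0,
                       wtime, wdate, cluster, size)

def _lfn(seq, text, checksum):
    padded = text + "\x00"
    u = (padded + "\uffff" * (13 - len(padded))).encode("utf-16-le")
    return (bytes([seq]) + u[:10] + bytes([ATTR_LFN, 0, checksum])
            + u[10:22] + b"\x00\x00" + u[22:26])

SAMPLE_DIR = (
    _lfn(DELETED, "report.txt", lfn_checksum(b"REPORT  TXT"))
    + _short(b"\xe5EPORT  TXT", 0x20, fat_date(2015, 3, 10), fat_time(14, 30, 0), 0, 0)
    + _short(b"\xe5EPORT  TXT", 0x20, fat_date(2015, 3, 12), fat_time(9, 5, 30), 3, 1234)
    + _short(b"NOTES   TXT", 0x20, fat_date(2015, 3, 12), fat_time(9, 6, 0), 5, 40)
    + b"\x00" * 32
)

if __name__ == "__main__":
    for name, dups in group_deleted(parse_directory(SAMPLE_DIR)).items():
        live = recoverable(dups)
        print(f"{name}: {len(dups)} deleted entries, {len(live)} with cluster/size")
```

Run against a directory dumped from an image (for example the bytes of a cluster that TSK reports as a directory), the grouping shows every name that has more than one deleted 8.3 entry and whether any of them still has a cluster number and size to follow; the LFN checksum lets you confirm which LFN slices belong to which 8.3 entry rather than trusting adjacency alone.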