In a File Allocation Table (“FAT”) file system each directory is implemented as a list of blocks, where each block includes 32 contiguous bytes. Each 32-byte block is referred to as a directory entry. The directory entries typically contain metadata about, and a pointer to, a file or directory that is in that directory. A directory entry begins and ends on a boundary that is a multiple of 32 bytes. An exemplary layout of a FAT directory entry 100 is shown in FIG. 1. As illustrated, the exemplary directory entry 100 includes a first character/allocation status byte 102, bytes 104 identifying characters 2-11 of the name of a file that is stored on a data store and that is referenced by the directory entry 100, an attribute byte 106, a reserved byte 108, bytes 110 identifying the creation time of the file referenced by the directory entry 100, bytes 112 identifying the last time the file was accessed, bytes 114 identifying the upper storage address for the file stored in the data store, bytes 116 identifying the last time the file was written to, bytes 118 identifying the lower storage address for the file stored in the data store, and bytes 120 identifying the size of the file. Each of these fields provides some metadata describing the file or directory.
When, for example, a file or directory is deleted, a disk is formatted, or other write event occurs, directory entries may be abandoned or lost, from the point of view of the FAT file system. For purposes of forensic analysis of a data store, however, directory entries hold valuable file metadata and may even point to an intact or semi-intact file that has not yet been overwritten.
Many forensic and file recovery tools currently use a very basic approach to lost file recovery for FAT file systems. One common method is to narrow the region of the data store that is searched for possible directory entries. This approach leads to a low number of false positives, but has been proven to miss important data that lies beyond the algorithm's scope. Another common method is to exhaustively search all unallocated areas of a disk for directory entries. Since it is very difficult to validate whether a given 32-byte block is or is not a directory entry, this approach generates a high number of false positives. This approach will find all critical data, but analysis or recovery based on this data may be difficult or even impossible due to the high number of false positives.
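The entry layout of FIG. 1 and the validation problem just described, worked through as an added example that is not part of this application: a Python decoder for the 32-byte entry together with the kind of cheap plausibility check a carving tool can apply to every 32-byte-aligned block before accepting it. The field offsets are the standard FAT short-entry layout, and the sample entry and filler bytes are constructed for the example.

```python
import struct

# Field layout of the 32-byte FAT directory entry: name (11 bytes, byte 0 doubling as
# allocation status), attribute, reserved, creation time (tenths + time + date), last
# access date, first-cluster high word, write time + date, first-cluster low word, size.
ENTRY = struct.Struct("<11sBBBHHHHHHHI")          # little-endian, 32 bytes total
DELETED, END_OF_DIR, LFN_ATTR = 0xE5, 0x00, 0x0F
NAME_OK = set(range(0x20, 0x7F)) - set(b'"*+,/:;<=>?\\[]|')  # legal 8.3 name bytes

def _valid_date(d):  # bits 15-9 year-1980, 8-5 month, 4-0 day; 0 means unset
    return d == 0 or (1 <= ((d >> 5) & 0xF) <= 12 and 1 <= (d & 0x1F) <= 31)

def _valid_time(t):  # bits 15-11 hour, 10-5 minute, 4-0 seconds/2
    return (t >> 11) < 24 and ((t >> 5) & 0x3F) < 60 and (t & 0x1F) < 30

def looks_like_entry(block: bytes) -> bool:
    """Plausibility test that rejects most non-entry blocks during a carve."""
    if len(block) != 32 or block[0] == END_OF_DIR:
        return False
    name, attr, _, tenth, ctime, cdate, adate, _, wtime, wdate, _, size = ENTRY.unpack(block)
    if attr & 0xC0 or attr == LFN_ATTR or tenth > 199:  # reserved bits, LFN layout, bad tenths
        return False
    first_ok = name[0] in (DELETED, 0x05) or name[0] in NAME_OK  # 0x05 escapes a leading 0xE5
    names_ok = first_ok and all(c in NAME_OK for c in name[1:])
    times_ok = all(map(_valid_date, (cdate, adate, wdate))) and all(map(_valid_time, (ctime, wtime)))
    size_ok = not (attr & 0x10) or size == 0  # a subdirectory entry always records size 0
    return names_ok and times_ok and size_ok

def parse_entry(block: bytes) -> dict:
    """Decode a 32-byte block into its metadata fields."""
    name, attr, _, tenth, ctime, cdate, adate, hi, wtime, wdate, lo, size = ENTRY.unpack(block)
    deleted = name[0] == DELETED
    base = ((b"?" if deleted else name[:1]) + name[1:8]).rstrip().decode("latin-1")  # char 1 is lost
    ext = name[8:].rstrip().decode("latin-1")
    return {"status": "deleted" if deleted else "allocated", "name": base + ("." + ext if ext else ""),
            "attr": attr, "created": (cdate, ctime, tenth), "accessed": adate,
            "written": (wdate, wtime), "first_cluster": (hi << 16) | lo, "size": size}

def carve_entries(data: bytes):
    """Walk a buffer on 32-byte boundaries and yield (offset, entry) for plausible blocks."""
    for off in range(0, len(data) - 31, 32):
        if looks_like_entry(data[off:off + 32]):
            yield off, parse_entry(data[off:off + 32])

# Constructed sample: a deleted README.TXT (archive, 2020-03-15 09:30:00, cluster 10, 1234 bytes)
# between two blocks of 0xFF filler, which carry no valid entry.
SAMPLE_DELETED = ENTRY.pack(b"\xe5EADME  TXT", 0x20, 0, 0, 19392, 20591, 20591, 0, 19392, 20591, 10, 1234)
SAMPLE_BUFFER = bytes([0xFF] * 32) + SAMPLE_DELETED + bytes([0xFF] * 32)
```

Running `list(carve_entries(SAMPLE_BUFFER))` returns only the entry at offset 32; the filler blocks fail the attribute and name checks, which is the kind of filtering an exhaustive unallocated-space search needs to keep its false-positive count manageable.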
There exists a need, therefore, for new and improved methods and systems of recovering directory and file data on a data store.