| FinalRecovery :: Recover file from FAT volume | 
|
Support Center |
|
|
|
Sales & Service Inquiry If you have any questions and concerns, please fill in the form below and we'll get back to you as soon as possible. |
In this section, we'll explain the principle of FAT file recovery, and the precondition of successful file recovery.
 |
To purchase file recovery, undelete software, please click here.
In FAT32 volume, drive space are divided to a series of blocks. These blocks are named Cluster. The file data are stored in a series of clusters. In order to locate file data in FAT32 file system, there are 2 data structures are introduced: FAT (file allocation table) and FDT (file directory table). FDT entry is a 32 bytes record. It contains information such as File Name, Attribute, File Size, and also the most important information - First Cluster Number of the file. FAT consists of a series of 4 bytes cluster numbers, and every cluster number is correspond to a cluster in the drive.
Now, let's analyze what will happen while file "child.jpg" was deleted:
| high word of cluster number | fat entries belong to the file | |||
| low word of cluster number | file size |
1. FDT entry before deletion
Offset |
0 |
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
|||||||||||||||||
00000000 |
43 |
48 |
49 |
4C |
44 |
20 |
20 |
20 |
4A |
50 |
47 |
20 |
18 |
B8 |
A5 |
5A |
C |
H |
I |
L |
D |
J |
P |
G |
Z |
||||||||
00000010 |
26 |
3A |
26 |
3A |
0D |
00 |
9A |
8C |
53 |
37 |
7C |
00 |
41 |
DF |
00 |
00 |
& |
: |
& |
: |
S |
7 |
A |
||||||||||
First Cluster Number = 0x000D007C
2. FAT entries before deletion
Offset |
0 |
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
|||||||||||||||||
003445E8 |
FF |
FF |
FF |
0F |
FF |
FF |
FF |
0F |
7D |
00 |
0D |
00 |
7E |
00 |
0D |
00 |
|||||||||||||||||
003445F8 |
7F |
00 |
0D |
00 |
FF |
FF |
FF |
0F |
FF |
FF |
FF |
0F |
FF |
FF |
FF |
0F |
|||||||||||||||||
Cluter Number Chain of the file: 0x000D007D, 0x000D007E, 0x000D007F, 0x0FFFFFFF. It means file "child.jpg" is stored in number 0xD007C, 0xD007D, 0xD007E and 0xD007F cluster. 0x0FFFFFFF is the termination flag of the Cluster Number Chain.
3. FDT entry after deletion
Offset |
0 |
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
|||||||||||||||||
00000000 |
E5 |
48 |
49 |
4C |
44 |
20 |
20 |
20 |
4A |
50 |
47 |
20 |
18 |
B8 |
A5 |
5A |
? |
H |
I |
L |
D |
J |
P |
G |
Z |
||||||||
00000010 |
26 |
3A |
26 |
3A |
0D |
00 |
9A |
8C |
53 |
37 |
7C |
00 |
41 |
DF |
00 |
00 |
& |
: |
& |
: |
S |
7 |
A |
||||||||||
First byte of FDT entry was changed to 0xE5. It means "child.jpg" has been deleted.
4. FAT entries after deletion
Offset |
0 |
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
|||||||||||||||||
003445E8 |
FF |
FF |
FF |
0F |
FF |
FF |
FF |
0F |
00 |
00 |
00 |
00 |
00 |
00 |
00 |
00 |
|||||||||||||||||
003445F8 |
00 |
00 |
00 |
00 |
00 |
00 |
00 |
00 |
FF |
FF |
FF |
0F |
FF |
FF |
FF |
0F |
|||||||||||||||||
The FAT entries of the file has been released.
5. Usually, the data of the file will not be cleared after deletion.
As you can see, although the first byte of the FDT entry has been changed, the FDT entry isn't cleared. File recovery software can find this FDT entry, and then pick up First Cluter Number and File Size from it. Following cluster numbers of the file cannot be taken because FAT entries of the file have been cleared during deletion procedure.
In above example, Bytes/Cluster = 16384, First Cluster Number is 0x000D007C, and File Size is 0x0000DF41(57153 bytes). This file occupied 4 clusters becase 57153/13684 = 3.488. File recovery software assume that 4 cluster numbers are consecutive, and the data of the lost file are stored in number 0xD007C, 0xD007D, 0xD007E and 0xD007F cluster. Now file recovery software can save the data of those clusters to a new file. Thus deleted file has been recovered successfully.
 |
To learn how to recover deleted file by using FinalRecovery, please click here. |
 |
To purchase FAT recovery, undelete software, please click here. |