|
|
Storing files on FAT filesystem
On the FAT-series filesystems the information on a file is stored in the following way:
-
A short file name, file size, and the number of the first cluster containing file data are stored in the directory entry.
Additionally, the parts of a long file name (if any) may be stored in the additional records.
-
In the File Allocation Table starting with the first cluster specified in a directory entry there is a cluster chain containing
the information on where file content is located on a hard disk.
|
File deletion on FAT filesystem
What happens when you delete a file on the FAT filesystems (FAT16/FAT32):
- The first character of the short file name is overwritten with the character code E5h. In such a way the filesystem labels the file as deleted and the directory entry as available for reuse.
- The same character code E5h is also written to the additional records thus labeling a part of the long file name as deleted.
- The cluster chain of the corresponding file in the FAT table is overwritten with zeros.
|
Undelete on FAT filesystems
Thereby, undelete just boils down to removing the deletion mark for the particular file and restoring the cluster chain as good as possible.
You can remove such a mark just by replacing E5h character with any other character.
Obviously, it is better to replace it with the first character of the original file name.
You can get this missing character from the long file name, otherwise, just use an underscore ("_") as a replacement.
In a similar albeit little more complicated way, you can restore long file name records associated with the file.
On the assumption that the deleted file was not fragmented, the FAT table is updated with supposed values.
If you are not lucky and the file was fragmented, or one of the clusters is currently listed as occupied it is impossible to recover the file.
|
|