tags:

views:

326

answers:

4
+1  Q: 

Deleting files on FAT32 USB changes the first cluster information

i have made a file recovery software, which reads the FAT32 directory entry and identifies the first cluster of the file and attempts to recover the data, it is supposedly to be working fine however when i try on a fat32 usb disk the following happens.

The Cluster number assigned to a file when it is not deleted is different from the cluster number, immediately after it is deleted. I used Disk Investigator and Tune Up Undelete to verify this, none of them w.ere able to recover the file. It was the common problem that, usually upon deleting the file's name first character is changed to 0xE5 and rest remains intact, but this is changing it's cluster information too.

Any help? Can you try with your FAT32 USB and tell me what is happening?

My OS is Windows Vista, Pen Drive is Single Partition FAT32.

+1  A: 
nik  2009-07-18 04:48:47
Dueto that explanation you quoted, the _controller_ on the stick would perform this action, though, meaning the block numbering the OS (Windows) sees would NOT change.dlamblin's explanation is more likely the correct one here.
Thomas Tempelmann  2009-07-18 07:42:10
You are not seeing wear leveling because that happens at the physical level and not the logical level. See Thesis: Recovery of Deleted Data from Flash Memory Devices, James Regan, Naval Postgraduate School, Master's Thesis, 2009. http://simson.net/clips/students/09Sep_Regan.pdf
vy32  2009-09-24 17:47:31
@simsong, hmmm. Thanks for posting your recent research as a reference. Had not found any clear data on the subject and was under the impression that wear-leveling would interfere with software based recovery. Will check your thesis.
nik  2009-09-25 02:45:43
A: 

To put it shortly: in flash memory, when a block is written to, a cluster of blocks around that block must first be erased, then re-written with the changes to the block taken into account. Therefore, writing to a block whose neighbor is marked as unallocated (though you actually want that data later) might be causing the unallocated block to be written as zeros. Alternatively, the old block might be marked unallocated, and a new block in an already blank cluster could be written to with the changes, and then the block changes would get noted somewhere.

This behavior is not OS specific but actually handled by the USB device itself. We would therefore need to know what kind of device you're using, unless what you are saying is that this happens on all your USB flash devices, which wasn't clear in your question.

The long version is much better explained by Anand Shimpi in his now famous SSD Anthology article (E.G. in the degradation chapter); there's even a detailed follow up if you like that sort of thing.

dlamblin  2009-07-18 05:18:56
This is incorrect. The USB controller hides these physical effects and presents a logical level that is indistinguishable from magnetic storage. See Thesis: Recovery of Deleted Data from Flash Memory Devices, James Regan, Naval Postgraduate School, Master's Thesis, 2009. http://simson.net/clips/students/09Sep_Regan.pdf
vy32  2009-09-24 17:48:21
@simsong Hey I don't mind being corrected, especially if I am wrong, but I can't actually read a fricking post-doc thesis on the subject to figure out which of my three sentences is wrong. Could you summarize a correction for me? Otherwise I won't learn anything. Personally I suspect I'm not wrong and you simply misunderstood what I said because I was summarizing a kind of detailed process in a couple of lines of text.
dlamblin  2009-09-24 20:20:23
nik  2009-09-25 03:02:04
+2  A: 

Perhaps vista really is intentionally changing the first cluster field within the directory entry? What is it actually changing it to? You didn't post any examples with real numbers. If it's overwriting that field with some number like 0 or 0xFFFFFFFF in every case, that's a pretty sure sign Vista is intentionally destroying this information so you can't find the file. If it's changing that field, unnecessarily, to some other valid cluster number, well that's very strange.

Another thing you didn't mention is if the file's data is actually still physically on the disk in the cluster where it was originally located. Seeing actual sector dumps of what is physically stored in the old locations and new location (assuming the new value is a cluster number which really exists) would be interesting. If neither location has the actual file data, you could do a complete capture of all sectors and search. Is the file's original data even still on the drive in any cluster/sector at all?

I know this isn't much of an answer, but with so little information (and not much inclination to actually install Vista and try this stuff), this is about all I can do.

 2009-07-21 13:33:48
Thanks paul, i shall update you tomorrow with the findings.. As far as i remember.. It wasn't 0 or 0xFFFFFFFF, it was another cluster number, which i noticed was being assigned to every file i delete. I didn't check what happens if i delete two files at the same time. Also the physical data was always there at the original location.
Anirudh Goel  2009-07-21 16:42:29
A: 

You probably want to compare the code that you have written to the "icat" and "fls" programs that are part of SleuthKit, the open source computer forensics toolkit. Using SleuthKit you can easily find the directory entries for deleted FAT32 files and then icat the inodes. You can find SleuthKit at http://sleuthkit.org/

vy32  2009-09-24 17:49:36

related questions

.net system tray application to launch when a USB device is plugged in
Mounting/Unmounting USB disks on Windows
Getting gps data from blackberry (pearl) directly from usb interface
Drive a POS printer via USB in c#
How do I add support for a USB-based wireless adapter to an existing Fedora 9 installation?
Problem reading from a device with libusb
USB Driver Development on a Mac using Python
How can I do bi-directional communication with a custom USB device?
How to Execute an application in XP when a particular type of USB device is attached
How do I program a driver for a USB device for windows platform?
How to programatically unplug & replug an arbitrary USB device?
how to determine USB Flash drive manufacturer?
how to find usb drive letter?
How to sniff usb port under Windows?
Using a USB controller as auxiliary keyboard for Visual Studio
Approve USB device after insertion
Safe remove USB-Drive using Win32 API?
Access USB with Java, in order to find thumbdrive manufacturer's serial#/unique-ID
How do I figure out which /dev is a USB device?
Working with USB devices in .NET
Can USB devices directly access hardware?
Windows XP support for Remote NDIS
How should I configure grub for booting linux kernel from a USB hard drive?
Find out which process has an exclusive lock on a USB device handle
Managing Consistant Mounting of External USB Hard Drives in Linux (Centos 5)