Remember that a FAT directory is just a special file entry; it exists on a FAT file system as a file entry but in terms of recovery exists just as a file.You can recover a deleted FAT partition by finding the first sector of the partition and using your forensic tools to reconstruct it. For a FAT partition, the first sector, or the volume boot sector, of the file system will begin with ëX MSDOS or ëR MSWIN4.1 and end with hex characters 55 AA. For FAT32, a backup of the volume boot sector also is
present, so if the volume boot sector is overwritten or physically damaged you can still recover the partition.
Recover FAT Partitions in EnCase
Here’s how you can recover FAT partitions using EnCase:
- Load your image in EnCase.
- Create a new keyword: MSWIN4.1
- Search the image for the keyword you just created.
- View the hits in the disk view.
- If the last four hexadecimal characters of the sector are 55 AA, right-click the sector in the disk view and choose Add Partition, as shown in Figure 6-2.
- In the Add Partition dialog box, accept the defaults and click OK as shown below
Recover FAT Partitions in SMART
- To recover FAT partitions using ASR Data’s SMART, simply load your image into SMART.
- The program will scan the image and find the partitions itself.