File Recovery software and Defining Cluster Chains on FAT16

User's guide:

Example of defining cluster chains on FAT16

Here is a further examination in this example for a deleted file called MyFile.txt (from a previous example).

Here is a scanned folder which contains a record for this file:

0003EE60 E5 4D 00 79 00 46 00 69 00 6C 00 0F 00 BA 65 00 aM.y.F.i.l...?e.
0003EE70 2E 00 74 00 78 00 74 00 00 00 00 00 FF FF FF FF ..t.x.t.....yyyy
0003EE80 E5 59 46 49 4C 45 20 20 54 58 54 20 00 C3 D6 93 aYFILE TXT .AO"
0003EE90 56 2B 56 2B 00 00 EE 93 56 2B 03 00 33 B7 01 00 V+V+..i"V+..3·..

The size of the deleted file can be calculated based on the root entry structure. The last four bytes are 33 B7 01 00. By converting them to a decimal value (changing the byte order), the result is 112435 bytes. The previous 2 bytes (03 00) is the number for the first cluster of the deleted file. Repeating the conversion operation, the result is 03 - this is the start cluster of the file.

This is what is in the File Allocation Table for the above example:

Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
00000200 F8 FF FF FF FF FF 00 00 00 00 00 00 00 00 08 00 oyyyyy..........
00000210 09 00 0A 00 0B 00 0C 00 0D 00 FF FF 00 00 00 00 ..........yy....
00000220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

Zeros! This is good - it means that these clusters are free, i.e. the file has most likely not been overwritten by another file's data. Now, with the chain of clusters, 3, 4, 5, 6, the file is ready to be recovered.

Some explanations:

By starting to look from offset 6 (because each cluster entry in FAT16 takes 2 bytes), the file starts from the 3rd cluster, i.e. 3*2=6.
Consider the 4 clusters because the cluster size on the drive is 32 Kb, the file size is 112, 435 bytes, i.e. 3 clusters*32Kb = 96Kb plus a little more.
It is assumed that this file was not fragmented, i.e. all clusters were located consecutively. 4 clusters were needed, and 4 free consecutive clusters were found. The assumption seems reasonable although realistically it may be not always be true.

Note

There are many cases where a file's data cannot be successfully recovered because a cluster's chain cannot be defined. This mostly occurs when other data (files, folders) are written onto the same drive where deleted files exist. Attempting to recover such a file may result in a warning to appear as in with Active@ File Recovery.

You can try to define a cluster chain manually by using low-level disk editors; however, it's much simpler to use a data recovery tools, like Active@ File Recovery.

Example of defining cluster chains on FAT16

Example of defining cluster chains on NTFS

This document is available in PDF format,
which requires Adobe® Acrobat® Reader
(Free download):

USER'S GUIDE (PDF)

Define cluster chains

User's guide:

Example of defining cluster chains on FAT16

Note