exFAT File Undeletion Utility
PROJECT INFORMATION
Project Title: exFAT File Undeletion Utility
Project Start Date: 2016/11
Project Completion Date: 2016/11
Field of Science or Technology: Software Engineering and Technology
Purpose of work
To achieve technological advancement for the purpose of creating new or improving existing materials, devices, products or processes.
Experimental Development:
Overcoming Uncertainties, Work Performed, Achievements, and Outcome
Part of our data recovery process involves imaging a storage device if it is unstable or contains potential data errors. exFAT is a file system format that is increasingly popular with digital cameras and video devices. Its block size (and hence its cluster size) is usually larger than the standard 512 bytes per sector used by the usual Windows storage device formats, in order to support large file system sizes. When the device is imaged to another storage medium (a hard disk or an image file), the non-standard block size is not recognized by Windows, and hence the recovery utilities we reviewed on the market were not successful in extracting large deleted files from this type of file system. We were required to develop a utility that would recognize the different block sizes and extract deleted video files from the client’s device image using the different parameters of exFAT.
In attempting to develop this utility, we were unsure, given the information we could find at the time, whether it was possible to fully recover a deleted file from a file system that had been in use for a period of time. The information we found indicated that some pointers and metadata were retained after deletion, but it was uncertain how much overwriting the file system would tolerate before reusing the deleted space.
We studied the manner in which the file system modified the FAT and metadata when a file was deleted. We found after some study that file metadata (file name, dates, file size, etc.) is still retained for a period of time and is only marked as available in the bitmap, but will eventually be overwritten if the directory space is needed. The FAT chain is also retained for a time after deletion, but it too eventually gets overwritten when the disk storage space is needed. From our observations, the FAT chain was retained longer than the file metadata.
Using file system data from a client recovery that contained deleted files, we found that the metadata for the files requested for recovery was missing. We then requested a sample video file from the video camera that produced the files and performed a scan. We created a utility that scanned for the video headers and recorded their locations. After matching the video headers with valid files that had not been deleted, we deduced that the remaining file headers belonged to video files that had previously been deleted. We matched these file start locations to the corresponding locations in the FAT, and if the FAT showed that a location was the beginning of a chain, the file was extracted on the assumption that the FAT was valid. The files were then tested, since there was no way to guarantee file integrity. The end result was a successful tool that is now used in daily operation.
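The procedure described above (reading the exFAT geometry from the boot sector so that non-512-byte sectors are handled, noting which directory entries are live and which have the in-use bit cleared, scanning the cluster heap for video headers, and extracting only those headers whose cluster is the head of a retained FAT chain) as an added Python example. This is not the utility described in this report; the boot-sector and directory-entry offsets follow the published exFAT layout, while the 4096-byte-per-sector test image, the MP4 "ftyp" header signature used as the video marker, and the root-directory contents it builds are constructed assumptions for illustration.

```python
import struct

EOC = 0xFFFFFFFF   # exFAT end-of-chain marker
BAD = 0xFFFFFFF7   # exFAT bad-cluster marker


def parse_boot_sector(img):
    """Read the geometry fields from the exFAT boot sector (spec offsets)."""
    if img[3:11] != b"EXFAT   ":
        raise ValueError("not an exFAT boot sector")
    fat_off, fat_len, heap_off, clusters, root = struct.unpack_from("<IIIII", img, 80)
    bps = 1 << img[108]                      # BytesPerSectorShift
    return {
        "bytes_per_sector": bps,
        "cluster_size": bps << img[109],     # SectorsPerClusterShift
        "fat_offset": fat_off * bps,         # byte offset of the first FAT
        "fat_entries": (fat_len * bps) // 4,
        "heap_offset": heap_off * bps,       # byte offset of cluster 2
        "cluster_count": clusters,
        "root_cluster": root,
    }


def cluster_offset(geo, n):
    """Byte offset of cluster n; the cluster heap begins at cluster number 2."""
    return geo["heap_offset"] + (n - 2) * geo["cluster_size"]


def read_fat(img, geo):
    n = min(geo["fat_entries"], geo["cluster_count"] + 2)
    return list(struct.unpack_from("<%dI" % n, img, geo["fat_offset"]))


def scan_root_dir(img, geo):
    """First clusters of live and deleted files from the root directory.
    Stream-extension entries are type 0xC0 while in use; deletion clears the
    in-use bit (0x80), leaving 0x40 with FirstCluster still at offset 20."""
    live, deleted = set(), set()
    base = cluster_offset(geo, geo["root_cluster"])
    for off in range(base, base + geo["cluster_size"], 32):
        if img[off] in (0xC0, 0x40):
            first = struct.unpack_from("<I", img, off + 20)[0]
            (live if img[off] == 0xC0 else deleted).add(first)
    return live, deleted


def find_video_headers(img, geo):
    """Clusters whose first bytes look like an ISO BMFF/MP4 'ftyp' box."""
    return [n for n in range(2, geo["cluster_count"] + 2)
            if img[cluster_offset(geo, n) + 4:cluster_offset(geo, n) + 8] == b"ftyp"]


def follow_chain(fat, start):
    """Walk a FAT chain; stop on EOC, bad/free entries or a loop."""
    chain, n = [], start
    while 2 <= n < len(fat) and n not in chain:
        chain.append(n)
        n = fat[n]
        if n in (EOC, BAD, 0):
            break
    return chain


def carve_deleted_videos(img):
    """Header scan plus FAT check: keep a header only if its cluster is not a
    live file's start and is the head of a chain that is still in the FAT."""
    geo, fat = parse_boot_sector(img), read_fat(img, parse_boot_sector(img))
    live, _ = scan_root_dir(img, geo)
    referenced = {v for v in fat[2:] if 2 <= v < len(fat)}  # mid-chain clusters
    cs, recovered = geo["cluster_size"], {}
    for n in find_video_headers(img, geo):
        if n in live or n in referenced or fat[n] == 0:
            continue  # live file, not a chain head, or chain already cleared
        chain = follow_chain(fat, n)
        recovered[n] = b"".join(img[cluster_offset(geo, c):cluster_offset(geo, c) + cs] for c in chain)
    return recovered


def build_test_image():
    """Constructed exFAT image with 4096-byte sectors (not a real camera dump)."""
    cs, clusters = 4096, 16
    img = bytearray(cs * (3 + clusters))        # boot region, one FAT sector, heap
    img[3:11] = b"EXFAT   "
    struct.pack_into("<IIIII", img, 80, 2, 1, 3, clusters, 2)  # FAT@2, heap@3, root=2
    img[108], img[109] = 12, 0                   # 4096 B/sector, 1 sector/cluster
    struct.pack_into("<H", img, 510, 0xAA55)
    fat = [0xFFFFFFF8, EOC] + [0] * clusters
    fat[2] = EOC                                 # root directory
    fat[3], fat[4] = 4, EOC                      # live video: 3 -> 4
    fat[5], fat[7], fat[8] = 7, 8, EOC           # deleted video A, fragmented: 5 -> 7 -> 8
    fat[10], fat[11] = 11, EOC                   # deleted video B: entry gone, chain retained
    struct.pack_into("<%dI" % len(fat), img, 2 * cs, *fat)   # cluster 12 keeps a cleared entry
    root = 3 * cs                                # root directory occupies cluster 2
    img[root] = 0xC0
    struct.pack_into("<IQ", img, root + 20, 3, 2 * cs)       # live stream entry
    img[root + 32] = 0x40
    struct.pack_into("<IQ", img, root + 52, 5, 3 * cs)       # deleted stream entry

    def write_video(chain, tag):
        for i, c in enumerate(chain):
            off = 3 * cs + (c - 2) * cs
            img[off:off + cs] = (tag + b"%02d" % i) * (cs // 4)
            if i == 0:
                img[off:off + 8] = struct.pack(">I", 24) + b"ftyp"   # fake ftyp box
    write_video([3, 4], b"LV")
    write_video([5, 7, 8], b"DA")
    write_video([10, 11], b"DB")
    write_video([12], b"XX")                     # header present, FAT entry already cleared
    return bytes(img)


if __name__ == "__main__":
    for start, data in carve_deleted_videos(build_test_image()).items():
        print("recovered deleted video starting at cluster %d, %d bytes" % (start, len(data)))
```

On the constructed image the carver recovers the fragmented deleted file at cluster 5 (whose directory entry still exists with the in-use bit cleared) and the file at cluster 10 (whose entry is gone entirely), skips the live file at cluster 3, and skips the header at cluster 12 because its FAT entry has already been cleared, so no chain can be trusted. As in the report, the recovered data still has to be opened and verified, because the FAT may have been partially reused.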