Created: Saturday, 25 August 2018
Updated: Wednesday, 12 September 2018

Assume you use forensic software that has recovered the file system metadata of a deleted JPEG file from a FAT32-formatted volume with a cluster size of 2048 bytes. The software shows that the recovered file has starting cluster number 90 and a logical size of 4585 bytes, whereas the physical size shown is 2048 bytes. Clicking on the entry shows part of the picture. You look up its directory entry and find that its first byte has the value 0xE5.

If you would like to read more about FAT32 and forensics in general, I recommend the authoritative book in the field, File System Forensic Analysis by Brian Carrier. Be warned, though: it has quite a steep learning curve.

How would you comment about this discrepancy?
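
The scenario's numbers can be checked against the on-disk structure. The following is an added example, not code from the original post: it decodes a constructed 32-byte FAT32 directory entry carrying the values above and compares the logical size with what a given number of known clusters can hold. The file name, the function names and the `known_clusters=1` input (chosen to match the displayed 2048-byte physical size) are assumptions.

```python
import struct

DELETED_MARKER = 0xE5  # first byte of an unallocated FAT directory entry
CLUSTER_SIZE = 2048    # bytes per cluster, from the scenario


def parse_dir_entry(entry: bytes) -> dict:
    """Decode the fields of a 32-byte FAT32 short-name directory entry."""
    if len(entry) != 32:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    # 0x14: high 16 bits of first cluster; 0x1A: low 16 bits; 0x1C: file size
    (hi,) = struct.unpack_from("<H", entry, 0x14)
    lo, size = struct.unpack_from("<HI", entry, 0x1A)
    deleted = entry[0] == DELETED_MARKER
    # 0xE5 overwrote the first name character, so it is shown as "?"
    stem = entry[1:8] if deleted else entry[0:8]
    name = ("?" if deleted else "") + stem.decode("ascii").rstrip()
    return {
        "deleted": deleted,
        "name": name + "." + entry[8:11].decode("ascii").rstrip(),
        "first_cluster": (hi << 16) | lo,
        "logical_size": size,
    }


def size_report(meta: dict, known_clusters: int, cluster_size: int = CLUSTER_SIZE) -> dict:
    """Compare what the entry claims with what the known clusters can hold."""
    needed = -(-meta["logical_size"] // cluster_size)  # ceiling division
    covered = min(meta["logical_size"], known_clusters * cluster_size)
    return {
        "clusters_needed": needed,
        "allocated_size_expected": needed * cluster_size,
        "physical_size_known": known_clusters * cluster_size,
        "bytes_not_covered": meta["logical_size"] - covered,
    }


# Constructed entry: deleted "?ICTURE.JPG", archive attribute, cluster 90, 4585 bytes
SAMPLE_ENTRY = struct.pack("<11sB8xHHHHI", b"\xE5ICTURE JPG", 0x20, 0, 0, 0, 90, 4585)

if __name__ == "__main__":
    meta = parse_dir_entry(SAMPLE_ENTRY)
    # Assumption: only the starting cluster is attributable to the file
    print(meta)
    print(size_report(meta, known_clusters=1))
```

A 4585-byte file needs three 2048-byte clusters, so a physical size of 2048 bytes accounts for the starting cluster only, which is consistent with seeing just part of the picture.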



© 2012 - 2026 Armen Arsakian. Updated at Thursday 28 May 2026. Contact: contact at arsakian.com
