Created: Saturday, 25 August 2018
Updated: Wednesday, 12 September 2018

Assume you use forensic software that has recovered the file system metadata of a deleted JPEG file from a FAT32-formatted volume with a cluster size of 2,048 bytes. The software shows that the recovered file has a starting cluster number of 90 and a logical size of 4585 bytes, whereas the physical size shown is 2,048 bytes. When you click on the entry, you see part of the picture. You examine its directory entry and find that its first byte has the value 0xE5.

If you would like to read more about FAT32 and forensics in general, I recommend the authoritative book in the field, File System Forensic Analysis by Brian Carrier. Be warned, though: it has quite a steep learning curve.

How would you comment on this discrepancy?
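To check the numbers in the scenario, the following Python sketch (an added example, not part of the original post) parses a constructed 32-byte FAT32 directory entry and compares the clusters that the logical size requires with the physical size the tool displays. The function names, the file name and the sample entry are assumptions made for illustration.

```python
import struct

CLUSTER_SIZE = 2048        # bytes per cluster, from the scenario
DELETED_MARKER = 0xE5      # first name byte of a deleted FAT directory entry
# name[11] attr ntres crt_tenth crt_time crt_date acc_date clus_hi
# wrt_time wrt_date clus_lo file_size  -> 32 bytes, little-endian
ENTRY_FMT = "<11sBBBHHHHHHHI"

def build_entry(name11, start_cluster, size):
    """Build a constructed short-name directory entry for the demo."""
    return struct.pack(ENTRY_FMT, name11, 0x20, 0, 0, 0, 0, 0,
                       start_cluster >> 16, 0, 0, start_cluster & 0xFFFF, size)

def parse_entry(raw):
    """Extract the fields that survive deletion from a 32-byte entry."""
    if len(raw) != 32:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    f = struct.unpack(ENTRY_FMT, raw)
    return {
        "deleted": raw[0] == DELETED_MARKER,
        "start_cluster": (f[7] << 16) | f[10],   # high word, low word
        "logical_size": f[11],
    }

def size_report(entry, physical_size, cluster_size=CLUSTER_SIZE):
    """Compare what the logical size requires with what the tool shows."""
    needed = -(-entry["logical_size"] // cluster_size)   # ceiling division
    shown = physical_size // cluster_size
    return {
        "clusters_needed": needed,
        "allocated_size": needed * cluster_size,
        "clusters_shown": shown,
        "bytes_not_covered": max(entry["logical_size"] - physical_size, 0),
        "mismatch": shown < needed,
    }

# Constructed sample: original first character overwritten with 0xE5.
SAMPLE = build_entry(b"\xE5ICTURE JPG", 90, 4585)

if __name__ == "__main__":
    entry = parse_entry(SAMPLE)
    print(entry)
    print(size_report(entry, physical_size=2048))
```

For the scenario it reports three clusters needed against one shown. That is consistent with FAT deletion, which leaves the starting cluster and size in the directory entry but clears the file's cluster chain in the FAT, so only the first cluster can be attributed to the file with certainty.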

