We're talking about the exFAT file system in course 10. And in this module, module four, we're going to talk about file creation and deletion. Well, when we create a file in exFAT, what happens is the directory entry sets are created, and we took a look at those directory entry sets in the last module. The bitmap entries for the allocated clusters are set to one. The FATs get updated if any of the files are fragmented, and data gets written into the clusters, that cluster, that data area. When we delete a file, the directory entry set flags get set to not in use. And we did see that in our last walkthrough. The Bitmap entries for the clusters allocated to the file are set to 0. So the Bitmap entries get set to 0 and then the clusters are marked as available for use. The FATs may or may not be zeroed out, depending. The file directory data, the data that gets written out in the cluster heap, the actual data in the file, remains unchanged until it is overwritten by a new file. So that data stays there. The pointers to the data, the Bitmap entries, go away. The directory flags get set to Not in Use. The directories themselves will not be overwritten unless a new file directory entry occupies that same space. We're going to do a walkthrough. We're going to create a file and we're going to delete a file, and we're going to take a look at Active Disk Editor and see what happens when we do that. The items we're going to need for this walkthrough: we're going to need Active Disk Editor, our exFAT virtual hard drive, and Windows File Explorer. Let's begin our walkthrough. First thing we need to do: if your VHD is not attached, you need to attach it. You go to Actions, Attach VHD, navigate out to where you saved the exFAT VHD. You'd select it, click Open, and then click OK, and your VHD will mount. Once your VHD is mounted, make note of the drive number and the drive letter. The volume letter for mine is F; yours will probably be different.
Now let's open Windows File Explorer and navigate to the exFAT drive. We can see on there there should be two files, one called long file name and one called short file name. What we're going to do is we're going to create a file, so you can right-click, New, and we're just going to do a text document, and we can call this NewDoc_1. So once you've created it, let's open it up and put some data in it. You can write what you would like. I am just going to write "this is a new text document that I have created and will delete." And once you've done that, just save it. Close it, and you can go ahead and minimize File Explorer. Now we have Active Disk Editor open; we're going to go ahead and select Open Disk. We're going to navigate to volumes. So across the top toolbar here we're going to select volumes and we're going to find our exFAT volume. And we're going to double-click it; when you select it and click Open, it opens to our volume boot record in exFAT. Up here again on the top toolbar, we're going to select Browse File Records. If you don't see your file record there for your new file, go ahead and close and reopen Active Disk Editor. So close your exFAT volume, close Active Disk Editor and just go ahead and relaunch Active Disk Editor. Once you have relaunched Active Disk Editor you should see the file NewDoc.txt. And we're going to go ahead and take a look at the file record for that file, and we see we have our file records. Go ahead and set your template position. We have the directory entry record; below that we have our stream extension, and below that we have our file name entry, and we went over these in the last block. So here's all our information in our directory entry. We can see that the entry type is a hexadecimal 85, which tells us that is an allocated file. We have a secondary count, which tells us we have two more directory entries besides this one we're looking at. So we have two additional entries, and those are the stream and the file name.
We have our checksum for error checking. We have our file attributes, which, if we go ahead on the left-hand side and expand attributes, we can see that is an archive attribute. Remember, all these values are read little-endian. We have our reserved bytes, and then we're going to have our created date and time, our modified date and time, our last access date and time. Then we're going to have our created 10-millisecond refinement time, our last modified 10-millisecond refinement time. And we have our universal time code, our UTC offset: created, modified and last accessed. Moving down to our stream extension and set our template position. In our stream extension, we have our entry type, which tells us it is allocated because it is C0. Then we have our secondary flags. And if we go ahead and expand that, that's a packed byte, so we're going to have to look at the bits. And it's a three, so allocation is turned on and no FAT chain is turned on. So we do not have an entry in the FATs, which means this file is not fragmented and it is allocated. Then we have our name length, the number of characters in the file name. We have a name hash. We have our valid data length, which is our initialized file size, which is 63 bytes. Our reserved. Our first cluster number, which is cluster 18: hexadecimal 12, decimal 18. And we have again our file size, which is the actual size of the file, and we can see it's 63 bytes in length. Moving down to our file name entry, go ahead and set your template position again. We can see our file type described as hexadecimal C1, and we know that it's allocated by that; it's in use. Reserved. And then we have our file name. And we can see the file name in ASCII off to the right: NewText_1.txt. So let's go ahead and we're going to close this and we're going to go ahead and close Active Disk Editor. We're gonna bring up our File Explorer. Now we're going to select NewDoc_1.txt, or whatever you named our new document that we just created.
We're going to hold down our Shift key, right-click, and we're going to delete the file, and Windows is going to ask us if we're sure, and we're going to say Yes, and we no longer see the file there. Let's go ahead now and launch Active Disk Editor now that we've deleted our file. Once Active Disk Editor opens, select Open Disk. We're going to select volumes because we want to look at the exFAT volume. We're going to select our exFAT volume and click Open. Once our exFAT volume opens, it's going to take us to the volume boot record. But we're going to go ahead and open up Browse File Records, and we look in our file records; we no longer see the document NewTextFile_1.txt. So let's go ahead and take a look at the root directory. You can scroll down the root directory and locate some of the unallocated entries. And you can see them because we're looking for this hexadecimal 05, and I locate the directory entry for new text document down here. Then we see the 05 entry with additional entries of two more entries. And I see the 40 stream extension and the 41 file name, and we can see the file name in ASCII: NewDoc_1.txt is what I named the file. Now in Active Disk Editor, if I set template position, it is not reading this correctly. It reads the type and the secondary entry count, our checksum, our hash, but now we have custom defined. But we know these are our file times, and they're 4-byte, 32-bit MS-DOS timestamps. Read little-endian, these should be our created time, modified, last access, our millisecond time count for created, our millisecond time count for modified. And then we have our UTC universal time code offsets in the 15-minute increments. And we just have reserved bytes here at the end. These are three UTC offsets for created, modified, last accessed, and the remainder of the bytes are unused. Moving down to our stream extension, which is right here. I'm going to go ahead and set template position anyway, even though it's not going to read it correctly.
It does tell me the type, the entry type, and we can see that is an unallocated stream extension. I do have my secondary flags here, so I'm able to open them up and I can see that it is not fragmented. I can see that I have my name length, name hash. We need to find the starting cluster for this file. And so we'll find the offset to the starting cluster, which we know is 14. So we will go down one line and over 4, and this would be my starting cluster, and again this is a 4-byte value, read little-endian. So when I look down at my hex interpreter I can see my starting cluster is still cluster 18, and then we have our data length, which is 63 bytes. So cluster 18, let's see if the data is still there. So we're going to navigate out, and we have go to sector, but we want to go to cluster 18. So I'm going to type in 18 here, we're going to say okay, and we go out to cluster 18. We can see that our data is still there. This is a new text document that we created and we're going to delete. So here's our data out on the drive. So even though I permanently deleted this file, I used Shift+Delete, I didn't send it to the Recycle Bin, the data remains out on the drive and its directory entry for the most part remains intact. So if we wanted to recover this file we could, and we're going to talk about that in the next module. I just wanted to show you how the data changes when we delete a file. What happens to our directory entries? Also keep in mind that when we delete a file, not only do the directory entries change, but the Bitmap entries for the clusters are going to be set to 0. And if this were a fragmented file and it did have a FAT table entry, the FATs would be zeroed out. That directory entry will remain unchanged until we make a new file that occupies that space in the root directory. So that directory entry will be there until it is overwritten by a new file directory entry.
In our next module, we're going to take a look at exFAT file recovery and how we would go about recovering this file.
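
The entry-type change seen in the walkthrough (85/C0/C1 becoming 05/40/41, with the first cluster still readable at offset 0x14 of the stream extension) can be reproduced in a few lines. This is an added example, not part of the course material: the function names are hypothetical, and the directory bytes are a constructed sample with checksum, name hash and timestamps left at zero.

```python
import struct

IN_USE = 0x80  # high bit of the entry type byte: set = in use, clear = deleted

def build_entry_set(name, first_cluster, size):
    """Constructed sample set (name up to 15 chars): 0x85, 0xC0, 0xC1 entries."""
    # Checksum, name hash and timestamps are zero here; they are not needed below.
    file_entry = struct.pack("<BBHH26x", 0x85, 2, 0, 0x0020)  # 2 secondaries, archive
    stream = struct.pack("<BBxBHxxQ4xIQ", 0xC0, 0x03, len(name), 0,
                         size, first_cluster, size)  # flags 3: allocated + NoFatChain
    name_entry = struct.pack("<BB30s", 0xC1, 0x00, name.encode("utf-16-le"))
    return file_entry + stream + name_entry

def mark_deleted(entry_set):
    """What deletion does to the set: clear the in-use bit of each type byte."""
    out = bytearray(entry_set)
    for off in range(0, len(out), 32):
        out[off] &= ~IN_USE & 0xFF
    return bytes(out)

def parse_entry_sets(directory):
    """Walk 32-byte entries and return both in-use and deleted file entry sets."""
    found, off = [], 0
    while off + 32 <= len(directory):
        etype = directory[off]
        if etype == 0x00:                      # end-of-directory marker
            break
        end = off + 32 * (1 + directory[off + 1])
        if etype & 0x7F != 0x05 or end > len(directory):
            off += 32                          # not a File entry (0x85 / 0x05)
            continue
        rec, name_len = {"deleted": not etype & IN_USE, "name": ""}, None
        for s in range(off + 32, end, 32):
            e = directory[s:s + 32]
            if e[0] & 0x7F == 0x40:            # stream extension (0xC0 / 0x40)
                rec["no_fat_chain"], name_len = bool(e[1] & 0x02), e[3]
                rec["first_cluster"], rec["size"] = struct.unpack_from("<IQ", e, 0x14)
            elif e[0] & 0x7F == 0x41:          # file name (0xC1 / 0x41)
                rec["name"] += e[2:32].decode("utf-16-le", errors="replace")
        rec["name"] = rec["name"][:name_len]
        found.append(rec)
        off = end
    return found

live = build_entry_set("NewDoc_1.txt", first_cluster=18, size=63)
deleted = mark_deleted(live)
print([hex(deleted[i]) for i in (0, 32, 64)])
print(parse_entry_sets(deleted))
```

Only the three type bytes differ between `live` and `deleted`; the name, first cluster and data length parse identically from both.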