We're talking about the exFAT file system here in Course 10, and in this module, module 5, we're going to talk about exFAT file recovery. To recover files in exFAT, we look for directory entries that were marked as not in use, because if we can find those unallocated directory entries, they give us all the information we need to recover the file. So we search for directory entry sets whose entry type byte has the in-use bit cleared. We search not only in the root directory but also in unallocated clusters; you would search unallocated space disk-wide to find those directory entries. Remember, if the parent folder is deleted, the child entries remain unchanged.

Once we locate the directory entry set, we use the information it contains to recover the file by carving: we have the file name, the file size and the starting cluster. You could also carve by file header, which we're going to cover later in this path, if you knew the type of file you were looking for, like a JPEG, a document or a PDF. We'll talk about that when we cover file headers and carving later on in this path.

We're going to do a short walk-through, and I'm going to show you how you would go about carving a file using the directory entry. The items we're going to need are Active Disk Editor and our exFAT VHD. We're going to search for unallocated directory entries, and then I'm going to show you how we would use that information to carve the file. So let's get started on our walk-through of exFAT file recovery.

The first thing we need to do is mount our exFAT virtual hard drive. We're going to go into Disk Management, go to "Action", then "Attach VHD", and browse to where the VHD is saved on our computer. We're going to select it; remember, it's named exFAT VHD.
We're going to go ahead and open it up and click "OK". Once you click "OK", the drive will mount. Once you've mounted your VHD, go ahead and minimize Disk Management, but before you do that, make note of the physical disk number and the volume letter (the drive letter). Mine is F; yours will probably be different on your computer. Let me go ahead and minimize Disk Management.

Please open up Active Disk Editor. When Active Disk Editor opens, we're going to select "Open Disk", and from the top menu bar we're going to select "Volumes", because we want to look at the logical volume, the exFAT volume. We're going to select our exFAT volume by the drive letter we noted in Disk Management and then click "Open". As you can see, by default it opens to the volume boot record, which is logical sector 0 of the volume. Now, in the toolbar right under "Edit" and next to "Unicode", we're going to open "Browse File Records". We can see all of our file records here, and we're looking for the root.

But before we go there, we need some information from this volume boot record. What I need to know is how many sectors per cluster. Remember, that information is over here at offset hexadecimal 6D. We go down six lines from the start (1, 2, 3, 4, 5, 6 lines down) and over to column D, and this is where our sectors per cluster is. We see the value is 03. If we remember back, that is a shift value: the sectors-per-cluster shift. The actual count is 2 to the power of N, where N is the number in the sectors-per-cluster shift field. Our number is 3, so it would be 2 to the power of 3. We don't really need a calculator for 2 to the power of 3: 2 times 2 is 4, times 2 is 8, so that's 8.
We have 8 sectors per cluster, and our bytes-per-sector shift, the byte just before it at offset hexadecimal 6C, was 9. That would be 2 to the power of 9, and we figured that out with our calculator: it was 512. So we have 512 bytes per sector and 8 sectors per cluster. We need to remember that information; you can write it down if you'd like to.

Now, let's go into our root directory. From up top, where we see our files listed, we're going to select the root folder, the root directory, and this is the directory. Remember, at the beginning of the root directory we see our volume label as the first entry, as on the other FAT file systems. Then, after our system entries, we start to see our directory entry sets, and we're looking for a directory entry set that starts with hexadecimal 05. Now, I can go ahead and look at these manually, which on a large drive is going to be quite tedious; most forensic tools will find these for you. Another way we could find them, which still gives us a lot of information, is to use the search feature and simply search for hexadecimal 05. We say "Find All" and give it a minute to run through. Once it runs through, we're going to have a lot of hits, because it finds every hexadecimal 05 byte on our drive, not just entry type bytes: you can see we have 193 hits. Let's scroll through those. We want to find the file we were working with before, which was newdoc1.txt, so we'll scroll through until we get to it, and once we get to it, we can see our hit right here. If we click on the root directory, it highlights in yellow all the 05 entries, which is a little more helpful to us. We see our entry right here, and we did pass this entry earlier, but we're going to take a look at it again. The main one I'm interested in is the one that starts with hexadecimal 05, because this is the file directory entry (85 with the in-use bit cleared).
If you remember, the file directory entry contains all the dates and times and their UTC offsets. To carve the file, I want to find the starting cluster, the file size and the file name. I'm going to go down to my stream extension entry, which is hexadecimal 40 (C0 with the in-use bit cleared), and from here I want to find my starting cluster. If you remember, to find our starting cluster, we go down one line and over four, to offset hexadecimal 14. It's a 4-byte value, and in our hex interpreter to the right we can see that the value is 18, so cluster 18 is going to be the start of this file. Now I need to look at the file size, so I'm going to take a look at the next four bytes. I highlight these 4 bytes and look at our hex interpreter: as a 32-bit unsigned value, it is 63.

Let's check it one more time. These four bytes right here, from offset hexadecimal 14 to 17, tell us the starting cluster, and it is cluster 18. My file size is in the bytes that follow, at offset hexadecimal 18, and remember this is read little-endian; the file size is 63 bytes. Because we highlighted four bytes, and each byte is eight bits, it's a 32-bit value, and it is an unsigned integer, so it is never a negative number. One caveat: the data length field in the stream extension entry is actually eight bytes long, so reading only the low four bytes gives the right answer for any file smaller than 4 GiB; for larger files, read all eight.

Now what I'm going to do is navigate to cluster 18. Go to "Navigation", then "Go to Sector", and down here choose "Cluster", not "Sector"; type 18 in that box and click "OK". This takes me out to where my file is. I'm going to right-click and tag this as "Beginning of Block". Now, in the FAT file systems we allocate space in clusters, so I know I need to go one full cluster, or eight sectors, down to find the end of the space allocated to this file. Everything after the 63 bytes of file data, from the byte I've highlighted right now, is file slack; all these zeros are file slack. The start of the file data is the beginning of my block.
Now I'm going to go down eight sectors, and I've reached the end of my file's cluster right here; I'm going to mark this as "End of Block". Now I have the entire space that was allocated to that file highlighted, and I could carve this out into a new file. To recover a file, we need to know the file size and the starting cluster, or the starting sector, depending on how you're navigating. That's one way we could do it. Another way, as I said, is to search by file header if we're looking for a certain type of file, and we will cover that later in the path under file carving. But this is how we would carve out our file.

Normally you would not change the data on the drive, but on a working copy you could undelete the file in place instead: set the in-use bit of each entry type byte in the directory entry set again (05 back to 85, 40 back to C0, 41 back to C1) and set the file's cluster bits in the allocation bitmap again. If the stream extension entry's NoFatChain flag is not set, you would also have to rebuild the FAT chain for a fragmented file. Normally, though, you would carve the way I just showed you if you are able to find an unallocated directory entry. If you can't find a directory entry that is still intact but no longer marked as in use, you would have to carve by file header, and that's how you would recover the file.

That is file recovery in the exFAT file system. In our next course, we're going to talk about creating a disk image and how we go about doing that.
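To make the walk-through concrete, here is an added Python example, not part of the course and not code from Active Disk Editor, that performs the same steps programmatically against a small constructed exFAT image: read the two shift values from the boot record, scan at 32-byte boundaries for a deleted entry set (05 file entry, 40 stream extension entry, 41 name entries), pull the name, first cluster and data length out of the stream extension entry, and carve the bytes from the cluster heap. The image, the file name newdoc1.txt, the 63-byte payload and the cluster numbers are constructed to mirror the walk-through; the boot-sector offsets 0x58 (ClusterHeapOffset) and 0x60 (FirstClusterOfRootDirectory) come from the exFAT boot sector layout and are assumptions beyond what the module itself shows.

```python
"""Recover a deleted exFAT file from its not-in-use directory entry set (added example)."""
import struct

ENTRY_SIZE = 32
# Entry type bytes with the in-use bit (0x80) cleared, as they appear after deletion.
DELETED_FILE, DELETED_STREAM, DELETED_NAME = 0x05, 0x40, 0x41


def parse_boot_sector(vbr: bytes) -> dict:
    """Read the geometry fields from an exFAT volume boot record."""
    if vbr[3:11] != b"EXFAT   ":
        raise ValueError("not an exFAT boot sector")
    bytes_per_sector = 1 << vbr[0x6C]      # BytesPerSectorShift (9 -> 512)
    sectors_per_cluster = 1 << vbr[0x6D]   # SectorsPerClusterShift (3 -> 8)
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": bytes_per_sector * sectors_per_cluster,
        "cluster_heap_offset": struct.unpack_from("<I", vbr, 0x58)[0],  # in sectors
        "root_cluster": struct.unpack_from("<I", vbr, 0x60)[0],
    }


def cluster_offset(geo: dict, cluster: int) -> int:
    """Byte offset of a cluster in the image; cluster numbering starts at 2."""
    if cluster < 2:
        raise ValueError("cluster numbers start at 2")
    return (geo["cluster_heap_offset"] * geo["bytes_per_sector"]
            + (cluster - 2) * geo["cluster_size"])


def find_deleted_entry_sets(data: bytes):
    """Yield (offset, name, first_cluster, size, contiguous) for every deleted entry
    set found at a 32-byte boundary anywhere in data (root dir or unallocated space)."""
    for off in range(0, len(data) - 2 * ENTRY_SIZE + 1, ENTRY_SIZE):
        if data[off] != DELETED_FILE:
            continue
        secondary_count = data[off + 1]
        stream = data[off + ENTRY_SIZE:off + 2 * ENTRY_SIZE]
        if stream[0] != DELETED_STREAM:
            continue
        contiguous = bool(stream[1] & 0x02)                  # NoFatChain flag
        name_len = stream[3]
        first_cluster = struct.unpack_from("<I", stream, 0x14)[0]
        size = struct.unpack_from("<Q", stream, 0x18)[0]     # DataLength is 8 bytes
        name = ""
        for i in range(2, secondary_count + 1):
            ent = data[off + i * ENTRY_SIZE:off + (i + 1) * ENTRY_SIZE]
            if len(ent) < ENTRY_SIZE or ent[0] != DELETED_NAME:
                break
            name += ent[2:].decode("utf-16-le")              # 15 UTF-16 units per entry
        yield off, name[:name_len], first_cluster, size, contiguous


def carve(image: bytes, geo: dict, first_cluster: int, size: int) -> bytes:
    """Carve size bytes starting at first_cluster (contiguous files only)."""
    start = cluster_offset(geo, first_cluster)
    return image[start:start + size]


def recover_deleted_files(image: bytes) -> dict:
    """Map file name -> carved bytes for every contiguous deleted file in image."""
    geo = parse_boot_sector(image[:512])
    recovered = {}
    for _, name, first, size, contiguous in find_deleted_entry_sets(image):
        if contiguous:   # fragmented files would need the FAT chain, not rebuilt here
            recovered[name] = carve(image, geo, first, size)
    return recovered


# Constructed 63-byte payload standing in for newdoc1.txt.
SAMPLE_PAYLOAD = b"constructed file body for the exFAT carving demo".ljust(63, b".")


def build_sample_image() -> bytes:
    """Constructed toy image: 512-byte sectors, 8 sectors/cluster, cluster heap at
    sector 24, root directory in cluster 4, deleted newdoc1.txt (63 bytes) in cluster 18."""
    heap_offset, root_cluster, file_cluster, name = 24, 4, 18, "newdoc1.txt"
    vbr = bytearray(512)
    vbr[0:11] = b"\xEB\x76\x90EXFAT   "
    struct.pack_into("<II", vbr, 0x58, heap_offset, 0)   # ClusterHeapOffset, ClusterCount
    struct.pack_into("<I", vbr, 0x60, root_cluster)
    vbr[0x6C], vbr[0x6D] = 9, 3                          # 2**9 = 512, 2**3 = 8
    geo = parse_boot_sector(bytes(vbr))

    def entry(entry_type, body=b""):
        return bytes([entry_type]) + body.ljust(ENTRY_SIZE - 1, b"\x00")

    # Stream extension layout: flags, reserved, name length, hash, reserved,
    # ValidDataLength, reserved, FirstCluster, DataLength.
    stream_body = struct.pack("<BBB2s2sQ4sIQ", 0x03, 0, len(name), b"\0\0", b"\0\0",
                              len(SAMPLE_PAYLOAD), b"\0" * 4, file_cluster, len(SAMPLE_PAYLOAD))
    root = (entry(0x83) + entry(0x81) + entry(0x82)      # label, bitmap, up-case table
            + entry(DELETED_FILE, bytes([2]))            # 2 secondary entries follow
            + entry(DELETED_STREAM, stream_body)
            + entry(DELETED_NAME, b"\x00" + name.encode("utf-16-le")))
    image = bytearray(cluster_offset(geo, file_cluster + 1))
    image[:512] = vbr
    root_off, data_off = cluster_offset(geo, root_cluster), cluster_offset(geo, file_cluster)
    image[root_off:root_off + len(root)] = root
    image[data_off:data_off + len(SAMPLE_PAYLOAD)] = SAMPLE_PAYLOAD
    return bytes(image)


if __name__ == "__main__":
    for fname, content in recover_deleted_files(build_sample_image()).items():
        print(fname, len(content), content[:32])
```

Run it as a script to see newdoc1.txt recovered with its 63 bytes; point `recover_deleted_files` at the bytes of a real exFAT volume image to scan it disk-wide. The scan deliberately matches only a 05 byte followed 32 bytes later by a 40 byte, which is why it produces far fewer false hits than a raw search for hexadecimal 05, and it skips files without the NoFatChain flag because their cluster chain would have to come from the FAT.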