From ForensicsWiki
Revision as of 04:36, 17 November 2005 by Jessek (Talk | contribs) (Sigma used for deleted entries)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Recovering directory entries from FAT filesystems as part of Recovering_deleted_data can be accomplished by looking for entries that begin with a sigma 0xe5. When a file or directory is deleted under a FAT filesystem, the first character of its name is changed to sigma. The remainder of the directory entry information remains intact.