After examining PC-based and server-based partitions, the author describes file allocation table
(FAT), NTFS, and Unix file systems, and illustrates the manual analysis of example disk images.
The operating system keeps track of all this in a file allocation table
(FAT), but when you delete a file, you are only deleting the entry in the FAT.
About the time we finally get to feel comfortable with one set of acronyms, another batch of FATs (file allocation table
), BSAs (Business Software Alliance) and SAPs (service access point) comes along to muddle our thinking.
The index (called a File Allocation Table
, or FAT, file) reassembles chapters and pages in the right order by using page number locators or "pointers." Logically accessible data is the easiest data to review, and the investigator will normally examine it first.
"There's a master directory in the computer called the File Allocation Table
. All delete does is remove your file from [it] and tells the operating system that this corner of the disk is available to be rewritten.
Most older computers running DOS or Windows organize their hard disks with a 16-bit File Allocation Table
FAT 32 (File Allocation Table
) uses smaller clusters (4KB) than FAT 16, which uses 16KB.