CHAPTER 8 FILE RECOVERY: FINDING “LOST” IMAGES 105
The file allocation table, located next to the boot record, is a database that
associates clusters of disk space with files. For each cluster the FAT stores an
entry of 12, 16, or 32 bits. Because the first two entries are reserved for the
filesystem, the third entry and those following are assigned to clusters of disk
space, which catalog the entire data area.
This complex system is designed to keep track of files that are not stored
contiguously; in other words, files are often split into pieces and stored in
separate, noncontiguous clusters in the data area. The operating system must know
where a file’s pieces are located in the data area. This is the task of the File
Allocation Table (FAT).
For any cluster used by a file that is not the file’s last cluster, the FAT entry
will contain the number (that is, the location) of the next cluster used by the
file. When a program asks the operating system (OS) to provide the content of a
file, the OS reads the first cluster of a file. It then looks at the corresponding
first cluster entry in the FAT and finds where the file continues (the file’s next
cluster number). Now the OS reads the associated cluster in the data area. After
this cluster is read, the OS repeats the entry check until the whole file is read.
This process is called “reading the FAT chain.”
FAT entries may contain special values called flags, which indicate whether the
cluster is occupied, free, or in some other condition. Here are some examples of
flags for a FAT16 system:
■ 0000H. The cluster contains one or more sectors that are physically damaged
and should not be used.
■ FFF7H. This cluster is the final cluster in the file.
■ FFF8-FFFFH. End of File (EOF).
But how does the OS know what files are on the disk and where to find the first
cluster of a file? This is the reason for the directory entries, which are also
stored in the data area. Each directory entry has a size of 32 bytes and includes
information about the file or directory name, size, first cluster number, and its
attributes.
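
The lookup described above, from directory entry to FAT chain, as an added Python example that is not part of the original chapter. The FAT table, the file name, and the 2,048-byte cluster size are constructed sample values; the field offsets (first cluster at byte 26, size at byte 28) are those of the standard 32-byte FAT directory entry.

```python
import struct

EOF_MIN = 0xFFF8          # FFF8h-FFFFh marks End of File in FAT16
FIRST_DATA_CLUSTER = 2    # FAT entries 0 and 1 are reserved for the filesystem

def parse_dir_entry(raw):
    """Decode the fields of one 32-byte directory entry needed to find a file."""
    if len(raw) != 32:
        raise ValueError("a directory entry is exactly 32 bytes")
    first_cluster, size = struct.unpack_from("<HI", raw, 26)
    name = raw[0:8].decode("ascii").rstrip()
    ext = raw[8:11].decode("ascii").rstrip()
    return {"name": f"{name}.{ext}" if ext else name, "attr": raw[11],
            "first_cluster": first_cluster, "size": size}

def read_fat_chain(fat, first_cluster):
    """Follow 16-bit FAT entries from first_cluster until an End of File value."""
    entries = len(fat) // 2
    chain, cluster = [], first_cluster
    while True:
        # A link that points outside the data clusters means the chain is broken.
        if not FIRST_DATA_CLUSTER <= cluster < entries:
            raise ValueError(f"entry {cluster:#06x} is not a usable data cluster")
        # A revisited cluster means a corrupted, cyclic chain: stop, do not spin.
        if cluster in chain:
            raise ValueError(f"FAT chain loops back to cluster {cluster}")
        chain.append(cluster)
        (nxt,) = struct.unpack_from("<H", fat, cluster * 2)
        if nxt >= EOF_MIN:
            return chain
        cluster = nxt

def chain_matches_size(chain, size, cluster_size):
    """A sound chain holds exactly ceil(size / cluster_size) clusters."""
    return len(chain) == -(-size // cluster_size)

# Constructed sample: a 10-entry FAT16 table holding one fragmented file
# stored in clusters 3 -> 4 -> 7 -> 8; the other entries are not part of it.
SAMPLE_FAT = struct.pack("<10H", 0xFFF8, 0xFFFF, 0, 4, 7, 0, 0, 8, 0xFFFF, 0)
# Constructed directory entry: 8.3 name, attribute byte, 14 bytes not used
# here, first cluster number (offset 26), file size in bytes (offset 28).
SAMPLE_ENTRY = b"IMG_0001JPG" + bytes([0x20]) + bytes(14) + struct.pack("<HI", 3, 7000)

if __name__ == "__main__":
    entry = parse_dir_entry(SAMPLE_ENTRY)
    chain = read_fat_chain(SAMPLE_FAT, entry["first_cluster"])
    print(entry["name"], chain, chain_matches_size(chain, entry["size"], 2048))
```

Comparing the chain length with the size recorded in the directory entry is a quick consistency check before trusting the clusters a chain returns.
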
At a higher level, operating systems such as DOS and Windows allow for two types of
drives: physical drives and logical drives. Physical drives are the actual physical
disk drives installed on your computer. Logical drives are sections on the physical
drive. A physical drive can have multiple logical drives. For example, you can
install a physical drive on your machine, then partition it into three logical
drives, if necessary.
Flash media rarely requires partitions or logical drives. It is basically used for
one thing, so multiple logical drives aren’t required. You will usually see only
one drive letter listed for it.