How to recover a broken FAT filesystem using FatCat

FatCat is a tool designed to manipulate FAT filesystems, in order to explore, extract, repair, recover and forensic them.

FatCat is developed and mantained by Grégoire Passault, and currently supports FAT12, FAT16 and FAT32.

(more information about FAT filesystem here)

Installation

# git clone https://github.com/Gregwar/fatcat && cd fatcat
# mkdir build && cd build
# cmake ..
# make
# make install

or, on Debian/Ubuntu:

# sudo apt install fatcat

Usage example

Now, using fatcat, let’s try to repair a broken FAT filesystem and recover orphaned files.

Repair a FAT filesystem

1: Backup

If you do have a broken hard drive, you will have to save everything before start a FAT repair.

You can either copy your data to another drive or to a file.
Assuming your damaged hard drive is /dev/sdb, you can do this using ddrescue:

$ ddrescue /dev/sdb disk.img rescued.log

Then you should backup your FAT tables to another file before trying to fix it using fatcat, this can be done with -b:

fatcat disk.img -b backup.fat

This will backup your FAT tables in backup.fat. You can at any moment restore it with -p:

fatcat disk.img -p backup.fat

Note that all operations below will only change your FAT, not your data.

2: Merge FAT tables

FAT tables in a broken disk could differ. You can compare them using -2:

fatcat disk.img -2

This will outputs the differences. You can then try to merge the tables using -m:

fatcat disk.img -m

This is not supposed to be very risked, and you could repair files using this.

3: Fix the FAT

Fatcat can autofix some parts of your FAT tables, to this, you can try -f:

fatcat disk.img -f

This will walk your directories and search for entries (directories or files) which are unallocated in the FAT. Then, it will try to fix the FAT to re-allocate these entries, assuming its contiguous in the disk.

4: Find orphan files/directories

This last step will explore allocated files that are not reachable from your directories.

You can use -o for this:

fatcat disk.img -o

5. Recover orphaned files

Now we’ve fixed the FAT, there may still have data on the disk that are still here but unreachable: there are still allocated, somewhere on the disk, but is no longer reachable, and its name does not exist anymore.

This kind of files and directory are called “orphaned data”

To find this data, fatcat will compare what’s reachable from the root directory (/) and what’s allocated on the disk, and will try to find directories that are allocated but not reachable.

This is done using -o:

$ fatcat disk.img -o
There is 1 orphaned elements:
* Directory clusters 33 to 33: 2 elements, 30B

Estimation of orphan files total sizes: 30 (30B)

Listing of found elements with known entry:
In directory with cluster 33:
f 27/10/2013 16:32:54 orphan_file.txt c=51 s=30 (30B)

This means that there is one directory found that is orphaned.
Now you can list its entry by using -L, which lists a directory using its cluster number:

$ fatcat disk.img -L 33
Listing cluster 33
Directory cluster: 33
d 27/10/2013 16:32:26 ./ c=33
d 27/10/2013 16:32:26 ../ c=0
f 27/10/2013 16:32:54 orphan_file.txt c=51 s=30 (30B)

Inside the orphaned directory there is also an orphan file in it, named orphan_file.txt.

You can use -R and -s, in order to read a file using its cluster number and its size (in this case we read 30 bytes of the file in cluster 51):

$ fatcat disk.img -R 51 -s 30

You can also extract the whole directory using -x and -c:

$ mkdir output/
$ fatcat disk.img -x output/ -c 33

References

Comments