Knowledgebase: E3
FAT Filesystem
Posted by Jack H. Ward, Last modified by Jack H. Ward on 02 February 2018 10:03 AM
File Properties

File properties are displayed in the Properties pane when the file is selected in the Data View pane. File properties are displayed both for existing and deleted files.


Each file has the following properties:

Property

Comments

Filesystem Attributes

Archive

This property is True for the files that were not archived.

When the backup software backs up ("archives") the file, it clears the archive bit (makes it zero). Any software that modifies the file subsequently, is supposed to set the archive bit. Then, the next time that the backup software is run, it knows by looking at the archive bits which files have been modified, and therefore which need to be backed up.

Directory

This property is False for the files.

This is the property that differentiates between entries that describe files and those that describe subdirectories within the current directory.

Hidden

This property is True if the file is Hidden.

Hidden files are hidden from an ordinary directory listing.

Read Only

This property is True if the file is Read Only.

The Read Only files cannot be edited or deleted in a common way.

System

This property is True for the system files.

The System file property is used to tag important files that are used by the system and should not be altered or removed from the disk.

General properties (displayed in the group with the File name)

Allocated Size (bytes)

The allocated length of a file is the amount of disk space the file is taking up. It is a multiple of the cluster size.

Checksum

The file control checksum.

Cluster

Number of the cluster from which the file begins.

Creation Time

File creation time.

Deleted

This property is Yes for the deleted files that were restored.

Directory

This property is always No for files.

Recursive

This property is always No for files.

Last Access Time

Time of the last access to the file.

Last Modification Time

Time of the last file modification.

Long Name

The full file name.

If the file name is not longer than 8 characters then the long filename is absent.

Short Name

The short (DOS) file name (8 characters file name+3 characters extension).

The short file name is always stored in capital letters.

Size (bytes)

File size in bytes.


Structure and Properties

When you click a node, its properties are displayed in the Properties pane. Depending on its type, a node will have the following properties:


Property name

Comments

File system node

Bytes per Cluster

Number of bytes per cluster in a logical disk

Bytes per Sector

Number of bytes per sector in a logical disk

Clusters Number

The number of clusters in a logical disk. Please note, that even if the folder is added as evidence this value corresponds to the entire logical disk.

FAT Sectors number

The number of sectors on logical disk

FAT Size (bytes)

The size of the disk in bytes

Sectors per Cluster

Number of sectors in each cluster

Total Sectors

Total number of sectors on a logical disk

Subfolder node

File System Attributes

Archive

This property is True for the folders that were not archived.

When the backup software backs up ("archives") the file, it clears the archive bit (makes it zero). Any software that modifies the file subsequently, is supposed to set the archive bit. Then, the next time that the backup software is run, it knows by looking at the archive bits which files have been modified, and therefore which need to be backed up.

Directory

This property is True for the folders.

This is the property that differentiates between entries that describe files and those that describe subdirectories within the current directory.

Hidden

This property is True if the folder is Hidden.

Hidden files are hidden from an ordinary directory listing.

Read Only

This property is True if the folder is Read Only.

The Read Only folders cannot be edited or deleted in a common way.

System

This property is True for the system folders.

The System file property is used to tag important folders that are used by the system and should not be altered or removed from the disk.

General properties (displayed in the group with the Folder name)

Allocated Size (bytes)

This value is 0 for the folders.

Checksum

The folder control checksum.

Cluster

Number of the cluster from which the folder begins

Creation Time

Folder creation time

Deleted

This property is Yes for the deleted folders that were restored.

Directory

This property is always Yes for the folders.

Recursive

If this property is Yes, then the folder is a link to the folder of the upper level.

Due to the specific of the Electronic Evidence Examiner interface all folders displayed in it have the Recursive property No.

Last Access Time

Time of the last access to the folder.

Last Modification Time

Time of the last folder modification.

Long Name

The full folder name

Short Name

The short (DOS) folder name (8 characters)

Size

Folder size (generally 0 for existing folders and 1024 for deleted folders)



Attachments 
 
 FAT.png (11.58 KB)
 FAT 2.png (6.75 KB)
(0 vote(s))
Helpful
Not helpful

Comments (0)