File: README.md

package info (click to toggle)
fatcat 1.0.5-1
  • links: PTS, VCS
  • area: main
  • in suites: bullseye, buster, jessie, jessie-kfreebsd, sid, stretch
  • size: 868 kB
  • ctags: 264
  • sloc: cpp: 2,102; php: 89; sh: 19; xml: 18; makefile: 5
file content (303 lines) | stat: -rw-r--r-- 7,766 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
# fatcat

![fatcat](docs/fatcat.jpg)

This tool is designed to manipulate FAT filesystems, in order to
explore, extract, repair, recover and forensic them. It currently
supports FAT12, FAT16 and FAT32.

[Tutorials & examples](docs/index.md)

## Building and installing

You can build `fatcat` this way:

```
mkdir build
cd build
cmake ..
make
```

And then install it:

```
make install
```

## Exploring

### Using fatcat

Fatcat takes an image as argument:

```
fatcat disk.img [options]
```

You can specify an offset in the file with `-O`, this could be useful if there is 
multiple partitions on a block devices, for instance:

```
fatcat disk.img -O 1048576 [options]
```

This will tell fatcat to begin on the 1048576th byte. Have a look to the [partition tutorial](docs/partition.md).

### Listing

You can explore the FAT partition using `-l` option like this:

```
$ fatcat disk.img -l /
Listing path /
Cluster: 2
d 24/10/2013 12:06:00  some_directory/                c=4661
d 24/10/2013 12:06:02  other_directory/               c=4662
f 24/10/2013 12:06:40  picture.jpg                    c=4672 s=532480 (520K)
f 24/10/2013 12:06:06  hello.txt                      c=4671 s=13 (13B)
```

You can also provide a path like `-l /some/directory`.

Using `-L`, you can provide a cluster number instead of a path, this may
be useful sometime.

If you add `-d`, you will also see deleted files.

In the listing, the prefix is `f` or `d` to tell if the line concerns a file or
a directory.

The `c=` indicates the cluster number, `s=` indicates the site in bytes (which
should be the same as the pretty size just after).

The `h` letter at the end indicates that the file is supposed to be hidden.

The `d` letter at the end indicates that the file was deleted.

### Reading a file

You can read a file using `-r`, the file will be wrote on the standard
output:

```
$ fatcat disk.img -r /hello.txt
Hello world!
$ fatcat disk.img -r /picture.jpg > save.jpg
```

Using `-R`, you can provide a cluster number instead of a path, but the file size
information will be lost and the file will be rounded to the number of clusters
it fits, unless you provide the `-s` option to specify the file size to read.

You can use `-x` to extract the FAT filesystem directories to a directory:

```
fatcat disk.img -x output/
```

If you want to extract from a certain cluster, provide it with `-c`.

If you provide `-d` to extract, deleted files will be extracted too.

## Undelete

### Browsing deleted files & directories

As explaines above, deleted files can be found in listing by providing `-d`:

```
$ fatcat disk.img -l / -d
f 24/10/2013 12:13:24  delete_me.txt                  c=5764 s=16 (16B) d
```

You can explore and spot a file or an interesting deleted directory.

### Retrieving deleted file

To retrieve a deleted file, simply use `-r` to read it. Note that the produced
file will be read contiguously from the original FAT system and may be broken.

### Retreiving deleted directory

To retrieve a deleted directory, note its cluster number and extract it like above:

```
# If your deleted directory cluster is 71829
fatcat disk.img -x output/ -c 71829
```

See also: [undelete tutorial](docs/undelete.md)

## Recover

### Damaged file system

Assuming your disk has broken sectors, you may want to do recovering on it.

The first advice is to make a copy of your data using `ddrescue`, and save your disk
to another one or into a sane file.

When sectors are broken, their bytes will be replaced with `0`s in the `ddrescue` image.

A first way to go is trying to explore your image using `-l` as above and check `-i` to
find out if `fatcat` recognizes the disk as a FAT system.

Then, you can try to have a look at `-2`, to check if the file allocation tables differs,
and if it looks mergeable. It is very likely that is will be mergeable, in this case, you
can try `-m` to merge the FAT tables, don't forget to backup it before (see below).

### Orphan files

When your filesystem is broken, there are files and lost files and lost directories that
we call "orphaned", because you can't reach them from the normal system.

`fatcat` provides you an option to find those nodes, it will do an automated analysis of your
system and explore allocated sectors of your filesystem, this is done with `-o`.

You will get a list of directories and files, like this:

```
There is 2 orphaned elements:
Directory clusters 4592 to 4592: 2 elements, 49B
File clusters 4611 to 4611: ~512B
```

You can then use directly `-L` and `-R` to have a look into those files and directories:

```
$ fatcat disk.img -L 4592
Listing cluster 4592
Cluster: 4592
d 23/10/2013 17:45:06  ./                             c=4592
d 23/10/2013 17:45:06  ../                            c=0
f 23/10/2013 17:45:22  poor_orphan.txt                c=4601 s=49 (49B)
```

Note that orphan files have an unknown size, this mean that if you read it, you will get
a file that is a multiple of the cluster sizes.

See also: [orphaned files tutorial](docs/orphan.md)

## Hacking

You can use `fatcat` to hack your FAT filesystem

### Informations

The `-i` flag will provide you a lot of information about the filesystem:

```
fatcat disk.img -i
```

This will give you headers data like sectors sizes, fats sites, disk label etc. It
will also read the FAT table to estimate the usage of the disk.

You can also get information about a specific cluster by using `-@`:

```
fatcat disk.img -@ 1384
```

This will give you the cluster address (offset of the cluster in the filesystem)
and the value of the next cluster in the two FAT tables.

### Backuping & restoring FAT

You can use `-b` to backup your FAT tables:

```
fatcat disk.img -b backup.fats
```

And use `-p` to write it back:

```
fatcat disk.img -p backup.fats
```

### Writing to the FATs

You can write to the FAT tables with `-w` and `-v`:

```
fatcat disk.img -w 123 -v 124
```

This will write `124` as value of the next cluster of `123`.

You can also choose the table with `-t`, 0 is both tables, 1 is the first and 2 the second.

### Diff & merge the FATs

You can have a look at the diff of the two FATs by using `-2`:

```
# Watching the diff
$ fatcat disk.img -2
Comparing the FATs

FATs are exactly equals

# Writing 123 in the 500th cluster only in FAT1
$ fatcat disk.img -w 500 -v 123 -t 1
Writing next cluster of 500 from 0 to 123
Writing on FAT1

# Watching the diff
$ fatcat disk.img -2
Comparing the FATs
[000001f4] 1:0000007b 2:00000000

FATs differs
It seems mergeable
```

You can merge two FATs using `-m`. For each different entries in the table,
if one is zero and not the other, the non-zero file will be choosen:

```
$ fatcat disk.img -m
Begining the merge...
Merging cluster 500
Merge complete, 1 clusters merged
```

See also: [fixing fat tutorial](docs/fat.md)

### Directories fixing

Fatcat can fix directories having broken FAT chaining.

To do this, use `-f`. All the filesystem tree will be walked and the directories
that are unallocated in the FAT but that fatcat can read will be fixed in the FAT.

### Entries hacking

You can have information about an entry with `-e`:

```
fatcat disk.img -e /hello.txt
```

This will display the address of the entry (not the file itself), the cluster reference
and the file size (if not a directory).

You can add the flag `-c [cluster]` to change the cluster of the entry and the flag
`-s [size]` to change the entry size.

See also: [fun with fat tutorial](docs/fun-with-fat.md)

You can use `-k` to search for a cluster reference.

### Erasing unallocated files

You can erase unallocated sectors data, with zeroes using `-z`, or using
random data using `-S`.

For instance, deleted files will then become unreadables.

## LICENSE

This is under MIT license