dirty marker for fat filesystems
Posted: 06 Jan 2013, 14:14
Hallo all,
i'm linux developer and do some computer forensic as hobby. Currently
i discovered for my self that fat32/16/12 have reserved field which is used by windows to mark probably dirty filesystem. Different version of widnwos handle it in different ways. For example XP and 2000 will set it on write on remove it if write was finished. Win 7 set it on first write and remove it on unmount.
At least Win 7 will warn you if you try to mount fatfs with dirty bit set.
I think it is good if testdisk can recognise this too, and at least inform user. If this bit set, then most probably some data was no completly written to fs - corrupt.
I also was working on patchset for linux kernel to handle this marker. I assume, soon, if this patches will go to kernel master, then you will see this marker bit more frequent:
https://patchwork.kernel.org/patch/1913441/
i'm linux developer and do some computer forensic as hobby. Currently
i discovered for my self that fat32/16/12 have reserved field which is used by windows to mark probably dirty filesystem. Different version of widnwos handle it in different ways. For example XP and 2000 will set it on write on remove it if write was finished. Win 7 set it on first write and remove it on unmount.
At least Win 7 will warn you if you try to mount fatfs with dirty bit set.
I think it is good if testdisk can recognise this too, and at least inform user. If this bit set, then most probably some data was no completly written to fs - corrupt.
I also was working on patchset for linux kernel to handle this marker. I assume, soon, if this patches will go to kernel master, then you will see this marker bit more frequent:
https://patchwork.kernel.org/patch/1913441/