dirty marker for fat filesystems

fishor
Posts: 2
Joined: 06 Jan 2013, 14:03

dirty marker for fat filesystems

#1 Post by fishor »

Hello all,

I'm a Linux developer and do some computer forensics as a hobby. Currently I discovered for myself that FAT32/16/12 have a reserved field which is used by Windows to mark a probably dirty filesystem. Different versions of Windows handle it in different ways. For example, XP and 2000 will set it on write and remove it if the write was finished. Win 7 sets it on the first write and removes it on unmount.
At least Win 7 will warn you if you try to mount a FAT fs with the dirty bit set.
I think it would be good if TestDisk could recognise this too, and at least inform the user. If this bit is set, then most probably some data was not completely written to the fs - corrupt.
I was also working on a patchset for the Linux kernel to handle this marker. I assume that soon, if these patches go to kernel master, you will see this marker bit more frequently:
https://patchwork.kernel.org/patch/1913441/

Fiona
Posts: 2835
Joined: 18 Feb 2012, 17:19
Location: Ludwigsburg/Stuttgart - Germany

Re: dirty marker for fat filesystems

#2 Post by Fiona »

Might be more dedicated to Christophe.
To get most reported messages, did you check the testdisk log on a dirty file system?

Fiona

fishor
Posts: 2
Joined: 06 Jan 2013, 14:03

Re: dirty marker for fat filesystems

#3 Post by fishor »

TestDisk only recognises that the boot sector and backup boot sector are different.

Code:

First sectors (Boot code and partition information) are not identical.
A valid FAT Boot sector must be present in order to access
any data; even if the partition is not bootable.

No information about the dirty flag being set. Here are two dumps:

Code:

Boot sector                        Backup boot sector
0000 eb58904d 53444f53   .X.MSDOS  eb58904d 53444f53   .X.MSDOS
0008 352e3000 02012000   5.0... .  352e3000 02012000   5.0... .
0010 02000000 00f80000   ........  02000000 00f80000   ........
0018 3f00ff00 3f000000   ?...?...  3f00ff00 3f000000   ?...?...
0020 3a850100 ff020000   :.......  3a850100 ff020000   :.......
0028 00000000 02000000   ........  00000000 02000000   ........
0030 01000600 00000000   ........  01000600 00000000   ........
0038 00000000 00000000   ........  00000000 00000000   ........
0040 000129dc 8ff6c84e   ..)....N  000029dc 8ff6c84e   ..)....N
0048 4f204e41 4d452020   O NAME    4f204e41 4d452020   O NAME
0050 20204641 54333220     FAT32   20204641 54333220     FAT32
0058 202033c9 8ed1bcf4     3.....  202033c9 8ed1bcf4     3.....
0060 7b8ec18e d9bd007c   {......|  7b8ec18e d9bd007c   {......|
0068 884e028a 5640b408   .N..V@..  884e028a 5640b408   .N..V@..

The difference is at 0x41. It is not a good idea to just remove this bit. You should run checkdisk or fsck.vfat, or leave it alone.
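
Added example (not part of the thread and not TestDisk's code): a read-only check that locates the state byte discussed above, reports the dirty marker for each boot sector copy, and tells whether that byte is the only reason the two copies differ. The byte data is taken from the dump in post #3; the names, the FAT12/16 offset 0x25 and the bit mask 0x01 are assumptions that the thread does not state.

```python
import struct

# First 0x70 bytes of the primary boot sector, copied from the dump in post #3.
PRIMARY = bytes.fromhex(
    "eb58904d53444f53" "352e300002012000" "0200000000f80000" "3f00ff003f000000"
    "3a850100ff020000" "0000000002000000" "0100060000000000" "0000000000000000"
    "000129dc8ff6c84e" "4f204e414d452020" "2020464154333220" "202033c98ed1bcf4"
    "7b8ec18ed9bd007c" "884e028a5640b408"
)
# The backup dump in the post is identical except for byte 0x41 (0x00, not 0x01).
BACKUP = PRIMARY[:0x41] + b"\x00" + PRIMARY[0x42:]

DIRTY_BIT = 0x01  # assumption: bit 0 of the state byte is the dirty marker


def state_offset(bs: bytes) -> int:
    """Offset of the state byte: 0x41 on FAT32, 0x25 on FAT12/16 (assumed)."""
    # The 16-bit "sectors per FAT" field at 0x16 is zero on FAT32 volumes.
    (fat_size_16,) = struct.unpack_from("<H", bs, 0x16)
    return 0x41 if fat_size_16 == 0 else 0x25


def is_dirty(bs: bytes) -> bool:
    """True when the dirty marker is set in this boot sector copy."""
    off = state_offset(bs)
    if len(bs) <= off:
        raise ValueError("boot sector data too short to contain the state byte")
    return bool(bs[off] & DIRTY_BIT)


def compare_boot_sectors(primary: bytes, backup: bytes) -> dict:
    """Explain a primary/backup mismatch without modifying either copy."""
    diffs = [i for i, (a, b) in enumerate(zip(primary, backup)) if a != b]
    return {
        "differing_offsets": diffs,
        "primary_dirty": is_dirty(primary),
        "backup_dirty": is_dirty(backup),
        "only_state_byte_differs": diffs == [state_offset(primary)],
    }


if __name__ == "__main__":
    result = compare_boot_sectors(PRIMARY, BACKUP)
    print("differing offsets:", [hex(o) for o in result["differing_offsets"]])
    print("primary dirty:", result["primary_dirty"])
    print("backup dirty:", result["backup_dirty"])
    if result["only_state_byte_differs"]:
        print("Copies differ only in the state byte; run a filesystem check.")
```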
