Let’s see how the FAT file system deletes a file using a detailed example.
FAT Initial State
In this example, we are going to delete the file ‘/dir1/file1.txt’.
As shown in the image, the cluster number of the ‘dir1’ is 90. Also, the cluster numbers allocated to the ‘file1.txt’ is 200 and 201.
The request to delete ‘/dir1/file1.txt’ is sent to the FAT file system.
The following three steps will be taken for the deletion to be complete.
- First, the file path will be parsed.
- Then, the path will be traced.
- Finally, the last component of the path will be deleted.
Parse File Path
The first step that must be taken is to parse the path elements.
The file path ‘/dir1/file1.txt’ will be parsed into three path elements:
Then, the parsed path elements must be traced and file-related metadata must be acquired for deletion to take place.
The FAT file system needs 2 kinds of metadata to delete a file.
- File parent directory entry
- File disk pointers
The users of a file system access the files by using their paths. The file-related information is acquired using a file’s parent directory.
Directories store one (or more) directory entries per file or subdirectory they contain. The FAT parent directory entry holds the name of the file and its starting cluster number.
Therefore, once the parent directory entry is acquired, the deletion will take place by releasing the file-associated clusters as well as deleting its parent directory entry.
Releasing FAT Clusters
The FAT clusters form cluster chains. To delete a FAT cluster chain, the head of the cluster chain must be known. In the path traversal operation, the deletion candidate file-related metadata is acquired from its parent directory entry.
The starting cluster of the file is 200. Once we check the file allocation table entry 200, we see that it does not have an EOF value in it. It means the file has another cluster allocated to it as well.
We read the value of file allocation table entry 200 as 201. Therefore, the next cluster is 201. We then read the value of entry 201 from the table. As FAT table entry 201 holds an EOF value, 201 is the last cluster allocated to the file.
- Therefore, the file has 2 associated clusters to be deleted.
(Table: FAT table index and entry values before the release)
The release of the file-associated clusters can be done in different ways. But, the end result is that the associated table entries must have a value of 0.
(Table: FAT table index and entry values after the release)
File Data Deletion
Once the clusters are released from the file allocation table by assigning a 0 value to the entries, we assume that the file data is also deleted. But, that’s not the case.
Most often, once the state of the clusters is set as free, the disk data is not overwritten or modified. Until some other file allocates these released clusters and writes some other data, all the file data resides in the clusters.
As the file data is not overwritten, it may be recovered. Although it is hard to find all the cluster numbers associated with a file once its file allocation table entries have been released, the data can still be partly recovered.
- See the FAT forensics section for details.
The important point here is that, from a security perspective, a FAT file system implementation may overwrite the data. As the FAT standard does not enforce anything in this respect, a new FAT file system design can perform data overwriting as an extra deletion step, to make sure no data can be recovered by a potential intruder.
FAT Directory Entry Deletion
The deletion of the directory entry is quite simple in FAT. The standard defines the deletion of the FAT directory entry as putting 0xe5 hex value to the first byte of the entry name.
Once the directory entry is deleted by putting 0xe5 into the first byte of the name, the entry becomes available for allocation.
From a security perspective, the FAT directory entry deletion can be changed. Since the FAT file system looks for entries that are either empty or deleted when allocating a new slot, an entry that has been completely emptied by the deletion process is still a valid deleted entry.
To increase security, a new FAT implementation can also set the name to an empty string and the starting cluster value to 0 when deleting the file.
Once the required elements (the parent directory entry and the cluster chain) are obtained, the FAT file system deletes the file by deallocating these elements in the FAT file system’s own way of deletion.
File Deletion Example
We now repeat the previous example, but this time we delete the dir1\file1.txt file.
- We read the boot sector from sector 0 of the volume and locate the FAT structures, data area, and root directory.
- We locate the dir1 directory by processing each directory entry in the root directory and looking for one that has dir1 as its name and that has the directory attribute set.
- We process the contents of dir1’s starting cluster, cluster 90, to find a directory entry that has the name file1.txt. We find that it has a starting cluster of 200.
- We use the FAT structure to determine the cluster chain for the file. In this case, the file has allocated clusters 200 and 201.
- We set the FAT entries for clusters 200 and 201 to 0.
- We unallocate the directory entry for file1.txt by changing its first byte to 0xe5.
This final state can be seen in Figure 9.18 where the pointers that have been cleared have dashed lines and the first letter of the file name is missing.
Figure 9.18 File system state after deleting the ‘dir1\file1.txt’ file.
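The deletion steps above (walking the cluster chain from the parent directory entry, zeroing the FAT entries, marking the entry with 0xe5) and the hardened variant discussed under “FAT Directory Entry Deletion”, as an added example that is not part of the original article. It is a minimal in-memory model, not a real FAT driver; the cluster numbers, names, contents and the EOF marker value are constructed for the example.

```python
# Added example: in-memory model of FAT file deletion, standard vs. scrubbed.
# Assumptions: FAT32-style EOF marker, one directory entry per file, names as bytes.
EOF = 0x0FFFFFFF       # end-of-chain marker (assumed FAT32 value)
FREE = 0               # value of a released FAT entry
DELETED_MARK = 0xE5    # first name byte of a deleted directory entry (FAT standard)

class FatVolume:
    def __init__(self, cluster_size=512):
        self.fat = {}         # cluster number -> next cluster number or EOF
        self.clusters = {}    # cluster number -> bytes (simulated data area)
        self.dirs = {}        # directory cluster -> list of directory entries
        self.cluster_size = cluster_size

    def chain(self, start):
        """Follow the FAT from `start` until EOF, exactly as the driver does."""
        chain, cur = [], start
        while cur != EOF:
            if cur in chain:                  # corrupt FAT: refuse to loop forever
                raise ValueError("cluster chain loop at %d" % cur)
            chain.append(cur)
            cur = self.fat[cur]
        return chain

    def lookup(self, dir_cluster, name):
        """Find a live (not 0xE5-marked) entry by name in a directory cluster."""
        for entry in self.dirs[dir_cluster]:
            if entry["name"][:1] != bytes([DELETED_MARK]) and entry["name"] == name:
                return entry
        raise FileNotFoundError(name)

    def delete(self, dir_cluster, name, scrub=False):
        """Standard FAT deletion; with scrub=True also wipe data and the entry."""
        entry = self.lookup(dir_cluster, name)
        for c in self.chain(entry["start"]):
            self.fat[c] = FREE                # release the cluster in the FAT
            if scrub:
                self.clusters[c] = bytes(self.cluster_size)   # overwrite data
        if scrub:
            entry["name"], entry["start"] = b"", 0            # empty the entry
        else:
            entry["name"] = bytes([DELETED_MARK]) + entry["name"][1:]

def build_example():
    """Constructed state matching the article: dir1 at 90, file1.txt at 200->201."""
    v = FatVolume()
    v.fat.update({90: EOF, 200: 201, 201: EOF})
    v.clusters[200] = b"secret " * 73          # file data, fills cluster 200
    v.clusters[201] = b"more secret"
    v.dirs[90] = [{"name": b"file1.txt", "start": 200}]
    return v
```

After a standard delete the FAT entries read 0 and the name starts with 0xE5, yet `v.clusters[200]` still holds the old bytes, which is exactly what the forensic recovery discussion above relies on; the scrubbed delete leaves nothing behind.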