cgsecurity / testdisk

TestDisk & PhotoRec
https://www.cgsecurity.org/
GNU General Public License v2.0

FAT: How is testdisk able to retrieve the full file name? #97

Closed mb720 closed 3 years ago

mb720 commented 3 years ago

Hi and thanks a lot for testdisk!

I was wondering how testdisk is able to retrieve the full name of a deleted file on a FAT-formatted disk, given that FAT overwrites the first byte of a file with 0xe5 when deleting it.

From Brian Carrier's book "File System Forensic Analysis" on FAT:

When a file is deleted, the first byte of the directory entry is set to 0xe5.

Is the file name stored somewhere else or did I misunderstand the quote?

From my experience with testdisk, using it to undelete files from a flash drive, the full file name is reliably restored (including the file's data).

Is it because the FAT driver can't actually make the flash drive overwrite the byte, because the drive's controller will redirect the write of 0xe5 to some other area of the storage, via the flash translation layer?

cgsecurity commented 3 years ago

With VFAT, long filenames are stored alongside short filenames (8+3 chars). TestDisk tries to use the long filename to find the overwritten char.
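As an added illustration of what survives the 0xE5 write (my own example code, not TestDisk's source), the constructed FAT directory below holds a file's two VFAT long-name entries plus its 8.3 entry, then "deletes" it the way a FAT driver does. The long-name entries keep the full name and a checksum of the original 8.3 name; since that checksum is a reversible rotate-and-add over the 11 name bytes, walking it backwards recovers the overwritten first byte exactly. Entry layouts follow the Microsoft FAT specification; the file name, checksum-inversion step and directory contents are constructed for this example.

```python
ATTR_LFN, DELETED = 0x0F, 0xE5

def sfn_checksum(sfn: bytes) -> int:
    # Rotate-right-and-add checksum of the 11-byte 8.3 name, stored in every LFN entry
    s = 0
    for c in sfn:
        s = ((((s & 1) << 7) | (s >> 1)) + c) & 0xFF
    return s

def lfn_entry(seq: int, chunk: str, cksum: int, last: bool = False) -> bytes:
    # One 32-byte VFAT long-name entry carrying up to 13 UTF-16LE characters
    if len(chunk) < 13:
        chunk += "\0"                      # NUL terminator, then 0xFFFF fill
    u = chunk.ljust(13, "\uffff").encode("utf-16-le")
    seq_byte = bytes([seq | (0x40 if last else 0)])   # 0x40 marks the last piece
    return seq_byte + u[:10] + bytes([ATTR_LFN, 0, cksum]) + u[10:22] + b"\0\0" + u[22:]

def build_sample() -> bytes:
    # Constructed directory: Quarterly-Report.docx (8.3: QUARTE~1DOC), then deleted
    sfn = b"QUARTE~1DOC"
    ck = sfn_checksum(sfn)
    entries = [lfn_entry(2, "ort.docx", ck, last=True),   # LFN pieces are stored
               lfn_entry(1, "Quarterly-Rep", ck),         # last chunk first
               sfn + bytes([0x20]) + bytes(20)]           # 8.3 entry, attr 0x20
    # Deletion writes 0xE5 over byte 0 of every entry belonging to the file
    return b"".join(bytes([DELETED]) + e[1:] for e in entries)

def recover_deleted(directory: bytes) -> list:
    # Returns (long_name, reconstructed 8.3 name, checksum_ok) per deleted file
    found, pending = [], []
    for off in range(0, len(directory), 32):
        e = directory[off:off + 32]
        if e[11] == ATTR_LFN:
            pending.append(e)              # attr byte survives the 0xE5 write
            continue
        if e[0] == DELETED and pending:
            cksum = pending[0][13]
            raw = b"".join(p[1:11] + p[14:26] + p[28:32] for p in reversed(pending))
            long_name = raw.decode("utf-16-le").split("\0")[0]
            # Every checksum step is invertible: undo bytes 10..1 and the first byte remains
            s = cksum
            for c in reversed(e[1:11]):
                s = (s - c) & 0xFF
                s = ((s << 1) | (s >> 7)) & 0xFF
            sfn = bytes([s]) + e[1:11]
            found.append((long_name, sfn.decode("ascii"), sfn_checksum(sfn) == cksum))
        pending = []
    return found
```

Calling recover_deleted(build_sample()) returns [('Quarterly-Report.docx', 'QUARTE~1DOC', True)]; note the sequence numbers of the LFN entries are overwritten too, so the parser relies on the entries' physical order.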