How does EnCase recover a deleted file in a FAT file system?

In recovering a deleted file on a FAT file system, EnCase relies on information from the directory entry of the file that is marked as deleted. When a file is deleted, the directory entry is typically not immediately erased; instead, the file’s name is often changed to a generic deleted marker, and critical information about the file, such as its starting cluster number and size, is still accessible.

The correct approach involves obtaining the starting cluster number and the size of the deleted file directly from the directory entry. This data allows EnCase to know where to look for the file's actual data on the disk. By identifying the starting cluster, it can then access the corresponding data by reading the necessary number of clusters associated with the deleted file.

This method is efficient because it utilizes the existing information about the file until that area of the disk is overwritten by new data. As long as the physical data blocks of the deleted file remain intact on the disk, EnCase can successfully recover the file by using these details to retrieve the data from the correct locations.