This repo contains a crude implementation of a tool created as a part of an assignment during computer forensics course, extracting file metadata based on the user-provided sector contained by the file. Currently (possibly ever) only FAT32 partition format, along with basic (no extended partitions) MBR partition table format is supported.
Use the package manager pip to install required packages:
pip install -r requirements.txtTo use this tool, follow these steps:
python FATTool.py [-h] [-s] filename sector_nrwhere:
-
-h- display help -
-s- sector size (512 by default)
Example:
python FATTool.py -s 512 image.dd 6200-
Reads partition table (only MBR with standard partition type is supported)
-
Checks if partition containing selected sector is formatted according to FAT32, then reads partition info recreating file allocation table as a two way list
-
Calculates cluster number containing the selected sector, retrieves first file sector and traverses directory tree finding a corresponding file metadata