
fatcat

fatcat is a tool to explore, extract, repair, and perform forensics on FAT filesystems. It supports FAT12, FAT16, and FAT32, allowing users to list files, recover deleted data, backup and hack FAT tables, and more.

Description

fatcat provides comprehensive capabilities for handling FAT filesystems, including getting information, exploring the structure, reading and extracting files or directories, and retrieving deleted items. It enables backing up and restoring FAT tables, hacking entries by modifying clusters and sizes, searching for orphaned files, comparing and merging FAT tables, and repairing unallocated directories and files.

Use cases include digital forensics investigations where FAT filesystem analysis is required, data recovery from damaged or corrupted FAT partitions, and low-level manipulation for repair or testing purposes. The tool is particularly useful for incident response teams dealing with legacy storage media or embedded systems using FAT.

Caution is advised with write operations like patching FATs, writing to clusters, or fixing directories, as they can damage the disk.

How It Works

fatcat operates by parsing the FAT filesystem structure from a disk image or device, supporting FAT12, FAT16, and FAT32 formats. It reads the boot sector for filesystem parameters, navigates the FAT tables (primary and backup), and traverses directory entries and cluster chains. Features like table comparison analyze discrepancies between FAT1 and FAT2, while hacking modes directly modify table entries or directory attributes. Extraction and reading follow cluster chains, with options for offsets, sizes, and deleted file inclusion. Orphan searches scan unallocated clusters for valid entries.
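The boot-sector parse, FAT1/FAT2 comparison and cluster-chain walk described above, as an added Python example (not fatcat's own code). It assumes a FAT16 layout only; the function names and the in-memory sample image are constructed for illustration.

```python
import struct

def parse_bpb(img, offset=0):
    """Read the FAT16 BIOS Parameter Block fields needed to locate both FATs."""
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", img, offset + 11)
    (spf,) = struct.unpack_from("<H", img, offset + 22)  # 0 here means FAT32
    if img[offset + 510:offset + 512] != b"\x55\xaa" or bps == 0 or nfats < 2 or spf == 0:
        raise ValueError("not a two-FAT FAT16 boot sector")
    return {"bps": bps, "spc": spc, "reserved": reserved, "nfats": nfats, "spf": spf}

def load_fats(img, offset=0):
    """Return FAT1 and FAT2 as tuples of 16-bit entries."""
    bpb = parse_bpb(img, offset)
    size = bpb["spf"] * bpb["bps"]
    start = offset + bpb["reserved"] * bpb["bps"]  # FAT1 follows the reserved area
    if len(img) < start + 2 * size:
        raise ValueError("image truncated before end of FAT2")
    fmt = "<%dH" % (size // 2)
    return struct.unpack_from(fmt, img, start), struct.unpack_from(fmt, img, start + size)

def compare_fats(img, offset=0):
    """List (cluster, FAT1 value, FAT2 value) for every entry that differs."""
    fat1, fat2 = load_fats(img, offset)
    return [(c, a, b) for c, (a, b) in enumerate(zip(fat1, fat2)) if a != b]

def follow_chain(fat, cluster):
    """Walk a cluster chain; stop at end-of-chain, a free/bad entry, or a loop."""
    seen = []
    while 2 <= cluster < min(len(fat), 0xFFF7) and cluster not in seen:
        seen.append(cluster)
        cluster = fat[cluster]
    return seen

def build_sample_image():
    """Constructed sample: 1 reserved sector, two 1-sector FATs that disagree."""
    boot = bytearray(512)
    struct.pack_into("<HBHB", boot, 11, 512, 1, 1, 2)  # bytes/sector, sectors/cluster, reserved, FAT count
    struct.pack_into("<H", boot, 22, 1)                # sectors per FAT
    boot[510:512] = b"\x55\xaa"
    fat1 = bytearray(512)
    struct.pack_into("<5H", fat1, 0, 0xFFF8, 0xFFFF, 3, 4, 0xFFFF)  # chain 2->3->4
    fat2 = bytearray(fat1)
    struct.pack_into("<H", fat2, 6, 0x0000)  # cluster 3 marked free in FAT2 only
    return bytes(boot + fat1 + fat2)

if __name__ == "__main__":
    image = build_sample_image()
    print(compare_fats(image))
    print([follow_chain(f, 2) for f in load_fats(image)])
```

The offset parameter plays the same role as fatcat's -O: it lets the parse start at a partition inside a whole-disk image.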

Installation

sudo apt install fatcat

Flags

-i                        display information about disk
-O [offset]               global offset (may be partition place)
-F [format]               output format (default, json)
-l [dir]                  list files and directories in the given path
-L [cluster]              list files and directories in the given cluster
-r [path]                 reads the file given by the path
-R [cluster]              reads the data from given cluster
-s [size]                 specify the size of data to read from the cluster
-d                        enable listing of deleted files
-x [directory]            extract all files to a directory, deleted files included if -d; will start with rootDirectory, unless -c is provided
-S                        write scramble data in unallocated sectors
-z                        write scramble data in unallocated sectors
-@ [cluster]              get the cluster address and information
-2                        analyze & compare the 2 FATs
-b [file]                 backup the FATs (see -t)
-p [file]                 restore (patch) the FATs (see -t)
-w [cluster] -v [value]   write next cluster (see -t)
-t [table]                specify which table to write (0:both, 1:first, 2:second)
-m                        merge the FATs
-o                        search for orphan files and directories
-f                        try to fix reachable directories
-e [path]                 sets the entry to hack, combined with: -c [cluster], -s [size], -a [attributes]
-c [cluster]              sets the entry cluster
-a [attributes]           sets the entry attributes
-k [cluster]              try to find an entry that points to that cluster

Examples

Display help and usage information for fatcat
fatcat -h

Display information about the FAT filesystem on disk.img
fatcat disk.img -i

List files and directories in the given path
fatcat disk.img -l [dir]

List files and directories in the given path, including deleted files
fatcat disk.img -l [dir] -d

Read the file given by the path
fatcat disk.img -r [path]

Extract all files to a directory, including deleted if -d is used
fatcat disk.img -x [directory]

Analyze and compare the two FAT tables
fatcat disk.img -2

Search for orphan files and directories
fatcat disk.img -o

Updated 2026-04-16 | kali.org