Fatback is a forensics tool used for file carving.
Since Windows changed to NTFS with XP it has little use on the OS Drive.
Most users still format USB sticks in the FAT format so has use for this.
1. Find the directory location of your fat drive.
root@bt:~# fdisk -l
Device Boot Start End Blocks Id System
/dev/sdb1 * 1 1011 1002881 c W95 FAT32 (LBA)
2. Fatback options.
root@bt:~# fatback
Usage: fatback [FILE] -l [LOG] [OPTION]...
Undelete files from FAT filesystems.
Fatback v1.3
(c) 2000-2001 DoD Computer Forensics Lab
-o, --output=DIR specifies a directory to place output files
-a, --auto auto undelete mode. non-interactively
recovers all deleted files
-l, --log=LOGFILE specifies a file to audit log to.
-v, --verbose display extra information to the screen.
-p, --partition=PNUM go directly to PNUM partition
-d, --delprefix=PREFIX use PREFIX to signify deleted files instead
of the default "?"
-s, --single force into single partition mode
-z, --sectsize=SIZE adjust the sector size. default is 512
-m, --mmap use mmap() file I/O for improved performance
-h, --help display this help screen
Report bugs to
3. Use I created a folder called USB_Output in my root directory for the output.
root@bt:~# fatback -a /dev/sdb1 -o /root/USB_Output
No audit log specified, using "./fatback.log"
/ (Done)
4. Open the folder /root/USB_Output to see your deleted files.
myexploit 