FAT12/16/32: replacing 0xE5 with underscore is ambiguous
Hello.
When a file is deleted, the first byte of its directory entry name is overwritten with the 0xE5 mark; The Sleuth Kit replaces that byte with an underscore when it reports the name:
https://github.com/sleuthkit/sleuthkit/blob/f2a2ff627739426ef5ebb4872893611b9cf5e0ee/tsk/fs/fatxxfs_dent.c#L293 https://github.com/sleuthkit/sleuthkit/blob/0239c5934e348699d0be38f694fb6320252a91fc/tsk/fs/fatxxfs_meta.c#L554
When a directory is deleted, some operating systems (macOS, for example) don't mark the entries it contains as free by writing the 0xE5 mark into them. Instead, only the directory's own entry is marked as free and its clusters are deallocated. If such a directory contains both previously deleted entries (still carrying the 0xE5 mark) and "allocated" entries whose names start with an underscore, The Sleuth Kit's output makes it impossible to tell them apart.
Here is a directory index of a deleted directory:
00000000  2e 20 20 20 20 20 20 20  20 20 20 10 00 64 0b b1  |.          ..d..|
00000010  55 54 55 54 00 00 0b b1  55 54 03 00 00 00 00 00  |UTUT....UT......|
00000020  2e 2e 20 20 20 20 20 20  20 20 20 10 00 64 0b b1  |..         ..d..|
00000030  55 54 55 54 00 00 0b b1  55 54 00 00 00 00 00 00  |UTUT....UT......|
00000040  5f 20 20 20 20 20 20 20  20 20 20 10 00 64 17 b1  |_          ..d..|
00000050  55 54 55 54 00 00 17 b1  55 54 04 00 00 00 00 00  |UTUT....UT......|
00000060  e5 20 20 20 20 20 20 20  20 20 20 10 00 00 12 b1  |.          .....|
00000070  55 54 55 54 00 00 12 b1  55 54 05 00 00 00 00 00  |UTUT....UT......|
00000080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00004000
The Sleuth Kit (4.11.1) displays two entries using the underscore character:
d/d * 517: _
d/d * 518: _
The first name displayed carries a "real" underscore (this is a deleted directory whose name is "_"), while the second contains an unknown character that was overwritten by the 0xE5 mark and then replaced with an underscore.
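As an added worked example (not part of this issue and not The Sleuth Kit's code), the following Python script parses the 32-byte short-name entries of the directory dump above, reproduced here as constructed sample bytes. It keeps the raw first byte of each entry and shows that rendering deleted entries with "_" makes the 0xE5 entry collide with the directory really named "_", while a placeholder that cannot occur in a FAT short name (here "?") keeps them apart. It also honours the 0x05 escape, which FAT uses for a name that genuinely begins with 0xE5. The function names and the "?" placeholder are my own choices.

```python
import struct
from datetime import datetime

ENTRY_SIZE = 32
ATTR_DIRECTORY = 0x10
ATTR_LFN = 0x0F  # attribute combination used by long-file-name pieces

# Constructed sample: the four entries from the dump in the issue
# (".", "..", "_" and the 0xE5-marked entry) followed by an unused
# all-zero entry. Typed in from the dump, not read from a real volume.
SAMPLE_DIR = bytes.fromhex(
    "2e" + "20" * 10 + "10 00 64 0bb1 5554 5554 0000 0bb1 5554 0300 00000000"
    + "2e2e" + "20" * 9 + "10 00 64 0bb1 5554 5554 0000 0bb1 5554 0000 00000000"
    + "5f" + "20" * 10 + "10 00 64 17b1 5554 5554 0000 17b1 5554 0400 00000000"
    + "e5" + "20" * 10 + "10 00 00 12b1 5554 5554 0000 12b1 5554 0500 00000000"
    + "00" * 32
)


def fat_datetime(date_word, time_word):
    """Decode packed FAT date/time words (local time, 2 s resolution).
    Returns None when the field was never set (month or day of 0)."""
    year = ((date_word >> 9) & 0x7F) + 1980
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    hour = (time_word >> 11) & 0x1F
    minute = (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2
    if month == 0 or day == 0:
        return None
    return datetime(year, month, day, hour, minute, second)


def first_byte_status(b):
    """Classify a short-name entry by its first byte, per the FAT spec."""
    if b == 0x00:
        return "unused"      # this and every following entry is free
    if b == 0xE5:
        return "deleted"     # deletion mark: the real character is lost
    if b == 0x05:
        return "kanji_e5"    # escape for a name that really starts with 0xE5
    return "allocated"


def parse_directory(data):
    """Parse short-name entries, keeping the raw first byte of each."""
    entries = []
    for off in range(0, len(data) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = data[off:off + ENTRY_SIZE]
        status = first_byte_status(raw[0])
        if status == "unused":
            break
        attr = raw[11]
        if attr == ATTR_LFN:
            continue  # long-name pieces; the short entry holds the metadata
        # offsets 20..31: FstClusHI, WrtTime, WrtDate, FstClusLO, FileSize
        clus_hi, wrt_time, wrt_date, clus_lo, size = struct.unpack_from("<HHHHI", raw, 20)
        base = bytearray(raw[0:8])
        if status == "deleted":
            base[0] = ord("?")   # unknown: overwritten by the 0xE5 mark
        elif status == "kanji_e5":
            base[0] = 0xE5       # restore the escaped real character
        name = bytes(base).rstrip(b" ").decode("latin-1")
        ext = raw[8:11].rstrip(b" ").decode("latin-1")
        entries.append({
            "offset": off,
            "first_byte": raw[0],
            "status": status,
            "name": name + ("." + ext if ext else ""),
            "is_dir": bool(attr & ATTR_DIRECTORY),
            "first_cluster": (clus_hi << 16) | clus_lo,
            "size": size,
            "modified": fat_datetime(wrt_date, wrt_time),
        })
    return entries


def display_name(entry, placeholder="_"):
    """Render a name the way a tool would: the lost first character of a
    deleted entry becomes the placeholder. With "_" (TSK's choice) a deleted
    entry is indistinguishable from an allocated entry really named "_"."""
    if entry["status"] == "deleted":
        return placeholder + entry["name"][1:]
    return entry["name"]


def find_collisions(entries, placeholder="_"):
    """Return display names shared by entries of different status."""
    seen = {}
    for e in entries:
        seen.setdefault(display_name(e, placeholder), set()).add(e["status"])
    return sorted(n for n, statuses in seen.items() if len(statuses) > 1)


if __name__ == "__main__":
    parsed = parse_directory(SAMPLE_DIR)
    for e in parsed:
        print(f"{e['offset']:#06x} first=0x{e['first_byte']:02x} {e['status']:9} "
              f"cluster={e['first_cluster']} mtime={e['modified']} "
              f"as '_': {display_name(e)!r}  as '?': {display_name(e, '?')!r}")
    print("ambiguous with '_':", find_collisions(parsed, "_"))
    print("ambiguous with '?':", find_collisions(parsed, "?"))
```

Run stand-alone it lists the four entries with their raw first byte, first cluster and write time, then reports that the "_" rendering produces one ambiguous name while the "?" rendering produces none. The write times in the dump also show the order of events: the 0xE5 entry was last written before the "_" directory was, which the collapsed names alone would hide.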