Let's look at sample root directory Original, before file TESTFILE.TXT created: =========================================== First, we find a volume entry: 03fe000: 5472 616e 7363 656e 6420 2008 0000 0000 Transcend ..... ^^^^ ^^^^ ^^^^ ^^^^ ^^^^ ^^ Volume name == "Transcend " ^^ "08" indicates that this is a volume name entry 03fe010: 0000 0000 0000 099d 9134 0000 0000 0000 .........4...... Second, we find a LFN entry that has been deleted: ================================================== 03fe020: e554 0065 0073 0074 0031 000f 00b9 2e00 .T.e.s.t.1...... ^^ "e5" means that this file entry for a LFN has been deleted (would have been the sequence number otherwise) ^^ ^^ "0054" however, since we are using LFN, and this was an ASCII filename, we are able to recover the T! ^^ ^^ "0065" is UTF-16 for "e" (basically, ASCII with leading 0!) ^^ ^^ "0073" is "s" ^^ ^^ "0074" is "t" ^^ ^^ "0031" is "1" ^^ "0f" indicates that this is a LFN ^^ this byte is reserved ^^ checksum, computed from short fname 03fe030: 6200 6900 6e00 0000 ffff 0000 ffff ffff b.i.n........... ^^^^ "0062" is "b" ^^^^ "0069" is "i" ^^^^ "006e" is "n" ^^^^ this is the null termination ^^^^ "ffff" means this is filler for unused space ^^^^ reserved ^^^^ ^^^^ more filler for unused space Third, we find a basic entry has been deleted: ============================================== 03fe040: e545 5354 3120 2020 4249 4e20 0086 114a .EST1 BIN ...J ^^ "e5" means that this basic file entry has been deleted, but notice that virtually all of the important data is still here! ^^ "45" is "E" in ASCII ^^ "53" is "S" in ASCII ^^ "54" is "T" in ASCII ^^ "31" is "1" in ASCII ^^ ^^^^ "20" is space ^^ "42" is "B" in ASCII ^^ "49" is "I" in ASCII ^^ "4E" is "N" in ASCII ^^ "20" is archive ^^ "00" is reserved ^^ ^^^^ "86 114a" is created time 03fe050: 693d 693d 0000 6348 693d 0300 0000 0100 i=i=..cHi=...... ^^^^ created day ^^^^ access day ^^^^ high bytes of cluster address ^^^^ written time ^^^^ written day ^^^^ lower bytes of cluster! ^^^^ ^^^^ size of file (just 1 byte) Fourth, we find a LFN: ====================== 03fe060: 4141 0075 0074 006f 0072 000f 00e0 7500 AA.u.t.o.r....u. 03fe070: 6e00 2e00 6900 6e00 6600 0000 0000 ffff n...i.n.f....... Fifth, the matching basic entry: =============================== 03fe080: 4155 544f 5255 4e20 494e 4620 004f 1a4a AUTORUN INF .O.J 03fe090: 693d 8c3e 0000 9d82 a53c 0300 6700 0000 i=.>.....<..g... After creating a file named "TESTFILE.TXT", we find: The same initial volume entry: ============================== 03fe000: 5472 616e 7363 656e 6420 2008 0000 0000 Transcend ..... 03fe010: 0000 0000 0000 099d 9134 0000 0000 0000 .........4...... A new LFN entry: ================ 03fe020: 4174 0065 0073 0074 0066 000f 0078 6900 At.e.s.t.f...xi. 03fe030: 6c00 6500 2e00 7400 7800 0000 7400 0000 l.e...t.x...t... A new directory entry: ====================== 03fe040: 5445 5354 4649 4c45 5458 5420 0064 ac50 TESTFILETXT .d.P 03fe050: 8c3e 8c3e 0000 ac50 8c3e 8703 1700 0000 .>.>...P.>...... And the rest remains the same: ============================== 03fe060: 4141 0075 0074 006f 0072 000f 00e0 7500 AA.u.t.o.r....u. 03fe070: 6e00 2e00 6900 6e00 6600 0000 0000 ffff n...i.n.f....... 03fe080: 4155 544f 5255 4e20 494e 4620 004f 1a4a AUTORUN INF .O.J 03fe090: 693d 8c3e 0000 9d82 a53c 0300 6700 0000 i=.>.....<..g... Now if we delete that new file, we see that not much has changed! The same volume entry at the beginning: ======================================= 03fe000: 5472 616e 7363 656e 6420 2008 0000 0000 Transcend ..... 03fe010: 0000 0000 0000 099d 9134 0000 0000 0000 .........4...... Notice that we have only changed the first character of the LFN to "e5": ======================================================================== 03fe020: e574 0065 0073 0074 0066 000f 0078 6900 .t.e.s.t.f...xi. 03fe030: 6c00 6500 2e00 7400 7800 0000 7400 0000 l.e...t.x...t... And did the same to the basic entry: ==================================== 03fe040: e545 5354 4649 4c45 5458 5420 0064 ac50 .ESTFILETXT .d.P 03fe050: 8c3e 8c3e 0000 ac50 8c3e 8703 1700 0000 .>.>...P.>...... Remains the same: ================= 03fe060: 4141 0075 0074 006f 0072 000f 00e0 7500 AA.u.t.o.r....u. 03fe070: 6e00 2e00 6900 6e00 6600 0000 0000 ffff n...i.n.f....... Remains the same: ================= 03fe080: 4155 544f 5255 4e20 494e 4620 004f 1a4a AUTORUN INF .O.J 03fe090: 693d 8c3e 0000 9d82 a53c 0300 6700 0000 i=.>.....<..g...