General Discussion: ExFAT vs FAT32 (deeper mechanics)

What a zero in a FAT cell of exFAT would mean is that since the file system was created/last formatted, a fragmented file never used that cluster. However, if during a forensics analysis you find a zero in the cell, it tells you nothing about the data in the associated cluster, i.e. whether the cluster is allocated, or if allocated how many different files were created and then deleted using that cluster. It is considered "undefined" because the value does not specifically tell you something.

FatEntry[2] ... FatEntry[ClusterCount+1] Fields

[0175] Each FatEntry field in this array represents a cluster in the Cluster Heap. FatEntry[2] represents the first cluster in the Cluster Heap and FatEntry[ClusterCount+1] represents the last cluster in the Cluster Heap.

[0176] The valid range of values for these fields is:

[0177] Between 2 and ClusterCount+1, inclusively, which points to the next FatEntry in the given cluster chain; the given FatEntry shall not point to any FatEntry which precedes it in the given cluster chain

[0178] Exactly FFFFFFF7h, which marks the given FatEntry's corresponding cluster as "bad"

[0179] Exactly FFFFFFFFh, which marks the given FatEntry's corresponding cluster as the last cluster of a cluster chain; this is the only valid value for the last FatEntry of any given cluster chain.

The above is directly out of the exFAT specification, as provided in one of the Microsoft Patents. Valid values that can appear in a FAT Entry cell are 2-cluster count + 1, and FFFFFFF7 (Bad Cluster) and FFFFFFFF (Eof). This implies that values of 0 & 1 are not valid, and therefore undefined.
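The value ranges quoted in the post above, applied to a raw FAT region, as an added example that is not part of the original post or of any tool it mentions. The function names and the sample FAT are constructed for illustration; the walker also enforces the rule that an entry must not point back to an earlier entry in its own chain.

```python
import struct

BAD_CLUSTER = 0xFFFFFFF7
END_OF_CHAIN = 0xFFFFFFFF

def classify(value, cluster_count):
    """Classify one 32-bit FatEntry value using the ranges quoted in the post."""
    if value == END_OF_CHAIN:
        return "end-of-chain"
    if value == BAD_CLUSTER:
        return "bad"
    if 2 <= value <= cluster_count + 1:
        return "next"
    # 0, 1 and anything else: undefined. Per the post, this says nothing
    # about whether the cluster is allocated or what data it holds.
    return "undefined"

def read_fat(fat_bytes):
    """Decode a raw FAT region into little-endian 32-bit entries."""
    n = len(fat_bytes) // 4
    return list(struct.unpack("<%dI" % n, fat_bytes[:n * 4]))

def walk_chain(fat, first_cluster, cluster_count):
    """Follow a chain from first_cluster; return (clusters, stop_reason)."""
    chain, seen = [], set()
    cur = first_cluster
    while 2 <= cur <= cluster_count + 1 and cur < len(fat):
        if cur in seen:
            return chain, "loop"  # entry points back into its own chain
        seen.add(cur)
        chain.append(cur)
        kind = classify(fat[cur], cluster_count)
        if kind != "next":
            return chain, kind
        cur = fat[cur]
    return chain, "out-of-range"

# Constructed sample FAT for a volume with ClusterCount = 8 (entries 2..9).
# Entries 0 and 1 do not describe clusters in the Cluster Heap.
SAMPLE_CLUSTER_COUNT = 8
SAMPLE_FAT = read_fat(struct.pack(
    "<10I", 0xFFFFFFF8, 0xFFFFFFFF, 3, 5, 0, END_OF_CHAIN, 7, 6, BAD_CLUSTER, 1))

if __name__ == "__main__":
    for start in range(2, SAMPLE_CLUSTER_COUNT + 2):
        print(start, walk_chain(SAMPLE_FAT, start, SAMPLE_CLUSTER_COUNT))
```

A stop reason of "undefined" or "loop" marks a chain that cannot be trusted for file reconstruction; it does not by itself say the cluster is free.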
