Safe Penetration Testing Labs · intermediate · ~15 min

Recover an 8.3 filename from a FAT directory entry

Render the 8.3 short name out of a FAT directory entry, including the deleted-entry case.

Overview

Copy the 8-byte base and the 3-byte extension out of the entry, replace the leading byte with _ on deleted entries, trim the trailing spaces, and join the two parts with . only when the extension is non-empty.

Why it matters

Recognising the 0xE5 trick is how every FAT forensic tool lists deleted files.

Lesson

Why this matters

On FAT12 / FAT16 / FAT32, a file is deleted by rewriting the first byte of its directory entry to 0xE5. The rest of the name bytes remain on disk. Forensic tools can list deleted files because of this property.

What the entry looks like

offset  size  field
0       8     name (space-padded, ASCII; byte 0 == 0xE5 → deleted)
8       3     extension (space-padded, ASCII)
11      1     attributes
...

So the 8.3 short name is reconstructed from the first 11 bytes of the entry (offsets 0 through 10).

Your job

Implement int recover_8_3(const uint8_t *entry, char *out).

  • entry must be non-NULL; out must be non-NULL.
  • Output must be at most 8 + 1 + 3 + 1 = 13 bytes including NUL.
  • If entry[0] == 0xE5, substitute '_' for the first character (the original byte is gone; the leading _ is our convention).
  • Trim trailing spaces from the base and the extension.
  • If the extension is all spaces, omit the dot.
  • Return the number of bytes written (excluding NUL), or -1 if either pointer is NULL.

Common mistakes

  • Forgetting to trim trailing spaces. FAT names are space-padded.
  • Including the dot even when there is no extension.
  • Writing past the 13-byte output (use a fixed-size buffer).
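One way to meet the contract above while avoiding all three mistakes, as an added reference sketch rather than the lab's official solution. The helper copy_trimmed, the FAT_DELETED macro and the sample entries in main are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FAT_DELETED 0xE5u   /* byte 0 of a deleted entry */

/* Copy a space-padded field into dst without its trailing spaces.
 * Returns the number of bytes copied (0 if the field is all spaces). */
static int copy_trimmed(char *dst, const uint8_t *src, int width)
{
    while (width > 0 && src[width - 1] == ' ')
        width--;
    memcpy(dst, src, (size_t)width);
    return width;
}

/* out must have room for 13 bytes: 8 + '.' + 3 + NUL. */
int recover_8_3(const uint8_t *entry, char *out)
{
    char ext[3];
    int n, e;

    if (entry == NULL || out == NULL)
        return -1;

    n = copy_trimmed(out, entry, 8);
    if (entry[0] == FAT_DELETED)
        out[0] = '_';           /* original first byte was overwritten */

    e = copy_trimmed(ext, entry + 8, 3);
    if (e > 0) {                /* no dot when the extension is blank */
        out[n++] = '.';
        memcpy(out + n, ext, (size_t)e);
        n += e;
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed sample entries; only bytes 0..10 are read. */
    const uint8_t live[32] = "README  TXT";
    const uint8_t gone[32] = "\xE5" "ECRET  DOC";
    char name[13];

    recover_8_3(live, name); printf("%s\n", name);
    recover_8_3(gone, name); printf("%s\n", name);
    return 0;
}
```

The longest possible result, an 8-character base with a 3-character extension, writes exactly 13 bytes including the NUL, so a 13-byte buffer is never overrun.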

What this is NOT

  • An LFN (long filename) parser. LFN entries are a separate exercise if/when we add one.
  • A cluster walker. We only read the directory entry itself.

Summary

Fixed 8+3 layout, leading-byte rule, trim, optional dot.
