Fat File System Forensics

The FAT file system is a simple file system used primarily by Microsoft DOS and Windows operating systems, with versions including FAT12, FAT16, and FAT32. It organizes files using a directory entry structure and allocates data in clusters, with a layout consisting of a reserved area, FAT area, and data area. The document details the configuration, critical fields in the boot sector, and how directory records are structured, including handling deleted files.

Uploaded by ksharma2be22
FAT File System Forensics
Disk image used in the slides: pd_image1.dd

File Allocation Table (FAT)
• The File Allocation Table (FAT) file system is one of the simplest file systems found in common operating systems.
• FAT is the primary file system of the Microsoft DOS and Windows 9x operating systems, but the NT, 2000, and XP line defaults to the New Technology File System (NTFS).
• FAT is supported by all Windows and most Unix operating systems.
• FAT is frequently found in compact flash cards for digital cameras and USB "thumb drives."
• The basic concept of a FAT file system is that each file and directory is allocated a data
structure, called a directory entry, that contains the file name, size, starting address of
the file content, and other metadata.
• File and directory content is stored in data units called clusters.
• If a file or directory has allocated more than one cluster, the other clusters are found by
using a structure that is called the FAT.
• The FAT structure is used to identify the next cluster in a file, and it is also used to
identify the allocation status of clusters. Therefore it is used in both the content and
metadata categories.
• There are three different versions of FAT: FAT12, FAT16, and FAT32. The major
difference among them is the size of the entries in the FAT structure.
The typical layout of the FAT file system has three physical sections to it.

The first section is the reserved area. It starts in sector 0 of the file system, and its size is given in the boot sector. In FAT12 and FAT16 this area is typically only 1 sector (the boot sector) in size; in FAT32 it is larger and also holds a backup boot sector and an FSINFO data structure. Because the size comes from the boot sector, read the field rather than assuming a default.
The second section is the FAT area, and it contains the primary and backup FAT structures. It starts in the sector following the reserved area.

Its size is calculated by multiplying the number of FAT structures by the size of each FAT; both of these values are given in the boot sector.

The allocation status of each cluster can be determined by looking at the cluster's entry in the FAT. Entries with a zero value are unallocated and non-zero entries are allocated. Two caveats: cluster numbering starts at 2, because entries 0 and 1 are reserved (media descriptor and end-of-chain marker with dirty/error flags) and do not correspond to clusters in the data area; and a non-zero entry may be a bad-cluster marker (0xFF7, 0xFFF7 or 0x0FFFFFF7 in FAT12/16/32) rather than a pointer to the next cluster. If we wanted to extract the contents of all unallocated clusters, we would read the FAT and extract each cluster with a zero in the table. An unallocated cluster is not a zeroed cluster: it still holds whatever was last written there, which is why deleted content can be recovered from this set.
The third section is the data area. It contains the clusters that will be allocated to store file and directory content. It begins in the sector after the FAT area.

Its size is calculated by subtracting the starting sector address of the data area from the total number of sectors in the file system, which is specified in the boot sector.
• The layout of the data area is slightly different in FAT12/16 and FAT32.
• In FAT12/16 the beginning of the data area is reserved for the root directory, which has a fixed size derived from the root-entry count in the boot sector; in FAT32 the root directory has a dynamic size and can be anywhere in the data area, its first cluster being given in the boot sector.
• The dynamic size and location of the root directory allow FAT32 to adapt to bad sectors in the beginning of the data area and allow the directory to grow as large as it needs to.
• There are 546 reserved sectors (sectors 0 to 545) before the first FAT. In the reserved area are a backup boot sector and a FSINFO data structure.
• There are two FAT structures, and they span from sectors 546 to 4368 and 4369 to 8191.
• The data area starts in sector 8192, and it has clusters that are 4096 bytes in size (8 sectors per cluster).
To determine the configuration of a FAT file system, we need to process the first sector of the file system (the volume's boot sector, which is not necessarily sector 0 of the physical disk). A sector number is converted to a byte offset in the image by multiplying it by the sector size: 0x1F80 × 0x200 = 0x3F0000 (sector 8064 × 512 bytes).
Boot sector layout (FAT32):
• 0x00: 3 bytes, the jump instruction;
• 0x03: 8 bytes, the OEM name (vendor and OS version);
• 0x0B: 53 bytes, the BIOS Parameter Block (BPB);
• 0x40: 26 bytes, the extended BPB;
• 0x5A: 420 bytes, the bootstrap code;
• 0x1FE: 2 bytes, the end-of-sector signature 0x55AA.
[Figure: BIOS Parameter Block and the extended BIOS Parameter Block used by FAT32 (bytes 36 to 89)]
Some critical fields
Offset 0x0B contains 2 bytes which specify the number of bytes per sector.

Offset 0x0D contains 1 byte which specifies the number of sectors per cluster.

Offset 0x0E contains 2 bytes which specify the number of reserved sectors in this FAT32 partition. On disk the bytes read 22 02; interpreted as a little-endian value this is 0x0222, i.e. 546 reserved sectors.

Offset 0x10 contains 1 byte which specifies the number of FAT tables in this partition, i.e. 2.

Offset 0x11 contains 2 bytes which specify the maximum number of file entries available in the root directory. This applies only to FAT12 and FAT16; on FAT32 the field is 0.

Offset 0x16 in the boot sector has 2 bytes which specify the number of sectors in each FAT table.

If those two bytes are all zeros, the value did not fit in 16 bits (as on FAT32), and we have to go to offset 0x24 and interpret the 4 bytes there instead. Here they read EF 0E 00 00 on disk, i.e. 0x00000EEF = 3823 sectors in each FAT.

Offset 0x2C contains 4 bytes which specify the first cluster of the root directory (FAT32 only), i.e. 02: cluster #2 is allocated to the root directory. Cluster numbering starts at 2 because FAT entries #0 and #1 are reserved (media descriptor and end-of-chain marker with dirty/error flags) and have no corresponding clusters in the data area, so cluster #2 is the first cluster of the data area.
The root directory is located right after the two FAT tables, because on this image its first cluster is #2, the very first cluster of the data area.

That means we just have to walk through the reserved area from the beginning of the partition, then through the FAT1 and FAT2 tables, and there we find the root directory. (For a FAT32 root directory in some other cluster, convert the cluster number: sector = data area start + (cluster − 2) × sectors per cluster.)

Offset to root directory
= (number of sectors in reserved area) + (number of sectors in a FAT table) × 2
= 546 + 3823 × 2
= 8192 sectors
= 8192 × 512 bytes
= 4,194,304 bytes
= 0x400000
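The boot sector fields above, the layout arithmetic that follows from them, and the FAT allocation check described in the FAT-area section can all be exercised with a small parser. The following is an added example, not code from the slides; the boot sector it builds reuses the BPB values the slides read from pd_image1.dd (512-byte sectors, 8 sectors per cluster, 546 reserved sectors, two FATs of 3823 sectors, root cluster 2) but the total sector count, OEM name and the two FAT tables are constructed assumptions. It goes slightly beyond the slides by handling the 16-bit/32-bit field fallback, FAT12/16 root directories and all three FAT entry widths.

```python
import struct

# Constructed FAT32 boot sector. The BPB values (512-byte sectors, 8 sectors per
# cluster, 546 reserved sectors, 2 FATs of 3823 sectors, root cluster 2) are the
# ones the slides read from pd_image1.dd; the total sector count is assumed.
def build_boot_sector() -> bytes:
    bs = bytearray(512)
    bs[0:3], bs[3:11] = b"\xEB\x58\x90", b"MSDOS5.0"  # jump instruction, OEM name (assumed)
    struct.pack_into("<H", bs, 0x0B, 512)      # bytes per sector
    bs[0x0D] = 8                               # sectors per cluster
    struct.pack_into("<H", bs, 0x0E, 546)      # reserved sectors
    bs[0x10] = 2                               # number of FATs
    struct.pack_into("<H", bs, 0x11, 0)        # root entries: 0 on FAT32
    struct.pack_into("<H", bs, 0x13, 0)        # 16-bit total sectors: 0, see 0x20
    struct.pack_into("<H", bs, 0x16, 0)        # 16-bit FAT size: 0, see 0x24
    struct.pack_into("<I", bs, 0x20, 2097152)  # 32-bit total sectors (assumed 1 GiB)
    struct.pack_into("<I", bs, 0x24, 3823)     # 32-bit FAT size in sectors
    struct.pack_into("<I", bs, 0x2C, 2)        # first cluster of the root directory
    bs[0x1FE:0x200] = b"\x55\xAA"              # end-of-sector signature
    return bytes(bs)

def parse_boot_sector(bs: bytes) -> dict:
    """Read the layout-critical BPB fields; all multi-byte values are little-endian."""
    if bs[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("boot sector lacks the 0x55AA signature")
    u16 = lambda off: struct.unpack_from("<H", bs, off)[0]
    u32 = lambda off: struct.unpack_from("<I", bs, off)[0]
    f = {"bytes_per_sector": u16(0x0B), "sectors_per_cluster": bs[0x0D],
         "reserved_sectors": u16(0x0E), "num_fats": bs[0x10], "root_entries": u16(0x11)}
    # A zero in the 16-bit field means the value did not fit and lives in the 32-bit one.
    f["total_sectors"] = u16(0x13) or u32(0x20)
    f["fat_sectors"] = u16(0x16) or u32(0x24)
    f["root_cluster"] = u32(0x2C)              # meaningful on FAT32 only
    return f

def compute_layout(f: dict) -> dict:
    """Derive the reserved / FAT / data areas and where the root directory lives."""
    bps, spc = f["bytes_per_sector"], f["sectors_per_cluster"]
    fat_area_start = f["reserved_sectors"]
    data_area_start = fat_area_start + f["num_fats"] * f["fat_sectors"]
    # FAT12/16 put a fixed-size root directory at the start of the data area;
    # on FAT32 root_entries is 0, so cluster 2 begins right at the data area.
    root_dir_sectors = (f["root_entries"] * 32 + bps - 1) // bps
    cluster2_sector = data_area_start + root_dir_sectors
    cluster_count = (f["total_sectors"] - cluster2_sector) // spc
    version = 12 if cluster_count < 4085 else 16 if cluster_count < 65525 else 32
    root_sector = (cluster2_sector + (f["root_cluster"] - 2) * spc) if version == 32 else data_area_start
    return {"version": version, "cluster_count": cluster_count, "cluster_bytes": spc * bps,
            "fat_starts": [fat_area_start + i * f["fat_sectors"] for i in range(f["num_fats"])],
            "data_area_start": data_area_start, "cluster2_sector": cluster2_sector,
            "root_dir_sector": root_sector, "root_dir_offset": root_sector * bps}

def cluster_offset(layout: dict, f: dict, cluster: int) -> int:
    """Byte offset of a cluster's content; numbering starts at 2, at cluster2_sector."""
    if not 2 <= cluster < layout["cluster_count"] + 2:
        raise ValueError(f"cluster {cluster} is outside the data area")
    return (layout["cluster2_sector"] + (cluster - 2) * f["sectors_per_cluster"]) * f["bytes_per_sector"]

def fat_entry(fat: bytes, n: int, version: int) -> int:
    """Read FAT entry n; the entry width is the main difference between FAT versions."""
    if version == 32:
        return struct.unpack_from("<I", fat, n * 4)[0] & 0x0FFFFFFF   # top 4 bits reserved
    if version == 16:
        return struct.unpack_from("<H", fat, n * 2)[0]
    word = struct.unpack_from("<H", fat, n + n // 2)[0]               # 12-bit entries, 1.5 bytes apart
    return word >> 4 if n & 1 else word & 0x0FFF

def cluster_chain(fat: bytes, first: int, version: int) -> list:
    """Follow next-cluster pointers from `first` until end-of-chain, bad marker, or a free entry."""
    bad = {12: 0xFF7, 16: 0xFFF7, 32: 0x0FFFFFF7}[version]            # >= bad: bad cluster or EOC
    chain, seen, cur = [], set(), first
    while 2 <= cur < bad:                                              # 0, 1 and >= bad terminate
        if cur in seen:
            raise ValueError("FAT chain loops back on itself (corrupt or anti-forensic)")
        seen.add(cur)
        chain.append(cur)
        cur = fat_entry(fat, cur, version)
    return chain

def unallocated_clusters(fat: bytes, version: int, cluster_count: int) -> list:
    """Entries 0 and 1 are reserved; from 2 upward a zero entry means unallocated."""
    return [c for c in range(2, cluster_count + 2) if fat_entry(fat, c, version) == 0]

# Constructed 9-entry FAT32 table (not the image's FAT): root dir in cluster 2,
# a file spanning 3 -> 4 -> 5, clusters 6 and 8 free, cluster 7 marked bad.
SAMPLE_FAT32 = struct.pack("<9I", 0x0FFFFFF8, 0x0FFFFFFF, 0x0FFFFFFF, 4, 5, 0x0FFFFFFF, 0, 0x0FFFFFF7, 0)
# Constructed FAT12 table with entries 0xFF8, 0xFFF, 0x003, 0xFFF (cluster 2 -> 3 -> EOC).
SAMPLE_FAT12 = b"\xF8\xFF\xFF\x03\xF0\xFF"

if __name__ == "__main__":
    fields = parse_boot_sector(build_boot_sector())
    layout = compute_layout(fields)
    print(layout)
    print(hex(cluster_offset(layout, fields, 3)))
    print(cluster_chain(SAMPLE_FAT32, 3, 32), unallocated_clusters(SAMPLE_FAT32, 32, 7))
    print(cluster_chain(SAMPLE_FAT12, 2, 12))
```

On a real image, feed the 512 bytes at the volume's byte offset to parse_boot_sector, then read the first FAT from fat_starts[0] and compare it with the backup at fat_starts[1]; a mismatch between the two copies is itself worth noting in a report. Walking a chain that starts at a free entry returns only that first cluster, which is exactly the situation for a deleted file whose FAT entries have been zeroed.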
The root directory contains entries which are 32 bytes long.

The first byte of a directory entry is important.

If a file is deleted, the first byte of its directory entry is simply set to 0xE5; the rest of the entry (name, starting cluster, size, timestamps) stays in place until the slot is reused, which is what makes deleted-file recovery possible. Two caveats: the FAT entries of the file's clusters are zeroed on deletion, so only the first cluster is known from the entry and a fragmented file cannot be followed through the FAT; and on FAT32, Windows typically also zeroes the high 16 bits of the starting-cluster field, so the recorded first cluster may be wrong for files that started beyond cluster 65535.

For example, in this pendrive image a file named Sliet longowal.pptx has been deleted.
Directory data is organized in 32-byte records.
At the end of the directory is a record that begins with zero.
All other records will be non-zero in their first byte, so this is an easy way to determine when you have reached the end of the directory (a forensic tool should still look past it, since slots beyond the terminator can hold stale records from when the directory was larger).

The first 11 bytes are the short filename: 8 bytes of name followed by 3 bytes of extension, so the extension is always the last three bytes. If the file's name is shorter than 8 bytes, the unused bytes are filled with spaces (0x20).
The starting cluster number is stored as two 16-bit halves (the high half at offset 0x14, used only on FAT32, and the low half at offset 0x1A), and the file size in bytes is found in the last four bytes of the record (offset 0x1C).

The first cluster number tells you where the file's data begins on the drive, and the size field tells how long the file is; the clusters after the first are found by following the FAT chain.
There are four types of 32-byte directory records:
Normal record with short filename: Attrib holds the ordinary file or directory bits
Long filename text: Attrib has all four of the least significant bits set (0x0F)
Unused: first byte is 0xE5
End of directory: first byte is zero
The Attrib byte has six bits defined: 0x01 read-only, 0x02 hidden, 0x04 system, 0x08 volume label, 0x10 subdirectory, 0x20 archive.

Most simple firmware will check the Attrib byte to determine if the 32 bytes are a normal record or long filename data, and to determine if it is a normal file or a subdirectory.

Long filename records have all four of the least significant bits set (read-only, hidden, system and volume label at once), a combination no ordinary entry uses.

Normal files rarely have any of these four bits set.
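The record types, the 0xE5 deletion marker, the zero terminator and the split starting-cluster field described above come together in a directory walker. The following is an added example, not code from the slides: the 32-byte records it parses are constructed in memory (a live file, a deleted file carrying the long name Sliet longowal.pptx with an assumed short name, a subdirectory, the terminator and a stale record behind it), the short-name checksum byte in the long-name records is left at zero as an assumption, and none of the bytes are taken from pd_image1.dd.

```python
import struct

# FAT directory entry attribute bits (byte 11 of each 32-byte record).
ATTR_READ_ONLY, ATTR_HIDDEN, ATTR_SYSTEM, ATTR_VOLUME_LABEL = 0x01, 0x02, 0x04, 0x08
ATTR_DIRECTORY, ATTR_ARCHIVE = 0x10, 0x20
ATTR_LFN = ATTR_READ_ONLY | ATTR_HIDDEN | ATTR_SYSTEM | ATTR_VOLUME_LABEL  # 0x0F

def short_entry(name: str, ext: str, attr: int, cluster: int, size: int) -> bytes:
    """Constructed 32-byte short-name record; name/ext are space padded to 8+3."""
    rec = bytearray(32)
    rec[0:11] = f"{name:<8}{ext:<3}".encode("ascii")
    rec[11] = attr
    struct.pack_into("<H", rec, 0x14, cluster >> 16)      # high 16 bits of first cluster
    struct.pack_into("<H", rec, 0x1A, cluster & 0xFFFF)   # low 16 bits of first cluster
    struct.pack_into("<I", rec, 0x1C, size)               # file size in bytes
    return bytes(rec)

def lfn_entry(seq: int, chunk: str, last: bool) -> bytes:
    """Constructed long-filename record: 13 UTF-16LE chars spread over three byte ranges."""
    if len(chunk) < 13:
        chunk = chunk + "\x00" + "\uffff" * (12 - len(chunk))  # NUL, then 0xFFFF padding
    u = chunk.encode("utf-16le")
    rec = bytearray(32)
    rec[0] = seq | (0x40 if last else 0)   # sequence number; 0x40 marks the final part
    rec[1:11] = u[0:10]
    rec[11] = ATTR_LFN
    rec[13] = 0                            # short-name checksum, not computed here (assumption)
    rec[14:26] = u[10:22]
    rec[28:32] = u[22:26]
    return bytes(rec)

def mark_deleted(rec: bytes) -> bytes:
    """What deletion does to a record on disk: only the first byte changes, to 0xE5."""
    return b"\xE5" + rec[1:]

def decode_lfn_chunk(rec: bytes) -> str:
    raw = rec[1:11] + rec[14:26] + rec[28:32]
    return raw.decode("utf-16le", "replace").split("\x00", 1)[0].rstrip("\uffff")

def parse_directory(data: bytes) -> list:
    """Walk 32-byte records, classify them, and keep deleted entries for recovery."""
    entries, lfn_chunks = [], []
    for off in range(0, len(data) - 31, 32):
        rec = data[off:off + 32]
        if rec[0] == 0x00:                 # end of directory: no valid entries beyond here
            break
        if rec[11] == ATTR_LFN:            # long-name text, stored just before its short entry
            lfn_chunks.append(decode_lfn_chunk(rec))
            continue
        deleted = rec[0] == 0xE5
        base = rec[0:8].decode("ascii", "replace").rstrip()
        ext = rec[8:11].decode("ascii", "replace").rstrip()
        if deleted:                        # 0xE5 overwrote the first name character
            base = "?" + base[1:]
        attr = rec[11]
        first_cluster = (struct.unpack_from("<H", rec, 0x14)[0] << 16) | struct.unpack_from("<H", rec, 0x1A)[0]
        entries.append({
            "short_name": f"{base}.{ext}" if ext else base,
            # On disk the LFN record holding the tail of the name comes first, so reverse.
            "long_name": "".join(reversed(lfn_chunks)) or None,
            "deleted": deleted,
            "is_dir": bool(attr & ATTR_DIRECTORY),
            "attr": attr,
            "first_cluster": first_cluster,
            "size": struct.unpack_from("<I", rec, 0x1C)[0],
        })
        lfn_chunks = []
    return entries

# Constructed directory: a live file, a deleted file with a long name, a
# subdirectory, the zero terminator, then a stale record that must be ignored.
SAMPLE_DIR = b"".join([
    short_entry("HELLO", "TXT", ATTR_ARCHIVE, 3, 1234),
    mark_deleted(lfn_entry(2, "l.pptx", last=True)),
    mark_deleted(lfn_entry(1, "Sliet longowa", last=False)),
    mark_deleted(short_entry("SLIETL~1", "PPT", ATTR_ARCHIVE, 6, 20480)),
    short_entry("DOCS", "", ATTR_DIRECTORY, 9, 0),
    bytes(32),
    short_entry("STALE", "BIN", ATTR_ARCHIVE, 12, 99),
])

if __name__ == "__main__":
    for entry in parse_directory(SAMPLE_DIR):
        print(entry)
```

For a deleted entry the parser still returns first_cluster and size, which is all that is needed to carve the file when it was stored contiguously and its clusters have not been reused; the long name survives in the 0xE5-marked LFN records even though the short name has lost its first character.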
