Presentation is loading. Please wait.

Presentation is loading. Please wait.

BACS 371 Computer Forensics

Published byDorothy Applebee Modified over 10 years ago

Similar presentations

Presentation on theme: "BACS 371 Computer Forensics"— Presentation transcript:

1 BACS 371 Computer Forensics
File Systems I FAT File Systems

2 File Systems (See http://www.ntfs.com)
A method for storing and organizing computer files and the data they contain to make it easy to find and access them File System Types FAT (File Allocation Table) FAT12 FAT16 FAT32 exFAT NTFS (New Technology File System) Functions Manage “free space” Allocate clusters to file Track time (MAC – Modify, Access, Create)

3 FAT12 & FAT 16 FAT 12 FAT 16 Cluster size = 512 bytes to 8 K bytes
212 addressable clusters 4096 clusters max for max volume size of 32 MB FAT 16 Cluster size 512 bytes to 64 K bytes 216 addressable clusters 65,563 clusters max for max volume size of 4 GB FAT 16 had a limitation of 32 KB cluster size for early Windows programs resulting in a max volume size of 2GB The root directory was limited to 512 entries of 32 bytes each These had no security or user access protection

4 A FAT file system is composed of four different sections.
The Boot Sector (aka Partition Boot Record, BIOS Parameter Block, Drive Parameter Block or Reserved Sector). This is always the first sector of the partition and includes some basic file system information (in particular, its type), pointers to the location of the other sections and the operating system's boot loader code. The FAT Region. This contains two copies of the File Allocation Table for the sake of redundancy, although the extra copy is rarely used, even by disk repair utilities. These are maps of the partition, indicating how the clusters are allocated. The Root Directory Region. This is a Directory Table that stores information about the files and directories in the root directory. With FAT32 it can be stored anywhere in the partition, however with earlier versions it is always located immediately after the FAT Region. The Data Region. This is where the actual file and directory data is stored and takes up most of the partition. The size of files and subdirectories can be increased arbitrarily (as long as there are free clusters) by simply adding more links to the file's chain in the FAT. Note however, that each cluster can be taken only by one file, and so if a 1KB file resides in a 32KB cluster, 31KB are wasted.

5 FAT File System Partition Boot Record FAT 1 FAT 2 (Duplicate)
Root Directory Other folders and all files This is all contained within a partition. Note that the “other folders and files” component is most of the physical disk.

6 Partition Boot Record AKA File System Boot Sector
Within each partition that has a file system, a partition boot record is found. It defines the details of the file system located in the partition. It is 1 sector long and is the first physical sector in a logical volume. C 0, H 1, S 1 for first partition. First sector (plus partition offset) in subsequent partitions. Contains Code File System Specification Information

7 Partition Boot Record (PBR)
BIOS Parameter Block Executable Code Machine Language Code Processor Specific Decodes BPB Searches for OS PBR “Signature” 0x55AA

8 Partition Boot Record (FAT32 File system)
Jump Instruction (3 bytes) OEM ID (8 Bytes) BIOS Parameter Block (BPB) (includes all below plus additional fields) all offsets in this section are from start of the BPB counting from 0 offset 1110 Bytes Per Sector 2 Bytes offset 1310 Sectors Per Cluster 1 Byte offset 2110 Media Descriptor 1 Byte offset 2410 Sectors Per Track 2 Bytes offset 2610 Number of Heads 2 Bytes offset 2810 Hidden Sectors 4 Bytes offset 3210 Total Sectors 4 Bytes Bootstrap Code (448 Bytes) Ends with 55 AA NOTE: Offsets are from start of Partition, not start of Drive!

9 File Allocation Table A partition is divided up into identically sized clusters, small blocks of contiguous space. Cluster sizes vary depending on the type of FAT file system being used and the size of the partition, typically cluster sizes lie somewhere between 2KB and 32KB. Each file may occupy one or more of these clusters depending on its size; thus, a file is represented by a chain of these clusters (referred to as a singly linked list). However these chains are not necessarily stored adjacently on the disk's surface but are often instead fragmented throughout the Data Region. The File Allocation Table (FAT) is a list of entries that map to each cluster on the partition. Each entry records one of five things: the address of the next cluster in a chain a special end of file (EOF) character that indicates the end of a chain a special character to mark a bad cluster a special character to mark a reserved cluster a zero to note that that cluster is unused

10 File Allocation Table (FAT)

11 File Allocation Table (FAT)
The first sector in the file is found in cluster 2 in the data area of the disk. The FAT entry in position 02 points to position 03; so the next cluster is found in 03 in the data area of disk. This linked list continues until the ‘FF FF’ in 16 indicates the end of the file is found in that cluster. Start at 02 Continue until 16 2 bytes are used to indicate a cluster address, so ‘0 and 1’ are the 0th position in the FAT. ‘2 3’ are the 1st, and ‘4 5’ is the 2nd. That is why the slide says that it starts at 02.

12 FAT Entry Values FAT12 FAT16 FAT32 Description 0x000 0x0000 0x?0000000
Free Cluster 0x001 0x0001 0x? Reserved Cluster 0x002 – 0xFEF 0x0002 – 0xFFEF 0x? x?FFFFFEF Used Cluster, value points to next Cluster 0xFF0 – 0xFF6 0xFFF0 – 0xFFF6 0x?FFFFFF0 - 0x?FFFFFF6 Reserved values 0xFF7 0xFFF7 0x?FFFFFF7 Bad Cluster 0xFF8 - 0xFFF 0xFFF8 - 0xFFFF 0x?FFFFFF8 - 0x?FFFFFFF Last Cluster in File Source: Wikipedia ? – 4 reserved bits, usually 0

13 Directory Content The Directory is a Database of:
File names Directory names Date and time stamps (MAC) Modify Access Create Starting cluster number Attributes Archive Hidden System Read Only Located on outermost track of disk

14 Directory table A directory table is a special type of file that represents a directory (nowadays commonly known as a folder). Each file or directory stored within it is represented by a 32 byte entry in the table. Each entry records the name, extension, attributes (archive, directory, hidden, read-only, system and volume), the date and time of creation, the address of the first cluster of the file/directory's data and finally the size of the file/directory. Aside from the Root Directory Table in FAT12 and FAT16 file systems which occupies the special Root Directory Region location, all Directory Tables are stored in the Data Region. Legal characters for DOS file names include the following: Upper case letters A-Z Numbers 0-9 Space (though trailing spaces are considered to be padding and not a part of the file name)  ! # $ % & ( ) ^ _ ` { } ~ ' Values

15 Directory to FAT interaction

16 Root Directory

17 FAT32 32-bit Cluster Numbers Only 28 bits actually used
228 Addressable Clusters (~ 268,435,438) Drive sizes ~ 1TB (228 clusters * 4096 Bytes per cluster ~ 1.1TB) WinXP limited to 32GB using FAT32 Max file size in FAT32 is bytes ~ 4GB No security, anyone can access anything The root directory is an ordinary cluster chain so there is no limit on its size Limited error correction Files per volume: FAT12 – 4096 FAT16 – 65536 FAT32- 4,177,920

18 Long File Names “Trick”
FAT 12 and FAT 16 were limited to 8.3 file names (that is, 8 character name with 3 character suffix) This was a significant limitation, so FAT 32 fixed it. Phony entries are added to the Directory Tables Entries are marked with a volume label attribute Each phony entry can contain up to 13 UTF-16 characters (26 bytes)

19 Long File Names Entries
Long Name 8.3 Entry Red entries are short file name entries. Blue are for a long file name. Read the long filename entries from the bottom to the top. Note that first byte in each group of long filenames are 01, 02, 03, 04, 05, and 06 (or’ed with 40 to indicate the last segment). Filename entries have 0F in 12th byte. Directory entries have a 10 in this position (indicating a directory). This gave the flexibility to read the 8.3 names (for older programs) or the new long names using the same general directory structure.

20 FAT32 Root Directory Volume ID Directory Entry
Single Directory Entry for a file with a “short” filename. Multiple Directory Entries for a file with a “long” filename. There are 4 entries to contain the long file name, and 1 entry to contain the complete set of file information including the “short” file name. Designates Attribute Bits 0x08 = Volume Label 0x20 = Archive 0x0F = Long File Name The first nibble of the extended directory entries indicates which record in the series it is. 01 is the first, 02 the second, and so on. The last one is ‘ored’ with 40, so instead of being 05, it is 45. The 0F at position 6 is the extended directory record indicator. Note how the short file name does not have it. 20 is the indicator of the original 8.3 directory entry.

21 Advantages of FAT32 over FAT16
FAT32 offers smaller cluster sizes -> less wasted space FAT32 systems can reallocate and change the size of the root directory FAT32 drives can contain a copy of the boot record(s) –> less prone to failure Allow for long file names

22 File System Comparisons
Criteria NTFS5 NTFS FAT32 FAT16 Operating System Windows 2000 Windows XP Vista, Win 7 Windows NT Windows 2000 Windows XP Windows 98 Windows ME Windows 2000 Windows XP DOS All versions of Microsoft Windows Limitations Max Volume Size 2TB 2GB Max Files on Volume Nearly Unlimited ~65000 Max File Size Limit Only by Volume Size 4GB Max Clusters Number 65535 Max File Name Length Up to 255 Standard Extended - up to 255

23 Criteria NTFS5 NTFS FAT32 FAT16
File System Features Criteria NTFS5 NTFS FAT32 FAT16 Unicode File Names Unicode Character Set System Character Set System Records Mirror MFT Mirror File Second Copy of  FAT Boot Sector Location First and Last Sectors First Sector File Attributes Standard and Custom Standard and Custom Standard Set Alternate Streams Yes No Compression Encryption Object Permissions Disk Quotas Sparse Files Reparse Points Volume Mount Points File Names 256 Char 8.3 Names

24 Overall Performance Criteria NTFS5 NTFS FAT32 FAT16 Built-In Security
Yes No Recoverability Performance Low on small volumes High on Large Low on small volumes  High on Large High on small volumes Low on large Highest on small volumes Low on large Disk Space Economy Max Average Minimal on large volumes Fault Tolerance Minimal

Download ppt "BACS 371 Computer Forensics"

Similar presentations

Chapter 6 File Systems 6.1 Files 6.2 Directories

Chapter 6 File Systems 6.1 Files 6.2 Directories
NTFS - The workhorse file system for the Windows Platform

NTFS - The workhorse file system for the Windows Platform
BASICS OF MSP430 & INTERFACING MICRO-SD CARD WITH IT.

BASICS OF MSP430 & INTERFACING MICRO-SD CARD WITH IT.
Hard Disks Low-level format- organizes both sides of each platter into tracks and sectors to define where items will be stored on the disk. Partitioning:

Hard Disks Low-level format- organizes both sides of each platter into tracks and sectors to define where items will be stored on the disk. Partitioning:
Chapter 12: File System Implementation

Chapter 12: File System Implementation
File and Disk Maintenance

File and Disk Maintenance
4.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 4: Organizing a Disk for Data.

4.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 4: Organizing a Disk for Data.
File Management.

File Management.
Lecture 13 storage management

Lecture 13 storage management
Windows File Systems CGS2564. Who Cares? C:\Documents\Taxes\Tax04.DOC.

Windows File Systems CGS2564. Who Cares? C:\Documents\Taxes\Tax04.DOC.
Chapter 6 File Systems 6.1 Files 6.2 Directories

Chapter 6 File Systems 6.1 Files 6.2 Directories
COMP091 – Operating Systems 1

COMP091 – Operating Systems 1
Operating Systems File Management.

Operating Systems File Management.
FAT Concepts and Analysis

FAT Concepts and Analysis
Chapter 4 : File Systems What is a file system?

Chapter 4 : File Systems What is a file system?
BACS 371 Computer Forensics

BACS 371 Computer Forensics
Computer Forensics NTFS File System.

Computer Forensics NTFS File System.
File Systems Examples.

File Systems Examples.
FILE SYSTEMS. File Names 1 to 255 characters in length  This includes the path You can use uppercase and lowercase (case-aware, but not case-sensitive)

FILE SYSTEMS. File Names 1 to 255 characters in length  This includes the path You can use uppercase and lowercase (case-aware, but not case-sensitive)
The FAT File System CSC 414. Objectives  Understand the structure and components of the FAT (12/16/32) File Systems  Understand what happens when a.

The FAT File System CSC 414. Objectives  Understand the structure and components of the FAT (12/16/32) File Systems  Understand what happens when a.

Similar presentations

Ads by Google