Presentation is loading. Please wait.

Presentation is loading. Please wait.

FAT Concepts and Analysis

Published byTamara Flitter Modified over 9 years ago

Similar presentations

Presentation on theme: "FAT Concepts and Analysis"— Presentation transcript:

1 FAT Concepts and Analysis

2 Acknowledgments Dr. David Dampier and the
Center for Computer Security Research (CCSR)

3 Basic Concepts The FAT file system is one of the most simple file systems and does not clear follow the five category model. It consists of two main data structures: File Allocation Table Directory Entries

4 Basic Concepts Each file and directory is allocated a directory entry, that contains: File name File size Starting address of file content Other metadata File and directory content is stored in clusters If a file or directory needs more than one cluster, those clusters are found in the FAT structure Versions of FAT: FAT12, FAT 16, and FAT32 Difference is the size of entries in the FAT structure

5 Versions of FAT FAT12 FAT16 FAT32
Designed as a file system for floppy diskettes 12-bit cluster addresses FAT16 16-bit cluster addresses FAT32 32-bit cluster addresses (28 bits used) => 228 clusters Drive size up to 8TB with 32KB clusters Can become slow and inefficient Video applications and large databases often exceed FAT32 limitations

6 Layout of a FAT file system
The layout of the FAT file system consists of 3 physical sections: Reserved area – for file system category FAT area – primary and backup FAT structures Data area – clusters used for storing file and directory content Reserved Sector 0 FAT area Data Area

7 FAT File System Data In order to analyze the FAT file system, it is necessary to locate the three physical layout areas. The reserved area starts at sector 0, and its size is given in the boot sector. In FAT12/16, the reserved area is typically only 1 sector, but FAT32 will typically reserve many sectors The FAT area begins in the sector after the reserved area. Its size is calculated by multiplying the number of FAT structures by the size of each FAT, both of which can be found in the boot sector The data area begin in the sector after the FAT area. Its size can be found by subtracting the starting address of the data area from the total number of sectors in the file system, which can be found in the boot sector.

8 FAT System Layout FAT 32 FAT 12/16
Reserved Area FAT Area Root Directory Data Area FAT 32 Reserved Area FAT Area Root Directory Data Area The main difference between these layouts is that FAT 12/16’s root directory is at the beginning of the data sector, while in the FAT 32’s root directory can be anywhere in the data area. The first 36 bytes are the same in all.

9 File System Category The data in the File System Category describes the general file system and can be found in the boot sector data structure. The boot sector is located in the first sector of the volume and is part of the reserved area of the file system.

10 Boot Sector The Boot Sector is contained in the first 512 bytes.
The first 36 bytes of all FAT Boot Sectors contain: 0-2 jump to boot code 3-10 name in ASCII bytes per sector 13 sectors per cluster (powers of 2 < 32KB) size in sectors of reserved area 16 number of FATs, 2 if backup max # of root directory entries bit value of number of sectors in file system 21 media type: 0xf8 fixed disks, 0xf0 removable bit size in sectors of each FAT 24-25 sectors per track 26-27 number of heads 28-31 number of sectors before start of partition bit value of # of sectors in file system, > 0 Bytes 510 and 511 have signature 0x55 and 0xAA

11 Example Image FAT32 (See pp. 216 and 217)
# fsstat –f fat fat-4.dd FILE SYSTEM INFORMATION File system type: FAT OEM Name: MSDOS5.0 Volume ID: 0x4c194603 Volume Label (Boot Sector): NO NAME Volume Label (Root Directory): FAT DISK File System Type Label: FAT32 Backup Boot Sector Location: 6 FS Info Sector Location: 1 Next Free Sector (FS Info): 1778 Free Sector Count (FS Info): File System Layout (in sectors) Total Range: 0 – * Reserved: ** Boot Sector: 0 ** FS Info Sector: 1 * FAT 0: * FAT 1: * Data Area: *** Root Directory: CONTENT DATA INFORMATION Sector Size: 512 Cluster Size: 38 reserved sectors 2 FAT structures

12 Analysis In order to analyze a disk or find hidden data, it is necessary to know the layout of file systems and know which OS formatted the disk Several places not used by the file system could contain hidden data In the reserved area, at the end of the boot sector data and the final signature Between the end of the file system and the end of the volume FAT32 systems have a backup boot sector in sector 6 The primary and backup copies could be compared to find inconsistencies If values in the primary have been changed, the backup may contain original data

13 Analysis Scenario Imagine that the first 32 sectors of a disk are damaged and cannot be read. What do you do? First, find the start of the file system. The signature for a fat file system is 0x55 and 0xAA in the final two bytes of the boot sector. The sigfind tool can be used to look for the signature. When the tool find the signature, additional test can be conducted on a range of values that are valid for a given data structure. For example, byte 13 of the boot sector identifies how many sectors in a cluster, and must have a value that is a power of 2. Any other value would indicate that the sector was not part of a FAT file system boot sector, even though it contained the signature.

14 Content Category The Content category comprises of the file and directory content. FAT file systems use the term cluster for its data units in the Data Area A cluster is a group of consecutive sectors, the number of sectors must be a power of 2 (1, 2, 4, ..., 64) Each cluster has an address and the address of the first cluster is 2 (there are no clusters with address 0 or 1) Reserved Sector 0 FAT area Data Area

15 Finding the First Cluster
Finding cluster 2 is not easy, because it is not at the beginning of the file system. Depending on whether it is a FAT 12/16 or FAT 32 system, the procedure is different. FAT 12/16 Reserved Area FAT Area Root Directory Data Area Sector 1224 Sector 1256 Cluster 2 FAT 32 Reserved Area FAT Area Root Directory Data Area Sector 1224 Cluster 2

16 Finding the First Cluster
In a FAT 12/16 system, the number of root directory entries are given in the boot sector, and cluster 2 starts in the next sector. For example, consider a FAT16 file system with 32 sectors allocated for the root directory. If the data area starts in sector 1224, then the root directory spans from sector 1224 to If we have 2048 byte clusters, then cluster 2 would start at 1256 and cluster 3 would start at 1260.

17 Cluster Allocation Status
The status of a cluster (whether allocated or not) is found in the FAT structure. The basic concept of the FAT is that it has one entry for each cluster in the file system. If the table entry is 0, then the cluster corresponding to that table entry is not allocated to a file. All other values mean that the cluster is allocated. Reserved Sector 0 FAT area Data Area

18 Allocation Algorithms
To find an unallocated cluster the OS scans the FAT for an entry with a 0 in it Most operating systems do not clear cluster contents when unallocated 61 62 63 64 65 66 67 X X X X X – allocated 0 - available Last allocated

19 Analysis Techniques When analyzing the content category, there are several places where data could be hidden. Clusters can be marked as ‘bad’, and bad clusters should be examined, because the OS does not look at them. The size of the data are might not be a multiple of the cluster size, so there could be a few sectors at the end of the data area that are not part of a cluster.

20 Analysis Scenario Imagine a FAT 16 file system in which you need to locate cluster 812. The only tool available is a hex editor. First, view the boot sector, which is located at sector 0 of the file system and process it Processing this indicates that there are 6 reserved sectors, two FATS, each FAT is 249 sectors, each cluster is 32 sectors and there are 512 directory entries in the root directory. Sector 6 Sector 255 Sector 504 Sector 536 Sector 568 Sector 26456 Reserved FAT1 FAT2 Root Directory Cluster2 Cluster812

21 Metadata Category This category includes data that describe files and directories in directory entries Where content is stored, dates and times, and permissions In an FAT file system, this information is stored in a directory entry structure. Every file or directory is allocated a directory entry. Exists anywhere in the Data area. Each directory entry is 32 bytes: file attributes, size, starting cluster, dates and times When a new file or directory is created, a directory entry in the parent directory (..) is allocated for it Searched by using full name FAT structure is used to find remaining clusters

22 Directory Entry Structures
Clusters FAT Structure Cluster 34 File1.dat 4,000 bytes Cluster 34 35 34 EOF 35 Cluster 35

23 Directory Entry Data Structure
0 first character of file name in ASCII 1-10 characters 2 to 11 of file name in ASCII 11 file attributes (read only, hidden, volume label etc. ) 13 creation time (tenths of seconds) 14-15 creation time (hours, minutes, seconds) 16-17 creation day 18-19 last accessed day 20-21 high 2 bytes of first cluster address 22-23 written time (hours, minutes, seconds) 24-25 written day 26-27 low 2 bytes of first cluster address 28-31 size of file (0 for directories), max file size 4GB See Table 10.5 and 10.6

24 Directory Entries Directory entries can exist anywhere in the data area. When a new file or directory is created, a directory entry in the parent directory is allocated for it. The 11th byte in the directory entry has an attribute field that can contain 7 different attributes. Directory attribute Long file name attribute Volume label – only one directory entry should have this label Read-only attribute Hidden attribute System attribute Archive attribute The allocation status of a directory entry is determined by using the first byte. With an allocated entry, the first byte stores the first character in the file name, but it is replaced by 0xe5 when the entry becomes unallocated.

25 Directory Entries ... ... Sector 520 Sector 1,376 Each 512 byte sector
can store 16 directory entry structures ... ... FAT Area Data Area Carrier Figure 9.12

26 Cluster Chains If a FAT entry is non-zero, it contains the address of the next cluster, an EOF, or a bad sector indicator. FAT Directory Entry 39 File1.dat Start: 40 Size: 6,013 41 40 44 41 EOF 42 We know from the file size how many clusters are needed 43 EOF 44

27 Creation times in directory entries
Cluster 110 Cluster 256 Name Created Cluster Name Created Cluster Dir2 3/30/08 01:02:03 128 . 4/01/08 05:14:00 256 Dir1 4/03/08 11:12:13 256 .. 4/04/08 05:14:00 110 File8.dat 5/24/08 12:12:12 512 File1.dat 4/03/08 12:12:12 208 The created time in the directory entry for the directory does not match the . and .. entries Carrier Figure 9.10

28 Directories When a new directory is created a cluster is allocated and wiped with zeros The size field is always zero To find the size of the directory, go to the starting cluster and follow the cluster chain until EOF The first two directory entries in a directory entry are: Current directory (.) Parent directory (..) Time fields may be used to verify creation time of a directory However we cannot confirm the last written date because . and .. entries are not updated for each directory modification

29 Directory Entry Allocation
Unallocated Directory Entry #2 Allocated Directory Entry #3 Directory Entry #4 Last Allocated ... Entry 3 was unallocated after entry 4 was allocated Directory Entry #5 Directory Entry #6 Carrier’s Observations: Windows 98 uses a first-available allocation strategy and starts from the beginning Windows XP uses next-available and starts from the last allocated directory entry

30 Searching for deleted directories
When unallocated, the first letter of a file name is changed to _ (0xe5) Thus, if two files had similar names: A-1.dat and B-1.dat, they would now both be _-1.dat When a directory is deleted and its entry is reallocated, the cluster for that directory is orphaned To find orphan files, every sector of the data area needs to be examined... See figure 9.11

31 Analysis Scenario Imagine that there is a FAT file system has been recently formatted and we need to recover the directories from before the format. That means, we need to look at all the unallocated space and see if there is any directory information in there. Using TSK, we can extract the unallocated space using dls.

32 Analysis Contd. - Search for Unallocated Space and then Search for Directories
dls allows us to extract the unallocated space. #dls –f fat Fat-10.dd > fat-10.dls sigfind can be used to search for a signature. Example: the first 4 bytes of a directory is always “. “ (period followed by 3 spaces – current directory) which has the hex code of 0x2e202020 #sigfind –b 512 2e fat-10.dls Block size: Offset: 0 Block: 180 (-) Block 2004 (+1824) Block 3092 (+1088) Block 3188 (+96) Block (+15840) ...says that this signature occurred in sector 180 and others

33 Viewing the contents of Sector 180
#dd if=fat-10.dls skip=180 count=1 | xxd : 2e daf ]. : 3c23 3c daf 3c23 4f <#<#..].<#0.... : 2e2e daf ]. : 3c23 3c daf 3c23 dc0d <#<#..].<#0.... : e549 4c e ILE1.DAT : d u!u!.....u!V..... Three entries are shown here. The first two are for the . and .. entries. The . entry points to cluster 6,479 (0x194f) The .. entry points to cluster 3,548 (0x0ddc) The third entry is for a file that starts in cluster 6,486 (0x1956) with a size of 53, 248 bytes (0xd000). File recovery could be performed on this file now that we know its starting address and size.

34 File Name Category FAT does not differentiate between a file name address and metadata address, and this is the same as what was there in the metadata category. So far, what we saw were filenames with 8 characters plus a 3-character extension (SFN) SFN entry contains time, size, and starting cluster information A file may also have a longer, more descriptive file name, LFN If there are > 13 characters, more LFN entries are used...see figure 9.15

35 Finding Hidden Data Unused sectors in the reserved area
Between the end of the file system and the end of the volume Compare the number of sectors in the file system (given in boot sector) with the number of sectors in the volume to find volume slack The total number of sectors value can be easily changed in the boot sector

36 Finding more hidden data...
Between the last entry in the primary FAT and the start of the backup copy or between the last valid entry in the backup FAT and the start of the data area Compare the size of each FAT with the size needed for the number of clusters in the file system Someone could create a directory with only a few files and use the rest of the directory space for hiding data Compare the allocated size of the directory to the number of allocated files

37 The Big Picture Boot Sector Data Area FAT Root Directory Cluster 90
This is the content of a file that I just created File1.txt 200 dir1 90 201 200 EOF 201 Cluster 201 This is the content from the rest of the file that didn’t fit in the cluster

Download ppt "FAT Concepts and Analysis"

Similar presentations

Numbers Treasure Hunt Following each question, click on the answer. If correct, the next page will load with a graphic first – these can be used to check.

Numbers Treasure Hunt Following each question, click on the answer. If correct, the next page will load with a graphic first – these can be used to check.
Variations of the Turing Machine

Variations of the Turing Machine
AP STUDY SESSION 2.

AP STUDY SESSION 2.
1

1
Feichter_DPG-SYKL03_Bild-01. Feichter_DPG-SYKL03_Bild-02.

Feichter_DPG-SYKL03_Bild-01. Feichter_DPG-SYKL03_Bild-02.
Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.

Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.
Chapter 1 The Study of Body Function Image PowerPoint

Chapter 1 The Study of Body Function Image PowerPoint
Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.

Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.
Author: Julia Richards and R. Scott Hawley

Author: Julia Richards and R. Scott Hawley
1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.
Properties Use, share, or modify this drill on mathematic properties. There is too much material for a single class, so you’ll have to select for your.

Properties Use, share, or modify this drill on mathematic properties. There is too much material for a single class, so you’ll have to select for your.
David Burdett May 11, 2004 Package Binding for WS CDL.

David Burdett May 11, 2004 Package Binding for WS CDL.
1 RA I Sub-Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Casablanca, Morocco, 20 – 22 December 2005 Status of observing programmes in RA I.

1 RA I Sub-Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Casablanca, Morocco, 20 – 22 December 2005 Status of observing programmes in RA I.
1. HDD Partition Setup Insert Booting Diskette to A: drive and turn on the power. Then it will be boot by floppy diskette. 1 Type FDISK and press Enter.

1. HDD Partition Setup Insert Booting Diskette to A: drive and turn on the power. Then it will be boot by floppy diskette. 1 Type FDISK and press Enter.
Custom Statutory Programs Chapter 3. Customary Statutory Programs and Titles 3-2 Objectives Add Local Statutory Programs Create Customer Application For.

Custom Statutory Programs Chapter 3. Customary Statutory Programs and Titles 3-2 Objectives Add Local Statutory Programs Create Customer Application For.
Chapter 6 File Systems 6.1 Files 6.2 Directories

Chapter 6 File Systems 6.1 Files 6.2 Directories
1 Chapter 12 File Management Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,

1 Chapter 12 File Management Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,
PUBLIC KEY CRYPTOSYSTEMS Symmetric Cryptosystems 6/05/2014 | pag. 2.

PUBLIC KEY CRYPTOSYSTEMS Symmetric Cryptosystems 6/05/2014 | pag. 2.
1 Click here to End Presentation Software: Installation and Updates Internet Download CD release NACIS Updates.

1 Click here to End Presentation Software: Installation and Updates Internet Download CD release NACIS Updates.
BACS 371 Computer Forensics

BACS 371 Computer Forensics

Similar presentations

Ads by Google