FAT File System.

Overview
- History and Usage
- Structure
- Forensic Notes about FAT volumes
- In Class Problem

History and Usage
- FAT: File Allocation Table
- FAT8, FAT12, FAT16, FAT32, exFAT, vFAT (extension to regular FAT*)
- Developed in 1977 by Microsoft Corporation
- Originally intended to be a file system for the Microsoft Disk BASIC interpreter, it was incorporated into MS-DOS after Microsoft purchased the rights to QDOS (Quick and Dirty Operating System).
- Commonly used by removable media (originally for floppy disks).
- Used for hard disks up until Windows XP (DOS, 95, 98, ME).
- Supported by many operating systems

Structure
- Boot Sector: Execution is passed from the MBR to the Boot Record contained here. Holds executable code as well as the OEM identifier, number of FATs, media descriptor (type of storage device), and information about the OS to be booted.
- FAT #1 and #2: Keep track of the allocation status of clusters (allocated, unallocated, end of file, bad sector). Usually FAT #2 is a mirror of FAT #1 to provide redundancy, but this can be turned off.
- Root Directory: Contains an entry for each file and directory stored in the file system. Includes information like the file name, starting cluster number, and file size. The root directory has a fixed size of 512 bytes (for a hard disk). Usually right after the FATs, but with FAT32 it can be anywhere on the partition.
- Data Region: Where the files are actually stored.

File Systems - FAT Structure
- Boot section
- More reserved sectors (optional)
- FAT #1
- FAT #2
- Root directory (FAT 12/16 only)
- Data region (remainder of disk)

Structure: Root Directory Entry
- Name (8.3) xxxxxxxx.yyy (88 bits) (Unicode string)
- Attribute byte (8 bits of information: type of entry (sub_dir, volume, etc.), and whether it is archive, system, hidden, read-only)
- One reserved byte
- Create time (24 bits)
- Create date (16 bits)
- Last access date (16 bits)
- Two reserved bytes
- Last modified time (16 bits)
- Last modified date (16 bits)
- Starting cluster number in the file allocation table (16 bits)
- File size (32 bits)

FAT Entry
Each type of FAT file system has a different size for each entry. Each entry contains one of five things:
- the cluster number of the next cluster in a chain
- a special end of cluster-chain (EOC) entry that indicates the end of a chain
- a special entry to mark a bad cluster
- a zero to note that the cluster is unused

FAT Entry: vFAT or Long Name FAT
- Multiple entries in the directory structure
- Conventional small file name for backward compatibility, with extra attributes to point to the other parts of a file name
- 13 bytes per directory structure entry

File Systems - FAT Structure
Fragmentation Issues and File Slack Space

Directory entries (file name, starting cluster):
File1.txt  0002
File2.txt  0005
File3.TXT  0007

FAT:
Address: 1 2 3 4 5 6 7 8
Value: 0003 0004 FFFF 0006 0008
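An added example (not from the original slides) that follows a FAT16 cluster chain from a directory entry's starting cluster and computes the file slack left in the last cluster. The FAT contents, the 2048-byte cluster size and the 5000-byte file size are constructed sample values loosely modelled on the slide's table; the entry values for free, bad and end-of-chain clusters follow Microsoft's FAT specification.

```python
import struct

# FAT16 entry meanings (per Microsoft's FAT specification)
FREE, BAD, EOC_MIN = 0x0000, 0xFFF7, 0xFFF8

def walk_chain(fat: bytes, start: int) -> list:
    """Follow a FAT16 chain from `start` until an end-of-chain marker."""
    chain, seen, cluster = [], set(), start
    while True:
        if cluster < 2 or cluster * 2 + 2 > len(fat):
            raise ValueError(f"cluster {cluster} is outside the FAT")
        if cluster in seen:  # a corrupted or tampered FAT can loop forever
            raise ValueError(f"loop detected at cluster {cluster}")
        seen.add(cluster)
        chain.append(cluster)
        (entry,) = struct.unpack_from("<H", fat, cluster * 2)
        if entry >= EOC_MIN:
            return chain
        if entry in (FREE, BAD):
            raise ValueError(f"chain broken after cluster {cluster}: {entry:#06x}")
        cluster = entry

def slack_bytes(file_size: int, chain: list, cluster_size: int) -> int:
    """Bytes between the end of the file and the end of its last cluster."""
    allocated = len(chain) * cluster_size
    if file_size > allocated:
        raise ValueError("directory size exceeds allocated clusters")
    return allocated - file_size

# Constructed sample FAT: entries 0 and 1 are reserved, then
# 2 -> 3 -> 4 -> EOC, 5 -> 6 -> EOC, 7 -> 8 -> EOC (assumed values).
SAMPLE_FAT = struct.pack("<9H", 0xFFF8, 0xFFFF, 3, 4, 0xFFFF,
                         6, 0xFFFF, 8, 0xFFFF)

if __name__ == "__main__":
    for name, start, size in [("File1.txt", 2, 5000), ("File2.txt", 5, 4096)]:
        chain = walk_chain(SAMPLE_FAT, start)
        print(name, chain, "slack:", slack_bytes(size, chain, 2048))
```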

FAT Entry: Recovering from slack space
blkls -s imagefile.dd > imagefile.slack   # grab all slack from the image and output it; by default blkls outputs all unallocated data
icat -r -s disk.img <inode>   # recover a file, including data in slack space (the -s parameter)

Forensics Notes About FAT
Time (Sleuthkit)
Each file in FAT can store up to three times (last accessed, written, and created). The last written time is the only 'required' time and is accurate to a second. The create time is optional and is accurate to the tenth of a second (Note that I have seen several system directories in Windows that have a create time of 0). The last access time is also optional and is only accurate to the day (so the times are 00:00:00 in The Sleuth Kit).
https://wiki.sleuthkit.org/index.php?title=FAT_Implementation_Notes
http://www.forensicswiki.org/wiki/FAT

Example Parsing FAT32 root directory structure
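An added example (not from the original slides) that decodes one 32-byte short directory entry, including the three timestamps discussed under the forensics notes. Field offsets and the date/time bit packing follow Microsoft's FAT specification; the sample entry bytes are constructed.

```python
import struct
from datetime import datetime, timedelta

# 32-byte short (8.3) directory entry, little-endian, per Microsoft's FAT spec
ENTRY = struct.Struct("<11sBBBHHHHHHHI")

def fat_datetime(date, time=0, tenths=0):
    """Decode FAT date/time words; None when unset (0) or not a valid date."""
    if date == 0:
        return None
    try:
        stamp = datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                         time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    except ValueError:
        return None
    return stamp + timedelta(milliseconds=tenths * 10)  # used for create time

def parse_entry(raw):
    (name, attr, _reserved, c_tenths, c_time, c_date, a_date,
     clus_hi, w_time, w_date, clus_lo, size) = ENTRY.unpack(raw)
    base = name[:8].decode("ascii", "replace").rstrip()
    ext = name[8:].decode("ascii", "replace").rstrip()
    return {
        "name": f"{base}.{ext}" if ext else base,
        "deleted": raw[0] == 0xE5,                 # first name byte marks deletion
        "long_name_part": (attr & 0x3F) == 0x0F,   # vFAT long-name entry
        # On FAT32 the two bytes reserved in FAT12/16 hold the high cluster word
        "start_cluster": (clus_hi << 16) | clus_lo,
        "size": size,
        "created": fat_datetime(c_date, c_time, c_tenths),
        "accessed": fat_datetime(a_date),          # date only, so 00:00:00
        "modified": fat_datetime(w_date, w_time),  # time word stores seconds / 2
    }

# Constructed sample entry: FILE1.TXT, archive bit set, cluster 2, 5000 bytes
SAMPLE = ENTRY.pack(b"FILE1   TXT", 0x20, 0, 150, 21452, 19055, 19055,
                    0, 22528, 19055, 2, 5000)

if __name__ == "__main__":
    for key, value in parse_entry(SAMPLE).items():
        print(f"{key:15} {value}")
```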

Questions?

Relevant Links
https://support.microsoft.com/en-us/help/154997/description-of-the-fat32-file-system
https://technet.microsoft.com/en-us/library/cc938438.aspx
http://www.forensicswiki.org/wiki/FAT