Chapter 8 File Systems FAT 12/16/32
Defragmentation Defrag a hard drive – Control Panel System and Security Administration tools Defrag hard drive. Defragmentation of a hard drive means actually move the data so that the clusters are physically next to one another. – Improves efficiency and speed
File Systems A file system is a tool used for storing and retrieving data on a computer. It is the tool that tracks the allocation of the clusters, and it allows for a hierarchy of directories, folders, and files. A file system addresses and manages all the clusters contained within a volume.
File Systems File system is defined during the creation of a partition. File system determines how and where files are placed on a hard drive with a goal of trying to optimize data retrieval speed.
Metadata The information contained within this filing system is often referred to as Metadata Metadata consists of information that characterizes data. Whenever an electronic document is created, opened, or saved metadata is altered. Operating System require file systems in order for them to function, and information about these file systems is contained in part in metadata.
Metadata information storage Other information that may be stored with document: – Name – Initials – Company or organization – Computer Name – Network name – Embedded OLE objects – Document revisions or versions – Comments
Examples of Metadata Metadata is often imperative to accessing and identifying the object it defines. When you think of metadata, think of the following: – Card catalog system locating one book out of a thousand. – Longitude and latitude of the earth locating one place out of many File System is different in Windows, Apple, Linux, and Unix.
File System
File Allocation Table (FAT) File System FAT filing system is a bit dated and used in earlier Microsoft operating systems. FAT is used to place files in free clusters of space on the hard drive. Each entry in the File Allocation Table corresponds directly to one cluster, at which point the cluster becomes allocated to that data referenced in the FAT.
Versions of FAT Versions of FAT are 12, 16, 32. A single file is allocated (or saved) to a cluster, even if the file does not completely fill up the entire cluster. A larger file may need to be allocated across multiple clusters.
Filing System Components 3 main components of a FAT filing system. – Volume Boot Record – Directory Entries – File Allocation Table
Volume Boot Record (VBR) Volume Boot Record Volume Boot Sector Volume Boot. This is typically the first sector of a partition. As the Master Boot Record (MBR) defines the partitions of a physical disk, VBR performs a similar function for an individual volume/partition. – It defines the partition type (file system) and holds the parameter information such as bytes per sector and sector per cluster within the volume.
Offset Identifies the file system. – Example: Offset 46 = F 41 = A 54 = T 31 = 1 36 = 6 FAT 16 Need to use ASCII to obtain values
Offset In VBR offset represents bytes per sector. Example use little or 200 convert to 512 bytes per sector.
Sectors per Cluster (Offset 13) The sectors per cluster are also defined here in the VBR. This value is defined in sector offset 13. Example: Offset 13 is 40 HEX convert to decimal sectors per cluster. To figure out bytes per sector take 64 X 512 = 32,768 FAT 16.
Slack File receives the minimum of one cluster the used bytes is called slack.
Example Suppose you had a 5 byte text file that was allocated 32KB of disk space. Regardless of its size, the 5 byte file will get the entire 32,768 byte cluster. As you can image, the FAT 16 file system is inefficient in its use of space. What happens to the remaining space? Nothing! It is allocated space, as part of the cluster assigned to the text document.
Forensics Evidence Suppose you have a large file 29,500 that you sent to the recycle bin to delete freeing up the cluster making it unallocated, later you save the 5KB text document in the same cluster where the large file was located, what happens to the extra space where the large file use to be located? Answer: Some of the large file will still be there that the 5 KB file didn’t write over.
Two types of Slack Space File Slack – When a file is saved it is allocated to a cluster (32,768). Cluster is comprised of sectors. When a file is saved, it will fill the first sector of the cluster and then the second and so on. The unused sectors is called file slack Sector Slack – The unused bytes in a sector is called Sector Slack
Overwritten Slack Space The file assigned to that allocated space is changed and/or made larger in size, thereby writing to the slack space, ( its allocated space). The file, is deleted from the recycle bin, therefore making the entire cluster available or unallocated. This may result in another file being allocated to that cluster. Note – if that new file is the same size or smaller than the previous file much of the data contained within the slack space could remain perserved.
Directory Entries The second piece of the FAT Filing system, is the directory entries. Every file and folder/directory is referenced in a separate 32 byte entry called a directory entries. A unique directory entry exists for each file and directory stored on a disk.
Each directory entry contains information 1. Names of the file and directory. 2. Time and data metadata 3. Location – file names have to be linked to the actual data comprising the file. 4. Size of the file – its length
~ symbol Used by FAT to show the file has been deleted. The rest of the file still exists. The file is unallocated and ready to be rewritten to.
File Allocation Table (FAT) FAT can be thought of as a map of all the clusters on the hard drive Cluster – is a smallest unit used to store files on the hard drive. The FAT contains an entry for each available cluster on the disk.
FAT The FAT tracks allocated and unallocated clusters which contains data files. Many times a document may surpass one cluster and have to be stored in many noncontiguous clusters. The FAT will link the noncontiguous clusters. FAT also tracks bad clusters (corrupted or damage)
FAT The FAT for FAT12, 16, 32 begins at a location determined by that drive’s structure, and the length of the table depends on the disk size and formatting. The size of the FAT entries depends upon the version of FAT. In fact, the FAT version (FAT12, 16, or 32) is named after amount of bits contained within each entry of the FAT; FAT12 has 12 bit entries, FAT16 has 16 bit entries, and FAT32 has 32 bit entries.
FAT 12 Each entry is 12 bits in size, and each of these 12 bit entries in the FAT is representative of an actual cluster, the smallest allocation unit on a disk. There are 4,096 values possible with 12 bits. Therefore, if each entry represents a cluster and there are only enough bits (12) to represent 4,096 unique values, therefore a maximum of only 4,096 clusters can be attained in FAT 12.
FAT 16 & FAT 32 FAT 16 is 2 16 or 65,536 cluster FAT 32 is 2 32 or 4,294,967,296
How FAT works A File is called for by file name and path, (aka user clicks on icon). The storage path leads to the location of the parent directory on the hard drive. It is here that the directory entry for that file is located. The operating system looks in this parent directory and reads directory entry. The directory entry provides the starting cluster on hard drive and size of the file. The OS then goes to the starting cluster and begins to read the data. It only reads the data within the cluster up to the size of the file, then the OS stops reading. Any other data in that cluster (slack) is ignored because length have been met.
How Is Cluster Size Determined? (Bytes per Sector) X (Sectors per cluster) = Cluster Size Example: – 512 bytes per sector X 64 sectors per cluster = 32,768 – So 5 byte document will take one cluster – A 48k byte document will take two clusters 32K will be in the first cluster and 16k will be in the 2 nd cluster
Expanded Cluster Size Directory Entries and the FAT – Determine where the File Begins Offset to determine where the file begin (use little endian) – Determine the File’s Size Offset contains the size of the file in bytes – Determine the Number of Clusters Needed The directory entry tells the system the following information about a file: – Where the file starts – The file’s size in bytes – How many clusters to expect – Determine Where the File Ends Using Hex editor group 8 bits HEX characters into pairs – Example 00 2A 002A Beginning of FAT Reserved Cluster 0 and 1. Start at Cluster 3 and convert it to decimal which gives you the offset of where the cluster start. Look at the next because it with give you the next cluster if the file is too big. If the next cluster is FFF8 (65,535) represents the end of a cluster.
Example Suppose Hello2.txt took up 3 clusters: FAT Cluster NumberHEX ValueDecimal Equivalent 2002A42 002B43 FFFF65,535
FAT Filing System Limitations The FAT File System has limitations imposed upon it by various structures: – FAT – Directory entries Pose storage limitations
Questions 1.How many bytes per sector? 512 bytes per sector 2.How many bytes are needed to represent one cluster of a FAT 16 table? 2 bytes per 16 bits (FAT 16) Each FAT entry represents one cluster 3. How many clusters can be represented by the FAT in one sector? A total of 256 clusters, determined by halving the 512 bytes per sector because it takes two bytes to represent one cluster.
Questions How many sectors would the FAT need to track its’ potential maximum size? – First you need to know what is the maximum size for FAT 16 filing system – FAT 16 filing system has 65,536 clusters (little less because some are reserved) this is the size limitation. (Cluster limitation) 256 per sector