Presentation is loading. Please wait.

Presentation is loading. Please wait.

FAT File System.

Published byAdéla Svobodová Modified over 4 years ago

Similar presentations

Presentation on theme: "FAT File System."— Presentation transcript:

1 FAT File System

2 Overview History and Usage Structure Forensic Notes about FAT volumes
In Class Problem

3 History and Usage FAT - File Allocation Table
FAT8, FAT12 FAT16, FAT32, exFAT, vFAT (Extension to regular FAT*) Developed in 1977 by Microsoft Corporation Originally intended to be a file system for the Microsoft Disk BASIC interpreter, it was incorporated into MSDOS after Microsoft purchased the rights to QDOS (Quick and Dirty Operating System). Commonly used by removable media (Originally for floppy disks). Used for hard disks up until Windows XP (DOS, 95, 98, ME). Supported by many Operating Systems

4 Structure Boot Sector - Execution is passed from the MBR to the Boot Record contained here. Executable code as well as the OEM identifier, number of FATs, media descriptor (type of storage device), information about the OS to be booted. FAT #1 and #2 - Keeps track of the allocation status of clusters (allocated, unallocated, end of file, bad sector). Usually FAT#2 is a mirror of FAT#1 to provide redundancy but this can be turned off. Root Directory - Contains an entry for each file and directory stored in the file system. Includes information like the file name, starting cluster number, and file size. The root directory has a fixed size of 512 bytes (For a hard disk). Usually right after the FATs but with FAT32 it can be anywhere on the partition. Data Region - Where the files are actually stored.

5 File Systems - FAT Structure
Boot section More reserved sectors (optional) FAT #1 FAT #2 Root directory (FAT 12/16 only) Data region (remainder of disk)

6 Structure Root Directory Entry
Name (8.3) xxxxxxxx.yyy. (88 bits) (Unicode String) Attribute byte (8 bits of information, Type of entry (sub_dir, volume, etc.), is it an archive,system, hidden, read-only) One reserved byte. Create time (24 bits). Create date (16 bits). Last access date (16 bits). Two reserved bytes. Last modified time (16 bits). Last modified date (16 bits). Starting cluster number in the file allocation table (16 bits). File size (32 bits).

7 FAT Entry Each type of FAT file system has a different size for each entry. Each entry contains one of five things the cluster number of the next cluster in a chain a special end of cluster-chain (EOC) entry that indicates the end of a chain a special entry to mark a bad cluster a zero to note that the cluster is unused

8 FAT Entry vFAT or Long Name FAT
Multiple Entries in the directory structure Conventional small file name for backward compatibility with extra attributes to point to the other parts of a file name 13 bytes per directory structure entry

9 File Systems - Fat Structure
Fragmentation Issues and File Slack Space File1.txt 0002 File2.txt 0005 File3.TXT 0007 Address 1 2 3 4 5 6 7 8 Value 0003 0004 FFFF 0006 0008

10 FAT Entry Recovering from slack space
blkls –s imagefile.dd > imagefile.slack #grab all slack from image and output it. By default outputs all unallocated data icat -r -s disk.img <inode> #recover file including data in slack space. -s parameter

11 Forensics Notes About FAT
Time (Sleuthkit) Each file in FAT can store up to three times (last accessed, written, and created). The last written time is the only 'required' time and is accurate to a second. The create time is optional and is accurate to the tenth of a second (Note that I have seen several system directories in Windows that have a create time of 0). The last access time is also optional and is only accurate to the day (so the times are 00:00:00 in The Sleuth Kit).

12 Example Parsing FAT32 root directory structure

13 Questions?

14 Relevant Links file-system

Download ppt "FAT File System."

Similar presentations

Chapter 12: File System Implementation

Chapter 12: File System Implementation
Operating Systems File Management.

Operating Systems File Management.
Text Searches Slack Space Unallocated Space

Text Searches Slack Space Unallocated Space
SEMINAR ON FILE SLACK AND DISK SLACK

SEMINAR ON FILE SLACK AND DISK SLACK
Recap – Intro to Project 3 and FAT32

Recap – Intro to Project 3 and FAT32
The Sleuth Kit Brian Carrier Set of tools to analyze device images.

The Sleuth Kit Brian Carrier Set of tools to analyze device images.
File System Analysis.

File System Analysis.
Digital Forensics Module 11 CS 996. 4/26/2004Module 112 Outline of Module #11 Overview of Windows file systems Overview of ProDiscover Overview of UNIX.

Digital Forensics Module 11 CS /26/2004Module 112 Outline of Module #11 Overview of Windows file systems Overview of ProDiscover Overview of UNIX.
11/13/01CS-550 Presentation - Overview of Microsoft disk operating system. 1 An Overview of Microsoft Disk Operating System.

11/13/01CS-550 Presentation - Overview of Microsoft disk operating system. 1 An Overview of Microsoft Disk Operating System.
Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003.

Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003.
Operating Systems File systems

Operating Systems File systems
1 File Management in Representative Operating Systems.

1 File Management in Representative Operating Systems.
1 Friday, July 07, 2006 “Vision without action is a daydream, Action without a vision is a nightmare.” - Japanese Proverb.

1 Friday, July 07, 2006 “Vision without action is a daydream, Action without a vision is a nightmare.” - Japanese Proverb.
Wince File systems. File system on embedded File system choice on embedded is important –File system size can be an issue –Different media are used –

Wince File systems. File system on embedded File system choice on embedded is important –File system size can be an issue –Different media are used –
1 CSCD 496 Computer Forensics Lecture 7 File Systems – Windows Winter 2010.

1 CSCD 496 Computer Forensics Lecture 7 File Systems – Windows Winter 2010.
Hard Drive Formatting 1. Formatting Once a hard drive has been partitioned, there’s one more step you must perform before your OS can use that drive:

Hard Drive Formatting 1. Formatting Once a hard drive has been partitioned, there’s one more step you must perform before your OS can use that drive:
Files & Partitions BACS 371 Computer Forensics. Data Hierarchy Computer Hard Disk Drive Partition File Physical File Logical File Cluster Sector Word.

Files & Partitions BACS 371 Computer Forensics. Data Hierarchy Computer Hard Disk Drive Partition File Physical File Logical File Cluster Sector Word.
BACS 371 Computer Forensics

BACS 371 Computer Forensics
Implementing Hard Drives Chapter 10

Implementing Hard Drives Chapter 10
New Technologies File System

New Technologies File System

Similar presentations

Ads by Google