Presentation is loading. Please wait.

Presentation is loading. Please wait.

The FAT File System CSC 414. Objectives  Understand the structure and components of the FAT (12/16/32) File Systems  Understand what happens when a.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "The FAT File System CSC 414. Objectives  Understand the structure and components of the FAT (12/16/32) File Systems  Understand what happens when a."— Presentation transcript:

1 The FAT File System CSC 414

2 Objectives  Understand the structure and components of the FAT (12/16/32) File Systems  Understand what happens when a file is created, deleted, moved, etc.  Understand what forensic tools show you about the FAT file system and why.

3 First Some Basics  Common Integral Data Types  Little Endian vs. Big Endian  ASCII/Hex/Decimal/Binary/Unicode  MS DOS Date/Time Format

4 Common Integral Data Types BitsBytesNameRange 81Byte or octet Signed: −128 to +127 Unsigned: 0 to +255 162word Signed: −32,768 to +32,767 Unsigned: 0 to +65,535 324 doubleword (dword) or long Signed: −2,147,483,648 to +2,147,483,647 Unsigned: 0 to +4,294,967,295 648 quadruple word (qword) or longlong Signed: −9,223,372,036,854,775,808 to +9,223,372,036,854,775,807 Unsigned: 0 to +18,446,744,073,709,551,615 nnn-bit integer Signed: − 2 n − 1 to 2 n − 1 − 1 Unsigned: 0 to 2 n − 1 Note: different hardware architectures support and use different length integer data types. The above is only intended for the X86 (Intel) platform.

5 Little Endian vs. Big Endian  Little Endian = the first byte of an integer is the one of lowest value, the last byte the one of highest value. So we read the bytes in the reverse order that we see them in a HEX Editor.  Big Endian = the first byte of an integer is the one of highest value, the last byte the one of the lowest value. So we read the bytes in the order you see them in a HEX Editor.  When looking at “Signed Integers”, any multi-byte HEX value starting with the first HEX digit 8-F is a negative value. Any starting with 0-7 as the first digit is a positive value.

6 ASCII/Hex/Decimal/Binary/Unicode  Look at.XLS table of ASCII and Extended ASCII characters.  Make it easy on yourself when converting from one to the other…USE A CALCULATOR!  When using the Windows Calculator, leading 0 digits do not show in Hex, Binary or Decimal.  i.e. 8 Decimal = 00001000 Binary  Shows in Calculator as 1000

7 MS DOS Date/Time Format Format/TypeConceptJune 14, 2010 21:17:14 in this format Used by MS DOS Date & Time (4 bytes) Bits Meaning 27 AA CE 3C 0 – 4 Seconds divided by 2 5 – 10 Minutes 0 – 59 11 – 15 Hours 0 – 23 16 – 20 Days 1 – 31 21 – 24 Months (01 = January 02 = February etc.) 25 – 31 Years since 1980 27 AA CE 3C In Binary: 00111100 11001110 10101010 00100111 = 30 (years since 1980);6;14;21;17;7 (multiplied by 2 to get 14) FAT12 FAT16 FAT32

8 FAT (12/16/32)  Boot Record (boot sector plus any additional reserved sectors)  File Allocation Table 1  File Allocation Table 2  Root Directory  Data Area (divided into clusters, starting with Cluster #2)  In FAT32, the root directory is part of the data area.

9 Boot Sector (FAT 12/16)

10 BIOS Parameter Block (BPB) FAT12/16

11 Boot Sector (FAT32)

12 BIOS Parameter Block (BPB) FAT32

13 FSInfo Sector (FAT32 only)  The FSInfo sector immediately follows the first sector, containing the BIOS Parameter Block, on a FAT32 partition.  The FAT32 boot record is made up of these two sectors and one more reserved sector, though this 3rd sector is not used for anything, that immediately follows the FSInfo sector.  A backup copy of the three sectors that make up the FAT32 boot record exists and is usually located at sector 6 of the partition. Note: with everything you know about FAT boot sectors at this point you should be able to manually search a disk for lost FAT boot records (i.e. for “MS” (4Dh 53h) at sector offset 03h.

14 File Allocation Tables (FAT)  2 (supposedly identical) copies  Copy 1 immediately follows the boot record  Copy 2 immediately follows copy 1  1st entry identifies type of disk (i.e. fixed or removable)  2nd entry identifies whether Chkdsk is set to be run or not.  All other entries either point to the next cluster in a file (NN), identify the end of the file (FF), identify a bad cluster (F7), or identify the cluster as being free (00).

15 File Allocation Tables (FAT)

16 File Allocation Table (FAT12) FAT12 – entries are 12 bits long (little endian) More complicated and harder to visually identify than FAT16 or FAT32, but Runtime Software’s Disk Explorer for FAT does a great job of interpretation! FF8FFFFFF00400500600700800900A 00B00C00D00E00F010011012013014 015FFF017… FFF = eof

17 File Allocation Table (FAT32) FAT32 – entries are 4 bytes (32 bits) long (little endian) 0F FF FF F8 = fixedFF FF FF FF0F FF FF FF = eof00 00 00 00 04 = 4 00 00 00 05 = 500 00 00 06 = 600 00 00 07 = 700 00 00 08 = 8 0F FF FF FF = eof00 00 00 00 = free00 00 00 000F FF FF 0F = eof F8 = fixed media F0 = removable Notice the pattern… Very easy to visually identify on disk.

18 FAT Directory Entries (basic)  32 bytes in length  Subdirectories always have “.” and “..” as the first two entries Note: Knowing the above, you should be able to search a disk for lost directory entries Filename, Ext, Attributes, Uppercase/LFN/lowercase, Create time, fine resolution: 10ms units, values from 0 to 199, Creation Time/Date, Accessed Date, Higher 2 bytes starting Cluster, Modified Time/Date, Lower 2 bytes starting cluster number, File Size

19 FAT Directory Entries (basic) 00100000 = 0x20

20 FAT Directory Entries (VFAT/LFN)

21 LFN Sequence # (bit 6 on for last LFN entry in name – makes the 13 th entry “4D” instead of “0D” Filename in Unicode Attribute – always “0F” for LFN entry Checksum of DOS filename

22 Data Area  FAT 12/16 – Files or Sub-Folders start at “Cluster 2”, the first cluster available for data  On a DOS bootable FAT partition, io.sys must be located at Cluster 2  FAT 32 – The Root Directory starts at Cluster 2. Files/Sub- Folders start after that.

23 FAT File System Operations - Demo  We will now take a look at a FAT file system and what actually happens on your disk when you perform normal file operations, as seen by WinHex and other forensic tools:  Create a file/folder  Rename a file/folder  Move a file/folder  Delete a file/folder  How file/folder fragmentation occurs and what it looks like

24 Questions???  Use the discussion board, as usual…

Download ppt "The FAT File System CSC 414. Objectives  Understand the structure and components of the FAT (12/16/32) File Systems  Understand what happens when a."

Similar presentations

Intro to WinHex CSC 414.

Intro to WinHex CSC 414.
Operating Systems File Management.

Operating Systems File Management.
Chapter 4 : File Systems What is a file system?

Chapter 4 : File Systems What is a file system?
1 Week 11 FAT32 Boot Sector, Locating Files and Dirs Classes COP4610 / CGS5765 Florida State University.

1 Week 11 FAT32 Boot Sector, Locating Files and Dirs Classes COP4610 / CGS5765 Florida State University.
Computer Forensics NTFS File System.

Computer Forensics NTFS File System.
File Systems Examples.

File Systems Examples.
In this assignment you are going to read floppy disk. You can run ‘mdir’ Unix function to see what output your program should give. FAT-12 MS-DOS file.

In this assignment you are going to read floppy disk. You can run ‘mdir’ Unix function to see what output your program should give. FAT-12 MS-DOS file.
Digital Forensics Module 11 CS 996. 4/26/2004Module 112 Outline of Module #11 Overview of Windows file systems Overview of ProDiscover Overview of UNIX.

Digital Forensics Module 11 CS /26/2004Module 112 Outline of Module #11 Overview of Windows file systems Overview of ProDiscover Overview of UNIX.
11/13/01CS-550 Presentation - Overview of Microsoft disk operating system. 1 An Overview of Microsoft Disk Operating System.

11/13/01CS-550 Presentation - Overview of Microsoft disk operating system. 1 An Overview of Microsoft Disk Operating System.
Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003.

Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003.
Connecting with Computer Science, 2e

Connecting with Computer Science, 2e
Assembly Language for Intel-Based Computers, 4th Edition

Assembly Language for Intel-Based Computers, 4th Edition
Ceng Operating Systems

Ceng Operating Systems
Wince File systems. File system on embedded File system choice on embedded is important –File system size can be an issue –Different media are used –

Wince File systems. File system on embedded File system choice on embedded is important –File system size can be an issue –Different media are used –
Files & Partitions BACS 371 Computer Forensics. Data Hierarchy Computer Hard Disk Drive Partition File Physical File Logical File Cluster Sector Word.

Files & Partitions BACS 371 Computer Forensics. Data Hierarchy Computer Hard Disk Drive Partition File Physical File Logical File Cluster Sector Word.
BACS 371 Computer Forensics

BACS 371 Computer Forensics
1 Partitioning a Hard Drive ©Richard Goldman Revised January 8, 2001 Revised December 9, 2002.

1 Partitioning a Hard Drive ©Richard Goldman Revised January 8, 2001 Revised December 9, 2002.
1 File Systems Chapter 6 6.1 Files 6.2 Directories 6.3 File system implementation 6.4 Example file systems.

1 File Systems Chapter Files 6.2 Directories 6.3 File system implementation 6.4 Example file systems.
Objectives Learn what a file system does

Objectives Learn what a file system does
FAT Structure. File Allocation Table (FAT) File Systems Used with all flavors of Windows Supported by all Windows and UNIX varieties Used in flash cards.

FAT Structure. File Allocation Table (FAT) File Systems Used with all flavors of Windows Supported by all Windows and UNIX varieties Used in flash cards.

Similar presentations

Ads by Google