File System

We know that data is stored digitally as a series of 1s and 0s.

But for humans to understand that data and how it is organized, we need an organizing system: a file system.

Analyzing file systems is one of the most important tasks a digital forensics investigator must be capable of doing.

To analyze a file system, an investigator first needs to understand how it works and how to interpret those blocks of 0s and 1s as file system metadata.

Such metadata leads to the actual data stored in the files required for the investigation.

So we need a way to find data within the acquired image, and ideally to search for deleted data within it too.

When you delete a file, the file system does not touch the file's contents. All that is done is that the pointer tracking the file is removed: on FAT, the directory entry is marked as deleted and the file's entries in the allocation table are cleared so its clusters count as free.

But what about the data? It stays on disk until the clusters it occupied are allocated to another file and overwritten.

FAT File System Analysis

  • FAT is a very simple file system and one of the oldest used by Microsoft, dating back to MS-DOS.

  • FAT uses a simple index table to track which clusters belong to which files on the disk, which is why it is named the File Allocation Table, or simply FAT.

  • The reason FAT is still studied today is not just that you will encounter it on devices holding evidence you need to acquire and analyze, but that it is one of the easiest file systems to study and a good introduction to file systems in general.

The FAT file system has different types:

  1. FAT12

  2. FAT16

  3. FAT32

  4. Extended File Allocation Table (exFAT)

You may now be asking what the numbers in the different types (12, 16 and 32) mean. They refer to the number of bits used for a cluster address, i.e. the width of each entry in the allocation table. So a 12-bit FAT has 2^12 = 4096 possible cluster numbers (this is the number of addressable clusters, not the cluster size), a 16-bit FAT has 2^16 = 65536, and a 32-bit FAT has 2^32, of which only 28 bits are actually used. exFAT also uses 32-bit cluster addresses.

But what is a cluster?

A cluster is the smallest logical unit a file system can allocate to a file. The cluster size is defined when you initialize the partition or volume, which means it is fixed at the time you format the partition.

A cluster can be anything from 512 bytes up to the limit of the file system used.

Why is the minimum cluster size 512 bytes? Because a cluster is made of one or more whole sectors, and the sector size on the drives FAT was designed for is 512 bytes.

  • A cluster is the smallest logical unit used by file systems for file allocation, and the sector is the smallest physical unit used by disk drives.

  • Clusters are logical, while sectors are physical.

There are two types of formatting:

  1. High Level (Logical): initializes the file system structures on the volume; this is what the operating system's format command does.

  2. Low Level: lays out the sectors on the physical media; usually done by the manufacturer.

Whenever a file is created, the file system must allocate a number of clusters to it. This is where the number of sectors per cluster matters, because the cluster size affects both the performance and the utilization of the disk.

Using a big cluster wastes disk capacity (the unused tail of a file's last cluster, known as slack space, and a place where remnants of older files can survive), while using a small cluster increases overhead (a larger allocation table and more fragmented files).

When we say a cluster represents a number of sectors, those sectors are contiguous. In other words, they follow one another on the disk.

For example, with 4 sectors per cluster, whenever you create a file it is allocated in units of four contiguous sectors. This lets the file system address data in larger, simpler units.

Let's assume file1 is 512 bytes and file2 is 1024 bytes. The illustration below shows how this is reflected on the disk (each green square represents a sector).
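The allocation just described, worked through in code. This is an added example and not part of the original page: the sectors-per-cluster value is a parameter, and the data area is assumed to start at sector 8192 (a made-up but realistic value; on a real volume it is computed from the boot sector). It reports, for each file, the clusters and sector run it gets and how much slack is left in its last cluster.

```python
import math

SECTOR_BYTES = 512  # sector size assumed throughout the page


def cluster_bytes(sectors_per_cluster: int) -> int:
    """Size of one cluster; FAT requires a power-of-two number of sectors per cluster."""
    if sectors_per_cluster <= 0 or sectors_per_cluster & (sectors_per_cluster - 1):
        raise ValueError("sectors per cluster must be a power of two")
    return sectors_per_cluster * SECTOR_BYTES


def clusters_needed(file_size: int, sectors_per_cluster: int) -> int:
    """Whole clusters the file system allocates; a 0-byte file owns no cluster on FAT."""
    return math.ceil(file_size / cluster_bytes(sectors_per_cluster))


def slack_bytes(file_size: int, sectors_per_cluster: int) -> int:
    """Allocated-but-unused tail of the last cluster, where remnants of older files can survive."""
    allocated = clusters_needed(file_size, sectors_per_cluster) * cluster_bytes(sectors_per_cluster)
    return allocated - file_size


def cluster_to_sector(cluster: int, sectors_per_cluster: int, first_data_sector: int) -> int:
    """Data clusters are numbered from 2; cluster 2 begins at the first sector of the data area."""
    if cluster < 2:
        raise ValueError("cluster numbers 0 and 1 are reserved and never map to data")
    return first_data_sector + (cluster - 2) * sectors_per_cluster


def allocate_contiguously(file_sizes, sectors_per_cluster, first_data_sector, first_free_cluster=2):
    """Hand out clusters back-to-back, as a freshly formatted volume would, and report
    per file the clusters, the contiguous sector run and the slack. Returns a list of dicts."""
    plan, nxt = [], first_free_cluster
    for size in file_sizes:
        n = clusters_needed(size, sectors_per_cluster)
        clusters = list(range(nxt, nxt + n))
        sectors = [cluster_to_sector(c, sectors_per_cluster, first_data_sector) + i
                   for c in clusters for i in range(sectors_per_cluster)]
        plan.append({"size": size, "clusters": clusters, "sectors": sectors,
                     "slack": slack_bytes(size, sectors_per_cluster)})
        nxt += n
    return plan


if __name__ == "__main__":
    # file1 = 512 bytes, file2 = 1024 bytes, 4 sectors per cluster, data area assumed at sector 8192
    for entry in allocate_contiguously([512, 1024], 4, 8192):
        print(entry)
```

With four sectors per cluster both files fit in a single cluster each, so file1 leaves three whole sectors of slack and file2 two; with the two-sectors-per-cluster volume analyzed later on this page, file2 fills its cluster exactly and file1 still leaves one sector of slack. That slack is why a forensic tool must read whole clusters, not just the bytes up to the file size in the directory entry.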

How many clusters can each type of FAT file system address?

Notes:

  1. RC means Reserved Clusters: cluster numbers 0 and 1 are never used for data, and the highest values of each range are reserved for the bad-cluster and end-of-chain markers, so the usable count is a little below 2^12, 2^16 and 2^28.

  2. FAT32 uses only 28 bits of each 32-bit entry, not 32, as the top four bits are reserved.

FAT Structures:

Reserved Area:

The size in sectors of the Reserved Area depends on the type of FAT file system used: it is normally a single sector on FAT12/16 and typically 32 sectors on FAT32.

Just note that the layout of each area depends on the type of FAT used. On FAT12/16 a fixed-size root directory sits between the FAT area and the data area, while on FAT32 the reserved area is larger (it also holds the FSINFO sector and backup copies of the boot sector) and the root directory is an ordinary cluster chain inside the data area.

So, let's check how these areas are structured when we have a FAT12/16 file system.

As for the structure of a FAT32 file system, it is like this:

Here is a view of the Boot Sector of a FAT32 volume using a Disk Editor.

If we check the reserved sectors (32 on a typical FAT32 volume), we find:

  • Sectors 0 and 6 are used for the Volume Boot Sector (sector 6 is the backup copy)

  • Sectors 1 and 7 are used for the File System Information (FSINFO) structure

  • Sectors 2 and 8 are used for the Bootstrap Code

  • The bootstrap sectors will be empty if the volume is not bootable, but they still end with the signature 0x55AA.

Boot Sector

It differs between FAT12/16 and FAT32. Let's start with FAT12/16, shown below.

  • The sizes of the BIOS Parameter Block (BPB), the Extended BIOS Parameter Block (EBPB) and the bootstrap code vary with the operating system and version that formatted the volume.

Below is the boot sector for the FAT32 file system.

We will focus on the FAT32 type only.

Let's take another step into the boot sector and see how its data structures are used. The first 11 bytes come before the BIOS Parameter Block:

  • Jump Boot Code >> holds the instruction used to jump over the BPB to the boot code.

  • In the example we used, it shows: EB 58 90

  • EB 58 is the byte code for the assembly instruction jmp short +0x58. The jump is relative to the end of the two-byte instruction, so it lands at offset 0x5A, after the BPB and EBPB.

  • 90 is the byte code for the assembly instruction NOP (padding, so the field is three bytes long)

  • OEM Name/Version >> 8 bytes that could hold the type of system the disk was formatted for, the utility used, or even a serial number. In our example it holds: MSDOS5.0

BIOS Parameter Block (BPB)

  • Bytes per Sector >> As the name implies. We have the bytes 00 02, which are little-endian, so the value is 0x0200 = 512 bytes per sector.

  • Sectors per Cluster >> As the name implies. We have the value 02, so two sectors per cluster.

  • Reserved No. of Sectors >> Holds the number of sectors in the reserved area. It is variable in a FAT32 file system. Here we see the bytes FE 19, which equal 0x19FE = 6654 sectors.

  • No. of FATs >> Holds the number of FAT tables. In our example it holds the value 02, which means we have 2 FAT tables (the second is a mirror of the first).

  • Number of root directory entries >> Holds the number of entries in the fixed root directory; it will be zero for FAT32, which has no fixed root directory. In the example we used, it shows: 0000

  • Total number of sectors in the file system (16-bit) >> Holds the total number of sectors in the file system. It will be zero for FAT32, which uses the 32-bit field below instead. In the example we used, it shows: 0000

  • Media Type >> Holds the media descriptor, which would be F0 for a floppy and F8 for a hard disk. In our example we found: F8.

  • No. of sectors per FAT (16-bit) >> Holds the number of sectors assigned to each FAT. This would be zero for FAT32, which uses the 32-bit field below. In our example we truly did find 0000.

  • Number of sectors per track >> These 2 bytes speak for themselves. We found 3F 00, i.e. 0x003F = 63 sectors/track.

  • Number of heads >> These 2 bytes hold the number of heads in the drive. We found 40 00, i.e. 0x0040 = 64 heads.

  • Number of hidden sectors >> 4 bytes holding the number of sectors preceding the partition. Here we found 80 00 00 00, i.e. 0x00000080 = 128 sectors.

  • Total number of sectors in the file system (32-bit) >> 4 bytes holding the total number of sectors in the file system. The bytes found were 00 20 03 00, i.e. 0x00032000 = 204800 sectors. So this partition is 204800 x 512 = 104857600 bytes, which is 102400 KiB, or exactly 100 MiB.

  • Sectors per FAT (32-bit) >> 4 bytes holding the number of sectors in each FAT. We found 01 03 00 00, i.e. 0x00000301 = 769 sectors per FAT; remember this value.

  • Extended flags >> 2 bytes describing how the FATs are maintained. In our example the value is zero. The bits mean:

    • Bits 0 - 3: number of the active FAT (only meaningful if bit 7 is 1)

    • Bits 4 - 6: reserved

    • Bit 7: 1 means only one FAT is active; 0 means all FATs are mirrored, i.e. updated together at runtime

    • Bits 8 - 15: reserved

    So zero means mirroring is on and both FAT copies are kept in sync.

  • File system version >> 2 bytes holding the FAT32 version. We found 0000.

  • First cluster of the root directory >> 4 bytes holding the cluster number of the first cluster in the root directory. This is usually two, and in our example we found 02 00 00 00, which is two.

  • File System Info sector >> 2 bytes holding the sector number of the FSINFO structure within the reserved area, which is usually 1. In our example the bytes were 01 00, meaning sector one.

  • Backup boot sector location >> 2 bytes holding the sector number of the backup boot sector within the reserved area. A value of 0 (or 0xFFFF) means no backup, but it is usually 6. We found 06 00, meaning the backup is at sector six.

  • Reserved >> 12 bytes that are simply reserved. They will be all zeros, and in our example we truly found 0x000000000000000000000000.

Extended BIOS Parameter Block

  • Physical drive number >> 1 byte holding the drive number as used by BIOS INT 13h. We found 0x80, i.e. 128, the first hard disk.

  • Not used >> 1 byte reserved and not used. We found 0x00.

  • Extended boot signature >> 1 byte; the value 0x29 (41) indicates that the three fields below (volume serial number, volume label and file system type) are present. We found 0x29.

  • Volume Serial Number (ID) >> 4 bytes holding the serial number of the partition/volume. We found 0x9B2CF1EC.

  • Volume Label >> 11 bytes holding the volume label, padded with spaces. We found 0x4E4F204E414D4520202020, which is the label "NO NAME" followed by four spaces.

  • File System Type >> These final 8 bytes hold a file system type string, padded with spaces. Here we found "FAT32". Note that this string is informational only: the real FAT type is determined from the number of clusters in the data area, not from this field.

FSINFO Sector

Details found, with explanations (offsets within the FSINFO sector):

  • FSInfo signature at offset 0: 0x52526141 >> the bytes 52 52 61 41, i.e. "RRaA"

  • Second signature at offset 484: 0x72724161 >> "rrAa"

  • No. of free clusters at offset 488: 0x155C0100 >> 89109

  • Next free cluster at offset 492: 0xED230000 >> 9197

Let me explain the number of free clusters a little further.

The number of free clusters found was 0x155C0100. This is a little-endian value, so we must byte-swap it first in order to calculate the final value properly. With that done, we get 0x00015C15. Converting this hexadecimal value to decimal gives 89109 free clusters.

But we are not finished yet! How many free bytes do we have here? Multiplying this value by 512 bytes is wrong! You must first check how many sectors there are per cluster.

Now, if we go back to the boot sector of this partition, we find at offset 13 the value 02, which means we have two sectors per cluster.

So we first multiply 89109 by 2, which gives 178218, the number of free sectors.

Then we multiply this by 512 (the size of a sector in bytes, found at offset 11 as 2 bytes), which gives 91247616 free bytes.

We were accurate with our calculations. Keep in mind, though, that the FSINFO counters are only hints maintained by the operating system's driver: they may be stale after an unclean unmount, and the value 0xFFFFFFFF means "unknown". For an authoritative count, walk the FAT and count the entries that are zero.
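The BPB/EBPB and FSINFO decoding from the two sections above, written out as a parser. This is an added example, not code from the page; it builds a constructed 32-sector reserved area carrying exactly the values read from the disk editor above (it is not a real disk dump, and the bootstrap sectors are left empty except for the 0x55AA signature). Beyond the page's walk-through it also derives the data-area start and the cluster count, applies the FAT specification's rule for the file system type (fewer than 4085 clusters is FAT12, fewer than 65525 is FAT16, otherwise FAT32), computes free space from the FSINFO count the right way, and checks that the backup boot sector at sector 6 still matches sector 0.

```python
import struct

SIG = b"\x55\xAA"  # end-of-sector signature shared by the boot sector and FSINFO


def parse_fat32_boot_sector(sector: bytes) -> dict:
    """Decode the BPB/EBPB of a FAT boot sector using the offsets discussed above."""
    if len(sector) < 512 or sector[510:512] != SIG:
        raise ValueError("missing 0x55AA signature: not a boot sector")
    (bps, spc, rsvd, nfats, root_ents, tot16, media,
     fatsz16, spt, heads, hidden, tot32) = struct.unpack_from("<HBHBHHBHHHII", sector, 11)
    (fatsz32, ext_flags, version, root_clus,
     fsinfo_sec, backup_sec) = struct.unpack_from("<IHHIHH", sector, 36)
    (drive, _, boot_sig, vol_id, label, fstype) = struct.unpack_from("<BBBI11s8s", sector, 64)
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or spc & (spc - 1):
        raise ValueError("implausible geometry: corrupt BPB or not a FAT boot sector")
    fatsz, totsec = fatsz16 or fatsz32, tot16 or tot32      # FAT32 leaves the 16-bit fields at 0
    root_dir_sectors = (root_ents * 32 + bps - 1) // bps    # fixed root directory; 0 on FAT32
    first_data_sector = rsvd + nfats * fatsz + root_dir_sectors
    clusters = (totsec - first_data_sector) // spc          # clusters in the data area
    fat_type = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"
    return {
        "jump": sector[0:3].hex(), "oem": sector[3:11].decode("ascii", "replace"),
        "bytes_per_sector": bps, "sectors_per_cluster": spc, "reserved_sectors": rsvd,
        "num_fats": nfats, "media": media, "sectors_per_track": spt, "heads": heads,
        "hidden_sectors": hidden, "total_sectors": totsec, "sectors_per_fat": fatsz,
        "mirrored": not ext_flags & 0x80, "active_fat": ext_flags & 0x0F,
        "fs_version": version, "root_cluster": root_clus, "fsinfo_sector": fsinfo_sec,
        "backup_boot_sector": backup_sec, "drive_number": drive, "ext_boot_sig": boot_sig,
        "volume_id": vol_id, "label": label.decode("ascii", "replace").rstrip(),
        "fs_type_string": fstype.decode("ascii", "replace").strip(),  # informational only
        "first_data_sector": first_data_sector, "cluster_count": clusters, "fat_type": fat_type,
    }


def parse_fsinfo(sector: bytes) -> dict:
    """Decode FSINFO; both counters are hints, and 0xFFFFFFFF means 'unknown'."""
    if sector[0:4] != b"RRaA" or sector[484:488] != b"rrAa" or sector[510:512] != SIG:
        raise ValueError("FSINFO signatures missing")
    free, nxt = struct.unpack_from("<II", sector, 488)
    unknown = 0xFFFFFFFF
    return {"free_clusters": None if free == unknown else free,
            "next_free_cluster": None if nxt == unknown else nxt}


def free_bytes(bpb: dict, fsinfo: dict):
    """Free clusters x sectors per cluster x bytes per sector (never x 512 directly)."""
    if fsinfo["free_clusters"] is None:
        return None
    return fsinfo["free_clusters"] * bpb["sectors_per_cluster"] * bpb["bytes_per_sector"]


def backup_boot_sector_matches(image: bytes, bpb: dict) -> bool:
    """Sector 0 should be byte-identical to its backup (usually sector 6); a mismatch
    means one of them was modified after formatting and deserves a closer look."""
    n, bps = bpb["backup_boot_sector"], bpb["bytes_per_sector"]
    return n not in (0, 0xFFFF) and image[0:bps] == image[n * bps:(n + 1) * bps]


def build_sample_image() -> bytes:
    """Constructed 32-sector reserved area reproducing the values read above (not a real dump)."""
    bs = bytearray(512)
    bs[0:3], bs[3:11] = b"\xEB\x58\x90", b"MSDOS5.0"                   # jump + OEM name
    struct.pack_into("<HBHBHHBHHHII", bs, 11,
                     512, 2, 6654, 2, 0, 0, 0xF8, 0, 63, 64, 128, 204800)  # BPB, offsets 11..35
    struct.pack_into("<IHHIHH", bs, 36, 769, 0, 0, 2, 1, 6)               # FAT32 fields, 36..51
    struct.pack_into("<BBBI11s8s", bs, 64, 0x80, 0, 0x29, 0x9B2CF1EC,
                     b"NO NAME    ", b"FAT32   ")                         # EBPB, offsets 64..89
    bs[510:512] = SIG
    fsi = bytearray(512)
    fsi[0:4], fsi[484:488], fsi[510:512] = b"RRaA", b"rrAa", SIG
    struct.pack_into("<II", fsi, 488, 89109, 9197)                        # free count, next free
    boot_code = bytearray(512)
    boot_code[510:512] = SIG                                              # non-bootable: empty but signed
    image = bytearray(32 * 512)
    for n, sec in ((0, bs), (1, fsi), (2, boot_code), (6, bs), (7, fsi), (8, boot_code)):
        image[n * 512:(n + 1) * 512] = sec
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    bpb = parse_fat32_boot_sector(img[0:512])
    fsi = parse_fsinfo(img[512:1024])
    print(bpb["fat_type"], bpb["cluster_count"], "clusters, data area at sector", bpb["first_data_sector"])
    print("free bytes:", free_bytes(bpb, fsi), "backup boot sector intact:", backup_boot_sector_matches(img, bpb))
```

On this volume the numbers tie together: 6654 reserved sectors plus two FATs of 769 sectors put the data area at sector 8192, leaving 196608 sectors, i.e. 98304 clusters of two sectors, which is well above the FAT16 limit and so confirms FAT32 independently of the "FAT32" string in the EBPB. To run it on a real image, pass the first 512 bytes of the partition to parse_fat32_boot_sector and the sector named by fsinfo_sector to parse_fsinfo.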

Boot Strap Sector & Reserved Sectors

There isn't much to say about the bootstrap sector: in our example it holds nothing useful, since the volume is not bootable, but it still ends with the end-of-sector signature 0x55AA.

After that come the remaining reserved sectors, which are usually all zeros.
