SANS - FAT Filesystem

FAT Filesystem
Appendix D
© SANS,
All Rights Reserved
Appendix D - FAT Filesystem
Windows File System Evolution
FAT 16
• MS-DOS, Win95/98/NT/2000
FAT 32
• Win95 (OSR 2), NT using 3rd-party driver, Win2000
• WinXP/2003/Vista
NTFS
• Win NT/2000, Win95 using 3rd-party driver
• WinXP/2003/Vista
exFAT
• Win XP with KB Q955704
• Vista/2008 with SP1 (UTC with SP2)
FAT Filesystem
• The FAT file system has been around since the early 1980s and is one of the simplest file systems
• It contains no security features
• There are three variations of FAT:
– FAT12
– FAT16
– FAT32
• The major difference in each is the size of addressable
entries into the file allocation table (FAT)
• The exFAT (Extended FAT file system) is the latest
version released with Vista SP1 and Windows CE 6.0
FAT 12 and 16
• FAT12
– Cluster Size = 512 bytes to 8 KB
– 2^12 addressable clusters
– 4096 clusters max for a maximum volume size of 32 MB
• FAT16
– Cluster Size = 512 bytes to 64 KB
– 2^16 addressable clusters
– 65,536 clusters max for a maximum volume size of 4 GB
• Win95, 98, ME do not allow larger than 32 KB cluster sizes.
• Limitation resulted in a max volume size of 2 GB
• Limited root directory – 512 entries – 32 bytes each
• No security - user access
FAT 32
• FAT32
– Cluster Size = 512 bytes to 32 KB
– 32-bit cluster numbers
• The high 4 bits are reserved, so it really has a 28-bit cluster identifier
– 2^28 addressable clusters
– 268,435,456 clusters max for a theoretical maximum volume size of 8 Terabytes
• Windows will only allow you to format a disk up to 32 GB
• Windows will recognize disks larger than 32 GB formatted on other operating systems
• MBR Limitations only allow partitions that are 2 TB in size
• No security - anyone can access every file
• Root directory ordinary cluster chain - no limit on size
• Limited error recovery
FAT 12/16/32 Limits
• File Size Limit
– 4 GB – 1 byte (2^32 bytes minus 1 byte)
• Maximum volume size
– FAT12: 32 MB
– FAT16: 4 GB
– FAT32: 32 GB
• Theoretical Max is 8 TB; MBR limitations place the limit at 2 TB
• Windows itself will only format a partition up to 32 GB. However, Windows can recognize larger partitions created by other operating systems.
• Files per volume
– FAT12: 4096
– FAT16: 65536
– FAT32: 4,177,920
FAT Format
[Figure: FAT volume layout, left to right: Reserved Sectors (Boot Sector) | FAT Area (FAT Table 1, FAT Table 2) | Data Area (Root Dir, Directories/Files). Two arrows mark where cluster 2 begins: in FAT12/16 it follows the fixed-size root directory at the start of the data area; in FAT32 the data area begins at cluster 2 and the root directory is itself a cluster chain.]
FAT Boot Sector
• Name of the operating system
• Sectors per cluster
• Maximum number of root directory entries
• The volume name
• The serial number
• Can determine size of disk using
– Size of each sector (512 Bytes)
– Total number of sectors
FAT12/16 Boot Sector
[Figure: hex editor view of a FAT12/16 boot sector with these fields labelled: Jump Instruction, OEM ID, Bytes Per Sector, Sectors Per Cluster, Number of Reserved Sectors, Number of FAT Tables, Number of Root Entries, Total Sectors in Volume, Sectors in each FAT, Volume ID, Volume Name, System ID (FAT12/16).]
FAT 32 Boot Sector
[Figure: hex editor view of a FAT32 boot sector with these fields labelled: Jump Instruction, OEM ID, Bytes Per Sector, Sectors Per Cluster, Number of Reserved Sectors, Number of FAT Tables, Number of Root Entries, Total Number of Sectors, Sectors in each FAT, Volume ID, Volume Name, System ID (FAT32).]
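To turn the labelled boot sector fields into numbers, here is an added Python example; it is not SANS course material. It builds a constructed FAT16 and a constructed FAT32 boot sector (all values are sample data), decodes the fields the two figures label, computes the disk size as sector size times total sectors, and locates cluster 2. The FAT type is decided from the cluster count using the thresholds in Microsoft's FAT specification, which the slides do not spell out.

```python
import struct


def make_boot_sector(fat32: bool) -> bytes:
    """Constructed FAT16 or FAT32 boot sector (sample values, not a real image)."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x3C\x90"                   # jump instruction
    bs[3:11] = b"MSWIN4.1"                      # OEM ID
    struct.pack_into("<HBHBHHBH", bs, 11,
                     512,                       # bytes per sector
                     8 if fat32 else 4,         # sectors per cluster
                     32 if fat32 else 1,        # number of reserved sectors
                     2,                         # number of FAT tables
                     0 if fat32 else 512,       # root entries (0 on FAT32)
                     0,                         # 16-bit total sectors (unused, see offset 32)
                     0xF8,                      # media descriptor
                     0 if fat32 else 64)        # 16-bit sectors per FAT (0 on FAT32)
    struct.pack_into("<I", bs, 32, 1048576 if fat32 else 65536)  # 32-bit total sectors
    if fat32:
        struct.pack_into("<I", bs, 36, 1032)    # 32-bit sectors per FAT
        struct.pack_into("<I", bs, 44, 2)       # root directory first cluster
        ext = 64                                # extended BPB starts later on FAT32
        bs[82:90] = b"FAT32   "                 # system ID
    else:
        ext = 36
        bs[54:62] = b"FAT16   "
    bs[ext + 2] = 0x29                          # extended boot signature
    struct.pack_into("<I", bs, ext + 3, 0x1234ABCD)   # volume ID (serial number)
    bs[ext + 7:ext + 18] = b"EVIDENCE   "       # volume name (label)
    bs[510:512] = b"\x55\xAA"                   # boot sector signature
    return bytes(bs)


def parse_boot_sector(bs: bytes) -> dict:
    """Decode the BPB fields the slides list and derive the volume geometry from them."""
    if len(bs) < 512 or bs[510:512] != b"\x55\xAA":
        raise ValueError("not a boot sector: 0x55AA signature missing")
    (bps, spc, reserved, nfats, root_entries,
     tot16, media, spf16) = struct.unpack_from("<HBHBHHBH", bs, 11)
    total_sectors = tot16 or struct.unpack_from("<I", bs, 32)[0]
    sectors_per_fat = spf16 or struct.unpack_from("<I", bs, 36)[0]
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps     # 0 on FAT32
    data_start = reserved + nfats * sectors_per_fat + root_dir_sectors
    cluster_count = (total_sectors - data_start) // spc
    # FAT type is defined by the cluster count (Microsoft FAT specification thresholds)
    if cluster_count < 4085:
        fat_type = "FAT12"
    elif cluster_count < 65525:
        fat_type = "FAT16"
    else:
        fat_type = "FAT32"
    ext = 64 if fat_type == "FAT32" else 36                      # extended BPB offset
    return {
        "fat_type": fat_type,
        "oem_id": bs[3:11].decode("ascii", "replace").rstrip(),
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "reserved_sectors": reserved,
        "fat_tables": nfats,
        "root_entries": root_entries,
        "total_sectors": total_sectors,
        "sectors_per_fat": sectors_per_fat,
        "volume_id": struct.unpack_from("<I", bs, ext + 3)[0],
        "volume_name": bs[ext + 7:ext + 18].decode("ascii", "replace").rstrip(),
        "system_id": bs[ext + 18:ext + 26].decode("ascii", "replace").rstrip(),
        "root_cluster": struct.unpack_from("<I", bs, 44)[0] if fat_type == "FAT32" else None,
        "cluster_bytes": bps * spc,
        "volume_bytes": bps * total_sectors,     # disk size = sector size x sector count
        "cluster_count": cluster_count,
        "data_start_sector": data_start,         # the sector where cluster 2 begins
    }


def cluster_to_sector(info: dict, cluster: int) -> int:
    """Translate a cluster number (the first data cluster is 2) to its absolute sector."""
    if cluster < 2 or cluster >= info["cluster_count"] + 2:
        raise ValueError(f"cluster {cluster} is outside the data area")
    return info["data_start_sector"] + (cluster - 2) * info["sectors_per_cluster"]


if __name__ == "__main__":
    for fat32 in (False, True):
        info = parse_boot_sector(make_boot_sector(fat32))
        print(info["fat_type"], info["volume_name"], info["volume_bytes"], "bytes;",
              "cluster 2 starts at sector", cluster_to_sector(info, 2))
```

The same parser works on the first 512 bytes of a real image; the only FAT32-specific branch is the later start of the extended BPB and the root directory cluster field, which matches the difference between the two figures.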
FAT Directory Entry Types
(Metadata Layer)
Short Entry – Must Exist
• File Name, 8 main letters and 3 for the extension
(exe, txt, doc etc.)
• Modified, Access, and Creation Date/Times
• File Size (4 GB Filesize limit) – 4 Byte Value
• First Cluster Number of the Data Area
Long Entry File Name (Optional)
• Unicode filename (larger than 8.3)
• Grows “Up” above Short Entry
FAT Timestamps
• Creation Time (Created)
– Time file was created
• Data change time (Modification)
– Time the data layer was last modified
– Rounded to even second
• Last accessed date (Access Date)
– Date when the data layer was last accessed.
– Only the day is recorded: the access date has no hour or minute field

File System   Time Stored                     Time Resolution: M    A                        C/B (Created)
FAT           Local; epoch Jan 1, 1980        Modified (2 sec)      Accessed Date (1 day)    Created (10 ms)
exFAT         UTC; 10 ms since Jan 1, 1601    Modified              Accessed                 Created
FAT Directory Entry
[Figure: hex dump of one file's directory entries, read from the top: 2nd Long Entry (sequence byte 0x42), 1st Long Entry (sequence byte 0x01), then the Short Entry. Each long entry carries part of the Unicode file name, attribute byte 0x0F, the Check Sum of the short name and a cluster field of 0x0000. The short entry carries the 8.3 name, attribute 0x20 (reserved byte 0x00), Create Time, Creation Date, Last access date, Cluster Address High Bytes, Last modified time, Last modified date, Cluster Address Low Bytes and File Size.]
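The directory entry layout, the timestamp encodings and the 0xE5 deletion marker from the slides above, worked through in Python as an added example (not SANS course material). The sample directory is constructed inline: one live file with a long name and one deleted file. The parser goes one step beyond the slides: because the long entries' checksum covers the original first letter of the short name, a deleted file's long entries no longer verify, so the parser accepts them by adjacency instead and recovers the full long name while the short name shows the lost first letter as "?".

```python
import struct
from datetime import datetime, timedelta

ATTR_LFN = 0x0F      # attribute byte that marks a long file name entry
DELETED = 0xE5       # first byte of a deleted entry


def dos_datetime(date: int, time: int = 0, tenths: int = 0):
    """Decode a packed DOS date (bits 15-9 year-1980, 8-5 month, 4-0 day), time
    (bits 15-11 hour, 10-5 minute, 4-0 seconds/2) and the 10 ms creation counter."""
    if date == 0:
        return None
    year, month, day = 1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F
    hour, minute, sec2 = time >> 11, (time >> 5) & 0x3F, time & 0x1F
    return datetime(year, month, day, hour, minute, sec2 * 2) + timedelta(milliseconds=10 * tenths)


def lfn_checksum(short11: bytes) -> int:
    """Checksum of the 11-byte short name that every long entry of the file carries."""
    s = 0
    for b in short11:
        s = ((((s & 1) << 7) | (s >> 1)) + b) & 0xFF
    return s


def parse_directory(raw: bytes) -> list:
    """Walk 32-byte entries, joining the long entries stored above a short entry to it."""
    records, lfn_chunks = [], []
    for off in range(0, len(raw), 32):
        e = raw[off:off + 32]
        if e[0] == 0x00:
            break                                   # never-used entry: end of directory
        if e[11] == ATTR_LFN:
            # 13 UTF-16 characters per entry, split over three fields; checksum at byte 13
            lfn_chunks.append((e[1:11] + e[14:26] + e[28:32], e[13]))
            continue
        short11, deleted = e[0:11], e[0] == DELETED
        long_name = None
        # deleted entries lost the first letter the checksum was computed over: rely on adjacency
        if lfn_chunks and (deleted or all(c == lfn_checksum(short11) for _, c in lfn_chunks)):
            utf = b"".join(chunk for chunk, _ in reversed(lfn_chunks))
            long_name = utf.decode("utf-16-le").split("\x00")[0]
        lfn_chunks = []
        tenths, ctime, cdate, adate, hi, mtime, mdate, lo, size = struct.unpack_from("<BHHHHHHHI", e, 13)
        base = (b"?" + short11[1:8] if deleted else short11[:8]).decode("latin-1").rstrip()
        ext = short11[8:11].decode("latin-1").rstrip()
        records.append({
            "name": base + ("." + ext if ext else ""),
            "long_name": long_name,
            "deleted": deleted,
            "attributes": e[11],
            "created": dos_datetime(cdate, ctime, tenths),   # 10 ms resolution
            "modified": dos_datetime(mdate, mtime),          # rounded to an even second
            "accessed": dos_datetime(adate),                 # date only
            "first_cluster": (hi << 16) | lo,
            "size": size,
        })
    return records


def make_entries(long_name, short11, first_cluster, size, created, modified, accessed) -> bytes:
    """Constructed sample entries laid out as on disk: long entries first, short entry last."""
    def ddate(t): return ((t.year - 1980) << 9) | (t.month << 5) | t.day
    def dtime(t): return (t.hour << 11) | (t.minute << 5) | (t.second // 2)
    cksum = lfn_checksum(short11)
    utf = long_name.encode("utf-16-le") + b"\x00\x00"
    utf += b"\xFF" * (-len(utf) % 26)                # unused slots are padded with 0xFFFF
    chunks = [utf[i:i + 26] for i in range(0, len(utf), 26)]
    out = b""
    for n in range(len(chunks), 0, -1):               # last chunk is stored first, flagged 0x40
        c = chunks[n - 1]
        seq = n | (0x40 if n == len(chunks) else 0)
        out += bytes([seq]) + c[:10] + bytes([ATTR_LFN, 0, cksum]) + c[10:22] + b"\x00\x00" + c[22:]
    tenths = (created.second % 2) * 100 + created.microsecond // 10000
    out += short11 + bytes([0x20, 0, tenths]) + struct.pack(
        "<HHHHHHHI", dtime(created), ddate(created), ddate(accessed),
        first_cluster >> 16, dtime(modified), ddate(modified), first_cluster & 0xFFFF, size)
    return out


# Constructed directory: a live file, then a deleted file (first byte of every entry set to 0xE5)
LIVE = make_entries("Quarterly Report.xlsx", b"QUARTE~1XLS", 2, 18432,
                    datetime(2024, 3, 5, 14, 30, 7, 250000), datetime(2024, 3, 5, 16, 2, 33),
                    datetime(2024, 3, 6))
GONE = make_entries("notes.txt", b"NOTES   TXT", 9, 1200,
                    datetime(2024, 1, 9, 9, 0, 0), datetime(2024, 1, 9, 9, 5, 10), datetime(2024, 2, 1))
GONE = b"".join(bytes([DELETED]) + GONE[i + 1:i + 32] for i in range(0, len(GONE), 32))
SAMPLE_DIR = LIVE + GONE + bytes(32)

if __name__ == "__main__":
    for record in parse_directory(SAMPLE_DIR):
        print(record)
```

Note that the modified time of 16:02:33 comes back as 16:02:32 and the access timestamp as midnight, which is exactly the resolution table above; the deleted record keeps its size, first cluster and all three timestamps.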
FAT Content Data
• Data in a FAT file system is stored in a cluster
• A Cluster is a group of consecutive sectors
– Sectors are 512 bytes each
– Smallest addressable data unit on a disk
[Figure: four 512-byte sectors side by side; one sector is 512 bytes, and together the four form one addressable cluster.]
• Clusters are located in the data area of the file system
• Clusters are given an address starting with number 2
• The FAT sets the allocation status of a cluster
• FAT is a table where each entry can point to:
1. the next cluster in a file
2. the End of Chain (EOC) marker
3. 0 if the cluster is not being used
FAT16 File Allocation Table in Hex Editor
[Figure: hex editor view of a FAT16 table with callouts: an Allocated Cluster pointing to the next cluster, an Unallocated Cluster, and an Allocated Cluster holding the End of Cluster Chain marker.]
FAT Directory Entry and the FAT Cluster Chains Relationship (1)
[Figure: the directory entry for FILE.EXE, whose Cluster Address field holds the on-disk bytes 0200 and a File Size, linked to the FAT chain below.]
FAT Entry Address: 0002 0003 0004 0005 0006 0007 0008 0009 000a
FAT Chains:        0300 0400 0500 FFFF 0800 0900 FFFF FFFF 0000
Yellow=Hex bytes in FAT on disk

FAT Directory Entry and the FAT Cluster Chains Relationship (2)
[Figure: a second directory entry with FAT Entry Address 0049, linked to its FAT chain.]
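The chain walk the two slides illustrate, as an added Python example (not SANS course material). The FAT bytes are the ones from slide (1), taken as they sit on disk, so each 16-bit entry is little-endian: the directory entry's Cluster Address bytes 02 00 mean cluster 2, and the FAT value 03 00 at entry 2 means "next cluster is 3". The two reserved entries 0 and 1 (media descriptor and an EOC value) are not on the slide and are assumed here. The walker also reports the case the deletion slide describes, where a directory entry still points at a first cluster whose FAT entry has been zeroed.

```python
import struct

# FAT16 entries 0..0x0a as bytes on disk (little-endian). Entries 0 and 1 are assumed.
FAT16_ON_DISK = bytes.fromhex(
    ("F8FF FFFF " + "0300 0400 0500 FFFF 0800 0900 FFFF FFFF 0000").replace(" ", ""))

# The Cluster Address field of FILE.EXE's directory entry, bytes 02 00 on disk.
FILE_EXE_FIRST_CLUSTER = struct.unpack("<H", bytes.fromhex("0200"))[0]   # == 2


def fat16_entries(table: bytes) -> list:
    """Split the raw FAT into 16-bit little-endian entries, indexed by cluster number."""
    count = len(table) // 2
    return list(struct.unpack(f"<{count}H", table[:count * 2]))


def walk_chain(table: bytes, first_cluster: int) -> tuple:
    """Follow the chain from first_cluster. Returns (clusters, status) where status is
    'eoc' (ended at the End of Chain marker), 'unallocated' (reached an entry of 0, as
    after a deletion), 'bad' (0xFFF7 bad-cluster marker) or 'loop' (chain revisits itself)."""
    entries = fat16_entries(table)
    chain, cur = [], first_cluster
    while True:
        if cur < 2 or cur >= len(entries):
            raise ValueError(f"cluster {cur} is outside the FAT")
        if cur in chain:
            return chain, "loop"
        chain.append(cur)
        nxt = entries[cur]
        if nxt >= 0xFFF8:
            return chain, "eoc"          # End of Chain marker
        if nxt == 0:
            return chain, "unallocated"  # entry cleared: the rest of the chain is gone
        if nxt == 0xFFF7:
            return chain, "bad"
        cur = nxt                        # pointer to the next cluster of the file


def slack_bytes(file_size: int, cluster_bytes: int, chain: list) -> int:
    """Bytes between the end of the file's data and the end of its last cluster."""
    return len(chain) * cluster_bytes - file_size


if __name__ == "__main__":
    for start in (FILE_EXE_FIRST_CLUSTER, 6, 7, 10):
        print(start, walk_chain(FAT16_ON_DISK, start))
    chain, _ = walk_chain(FAT16_ON_DISK, FILE_EXE_FIRST_CLUSTER)
    print("slack for a 7000-byte file in 2048-byte clusters:", slack_bytes(7000, 2048, chain))
```

Read against the slide: FILE.EXE occupies clusters 2, 3, 4 and 5; a second chain runs 6 then 8 and a third 7 then 9; cluster 0x0a is free, so a directory entry still pointing at it would walk only one cluster before the chain is lost.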
FAT: What Data Still Exists
Upon File Deletion?
FILENAME LAYER
• File Name will be preserved minus the first letter
– 0xe5 will replace the first letter in the directory entry
METADATA LAYER
• Modification/Creation Times and Access Date (Preserved)
• File Attributes, Size, and Starting Cluster address (Preserved)
DATA LAYER
• Data clusters in FAT will be marked as unallocated (0x00) but
data will be preserved at the original cluster locations
• Slack Space will exist
FAT Review
• Differences in FAT12/16/32
• FAT Boot Sector
• FAT Root Directory
• FAT Directory Entries
• FAT Cluster Chains
The EXFAT Filesystem
exFAT
• Cluster Size = 512 bytes to 32 MB
• Sector Size = 512 bytes to 4096 bytes
• 32-bit cluster numbers
• 2^32 - 11 addressable clusters
• 4,294,967,285 clusters max for a theoretical maximum volume size of 128 Petabytes
– MBR Limitations only allow partitions that are 2 TB or 16 TB in size
• No security
• Root directory - no limit on size
• Maximum file size can almost be as large as the file system itself
• New Items
– Bitmap for unallocated clusters
– UTC – Universal Timestamp Support
exFAT Volume Layout
• Volume Boot Record (VBR)
– a.k.a. Boot Sector from FAT32
• File Allocation Table (FAT)
– 1 or 2 Tables (Version 1.00 will only have 1)
• Cluster Heap
– a.k.a. Data Area from FAT32
exFAT VBR (Boot Sector)
[Figure: hex editor view of an exFAT VBR with these fields labelled: Jump Instruction, OEM ID, FAT Offset, FAT Length, Cluster Heap Offset, Cluster Count, Root Directory First Cluster, Volume Length, Volume ID, Bytes Per Sector, Sectors Per Cluster, Number of FAT Tables.]
exFAT Directory Entry
(Metadata Layer)
• 32 bytes each
• 3 Directory Entry Types
– File Entry
• MACB Times in UTC
– Stream Entry (Data Run)
• Starting Cluster and Length
– File Name Entry
• File Name
exFAT Directory Entry File Entry
• Entry Type 0x85 or 0x05
• Defines a File Set
– Either a file or subdirectory
– File Set checksum
• One per file set, always first
– Primary entry
– Secondary Count
• File Attributes
• Timestamps (Modified, Accessed, Created)
exFAT File Entry in Hex Editor
[Figure: hex editor view of one exFAT file set. Callouts on the File Entry: Secondary Count, Checksum, Create/Modified/Accessed timestamps, TZ Offsets. Callouts on the Stream Extension Entry: Hash, File Name Length, Data Length, Address of First Cluster. Callout on the File Name Extension: 15 Character Unicode Filename.]
exFAT Directory Entry
Stream Entry
• Entry Type 0xC0 or 0x40
• Secondary Entry
– One of this type per file set
– Secondary Flags
• File name attributes
– Search Hash
– Name Length
• Cluster Address of first data block
• Data Length
exFAT Stream Entry in Hex Editor
[Figure: the same annotated hex view of the file set, focused on the Stream Extension Entry: Hash, File Name Length, Data Length, Address of First Cluster; the File Entry (Secondary Count, Checksum, TZ Offsets, Create/Modified/Accessed) and the 15 Character Unicode Filename entry are labelled alongside.]
exFAT Directory Entry
File Name
• Entry Type 0xC1 or 0x41
• Secondary Entry
– One or more (up to 17)
• Contains part of the file name
– 15 Characters of 16-bit Unicode
– 255 Characters maximum
– In forward order
• No 8.3 Support
exFAT File Name Entry in Hex Editor
[Figure: the same annotated hex view of the file set, focused on the File Name Extension entry holding 15 Character Unicode Filename; the File Entry (Secondary Count, Checksum, TZ Offsets, Create/Modified/Accessed) and the Stream Extension Entry (Hash, File Name Length, Data Length, Address of First Cluster) are labelled alongside.]
exFAT FAT Table
• Not used for Allocation Status
• Only used when file is fragmented
• When used, chaining works same as FAT
• First 2 Entries are reserved
• First entry is media descriptor – 0xF8
• Content Data uses all 32 bits for address
• Largest value is 0xFFFFFFF6
• Not in the Cluster Heap
• Sector address in the VBR (Boot Sector)
exFAT Allocation Bitmap
• Resides in the Cluster Heap
• Address in an Allocation Bitmap Entry
• 1 bit for each cluster defined
– First bit is cluster 2
• Allocation Status of Cluster
– 1 – Allocated
– 0 – Free
exFAT Allocation Bitmap in Hex Editor
[Figure: hex editor view of the allocation bitmap with callouts: Clusters 2-6 are allocated; Clusters 7-9 are free; Clusters 506-509 are free; Clusters 510-513 are allocated.]
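The bitmap rule from the two slides above (one bit per cluster, the first bit is cluster 2, 1 = allocated, 0 = free), as an added Python example that is not SANS course material. The 64-byte bitmap is constructed to reproduce the figure's callouts rather than copied from it: byte 0 holds clusters 2 to 9 and byte 63 holds clusters 506 to 513.

```python
# Constructed 64-byte allocation bitmap covering 512 clusters, numbered 2..513.
# Bit 0 of byte 0 is cluster 2; byte 63 covers clusters 506..513.
BITMAP = bytes([0b00011111]) + bytes(62) + bytes([0b11110000])


def cluster_allocated(bitmap: bytes, cluster: int) -> bool:
    """1 = allocated, 0 = free; the bitmap starts at cluster 2 and bits run LSB first."""
    if cluster < 2:
        raise ValueError("data clusters are numbered from 2")
    bit = cluster - 2
    if bit >= len(bitmap) * 8:
        raise ValueError(f"cluster {cluster} is beyond the bitmap")
    return bool((bitmap[bit >> 3] >> (bit & 7)) & 1)


def allocated_ranges(bitmap: bytes) -> list:
    """Collapse the bitmap into [(first, last), ...] runs of allocated clusters."""
    runs, start = [], None
    last = len(bitmap) * 8 + 1                # highest cluster number the bitmap covers
    for c in range(2, last + 1):
        used = cluster_allocated(bitmap, c)
        if used and start is None:
            start = c
        elif not used and start is not None:
            runs.append((start, c - 1))
            start = None
    if start is not None:
        runs.append((start, last))
    return runs


def free_count(bitmap: bytes) -> int:
    """Number of free clusters: total bits minus set bits."""
    return len(bitmap) * 8 - sum(bin(b).count("1") for b in bitmap)


if __name__ == "__main__":
    print("allocated runs:", allocated_ranges(BITMAP))
    print("free clusters:", free_count(BITMAP))
    for c in (2, 6, 7, 9, 506, 509, 510, 513):
        print(c, "allocated" if cluster_allocated(BITMAP, c) else "free")
```

Because exFAT keeps allocation state here rather than in the FAT, a cluster whose bit reads 0 can still hold intact data from a deleted file, which is the point the next slide makes.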
exFAT: What Data Still Exists
Upon File Deletion?
FILENAME LAYER
• In exFAT the file name is preserved; the entry is marked inactive
• Note: if the file is renamed it could move the file name to a new entry in the directory. In exFAT, a file will look deleted (inactive) if it were merely renamed
METADATA LAYER
• Modification/Access/Creation Times (Preserved)
• File Attributes, Size, and Starting Cluster address (Preserved)
DATA LAYER
• Data clusters in Allocation Bitmap will be marked as unallocated but data
will be preserved at the original cluster locations
• Slack Space will exist