Computer Forensics

FAT Concepts and Analysis
Acknowledgments: Dr. David Dampier and the Center for Computer Security Research (CCSR)
Basic Concepts
The FAT file system is one of the simplest file systems and does not cleanly follow the five-category model. It consists of two main data structures:
- File Allocation Table (FAT)
- Directory entries
Basic Concepts
Each file and directory is allocated a directory entry that contains:
- File name
- File size
- Starting address (cluster) of the file content
- Other metadata
File and directory content is stored in clusters.
If a file or directory needs more than one cluster, the remaining clusters are found by following the chain of entries in the FAT structure.
Versions of FAT: FAT12, FAT16, and FAT32. The difference is the size of the entries in the FAT structure (12, 16, or 32 bits), which limits how many clusters can be addressed.
Versions of FAT
FAT12
- Designed as a file system for floppy diskettes
- 12-bit cluster addresses
FAT16
- 16-bit cluster addresses
FAT32
- 32-bit cluster addresses, of which only 28 bits are used => 2^28 clusters
- Drive size up to 8 TB with 32 KB clusters
- Can become slow and inefficient at large sizes
- Video applications and large databases often exceed FAT32 limitations (for example the 4 GB maximum file size)
Layout of a FAT file system
The layout of the FAT file system consists of 3 physical sections:
- Reserved area: holds the file system category data (the boot sector)
- FAT area: primary and backup FAT structures
- Data area: clusters used for storing file and directory content
[Figure: the three areas in order on disk: Reserved area (starting at sector 0), FAT area, Data area]
FAT File System Data
In order to analyze the FAT file system, it is necessary to locate the three physical layout areas.
- The reserved area starts at sector 0, and its size in sectors is given in the boot sector. In FAT12/16 the reserved area is typically only 1 sector, but FAT32 typically reserves many sectors.
- The FAT area begins in the sector after the reserved area. Its size is calculated by multiplying the number of FAT structures by the size of each FAT, both of which can be found in the boot sector.
- The data area begins in the sector after the FAT area. Its size is found by subtracting the starting address of the data area from the total number of sectors in the file system, which can also be found in the boot sector.
FAT System Layout
[Figure: FAT12/16 layout: Reserved Area | FAT Area | Root Directory | Data Area. FAT32 layout: Reserved Area | FAT Area | Data Area, with the root directory somewhere inside the data area]
The main difference between these layouts is that the FAT12/16 root directory is at the beginning of the data area and has a fixed size given in the boot sector, while the FAT32 root directory can be anywhere in the data area and is addressed by cluster like any other directory. The first 36 bytes of the boot sector are the same in all three versions.
File System Category
The data in the File System Category describes the general file system and can be found in the boot sector data structure. The boot sector is located in the first sector of the volume and is part of the reserved area of the file system.
Boot Sector
The boot sector is contained in the first 512 bytes of the file system. The first 36 bytes of all FAT boot sectors contain:

Bytes    Description
0-2      Assembly instruction to jump to boot code
3-10     OEM name in ASCII
11-12    Bytes per sector (512, 1024, 2048, or 4096)
13       Sectors per cluster (a power of 2; the cluster may not exceed 32 KB)
14-15    Size in sectors of the reserved area
16       Number of FAT structures (2 if a backup copy is kept)
17-18    Maximum number of root directory entries (FAT12/16; 0 for FAT32)
19-20    16-bit number of sectors in the file system (0 if the 32-bit value at bytes 32-35 is used)
21       Media type: 0xf8 fixed disk, 0xf0 removable
22-23    16-bit size in sectors of each FAT (FAT12/16; 0 for FAT32)
24-25    Sectors per track
26-27    Number of heads
28-31    Number of sectors before the start of the partition
32-35    32-bit number of sectors in the file system (used when the 16-bit value is 0)

Bytes 510 and 511 contain the signature 0x55 and 0xAA.
Example Image FAT32 (See pp. 216 and 217)
# fsstat -f fat fat-4.dd
FILE SYSTEM INFORMATION
--------------------------------------------
File system type: FAT
OEM Name: MSDOS5.0
Volume ID: 0x4c194603
Volume Label (Boot Sector): NO NAME
Volume Label (Root Directory): FAT DISK
File System Type Label: FAT32
Backup Boot Sector Location: 6
FS Info Sector Location: 1
Next Free Sector (FS Info): 1778
Free Sector Count (FS Info): 203836 ...
File System Layout (in sectors)
Total Range: 0 - 205631
* Reserved: 0 - 37
** Boot Sector: 0
** FS Info Sector: 1
* FAT 0: 38 - 834
* FAT 1: 835 - 1631
* Data Area: 1632 - 205631
*** Root Directory: 1632 - 1635
CONTENT DATA INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 1024 ...
The layout shows 38 reserved sectors (0-37) and 2 FAT structures of 797 sectors each (38-834 and 835-1631), so the data area starts at sector 1632.
Analysis
In order to analyze a disk or find hidden data, it is necessary to know the layout of the file system and which OS formatted the disk.
Several places not used by the file system could contain hidden data:
- In the reserved area, between the end of the boot sector data and the final signature at bytes 510-511
- Between the end of the file system and the end of the volume
FAT32 systems have a backup boot sector, typically in sector 6:
- The primary and backup copies can be compared to find inconsistencies
- If values in the primary have been changed, the backup may contain the original data
Analysis Scenario
Imagine that the first 32 sectors of a disk are damaged and cannot be read. What do you do?
First, find the start of the file system.
- The signature for a FAT file system is 0x55 and 0xAA in the final two bytes of the boot sector. The sigfind tool can be used to look for the signature.
- When the tool finds the signature, additional tests can be conducted on the range of values that are valid for the data structure. For example, byte 13 of the boot sector identifies how many sectors are in a cluster and must be a power of 2. Any other value would indicate that the sector was not a FAT boot sector, even though it contained the signature.
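The following is an added example (not code from the page, and not TSK's sigfind) of the two-step search just described: scan every sector for 0x55AA at bytes 510-511, then reject hits whose boot sector fields fall outside the ranges the boot sector table allows. The image is constructed in the block: sectors 0-31 are zeroed to stand in for the damaged region, a boot sector is placed at sector 63 (an assumed partition start), and two decoy sectors carry the signature but fail the range checks.

```python
"""Sigfind-style search for a FAT boot sector when the early sectors are
unreadable: find 0x55AA at bytes 510-511, then apply the range checks."""
import struct

SECTOR = 512


def check_boot_sector(sector: bytes) -> list:
    """Reasons a 512-byte sector is NOT a FAT boot sector ([] means plausible)."""
    problems = []
    if sector[510:512] != b"\x55\xaa":
        return ["no 0x55AA signature at bytes 510-511"]
    # bytes 11-12, 13, 14-15 and 16 of the boot sector table
    bytes_per_sector, sectors_per_cluster, reserved, num_fats = struct.unpack_from("<HBHB", sector, 11)
    media = sector[21]
    if bytes_per_sector not in (512, 1024, 2048, 4096):
        problems.append("bytes per sector %d not allowed" % bytes_per_sector)
    # byte 13 must be a power of two, and the cluster may not exceed 32 KB
    if sectors_per_cluster == 0 or sectors_per_cluster & (sectors_per_cluster - 1):
        problems.append("sectors per cluster %d is not a power of 2" % sectors_per_cluster)
    elif sectors_per_cluster * bytes_per_sector > 32 * 1024:
        problems.append("cluster larger than 32 KB")
    if reserved == 0:
        problems.append("reserved area size is 0")   # the boot sector itself is reserved
    if num_fats == 0:
        problems.append("number of FATs is 0")
    if media < 0xF0:
        problems.append("media type 0x%02x is not a FAT media byte" % media)
    return problems


def find_boot_sectors(image: bytes) -> list:
    """Sector numbers of every sector that passes all checks."""
    return [n for n in range(len(image) // SECTOR)
            if not check_boot_sector(image[n * SECTOR:(n + 1) * SECTOR])]


def candidate(bps: int = 512, spc: int = 2, signature: bool = True) -> bytes:
    """Constructed 512-byte sector carrying only the fields the checks read."""
    s = bytearray(SECTOR)
    struct.pack_into("<HBHB", s, 11, bps, spc, 38, 2)   # bytes 11-16
    s[21] = 0xF8                                        # fixed disk
    if signature:
        s[510:512] = b"\x55\xaa"
    return bytes(s)


def demo_image() -> bytes:
    """Constructed 80-sector disk: sectors 0-31 unreadable (zeroed), a boot
    sector at sector 63 (assumed partition start), and two decoys that carry
    the signature but fail the range checks."""
    img = bytearray(80 * SECTOR)
    img[63 * SECTOR:64 * SECTOR] = candidate()
    img[40 * SECTOR:41 * SECTOR] = candidate(bps=0, spc=0)   # e.g. an MBR: signature only
    img[50 * SECTOR:51 * SECTOR] = candidate(spc=3)          # 3 is not a power of two
    return bytes(img)


if __name__ == "__main__":
    for n in range(len(demo_image()) // SECTOR):
        sector = demo_image()[n * SECTOR:(n + 1) * SECTOR]
        if sector[510:512] == b"\x55\xaa":
            print(n, check_boot_sector(sector) or "plausible FAT boot sector")
    print(find_boot_sectors(demo_image()))   # [63]
```

The decoy at sector 40 shows why the signature alone is not enough: an MBR or any other boot record ends with 0x55AA too, so every hit must be checked against the field ranges before the layout is trusted.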
Content Category
The Content category comprises the file and directory content.
[Figure: Reserved area (sector 0) | FAT area | Data area]
FAT file systems use the term cluster for the data units in the Data Area.
A cluster is a group of consecutive sectors; the number of sectors must be a power of 2 (1, 2, 4, ..., 64). Each cluster has an address, and the address of the first cluster is 2 (there are no clusters with address 0 or 1).
Finding the First Cluster
Finding cluster 2 is not easy, because it is not at the beginning of the file system. Depending on whether it is a FAT12/16 or FAT32 system, the procedure is different.
[Figure: FAT12/16: Reserved Area | FAT Area | Root Directory (starts at sector 1224) | Cluster 2 (starts at sector 1256) | rest of Data Area. FAT32: Reserved Area | FAT Area | Data Area, which starts at sector 1224 with cluster 2 and contains the root directory]
Finding the First Cluster
In a FAT12/16 system, the number of root directory entries is given in the boot sector; each entry is 32 bytes, so the root directory occupies (entries * 32) / (bytes per sector) sectors, and cluster 2 starts in the sector after it. In a FAT32 system, cluster 2 starts in the first sector of the data area.
For example, consider a FAT16 file system with 32 sectors allocated for the root directory. If the data area starts in sector 1224, then the root directory spans sectors 1224 to 1255. If we have 2048-byte clusters (4 sectors each), then cluster 2 would start at sector 1256 and cluster 3 at sector 1260.
Cluster Allocation Status
The status of a cluster (whether allocated or not) is found in the FAT structure.
[Figure: Reserved area (sector 0) | FAT area | Data area]
The basic concept of the FAT is that it has one entry for each cluster in the file system. If the table entry is 0, then the cluster corresponding to that entry is not allocated to a file. All other values mean that the cluster is allocated (the bad-cluster marker is also non-zero; see below).
Allocation Algorithms
- To find an unallocated cluster, the OS scans the FAT for an entry with a 0 in it
- Most operating systems do not clear cluster contents when a cluster is unallocated
[Figure: FAT entries for clusters 61-67: 61 X, 62 0, 63 X, 64 X, 65 X, 66 0, 67 0 (X = allocated, 0 = available); cluster 65 is the last allocated cluster]
Analysis Techniques
When analyzing the content category, there are several places where data could be hidden:
- Clusters can be marked as 'bad' in the FAT. Bad clusters should be examined, because the OS does not look at them (and a modern drive remaps failing sectors itself, so a bad-cluster mark in the FAT is unusual).
- The size of the data area might not be a multiple of the cluster size, so there could be a few sectors at the end of the data area that are not part of any cluster.
Analysis Scenario
Imagine a FAT16 file system in which you need to locate cluster 812. The only tool available is a hex editor.
- First, view the boot sector, which is located at sector 0 of the file system, and process it.
- Processing it indicates that there are 6 reserved sectors, two FATs, each FAT is 249 sectors, each cluster is 32 sectors, and there are 512 entries in the root directory.
- So the reserved area is sectors 0-5, FAT1 is sectors 6-254, FAT2 is sectors 255-503, the root directory starts at sector 504 and holds 512 * 32 bytes = 32 sectors (504-535), cluster 2 starts at sector 536, and cluster 812 starts at sector 536 + (812 - 2) * 32 = 26456.
[Figure: Reserved (sector 0) | FAT1 (sector 6) | FAT2 (sector 255) | Root Directory (sector 504) | Cluster 2 (sector 536) | ... | Cluster 812 (sector 26456)]
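The arithmetic from this scenario and from the "Finding the First Cluster" slide, as an added example that is not code from the page or from Carrier's book. It parses the boot sector fields tabled earlier, derives the layout and maps a cluster address to its sector for both FAT12/16 and FAT32. Two FAT32-only fields (32-bit FAT size at bytes 36-39, root directory cluster at bytes 44-47) are used and are not part of the 36 common bytes shown above. The boot sectors are constructed in the block from the page's numbers; the total sector count for the FAT16 scenario is assumed.

```python
"""Decode the boot sector fields tabled earlier, derive the layout of the three
areas and map a cluster address to its sector, for both FAT12/16 (root
directory first in the data area) and FAT32 (root directory is a cluster chain)."""
import struct


def parse_boot_sector(bs: bytes) -> dict:
    """Fields the layout depends on, read at the offsets from the boot sector table."""
    if bs[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA signature")
    f = {
        "bytes_per_sector": struct.unpack_from("<H", bs, 11)[0],
        "sectors_per_cluster": bs[13],
        "reserved_sectors": struct.unpack_from("<H", bs, 14)[0],
        "num_fats": bs[16],
        "root_entries": struct.unpack_from("<H", bs, 17)[0],
    }
    total16, fat16 = struct.unpack_from("<H", bs, 19)[0], struct.unpack_from("<H", bs, 22)[0]
    f["total_sectors"] = total16 or struct.unpack_from("<I", bs, 32)[0]
    # FAT32 leaves root_entries and the 16-bit FAT size at 0; its 32-bit FAT size
    # is at bytes 36-39 and the root directory's cluster at bytes 44-47 (FAT32-only
    # fields that follow the 36 common bytes listed above).
    f["is_fat32"] = f["root_entries"] == 0
    f["fat_size"] = fat16 or struct.unpack_from("<I", bs, 36)[0]
    f["root_cluster"] = struct.unpack_from("<I", bs, 44)[0] if f["is_fat32"] else None
    return f


def data_start(f: dict) -> int:
    """First sector after the FAT area."""
    return f["reserved_sectors"] + f["num_fats"] * f["fat_size"]


def root_dir_sectors(f: dict) -> int:
    """FAT12/16 root directory: 32 bytes per entry, rounded up to whole sectors."""
    if f["is_fat32"]:
        return 0
    bps = f["bytes_per_sector"]
    return (f["root_entries"] * 32 + bps - 1) // bps


def cluster_to_sector(f: dict, cluster: int) -> int:
    """First sector of a cluster; cluster 2 follows the FAT12/16 root directory."""
    if cluster < 2:
        raise ValueError("cluster addresses start at 2")
    return data_start(f) + root_dir_sectors(f) + (cluster - 2) * f["sectors_per_cluster"]


def layout(f: dict) -> dict:
    """Sector numbers of the areas, in the form fsstat prints them."""
    c2 = cluster_to_sector(f, 2)
    return {
        "fat_start": f["reserved_sectors"],
        "data_start": data_start(f),
        "root_dir_start": cluster_to_sector(f, f["root_cluster"]) if f["is_fat32"] else data_start(f),
        "root_dir_sectors": root_dir_sectors(f) or None,   # None: FAT32, follow the chain
        "cluster2_sector": c2,
        "cluster_count": (f["total_sectors"] - c2) // f["sectors_per_cluster"],
    }


def make_boot_sector(bps, spc, reserved, nfats, root_entries, total, fat_size, root_cluster=0) -> bytes:
    """Constructed boot sector carrying only the fields the parser reads (test data)."""
    bs = bytearray(512)
    total16, total32 = (total, 0) if total < 65536 else (0, total)
    fat16, fat32 = (fat_size, 0) if root_entries else (0, fat_size)
    struct.pack_into("<HBHBHHBHHHII", bs, 11, bps, spc, reserved, nfats, root_entries,
                     total16, 0xF8, fat16, 63, 255, 0, total32)
    struct.pack_into("<I", bs, 36, fat32)
    struct.pack_into("<I", bs, 44, root_cluster)
    bs[510:512] = b"\x55\xaa"
    return bytes(bs)


# Hex-editor scenario above: FAT16, 6 reserved sectors, two 249-sector FATs,
# 32-sector clusters, 512 root entries. The total sector count is assumed.
SCENARIO_FAT16 = parse_boot_sector(make_boot_sector(512, 32, 6, 2, 512, 2_040_000, 249))
# fsstat example above: FAT32, 38 reserved sectors, two 797-sector FATs, 2-sector clusters.
EXAMPLE_FAT32 = parse_boot_sector(make_boot_sector(512, 2, 38, 2, 0, 205632, 797, root_cluster=2))

if __name__ == "__main__":
    print(layout(SCENARIO_FAT16))                    # root dir 504-535, cluster 2 at 536
    print(cluster_to_sector(SCENARIO_FAT16, 812))    # 26456
    print(layout(EXAMPLE_FAT32))                     # data area and root dir at 1632
```

The same function reproduces the fsstat output above (data area at 1632, root directory at 1632 because the root cluster is 2) and the earlier example with the root directory at sector 1224.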
Metadata Category
This category includes the data that describe files and directories: where the content is stored, dates and times, and permissions.
In a FAT file system, this information is stored in a directory entry structure:
- Every file or directory is allocated a directory entry.
- Directory entries can exist anywhere in the data area.
- Each directory entry is 32 bytes: file attributes, size, starting cluster, dates and times.
- When a new file or directory is created, a directory entry in the parent directory is allocated for it.
- Entries are located by searching the directory for the full name; there is no separate metadata address.
- The FAT structure is used to find the remaining clusters of the content.
Directory Entry Structures
[Figure: directory entry for File1.dat, 4,000 bytes, starting at cluster 34. In the FAT structure the entry for cluster 34 points to cluster 35 and the entry for cluster 35 holds EOF, so the content occupies clusters 34 and 35]
Directory Entry Data Structure

Bytes    Description
0        First character of the file name in ASCII (0xe5 if the entry is unallocated)
1-10     Characters 2 to 11 of the file name in ASCII
11       File attributes (read only, hidden, system, volume label, directory, archive, long file name)
12       Reserved
13       Creation time (tenths of a second)
14-15    Creation time (hours, minutes, seconds)
16-17    Creation day
18-19    Last accessed day
20-21    High 2 bytes of the first cluster address (0 for FAT12/16)
22-23    Written time (hours, minutes, seconds)
24-25    Written day
26-27    Low 2 bytes of the first cluster address
28-31    Size of the file (0 for directories); maximum file size 4 GB

See Tables 10.5 and 10.6.
Directory Entries
Directory entries can exist anywhere in the data area. When a new file or directory is created, a directory entry in the parent directory is allocated for it.
The attribute field in byte 11 of the directory entry can contain 7 different attributes:
- Directory attribute
- Long file name attribute
- Volume label attribute: only one directory entry should have this attribute
- Read-only attribute
- Hidden attribute
- System attribute
- Archive attribute
The allocation status of a directory entry is determined by using the first byte. In an allocated entry, the first byte stores the first character of the file name; it is replaced by 0xe5 when the entry becomes unallocated.
Directory Entries
[Figure (Carrier Figure 9.12): directory entries located in sector 520 and in sector 1,376 of the data area, after the FAT area]
Each 512-byte sector can store 16 directory entry structures.
Cluster Chains
If a FAT entry is non-zero, it contains the address of the next cluster in the chain, an end-of-file (EOF) marker, or a bad-cluster indicator.
[Figure: FAT entries: 39 -> 0, 40 -> 41, 41 -> 44, 42 -> EOF, 43 -> 0, 44 -> EOF. Directory entry: File1.dat, Start: 40, Size: 6,013]
We know from the file size how many clusters are needed: with 2,048-byte clusters, for example, 6,013 bytes need 3 clusters, and following the chain from cluster 40 gives clusters 40, 41 and 44.
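The chain walk from the figure, as an added example (not code from the page or from TSK). It reads FAT entries for all three entry sizes, including the packed 12-bit layout, and stops on EOF, a bad-cluster marker, a free entry or a loop, which is what a recovery tool must do on a corrupted table. The FAT is constructed inside the block to hold the figure's chain plus two assumed corrupt cases (a chain into a bad cluster at 49 -> 50, and the loop 52 -> 53 -> 52).

```python
"""Read FAT entries and walk a cluster chain for FAT12, FAT16 and FAT32,
handling EOF, bad-cluster markers, chains that run into a free cluster and
loops in a corrupted table."""
import struct

# (first EOF value, bad-cluster value) per entry size; FAT32 entries carry
# 28 significant bits. Any value >= the EOF value terminates a chain.
FAT_MARKERS = {12: (0xFF8, 0xFF7), 16: (0xFFF8, 0xFFF7), 32: (0x0FFFFFF8, 0x0FFFFFF7)}


def fat_entry(fat: bytes, cluster: int, bits: int) -> int:
    """Entry for `cluster` from a raw FAT copy."""
    if bits == 12:
        # 12-bit entries are packed 2 per 3 bytes: entry n starts at byte n + n//2
        val = struct.unpack_from("<H", fat, cluster + cluster // 2)[0]
        return val >> 4 if cluster & 1 else val & 0x0FFF
    if bits == 16:
        return struct.unpack_from("<H", fat, cluster * 2)[0]
    return struct.unpack_from("<I", fat, cluster * 4)[0] & 0x0FFFFFFF


def set_fat_entry(fat: bytearray, cluster: int, value: int, bits: int) -> None:
    """Writer used only to build the example tables (inverse of fat_entry)."""
    if bits == 12:
        off = cluster + cluster // 2
        cur = struct.unpack_from("<H", fat, off)[0]
        if cluster & 1:
            cur = (cur & 0x000F) | ((value & 0x0FFF) << 4)   # keep neighbour's nibble
        else:
            cur = (cur & 0xF000) | (value & 0x0FFF)
        struct.pack_into("<H", fat, off, cur)
    elif bits == 16:
        struct.pack_into("<H", fat, cluster * 2, value & 0xFFFF)
    else:
        struct.pack_into("<I", fat, cluster * 4, value & 0x0FFFFFFF)


def follow_chain(fat: bytes, start: int, bits: int) -> dict:
    """Clusters reached from `start` and why the walk stopped
    ('eof', 'bad', 'free', 'loop' or 'invalid')."""
    eof, bad = FAT_MARKERS[bits]
    chain, seen = [], set()
    cur, reason = start, "eof"
    while True:
        if cur < 2:
            reason = "invalid"          # addresses 0 and 1 do not exist
            break
        if cur in seen:
            reason = "loop"             # corrupted table: chain revisits a cluster
            break
        chain.append(cur)
        seen.add(cur)
        nxt = fat_entry(fat, cur, bits)
        if nxt >= eof:
            break
        if nxt == bad:
            reason = "bad"              # the cluster just appended is marked bad
            break
        if nxt == 0:
            reason = "free"             # chain continues into an unallocated cluster
            break
        cur = nxt
    return {"clusters": chain, "reason": reason}


def clusters_needed(file_size: int, cluster_bytes: int) -> int:
    """Clusters a file of this size must occupy (the size comes from the directory entry)."""
    return -(-file_size // cluster_bytes)


def build_example_fat(bits: int) -> bytes:
    """Constructed 64-entry FAT holding the chain from the figure above
    (40 -> 41 -> 44 -> EOF; 39 and 43 free; 42 a lone EOF) plus two assumed
    corrupt cases: 49 -> 50 with 50 marked bad, and the loop 52 -> 53 -> 52."""
    eof, bad = FAT_MARKERS[bits]
    fat = bytearray(64 * bits // 8 + 2)
    for cluster, value in ((0, eof), (1, eof | 7), (40, 41), (41, 44), (42, eof | 7),
                           (44, eof | 7), (49, 50), (50, bad), (52, 53), (53, 52)):
        set_fat_entry(fat, cluster, value, bits)
    return bytes(fat)


if __name__ == "__main__":
    for bits in (12, 16, 32):
        fat = build_example_fat(bits)
        print(bits, follow_chain(fat, 40, bits), "needs", clusters_needed(6013, 2048))
        print(bits, follow_chain(fat, 49, bits), follow_chain(fat, 52, bits))
```

Comparing the walked chain length with clusters_needed() is the consistency check: a chain shorter than the size requires, or one ending in 'free', 'bad' or 'loop', means the directory entry and the FAT disagree and the file content must be treated as partially recoverable.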
Creation times in directory entries (Carrier Figure 9.10)

Directory in cluster 110:
Name       Created            Cluster
Dir2       3/30/08 01:02:03   128
Dir1       4/03/08 11:12:13   256
File8.dat  5/24/08 12:12:12   512

Directory in cluster 256 (Dir1):
Name       Created            Cluster
.          4/01/08 05:14:00   256
..         4/04/08 05:14:00   110
File1.dat  4/03/08 12:12:12   208

The created time in the parent's directory entry for Dir1 (4/03/08 11:12:13) does not match the . and .. entries inside Dir1 (4/01/08 and 4/04/08).
Directories
- When a new directory is created, a cluster is allocated for it and wiped with zeros
- The size field in its directory entry is always zero
- To find the size of the directory, go to the starting cluster and follow the cluster chain until EOF
- The first two directory entries in a directory are:
  - Current directory (.)
  - Parent directory (..)
- The time fields of these entries may be used to verify the creation time of the directory
- However, we cannot confirm the last written date, because the . and .. entries are not updated for each directory modification
Directory Entry Allocation
[Figure: six directory entries; #1 unallocated, #2 allocated, #3 unallocated, #4 allocated (the last allocated entry), followed by #5 and #6. Entry 3 was unallocated after entry 4 was allocated]
Carrier's observations:
1. Windows 98 uses a first-available allocation strategy and starts from the beginning of the directory
2. Windows XP uses next-available and starts from the last allocated directory entry
Searching for deleted directories
- When an entry is unallocated, the first letter of the file name is replaced by 0xe5 (shown as _). Thus, if two files had similar names, A-1.dat and B-1.dat, they would now both appear as _-1.dat.
- When a directory is deleted and its entry is reallocated, the cluster for that directory is orphaned: nothing points to it any more.
- To find orphan directories, every sector of the data area needs to be examined (see Figure 9.11).
Analysis Scenario
Imagine that a FAT file system has been recently formatted and we need to recover the directories from before the format.
That means we need to look at all the unallocated space and see if there is any directory information in there. Using TSK, we can extract the unallocated space with dls.
Analysis Contd. - Search for Unallocated Space and then Search for Directories
dls allows us to extract the unallocated space:
# dls -f fat fat-10.dd > fat-10.dls
sigfind can be used to search for a signature. Example: the first 4 bytes of a directory are always ".   " (a period followed by 3 spaces, the start of the current directory entry), which has the hex encoding 0x2e202020:
# sigfind -b 512 2e202020 fat-10.dls
Block size: 512 Offset: 0
Block: 180 (-)
Block: 2004 (+1824)
Block: 3092 (+1088)
Block: 3188 (+96)
Block: 19028 (+15840)
This says that the signature occurred at the start of block 180 of the dls output, and at the other blocks listed (the value in parentheses is the distance from the previous hit).
Viewing the contents of Sector 180
# dd if=fat-10.dls skip=180 count=1 | xxd
0000000: 2e20 2020 2020 2020 2020 2010 0037 5daf  .          ..7].
0000016: 3c23 3c23 0000 5daf 3c23 4f19 0000 0000  <#<#..].<#O.....
0000032: 2e2e 2020 2020 2020 2020 2010 0037 5daf  ..         ..7].
0000048: 3c23 3c23 0000 5daf 3c23 dc0d 0000 0000  <#<#..].<#......
0000064: e549 4c45 312e 4441 5420 2020 0000 0000  .ILE1.DAT   ....
0000080: 7521 7521 0000 0000 7521 5619 00d0 0000  u!u!....u!V.....
Three entries are shown here. The first two are the . and .. entries.
- The . entry points to cluster 6,479 (0x194f, from the low-order bytes "4f19" at entry offset 26-27).
- The .. entry points to cluster 3,548 (0x0ddc).
- The third entry is for a deleted file (first byte 0xe5) that starts in cluster 6,486 (0x1956) with a size of 53,248 bytes (0x0000d000).
File recovery could be performed on this file now that we know its starting address and size.
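The search and the decoding above, as an added example that is not code from the page or from TSK, serving both the directory entry data structure tabled earlier and this recovery scenario. The block rebuilds the 96 bytes from the xxd dump of block 180 inside a constructed, otherwise zeroed, "unallocated space" blob, finds the directory the way sigfind did, and then decodes each 32-byte entry at the tabled offsets (name, attributes, first cluster from the high and low halves, size, packed DOS dates and times). The extra check that a ".." entry follows the "." entry is an added refinement beyond the raw signature search.

```python
"""Locate directory entries in extracted unallocated space and decode the
32-byte entries found, using the directory entry offsets tabled above."""
import struct
from datetime import datetime, timedelta

BLOCK = 512
DOT_SIGNATURE = b".   "           # 0x2e202020: the start of a '.' entry
ATTRS = {0x01: "read-only", 0x02: "hidden", 0x04: "system",
         0x08: "volume-label", 0x10: "directory", 0x20: "archive"}
LFN = 0x0F                        # all four low bits set marks a long file name entry


def dos_datetime(date: int, time: int, tenths: int = 0):
    """Decode the packed 16-bit date and time words (plus tenths of a second)."""
    if date == 0:
        return None
    year, month, day = 1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F
    hour, minute, second = time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2
    try:
        dt = datetime(year, month, day, hour, minute, second)
    except ValueError:
        return None               # out-of-range field: corrupt, or not a real entry
    return dt + timedelta(milliseconds=10 * tenths)


def parse_entry(raw: bytes) -> dict:
    """Decode one 32-byte directory entry."""
    first, attr = raw[0], raw[11]
    tenths, ctime, cdate, adate, hi, wtime, wdate, lo, size = struct.unpack_from("<BHHHHHHHI", raw, 13)
    name = raw[0:11].decode("latin-1")
    if first == 0xE5:
        name = "_" + name[1:]     # unallocated: first character overwritten by 0xe5
    return {
        "name": name.rstrip(),    # raw 11 name bytes; this dump stores the dot literally
        "allocated": first not in (0x00, 0xE5),
        "attributes": ["long-file-name"] if attr == LFN else [n for b, n in ATTRS.items() if attr & b],
        "first_cluster": (hi << 16) | lo,
        "size": size,
        "created": dos_datetime(cdate, ctime, tenths),
        "written": dos_datetime(wdate, wtime),
        "accessed": dos_datetime(adate, 0),
    }


def parse_sector(sector: bytes) -> list:
    """All entries in a sector, stopping at the first never-used (0x00) entry."""
    entries = []
    for off in range(0, len(sector) - 31, 32):
        raw = sector[off:off + 32]
        if raw[0] == 0x00:
            break
        entries.append(parse_entry(raw))
    return entries


def find_directories(blob: bytes) -> list:
    """sigfind-style scan: '.   ' at the start of a block, with the directory
    attribute set and a '..' entry 32 bytes later (cuts false positives)."""
    hits = []
    for n in range(len(blob) // BLOCK):
        b = blob[n * BLOCK:(n + 1) * BLOCK]
        if b[0:4] == DOT_SIGNATURE and b[11] & 0x10 and b[32:36] == b"..  ":
            hits.append(n)
    return hits


# The three entries from the xxd dump of block 180 above, padded to a block.
SECTOR_180 = bytes.fromhex(
    "2e202020202020202020201000375daf"
    "3c233c2300005daf3c234f1900000000"
    "2e2e2020202020202020201000375daf"
    "3c233c2300005daf3c23dc0d00000000"
    "e5494c45312e44415420202000000000"
    "75217521000000007521561900d00000"
).ljust(BLOCK, b"\x00")


def demo_blob() -> bytes:
    """Constructed stand-in for fat-10.dls: zeros except block 180."""
    blob = bytearray(181 * BLOCK)
    blob[180 * BLOCK:181 * BLOCK] = SECTOR_180
    return bytes(blob)


if __name__ == "__main__":
    blob = demo_blob()
    print(find_directories(blob))                            # [180]
    for e in parse_sector(blob[180 * BLOCK:181 * BLOCK]):
        print(e["name"], e["allocated"], e["attributes"], e["first_cluster"], e["size"], e["created"])
```

The decoded dates are what a hex editor does not give for free: the . and .. entries were created on 1997-09-28 at 21:58:58, and the deleted file's dates all read 1996-11-21 with zeroed time words, which is itself worth noting in a timeline.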
File Name Category
FAT does not differentiate between a file name address and a metadata address: both are the directory entry, so this category is the same as the metadata category.
So far, what we saw were file names with 8 characters plus a 3-character extension: short file names (SFN).
- The SFN entry contains the time, size, and starting cluster information
- A file may also have a longer, more descriptive long file name (LFN), stored in additional directory entries with the long file name attribute that precede the SFN entry
- Each LFN entry holds 13 characters; if there are more than 13 characters, more LFN entries are used (see Figure 9.15)
Finding Hidden Data
- Unused sectors in the reserved area
- Between the end of the file system and the end of the volume
  - Compare the number of sectors in the file system (given in the boot sector) with the number of sectors in the volume to find volume slack
  - The total number of sectors value can be easily changed in the boot sector, shrinking the file system and leaving space at the end of the volume that the OS never touches
Finding more hidden data...
- Between the last entry in the primary FAT and the start of the backup copy, or between the last valid entry in the backup FAT and the start of the data area
  - Compare the size of each FAT with the size needed for the number of clusters in the file system
- Someone could create a directory with only a few files and use the rest of the directory space for hiding data
  - Compare the allocated size of the directory to the number of allocated files
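The three comparisons above, as an added example (not code from the page): volume slack from the sector counts, slack inside each FAT copy from the cluster count, and directory slack from the directory's cluster chain length. The file system values are the fsstat example earlier on the page (205,632 sectors, 797-sector FATs, 2-sector clusters); the partition size and the directory sizes are assumed.

```python
"""Checks for the three hiding places listed above, driven by boot sector
values: volume slack, slack inside each FAT copy, and directory slack."""


def cluster_count(total_sectors: int, cluster2_sector: int, sectors_per_cluster: int) -> int:
    """Addressable clusters: the data area from cluster 2 to the end of the file system."""
    return (total_sectors - cluster2_sector) // sectors_per_cluster


def volume_slack(volume_sectors: int, fs_total_sectors: int) -> int:
    """Sectors inside the partition but past the end of the file system."""
    return max(0, volume_sectors - fs_total_sectors)


def fat_slack_bytes(fat_size_sectors: int, n_clusters: int, entry_bits: int,
                    bytes_per_sector: int = 512) -> int:
    """Bytes at the end of each FAT copy that no entry can occupy. Entries 0 and 1
    are reserved, so a FAT needs (clusters + 2) entries (FAT12: 1.5 bytes each)."""
    needed = (n_clusters + 2) * entry_bits // 8
    return fat_size_sectors * bytes_per_sector - needed


def directory_slack_entries(dir_clusters: int, cluster_bytes: int, used_entries: int) -> int:
    """32-byte entry slots allocated to a directory but not holding an entry."""
    return dir_clusters * cluster_bytes // 32 - used_entries


def hidden_data_report(bs: dict, volume_sectors: int, dirs: list) -> dict:
    """bs: boot sector values; dirs: (name, clusters in the chain, entries in use)."""
    n = cluster_count(bs["total_sectors"], bs["cluster2_sector"], bs["sectors_per_cluster"])
    cluster_bytes = bs["sectors_per_cluster"] * bs["bytes_per_sector"]
    return {
        "cluster_count": n,
        "volume_slack_sectors": volume_slack(volume_sectors, bs["total_sectors"]),
        "fat_slack_bytes": fat_slack_bytes(bs["fat_size"], n, bs["entry_bits"], bs["bytes_per_sector"]),
        "directory_slack": {name: directory_slack_entries(c, cluster_bytes, used)
                            for name, c, used in dirs},
    }


# fsstat example from the page: FAT32, 205,632 sectors, 797-sector FATs, 2-sector clusters.
FAT4_DD = {"total_sectors": 205632, "cluster2_sector": 1632, "sectors_per_cluster": 2,
           "bytes_per_sector": 512, "fat_size": 797, "entry_bits": 32}

if __name__ == "__main__":
    # assumed: a 209,664-sector partition, the root directory (2 clusters, 3 entries)
    # and a directory that holds only 3 entries in an 8-cluster chain
    print(hidden_data_report(FAT4_DD, 209664, [("root", 2, 3), ("suspicious", 8, 3)]))
    # If someone shrinks the total sector count in the boot sector, the volume
    # slack grows by the same amount and the OS never touches it:
    shrunk = dict(FAT4_DD, total_sectors=200000)
    print(hidden_data_report(shrunk, 209664, [])["volume_slack_sectors"])   # 9664
```

For the example image the FAT slack is only 56 bytes (102,002 entries of 4 bytes in 797 sectors), so there is nothing to hide there; a FAT much larger than the cluster count requires, or a directory with 253 free slots and 3 files, is what should prompt a look at the raw sectors.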
The Big Picture
[Figure: the root directory in the data area has an entry dir1 pointing to cluster 90; cluster 90 holds the entry File1.txt pointing to cluster 200; cluster 200 holds "This is the content of a file that I just created" and cluster 201 holds "This is the content from the rest of the file that didn't fit in the cluster"; in the FAT, entry 200 points to 201 and entry 201 holds EOF]