File Systems - The File Allocation Table (FAT) Flashcards

1
Q

History of FAT and the Variants

A

FAT is the FS of choice for removable media (almost universal OS support)

1977 to present.

Variants relate to the amount of space that can be addressed:

  • FAT 12 (1980). Max file and volume size of 32 MB. Can address 2 to the power of 12 areas of disc
  • FAT 16 (1984). Max file and volume size of 2 GB. Can address 2 to the power of 16 areas of disc
  • FAT 32 (1995). Max file size 4 GB and volume size of 2 TB. Can address 2 to the power of 28 areas of disk (NOT 32!).

From a forensic analysis POV there is no difference between FAT 12 and FAT 16. There are only limited differences between FAT 32 and the other 2.

**In FAT remember that almost all values are stored in LE so need converting unless otherwise stated.**

2
Q

Name the 3 main FAT structures

A
  1. BOOT SECTOR (part of the reserved area). Sector 0
  2. FAT 1 & 2
  3. ROOT DIRECTORY

Then there is THE DATA AREA. Begins at cluster 2

The order of these structures never changes (in FAT 12 and FAT 16). In FAT 32, the root directory is not always after FAT 2; it can be anywhere in the data area.

We need to remember the order of this.

Using the 3 structures it is possible to re-build the contents of the entire file system.

3
Q

The BOOT SECTOR

A

The Boot sector:

  • Always the first sector on the partition.
    Always sector 0. Only structure whose location is known to us.
  • Contains disk geometry info (such as how many bytes in each sector and how many sectors in a cluster) and FAT structure info.
  • We need to use the boot sector to calculate the positions / locations of FAT 1 and FAT 2 and the Root directory. This is the first thing we do in file analysis.

Remember to convert the hex to a decimal answer.
Always assume values are LE unless stated - so they always need converting to BE.

4
Q

FAT 1 and FAT 2

A

The File Allocation Table (FAT).

So important that it has two copies (FAT 1 and 2 are identical).

It tells us what CLUSTERS a FILE OCCUPIES.
It contains an entry for every cluster in the file system (allocated or not) and tells us if files use more than one cluster.

Each cluster’s entry is 2 bytes in size.

If a file occupies more than one cluster, it tells us where to find the next cluster. We follow these to build a chain of clusters. Extracting each cluster in order should recover the file contents.

How to read it:
- First 4 bytes are reserved (byte 1 is the media type: 00 is fixed and F8 is removable).

So bytes 4 and 5 represent cluster 2 (the data area starts at cluster 2),
6 and 7 represent cluster 3. So in order to find a specific cluster’s starting byte, multiply the cluster number by 2. So cluster 6 would be at bytes 12 and 13.

What do the 2 byte values mean?

0000 = Unallocated cluster

FFF7 = Bad cluster

FFF8, FFF9, FFFA, FFFB, FFFC, FFFD, FFFE and FFFF = it’s an allocated cluster and this is the LAST cluster in the file.

ANY OTHER VALUE = an allocated cluster, and the number is the next cluster that the file occupies, i.e. it is a cluster number (convert from LE though - e.g. 0x0600 converted is 0x0006, so cluster number 6)

5
Q

Root Directory

A

The root directory contains an entry for each file or directory in the root of the file system. Includes metadata for the file. (Root means ‘Top’ of the file system.)
It points to the first cluster for each file.

Each root directory entry is 32 bytes in size. So 2 lines long in a hex dump (unless LFN!!)

This means the max no. of files in root directory multiplied by 32 gives us the number of bytes in the Root Directory structure.

Every file has a directory entry that is 32 bytes. The structure of the directory entry is given in the exam. The entries may relate to files or folders.

The directory entry gives info like: File name, file attributes, file size, MAC times.

Remember file names are BIG ENDIAN - they do not need converting; they are case insensitive and may be padded with 0x20’s (spaces) - ignore these.

6
Q

Summary of how to manually interpret the FAT file system and how to rebuild it to recover files stored on it.

A
  1. Use the Boot Sector to locate the root directory and FAT.
  2. List all the files in the Root Directory.
    Check each file’s attributes.
    If it is a directory then extract the contents of the directory using the starting cluster and FAT.
  3. Interpret the directory entries for each file. Remember the info about file names and how to understand FAT dates and times. Use this to LOCATE THE FILE’S CLUSTER (e.g. the low-order byte value when converted is 0x0003, i.e. cluster 3, but where is this in the whole file system?). Use all the previously obtained file size details to work it out.
  4. Analyse the FAT to locate any other clusters (if any) that the file occupies; follow the chain of clusters until the end marker is reached (FFF8, FFF9, FFFA, FFFB, FFFC, FFFD, FFFE, FFFF).
  5. Recover files by extracting the data from the clusters.
7
Q

FAT File Creation (dir1 / file1)

A
  • Locate the root directory and FAT from the boot sector
  • Locate dir1’s starting cluster in the root directory
  • Add an entry to dir1 for file1.txt (add metadata)
  • Find an area of unallocated space in the FAT
  • Set the starting cluster in the directory entry
  • Add the correct chain to the FAT table.
8
Q

FAT File Creation (dir1 / file1.txt)

A
  • Locate the root directory and FAT from the boot sector
  • Locate dir1 in the root directory and get its starting cluster
  • Find file1’s entry in dir1’s cluster
  • Set the FAT entries for file1 to 0
  • Change the first character of the file name to 0xE5