FAT Concepts and Analysis

Fat Files


5/14/2018 Fat Files - slidepdf.com

http://slidepdf.com/reader/full/fat-files 1/37

 


Acknowledgments

Dr. David Dampier and the

Center for Computer Security Research (CCSR)


Basic Concepts

The FAT file system is one of the simplest file systems and does not clearly follow the five-category model. It consists of two main data structures:

File Allocation Table

Directory Entries


Basic Concepts

Each file and directory is allocated a directory entry that contains:

File name

File size

Starting address of file content

Other metadata

File and directory content is stored in clusters

If a file or directory needs more than one cluster, those clusters are found in the FAT structure

Versions of FAT: FAT12, FAT16, and FAT32. The difference is the size of the entries in the FAT structure.


Versions of FAT

FAT12: designed as a file system for floppy diskettes; 12-bit cluster addresses

FAT16: 16-bit cluster addresses

FAT32: 32-bit cluster addresses (28 bits used) => 2^28 clusters. Drive size up to 8TB with 32KB clusters. Can become slow and inefficient; video applications and large databases often exceed FAT32 limitations.


Layout of a FAT file system

The layout of the FAT file system consists of 3 physical sections:

Reserved area – for file system category

FAT area – primary and backup FAT structures

Data area – clusters used for storing file and directory content

[Figure: Reserved area (sector 0), FAT area, Data area]


FAT File System Data

In order to analyze the FAT file system, it is necessary to locate the three physical layout areas.

The reserved area starts at sector 0, and its size is given in the boot sector.

In FAT12/16, the reserved area is typically only 1 sector, but FAT32 will typically reserve many sectors.

The FAT area begins in the sector after the reserved area.

Its size is calculated by multiplying the number of FAT structures by the size of each FAT, both of which can be found in the boot sector.

The data area begins in the sector after the FAT area.

Its size can be found by subtracting the starting address of the data area from the total number of sectors in the file system, which can be found in the boot sector.


FAT System Layout

[Figure: FAT12/16 layout: Reserved Area, FAT Area, Root Directory, Data Area. FAT32 layout: Reserved Area, FAT Area, Data Area, with the root directory inside the data area]

The main difference between these layouts is that the FAT12/16 root directory is at the beginning of the data area, while the FAT32 root directory can be anywhere in the data area. The first 36 bytes of the boot sector are the same in all.


File System Category

The data in the File System Category describes the general file system and can be found in the boot sector data structure. The boot sector is located in the first sector of the volume and is part of the reserved area of the file system.


Boot Sector

The Boot Sector is contained in the first 512 bytes.

The first 36 bytes of all FAT boot sectors contain:

0-2 jump to boot code
3-10 name in ASCII
11-12 bytes per sector
13 sectors per cluster (power of 2; cluster size < 32KB)
14-15 size in sectors of reserved area
16 number of FATs (2 if backup)
17-18 max # of root directory entries
19-20 16-bit value of number of sectors in file system
21 media type: 0xf8 fixed disks, 0xf0 removable
22-23 16-bit size in sectors of each FAT
24-25 sectors per track
26-27 number of heads
28-31 number of sectors before start of partition
32-35 32-bit value of # of sectors in file system, > 0

Bytes 510 and 511 have signature 0x55 and 0xAA


Example Image FAT32 (See pp. 216 and 217)

# fsstat -f fat fat-4.dd

FILE SYSTEM INFORMATION

------------------------------------------------

File system type: FAT

OEM Name: MSDOS5.0

Volume ID: 0x4c194603

Volume Label (Boot Sector): NO NAME

Volume Label (Root Directory): FAT DISK

File System Type Label: FAT32

Backup Boot Sector Location: 6

FS Info Sector Location: 1

Next Free Sector (FS Info): 1778

Free Sector Count (FS Info): 203836 ...

File System Layout (in sectors)

Total Range: 0 - 205631

* Reserved: 0 - 37

** Boot Sector: 0

** FS Info Sector: 1

* FAT 0: 38 - 834

* FAT 1: 835 - 1631

* Data Area: 1632 - 205631

*** Root Directory: 1632 - 1635

CONTENT DATA INFORMATION

--------------------------------------------------

Sector Size: 512

Cluster Size: 1024 ...

38 reserved sectors, 2 FAT structures
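The layout that fsstat prints above is derived entirely from the boot sector fields listed on the previous slides. The following is an added example (not code from the slides or from TSK) that parses the 36-byte common header with Python's struct module, applies the signature and power-of-2 checks, and computes the reserved/FAT/data ranges. The sample boot sector is constructed here from the fsstat values (38 reserved sectors, two FATs of 797 sectors, 512-byte sectors, 1024-byte clusters, 205632 sectors); the FAT32-only fields at offsets 36-39 (sectors per FAT) and 44-47 (root directory cluster) come from the FAT32 specification, not from the slides.

```python
import struct

# Offsets 3..35 in the order listed on the slide:
# OEM name, bytes/sector, sectors/cluster, reserved sectors, number of FATs,
# root entries, 16-bit total sectors, media type, 16-bit sectors per FAT,
# sectors per track, heads, hidden sectors, 32-bit total sectors.
COMMON_FIELDS = "<8sHBHBHHBHHHII"


def parse_boot_sector(sector: bytes) -> dict:
    """Return the boot sector fields; raise ValueError if this cannot be a FAT boot sector."""
    if len(sector) < 512:
        raise ValueError("need at least 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55 0xAA signature at bytes 510-511")
    (oem, bytes_per_sector, sectors_per_cluster, reserved, num_fats, root_entries,
     total16, media, fat_size16, _spt, _heads, _hidden, total32) = struct.unpack_from(COMMON_FIELDS, sector, 3)
    if sectors_per_cluster == 0 or sectors_per_cluster & (sectors_per_cluster - 1):
        raise ValueError("byte 13 (sectors per cluster) must be a power of 2")
    if bytes_per_sector not in (512, 1024, 2048, 4096):
        raise ValueError("implausible bytes per sector")
    # FAT32 leaves the 16-bit FAT size at 22-23 as 0 and stores it at 36-39 (FAT32 spec, not on the slide).
    fat_sectors = fat_size16 or struct.unpack_from("<I", sector, 36)[0]
    total = total16 or total32
    if fat_sectors == 0 or total == 0:
        raise ValueError("FAT size or total sector count is zero")
    return {
        "oem": oem.decode("ascii", "replace").rstrip(),
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "reserved_sectors": reserved,
        "num_fats": num_fats,
        "root_entries": root_entries,
        "media": media,
        "fat_sectors": fat_sectors,
        "total_sectors": total,
        "root_cluster": struct.unpack_from("<I", sector, 44)[0] if fat_size16 == 0 else None,
    }


def layout(bpb: dict) -> dict:
    """Inclusive sector ranges of the three physical areas, plus where cluster 2 starts."""
    reserved = bpb["reserved_sectors"]
    fats, start = [], reserved
    for _ in range(bpb["num_fats"]):
        fats.append((start, start + bpb["fat_sectors"] - 1))
        start += bpb["fat_sectors"]
    data_start = start
    # FAT12/16 keep the root directory at the start of the data area; cluster 2 follows it.
    # On FAT32 root_entries is 0, so cluster 2 is the first sector of the data area.
    root_dir_sectors = -(-(bpb["root_entries"] * 32) // bpb["bytes_per_sector"])
    cluster2 = data_start + root_dir_sectors
    return {
        "reserved": (0, reserved - 1),
        "fats": fats,
        "data": (data_start, bpb["total_sectors"] - 1),
        "cluster2_sector": cluster2,
        "cluster_count": (bpb["total_sectors"] - cluster2) // bpb["sectors_per_cluster"],
    }


def build_sample_boot_sector() -> bytes:
    """Constructed FAT32 boot sector carrying the values from the fsstat output on the slide."""
    buf = bytearray(512)
    buf[0:3] = b"\xeb\x58\x90"  # jump to boot code
    struct.pack_into(COMMON_FIELDS, buf, 3, b"MSDOS5.0", 512, 2, 38, 2, 0, 0, 0xF8, 0, 63, 255, 0, 205632)
    struct.pack_into("<I", buf, 36, 797)  # FAT32: sectors per FAT
    struct.pack_into("<I", buf, 44, 2)    # FAT32: root directory starts in cluster 2
    buf[510:512] = b"\x55\xaa"
    return bytes(buf)


if __name__ == "__main__":
    info = layout(parse_boot_sector(build_sample_boot_sector()))
    print("Reserved: %d - %d" % info["reserved"])
    for i, rng in enumerate(info["fats"]):
        print("FAT %d: %d - %d" % (i, rng[0], rng[1]))
    print("Data Area: %d - %d" % info["data"])
```

Run against a real image by passing its first 512 bytes to parse_boot_sector; the ranges it prints should agree with fsstat, and a disagreement (or a ValueError) is the first hint that the boot sector has been edited.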

 


Analysis

In order to analyze a disk or find hidden data, it is necessary to know the layout of file systems and know which OS formatted the disk.

Several places not used by the file system could contain hidden data:

In the reserved area, between the end of the boot sector data and the final signature

Between the end of the file system and the end of the volume

FAT32 systems have a backup boot sector in sector 6. The primary and backup copies could be compared to find inconsistencies.

If values in the primary have been changed, the backup may contain original data.


Analysis Scenario

Imagine that the first 32 sectors of a disk are damaged and cannot be read. What do you do? First, find the start of the file system.

The signature for a FAT file system is 0x55 and 0xAA in the final two bytes of the boot sector. The sigfind tool can be used to look for the signature.

When the tool finds the signature, additional tests can be conducted on the range of values that are valid for a given data structure. For example, byte 13 of the boot sector identifies how many sectors are in a cluster, and must have a value that is a power of 2. Any other value would indicate that the sector was not part of a FAT file system boot sector, even though it contained the signature.

 


Content Category

The Content category comprises the file and directory content.

FAT file systems use the term cluster for the data units in the Data Area.

A cluster is a group of consecutive sectors; the number of sectors must be a power of 2 (1, 2, 4, ..., 64). Each cluster has an address, and the address of the first cluster is 2 (there are no clusters with address 0 or 1).

[Figure: Reserved area (sector 0), FAT area, Data area]


Finding the First Cluster

Finding cluster 2 is not easy, because it is not at the beginning of the file system. Depending on whether it is a FAT12/16 or FAT32 system, the procedure is different.

[Figure: FAT12/16 layout: Reserved Area, FAT Area, Root Directory starting at sector 1224, Data Area with cluster 2 at sector 1256. FAT32 layout: Reserved Area, FAT Area, Data Area with cluster 2 at sector 1224 and the root directory inside the data area]


Finding the First Cluster

In a FAT12/16 system, the number of root directory entries is given in the boot sector, and cluster 2 starts in the sector after the root directory.

For example, consider a FAT16 file system with 32 sectors allocated for the root directory. If the data area starts in sector 1224, then the root directory spans from sector 1224 to 1255. If we have 2048-byte clusters, then cluster 2 would start at 1256 and cluster 3 would start at 1260.


Cluster Allocation Status

The status of a cluster (whether allocated or not) is found in the FAT structure.

The basic concept of the FAT is that it has one entry for each cluster in the file system. If the table entry is 0, then the cluster corresponding to that table entry is not allocated to a file. All other values mean that the cluster is allocated.

[Figure: Reserved area (sector 0), FAT area, Data area]


Allocation Algorithms

To find an unallocated cluster, the OS scans the FAT for an entry with a 0 in it.

Most operating systems do not clear cluster contents when unallocated.

[Figure: FAT entries 61 to 67 holding X X 0 X X 0 0 (X – allocated, 0 – available), with a marker at the last allocated entry]


Analysis Techniques

When analyzing the content category, there are several places where data could be hidden.

Clusters can be marked as 'bad', and bad clusters should be examined, because the OS does not look at them.

The size of the data area might not be a multiple of the cluster size, so there could be a few sectors at the end of the data area that are not part of a cluster.


Analysis Scenario

Imagine a FAT16 file system in which you need to locate cluster 812. The only tool available is a hex editor.

First, view the boot sector, which is located at sector 0 of the file system, and process it.

Processing this indicates that there are 6 reserved sectors, two FATs, each FAT is 249 sectors, each cluster is 32 sectors and there are 512 directory entries in the root directory.

[Figure: Reserved (sectors 0-5), FAT1 (sector 6), FAT2 (sector 255), Root Directory (sector 504), Cluster 2 (sector 536, ending before sector 568), Cluster 812 (sector 26456)]
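The two worked examples above (cluster 2 at sector 1256 on the FAT16 example, cluster 812 at sector 26456 in this scenario) follow the same arithmetic: reserved area, then the FATs, then the root directory for FAT12/16, then cluster 2. The following is an added example (not from the slides) that packages the boot sector numbers in a small geometry object and converts between cluster and sector addresses in both directions, plus the byte offset of a cluster's FAT16 entry for use with a hex editor. The scenario values are the slide's; the reserved and FAT sizes of the FAT16 example (8 and 608 sectors) are constructed so that the data area starts at sector 1224 as on the earlier slide.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FatGeometry:
    bytes_per_sector: int
    sectors_per_cluster: int
    reserved_sectors: int
    num_fats: int
    sectors_per_fat: int
    root_entries: int  # FAT12/16 only; 0 on FAT32, whose root directory lives in a cluster chain

    def fat_start(self, index: int) -> int:
        """First sector of FAT number index (0 = primary, 1 = backup)."""
        if not 0 <= index < self.num_fats:
            raise ValueError("no such FAT")
        return self.reserved_sectors + index * self.sectors_per_fat

    @property
    def data_area_start(self) -> int:
        return self.reserved_sectors + self.num_fats * self.sectors_per_fat

    @property
    def root_dir_sectors(self) -> int:
        # 32 bytes per entry, rounded up to whole sectors (0 on FAT32)
        return -(-(self.root_entries * 32) // self.bytes_per_sector)

    @property
    def cluster2_sector(self) -> int:
        return self.data_area_start + self.root_dir_sectors


def cluster_to_sector(g: FatGeometry, cluster: int) -> int:
    if cluster < 2:
        raise ValueError("clusters 0 and 1 do not exist")
    return g.cluster2_sector + (cluster - 2) * g.sectors_per_cluster


def sector_to_cluster(g: FatGeometry, sector: int):
    """Cluster containing a data-area sector, or None for sectors before cluster 2."""
    if sector < g.cluster2_sector:
        return None
    return 2 + (sector - g.cluster2_sector) // g.sectors_per_cluster


def fat16_entry_offset(g: FatGeometry, cluster: int, fat_index: int = 0) -> int:
    """Byte offset in the image of the 2-byte FAT16 entry for a cluster (what to jump to in a hex editor)."""
    return g.fat_start(fat_index) * g.bytes_per_sector + cluster * 2


def scenario_geometry() -> FatGeometry:
    """The slide's scenario: 6 reserved sectors, 2 FATs of 249 sectors, 32-sector clusters, 512 root entries."""
    return FatGeometry(512, 32, 6, 2, 249, 512)


def fat16_example_geometry() -> FatGeometry:
    """Earlier slide's example; reserved/FAT sizes constructed so the data area starts at 1224."""
    return FatGeometry(512, 4, 8, 2, 608, 512)


if __name__ == "__main__":
    g = scenario_geometry()
    print("FAT1 at sector", g.fat_start(0), "FAT2 at", g.fat_start(1), "root dir at", g.data_area_start)
    print("cluster 2 at sector", cluster_to_sector(g, 2))
    print("cluster 812 at sector", cluster_to_sector(g, 812))
    print("FAT16 entry for cluster 812 at byte offset", fat16_entry_offset(g, 812))
```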

 


Metadata Category

This category includes data that describe files and directories in directory entries: where content is stored, dates and times, and permissions.

In a FAT file system, this information is stored in a directory entry structure. Every file or directory is allocated a directory entry, which can exist anywhere in the Data area. Each directory entry is 32 bytes: file attributes, size, starting cluster, dates and times.

When a new file or directory is created, a directory entry in the parent directory (..) is allocated for it. It is searched for by using the full name. The FAT structure is used to find the remaining clusters.


Directory Entry Structures

[Figure: directory entry for File1.dat, 4,000 bytes, starting cluster 34; FAT entry 34 points to 35 and FAT entry 35 holds EOF; the content is in clusters 34 and 35]


Directory Entry Data Structure

0 first character of file name in ASCII
1-10 characters 2 to 11 of file name in ASCII
11 file attributes (read only, hidden, volume label, etc.)
13 creation time (tenths of seconds)
14-15 creation time (hours, minutes, seconds)
16-17 creation day
18-19 last accessed day
20-21 high 2 bytes of first cluster address
22-23 written time (hours, minutes, seconds)
24-25 written day
26-27 low 2 bytes of first cluster address
28-31 size of file (0 for directories), max file size 4GB

See Tables 10.5 and 10.6


Directory Entries

Directory entries can exist anywhere in the data area. When a new file or directory is created, a directory entry in the parent directory is allocated for it.

The 11th byte in the directory entry has an attribute field that can contain 7 different attributes:

Directory attribute

Long file name attribute

Volume label – only one directory entry should have this label

Read-only attribute

Hidden attribute

System attribute

Archive attribute

The allocation status of a directory entry is determined by using the first byte. With an allocated entry, the first byte stores the first character in the file name, but it is replaced by 0xe5 when the entry becomes unallocated.


Directory Entries

[Figure (Carrier Figure 9.12): directory entries located in the data area after the FAT area, for example at sector 520 and sector 1,376]

Each 512-byte sector can store 16 directory entry structures.


Cluster Chains

If a FAT entry is non-zero, it contains the address of the next cluster, an EOF, or a bad sector indicator.

[Figure: directory entry for File1.dat (Size: 6,013, Start: 400) and FAT entries 39 to 44 holding the values 41, 44, EOF, EOF and 0, showing the cluster chain]

We know from the file size how many clusters are needed.
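Following a chain means reading the FAT entry of the current cluster until an EOF value appears, and the file size tells us how many clusters the chain should have. The following is an added example (not from the slides) for a FAT16 table: it walks a chain, reports why a walk stopped (EOF, a 0 entry, a bad-cluster marker, a loop, or an address outside the table), checks the chain length against the size in the directory entry, and derives a directory's size from its chain as the later slide describes. The table is constructed here; the end-of-chain (0xFFF8 to 0xFFFF) and bad-cluster (0xFFF7) values are the standard FAT16 markers.

```python
FAT16_FREE = 0x0000
FAT16_BAD = 0xFFF7
FAT16_EOF_MIN = 0xFFF8  # 0xFFF8..0xFFFF all mark the end of a chain


def build_sample_fat16(n_entries: int = 64) -> bytes:
    """Constructed FAT16 table, one 16-bit entry per cluster (clusters 0 and 1 are reserved):
    a file occupying 40 -> 41 -> 44 -> EOF, cluster 42 marked bad, a one-cluster directory
    at 43, a corrupt loop 50 <-> 51, and everything else free."""
    table = [FAT16_FREE] * n_entries
    table[0], table[1] = 0xFFF8, 0xFFFF
    table[40], table[41], table[44] = 41, 44, 0xFFFF
    table[42] = FAT16_BAD
    table[43] = 0xFFFF
    table[50], table[51] = 51, 50
    return b"".join(v.to_bytes(2, "little") for v in table)


def fat16_entry(fat: bytes, cluster: int) -> int:
    return int.from_bytes(fat[cluster * 2:cluster * 2 + 2], "little")


def cluster_status(fat: bytes, cluster: int) -> str:
    value = fat16_entry(fat, cluster)
    return "free" if value == FAT16_FREE else "bad" if value == FAT16_BAD else "allocated"


def follow_chain(fat: bytes, start: int):
    """Walk the chain from start. Returns (clusters, status): 'eof' for a complete chain, otherwise
    the reason the walk stopped: 'free' (entry is 0, not allocated), 'bad', 'loop' or 'range'."""
    chain, seen, cur = [], set(), start
    while True:
        if cur < 2 or (cur + 1) * 2 > len(fat):
            return chain, "range"
        if cur in seen:
            return chain, "loop"
        seen.add(cur)
        value = fat16_entry(fat, cur)
        if value == FAT16_FREE:
            return chain, "free"   # e.g. the file was deleted and its entries zeroed
        if value == FAT16_BAD:
            return chain, "bad"
        chain.append(cur)
        if value >= FAT16_EOF_MIN:
            return chain, "eof"
        cur = value


def clusters_needed(size_bytes: int, cluster_bytes: int) -> int:
    """Clusters a file of size_bytes must occupy (ceiling division)."""
    return -(-size_bytes // cluster_bytes)


def chain_matches_size(fat: bytes, start: int, size_bytes: int, cluster_bytes: int) -> bool:
    chain, status = follow_chain(fat, start)
    return status == "eof" and len(chain) == clusters_needed(size_bytes, cluster_bytes)


def directory_size(fat: bytes, start: int, cluster_bytes: int) -> int:
    """Directories store size 0; their size is the length of their cluster chain."""
    chain, status = follow_chain(fat, start)
    if status != "eof":
        raise ValueError("directory chain is not intact: " + status)
    return len(chain) * cluster_bytes


def free_clusters(fat: bytes) -> list:
    """What the OS scans for when allocating: every cluster whose entry is 0."""
    return [c for c in range(2, len(fat) // 2) if fat16_entry(fat, c) == FAT16_FREE]


if __name__ == "__main__":
    fat = build_sample_fat16()
    print("chain from 40:", follow_chain(fat, 40))
    print("6,013 bytes in 2048-byte clusters needs", clusters_needed(6013, 2048), "clusters")
    print("chain from 50:", follow_chain(fat, 50))
```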

 


Creation times in directory entries

Directory listing in cluster 110:

Name       Created            Cluster
Dir2       3/30/08 01:02:03   128
Dir1       4/03/08 11:12:13   256
File8.dat  5/24/08 12:12:12   512

The created time in the directory entry for the directory does not match the . and .. entries.

Directory listing in cluster 256:

Name       Created            Cluster
.          4/01/08 05:14:00   256
..         4/04/08 05:14:00   110
File1.dat  4/03/08 12:12:12   208

Carrier Figure 9.10


Directories

When a new directory is created, a cluster is allocated and wiped with zeros.

The size field is always zero.

To find the size of the directory, go to the starting cluster and follow the cluster chain until EOF.

The first two directory entries in a directory are:

Current directory (.)

Parent directory (..)

Time fields may be used to verify the creation time of a directory.

However, we cannot confirm the last written date because the . and .. entries are not updated for each directory modification.


Directory Entry Allocation

[Figure: directory entries #1 to #6 marked allocated or unallocated, with a 'last allocated' pointer; entry 3 was unallocated after entry 4 was allocated]

Carrier's Observations:

1. Windows 98 uses a first-available allocation strategy and starts from the beginning

2. Windows XP uses next-available and starts from the last allocated directory entry


Searching for deleted directories

When unallocated, the first letter of a file name is changed to _ (0xe5).

Thus, if two files had similar names, A-1.dat and B-1.dat, they would now both be _-1.dat.

When a directory is deleted and its entry is reallocated, the cluster for that directory is orphaned.

To find orphan files, every sector of the data area needs to be examined... See figure 9.11


Analysis Scenario

Imagine that a FAT file system has been recently formatted and we need to recover the directories from before the format.

That means we need to look at all the unallocated space and see if there is any directory information in there. Using TSK, we can extract the unallocated space using dls.


Analysis Contd. - Search for Unallocated Space and then Search for Directories

dls allows us to extract the unallocated space.

# dls -f fat Fat-10.dd > fat-10.dls

sigfind can be used to search for a signature. Example: the first 4 bytes of a directory are always ". " (a period followed by 3 spaces – the current directory entry), which has the hex code 0x2e202020.

# sigfind -b 512 2e202020 fat-10.dls

Block size: 512 Offset: 0

Block: 180 (-)

Block 2004 (+1824)

Block 3092 (+1088)

Block 3188 (+96)

Block 19028 (+15840)

This says that the signature occurred in sector 180 and in the other listed sectors.


Viewing the contents of Sector 180

# dd if=fat-10.dls skip=180 count=1 | xxd
0000000: 2e20 2020 2020 2020 2020 2010 0037 5daf  .          ..7].
0000016: 3c23 3c23 0000 5daf 3c23 4f19 0000 0000  <#<#..].<#O.....
0000032: 2e2e 2020 2020 2020 2020 2010 0037 5daf  ..         ..7].
0000048: 3c23 3c23 0000 5daf 3c23 dc0d 0000 0000  <#<#..].<#......
0000064: e549 4c45 312e 4441 5420 2020 0000 0000  .ILE1.DAT   ....
0000080: 7521 7521 0000 0000 7521 5619 00d0 0000  u!u!....u!V.....

Three entries are shown here. The first two are for the . and .. entries.

The . entry points to cluster 6,479 (0x194f). The .. entry points to cluster 3,548 (0x0ddc).

The third entry is for a file that starts in cluster 6,486 (0x1956) with a size of 53,248 bytes (0xd000).

File recovery could be performed on this file now that we know its starting address and size.
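The values read off the dump above (first cluster from bytes 20-21 and 26-27, size from bytes 28-31, allocation status from byte 0) follow the directory entry layout on the earlier slide. The following is an added example (not from the slides) that decodes those 96 bytes, embedded here exactly as the xxd output shows them, into the fields of each entry, including the attribute bits and the FAT date and time words, and states what would have to be read back to recover the deleted file. The date/time bit layout (year since 1980 in the top 7 bits of the date word, 2-second resolution in the time word) is the standard FAT encoding; the 4096-byte cluster size used in the recovery call is an assumption for the demonstration.

```python
import struct
from datetime import date, datetime

# Constructed from the xxd output on the slide: the three 32-byte entries of sector 180.
SECTOR_180 = bytes.fromhex(
    "2e202020202020202020201000375daf"
    "3c233c2300005daf3c234f1900000000"
    "2e2e2020202020202020201000375daf"
    "3c233c2300005daf3c23dc0d00000000"
    "e5494c45312e44415420202000000000"
    "75217521000000007521561900d00000"
)

ENTRY_SIZE = 32
ATTRIBUTE_BITS = [(0x01, "read-only"), (0x02, "hidden"), (0x04, "system"),
                  (0x08, "volume-label"), (0x10, "directory"), (0x20, "archive")]
ATTR_LONG_NAME = 0x0F  # the four low bits together mark a long file name entry


def dos_date(word: int):
    """FAT date word: bits 15-9 years since 1980, 8-5 month, 4-0 day; None if invalid (e.g. 0)."""
    try:
        return date(1980 + (word >> 9), (word >> 5) & 0x0F, word & 0x1F)
    except ValueError:
        return None


def dos_datetime(date_word: int, time_word: int):
    """FAT time word: bits 15-11 hours, 10-5 minutes, 4-0 seconds divided by 2."""
    d = dos_date(date_word)
    if d is None:
        return None
    try:
        return datetime(d.year, d.month, d.day, time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2)
    except ValueError:
        return None


def parse_directory_entry(raw: bytes) -> dict:
    if len(raw) != ENTRY_SIZE:
        raise ValueError("a directory entry is 32 bytes")
    first = raw[0]
    status = "never-used" if first == 0x00 else "deleted" if first == 0xE5 else "allocated"
    name, ext, attr = raw[0:8], raw[8:11], raw[11]
    if status == "deleted":
        name = b"_" + name[1:]  # 0xE5 replaced the first character; show it as '_' like the slide does
    ctime, cdate, adate, hi, wtime, wdate, lo, size = struct.unpack_from("<HHHHHHHI", raw, 14)
    return {
        "status": status,
        "name": name.decode("latin-1").rstrip(),
        "ext": ext.decode("latin-1").rstrip(),
        "attributes": ["long-name"] if attr == ATTR_LONG_NAME else [n for bit, n in ATTRIBUTE_BITS if attr & bit],
        "first_cluster": (hi << 16) | lo,  # bytes 20-21 hold the high half, 26-27 the low half
        "size": size,
        "created": dos_datetime(cdate, ctime),
        "created_tenths": raw[13],
        "accessed": dos_date(adate),
        "written": dos_datetime(wdate, wtime),
    }


def parse_directory_entries(buf: bytes) -> list:
    """Parse consecutive 32-byte entries, stopping at the first never-used slot."""
    entries = []
    for off in range(0, len(buf) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = parse_directory_entry(buf[off:off + ENTRY_SIZE])
        if entry["status"] == "never-used":
            break
        entries.append(entry)
    return entries


def recovery_plan(entry: dict, cluster_bytes: int) -> tuple:
    """(first cluster, number of clusters) to read back for a deleted file, using only its entry."""
    if entry["status"] != "deleted":
        raise ValueError("only deleted entries are recovered this way")
    return entry["first_cluster"], -(-entry["size"] // cluster_bytes)


if __name__ == "__main__":
    for e in parse_directory_entries(SECTOR_180):
        print(e["status"], repr(e["name"]), e["ext"], e["attributes"], "cluster", e["first_cluster"],
              "size", e["size"], "created", e["created"])
```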

 


File Name Category

FAT does not differentiate between a file name address and a metadata address, so this is the same as what was in the metadata category.

So far, what we saw were file names with 8 characters plus a 3-character extension (SFN).

The SFN entry contains time, size, and starting cluster information.

A file may also have a longer, more descriptive file name (LFN).

If there are > 13 characters, more LFN entries are used... see figure 9.15


Finding Hidden Data

Unused sectors in the reserved area

Between the end of the file system and the end of the volume: compare the number of sectors in the file system (given in the boot sector) with the number of sectors in the volume to find volume slack. The total number of sectors value can be easily changed in the boot sector.


Finding more hidden data...

Between the last entry in the primary FAT and the start of the backup copy, or between the last valid entry in the backup FAT and the start of the data area: compare the size of each FAT with the size needed for the number of clusters in the file system.

Someone could create a directory with only a few files and use the rest of the directory space for hiding data: compare the allocated size of the directory to the number of allocated files.
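The three comparisons on this slide and the previous one (file system size against volume size, FAT size against the size its cluster count requires, directory chain size against the entries in use) reduce to arithmetic on numbers already recovered from the boot sector and the FAT. The following is an added example (not from the slides) that implements them as checks returning the size of each slack region, and for the directory case also counts never-used entry slots that are not zero-filled, since a directory cluster is wiped with zeros when created. The FAT values tested are those from the fsstat output earlier (797-sector FATs, 102,000 clusters); the directory content and the volume sizes are constructed.

```python
import math

ENTRY_SIZE = 32


def volume_slack_sectors(fs_total_sectors: int, volume_sectors: int) -> int:
    """Sectors after the end of the file system but inside the volume. Negative means the
    boot sector claims more sectors than the volume has (also worth a look)."""
    return volume_sectors - fs_total_sectors


def fat_slack_sectors(fat_sectors: int, bytes_per_sector: int, cluster_count: int, entry_bits: int) -> int:
    """Sectors in each FAT beyond what (cluster_count + 2) entries need; entry_bits is 12, 16 or 32.
    Negative means the FAT is smaller than the cluster count requires."""
    needed_bytes = math.ceil((cluster_count + 2) * entry_bits / 8)
    return fat_sectors - math.ceil(needed_bytes / bytes_per_sector)


def directory_slot_audit(directory: bytes) -> dict:
    """Classify every 32-byte slot of a directory's clusters. A slot whose first byte is 0 has
    never been used and should be all zeros; one holding data is a candidate hiding place."""
    counts = {"allocated": 0, "deleted": 0, "unused": 0, "unused_nonzero": 0}
    for off in range(0, len(directory) - ENTRY_SIZE + 1, ENTRY_SIZE):
        slot = directory[off:off + ENTRY_SIZE]
        if slot[0] == 0x00:
            counts["unused"] += 1
            if any(slot[1:]):
                counts["unused_nonzero"] += 1
        elif slot[0] == 0xE5:
            counts["deleted"] += 1
        else:
            counts["allocated"] += 1
    return counts


def _entry(name11: bytes, attr: int) -> bytes:
    """Constructed 32-byte entry: 11-byte name, attribute byte, the rest zero."""
    return name11.ljust(11) + bytes([attr]) + bytes(ENTRY_SIZE - 12)


def build_sample_directory(cluster_bytes: int = 1024) -> bytes:
    """Constructed one-cluster directory: ., .., one file, one deleted file, and 11 bytes of
    data tucked into slot 20, whose first byte is left 0 so the OS treats it as never used."""
    d = bytearray(cluster_bytes)
    entries = [_entry(b".", 0x10), _entry(b"..", 0x10), _entry(b"FILE1   TXT", 0x20), _entry(b"\xe5LD     DAT", 0x20)]
    d[0:len(entries) * ENTRY_SIZE] = b"".join(entries)
    d[20 * ENTRY_SIZE + 1:20 * ENTRY_SIZE + 12] = b"hidden data"
    return bytes(d)


if __name__ == "__main__":
    print("volume slack:", volume_slack_sectors(205632, 210000), "sectors")
    print("FAT slack:", fat_slack_sectors(797, 512, 102000, 32), "sectors per FAT")
    print("directory slots:", directory_slot_audit(build_sample_directory()))
```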

 


The Big Picture

[Figure: Boot Sector; Root Directory with entries dir1 (cluster 90) and File1.txt (cluster 200); Data Area with cluster 90, cluster 200 holding "This is the content of a file that I just created" and cluster 201 holding "This is the content from the rest of the file that didn't fit in the cluster"; FAT entry 200 points to 201 and entry 201 holds EOF]