© 2009-2010 J. Hamm

Revealed and Dissected - SANS Computer Forensics Training


Page 1: Revealed and Dissected - SANS Computer Forensics Training


Revealed and Dissected

Page 2: Revealed and Dissected - SANS Computer Forensics Training


• Describe exFAT, what systems it’s enabled on, and explain why it was implemented.

• Identify an exFAT volume and explain the information contained in the Volume Boot Record.

• Explain how exFAT tracks fragmentation and allocation.

• Define the information contained in the directory records on an exFAT volume.

Page 3: Revealed and Dissected - SANS Computer Forensics Training

• Identify when and why exFAT was introduced
• Recognize what Microsoft operating systems read and write to exFAT
• Understand the scalability and limitations of exFAT
• Determine if a system was capable of using the exFAT file system

Page 4: Revealed and Dissected - SANS Computer Forensics Training

• Extended FAT (exFAT)

Page 5: Revealed and Dissected - SANS Computer Forensics Training

• Removable Media
• Large Multimedia Files
• Limited Overhead
• Transactional FAT Compatible

Page 6: Revealed and Dissected - SANS Computer Forensics Training

• Introduced with Windows CE 6.0 in November 2006
• Spring 2008 – Vista Service Pack 1 released with exFAT capabilities
• January 2009 – SDXC (eXtended Capacity) memory card specification announced. exFAT designated as the exclusive file system for use by host devices as the standard.
• January 2009 – Windows XP drivers available directly from Microsoft
• March 2009 – SDXC cards released by Pretec.
• Spring 2010 – host devices set to be released.

Page 7: Revealed and Dissected - SANS Computer Forensics Training

• Windows Vista SP 1
• Windows XP SP 2 (with updates)
• Windows XP SP 3 (with updates)
• Windows Server 2003
• Windows Server 2008
• Windows 7
• Windows CE 6.0

Page 8: Revealed and Dissected - SANS Computer Forensics Training

• File Size: 16 EiB – based on a 64-bit limitation for “File Size”*
• Maximum Files per Sub-Directory: 2,796,202*
• File Name Length: 255 Characters
• Volume Size: 64 ZiB (Microsoft recommends 512 TiB)

Shorthand  Longhand   nth   Bytes
Ki         Kilobyte   2^10  1024
Mi         Megabyte   2^20  1024 KiB
Gi         Gigabyte   2^30  1024 MiB
Ti         Terabyte   2^40  1024 GiB
Pi         Petabyte   2^50  1024 TiB
Ei         Exabyte    2^60  1024 PiB
Zi         Zettabyte  2^70  1024 EiB

Page 9: Revealed and Dissected - SANS Computer Forensics Training

• Universal Time Code (UTC)
• Transactional exFAT (TexFAT) Compatibility
• Access Control List (ACL) Support

Page 10: Revealed and Dissected - SANS Computer Forensics Training

• System Files
  – exfat.sys – located in %SystemRoot%\System32\Drivers\
  – format.com – will include “exFAT” as an option
  – uexfat.dll – located in %SystemRoot%\System32\

• Other files modified include:
  – fmifs.dll
  – fs_rec.sys
  – ifsutil.dll
  – Shell32.dll
  – ulib.dll
  – xpsp3res.dll

Page 11: Revealed and Dissected - SANS Computer Forensics Training

• Registry Keys XP:
  – SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB955704
    • Presence indicates exFAT files installed and lists them separately in each entry.
  – SYSTEM\%Current Control Set%\Enum\Root\LEGACY_EXFAT
  – SYSTEM\%Current Control Set%\Services\exFat
  – Other entries will show “exFAT”

Page 12: Revealed and Dissected - SANS Computer Forensics Training

• Registry Keys Vista:
  – SYSTEM\%Current Control Set%\Enum\Root\LEGACY_EXFAT
  – SYSTEM\%Current Control Set%\Services\Eventlog\System\exFat
  – SYSTEM\%Current Control Set%\Services\exFat
  – Other entries will show “exFAT”

Page 13: Revealed and Dissected - SANS Computer Forensics Training

• Identify when and why exFAT was introduced
• Recognize what Microsoft operating systems read and write to exFAT
• Understand the scalability and limitations of exFAT
• Determine if a system was capable of using the exFAT file system

Page 14: Revealed and Dissected - SANS Computer Forensics Training

June 6th, 2010

• Bits are numbered right to left
  – 7 6 5 4 3 2 1 0
• Decimal Offsets (zero based)
• Little-Endian numbers
• Unsigned numbers
• Sectors vs. Clusters
• Strings are 16 bit Unicode
• Strings not Terminated

Page 15: Revealed and Dissected - SANS Computer Forensics Training


• Identify an exFAT Volume
• Manually Parse the Information in the Volume Boot Record (VBR)
• Interpret logical cluster mapping
• Locate the first cluster of the Root directory
• Recognize the 0x55 AA signature at the end of the first 9 sectors of the volume and the VBR backup
• Recognize the 12th sector of the volume
• Identify and locate the backup VBR

Page 16: Revealed and Dissected - SANS Computer Forensics Training

Volume layout (figure):
• Boot Record – 12 Sectors (System Area)
• Backup Boot Record – 12 Sectors (System Area)
• FAT (Linked List) – Variable Length: Defined in the Boot Record
• Cluster Heap (Data Area) – Variable Length: Defined in the Boot Record
• Starting Extent of the Root Directory – 1st Cluster: Defined in the Boot Record

Note: The Root directory can and will fragment.

Page 17: Revealed and Dissected - SANS Computer Forensics Training

Offset (Hex)  Offset (Dec)  Length  Field Definition
x00           0             3       Jump Code
x03           3             8       OEM File System Identifier
x0B           11            35      Must be Zero
x40           64            4       Partition Sector Offset – Will be Zero for Removable Media
x48           72            8       Total Sectors on the Volume
x50           80            4       FAT Location in Sectors
x54           84            4       Physical Size of the FAT in Sectors
x58           88            4       Physical Sector Location of the Cluster Heap (Cluster 2)
x5C           92            4       Allocation Units on the Volume (Bit Count)
x60           96            4       1st Cluster of the Root Directory
x64           100           4       Volume Serial Number
x68           104           2       File System Revision Number – 1.0
x6A           106           1       Volume Flags
x6B           107           1       Active FAT
x6C           108           1       Bytes per Sector (in Powers of 2)
x6D           109           1       Sectors Per Cluster (in Powers of 2)
x6E           110           1       The Number of FATs on the Volume
x6F           111           1       Used by INT13
x70           112           1       Percentage In Use

Page 18: Revealed and Dissected - SANS Computer Forensics Training

Offset 0 : 3 Byte Value

Jump Code

Required for Microsoft file systems even when the device is not bootable.

Page 19: Revealed and Dissected - SANS Computer Forensics Training

Offset 3 : 8 Byte Value

OEM Identifier

x45 58 46 41 54 20 20 20

exFAT

Page 20: Revealed and Dissected - SANS Computer Forensics Training

Offset 72 : 8 Byte Value

Total Number of Sectors on the Volume

x00 81 0F 00 00 00 00 00

1,016,064 Sectors

Page 21: Revealed and Dissected - SANS Computer Forensics Training

Offset 80 : 4 Byte Value

Starting Location of the FAT (Linked List)

x80 00 00 00

Physical Sector 128

Page 22: Revealed and Dissected - SANS Computer Forensics Training

Offset 84 : 4 Byte Value

Size of the FAT (Linked List)

x03 1F 00 00

7939 Sectors

Page 23: Revealed and Dissected - SANS Computer Forensics Training

Offset 88 : 4 Byte Value

Starting location of the Cluster Heap (Data Area)

x00 20 00 00

Physical Sector 8192

Page 24: Revealed and Dissected - SANS Computer Forensics Training

Offset 92 : 4 Byte Value

Allocation Units on the Volume (Clusters)

x00 61 0F 00

1,007,872 Units (Each Represented by a Bit)

Page 25: Revealed and Dissected - SANS Computer Forensics Training

Offset 96 : 4 Byte Value

Location of the 1st cluster of the Root Directory

x05 01 00 00

Logical Cluster 261

Page 26: Revealed and Dissected - SANS Computer Forensics Training

The data area (cluster heap) of an exFAT disk begins addressing starting with cluster two.

Hint: This can make manually navigating the file system difficult. To keep locations relative, translate cluster zero of the file system by subtracting two clusters from the starting sector of the Bitmap (the start of the cluster heap, cluster 2).

0x2000 = 8192 (Sector location of Cluster 2) – 2 Clusters = Sector 8190

Page 27: Revealed and Dissected - SANS Computer Forensics Training

To find the starting location of the first sector of the root directory, find the cluster offset relative to the defined location for cluster 2. In this example one sector equals one cluster and cluster 2 starts in sector 8192.

0x0105 = Cluster 261 (defined above) + Sector 8192 (defined in the VBR as the start of the cluster heap) – 2 Clusters (addressing begins at cluster 2) = Sector 8451

The starting cluster for the root directory is cluster 261 and its location is sector 8451.

Page 28: Revealed and Dissected - SANS Computer Forensics Training

If the cluster size is set to 1024 bytes (2 sectors per cluster) the addressing works in the same fashion. The value 4224 is the starting location for the cluster heap and is addressed as cluster 2.

Hint: To find logical cluster addressing, subtract 4 sectors (2 clusters) from 4224 and the result is the equivalent of cluster zero. Sector 4220 will be the starting point for cluster addressing.

Page 29: Revealed and Dissected - SANS Computer Forensics Training

To find the starting location of the first sector of the root directory, start cluster mapping from the previous location (sector 4220). (Two sectors equal one cluster in this example.)

0x46 = 70 Clusters (as defined in the VBR) = 140 Sectors + 4224 Sectors (defined as the starting location for the data area) – 2 Clusters (4 Sectors) = Sector 4360

The starting cluster for the root directory is cluster 70 and its location is sector 4360.

Page 30: Revealed and Dissected - SANS Computer Forensics Training

Offset 100 : 4 Byte Value

Volume Serial Number

xFD D9 FC C8

C8FC-D9FD

Page 31: Revealed and Dissected - SANS Computer Forensics Training

Offset 104 : 2 Byte Value

File System Version

x00 01

exFAT 1.00

Page 32: Revealed and Dissected - SANS Computer Forensics Training

Offset 108 : 1 Byte Value

Sector Size

x09

2^9 (512 bytes)

Page 33: Revealed and Dissected - SANS Computer Forensics Training

Offset 109 : 1 Byte Value

The Number of Sectors Per Cluster

x00

2^0 = 1 Sector Per Cluster

Page 34: Revealed and Dissected - SANS Computer Forensics Training

Offset 110: 1 Byte Value

Number of FATs in Use

x01

1

Page 35: Revealed and Dissected - SANS Computer Forensics Training

Offset 111: 1 Byte Value

Used by INT13

x80

x80

Page 36: Revealed and Dissected - SANS Computer Forensics Training

Offset 112 : 1 Byte Value

Percentage of cluster heap in use

0x01

1% in use

Page 37: Revealed and Dissected - SANS Computer Forensics Training

The last 2 bytes of each sector will be x55 AA. This value will be present in the first 9 sectors of the boot record and the first 9 sectors of the backup boot record.

*Assuming 512-byte sectors

Page 38: Revealed and Dissected - SANS Computer Forensics Training

The 12th sector of the boot record and of the backup boot record will contain a repetitive 4-byte value. The value is a checksum of the other sectors of the boot region. This value is calculated without including the Volume Flags and Percent In Use fields.

Page 39: Revealed and Dissected - SANS Computer Forensics Training

• Sectors 12-23 will contain a complete backup of the first 12 sectors of the volume
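The VBR fields of slide 17, the cluster-to-sector arithmetic of slides 26-29, the 0x55 AA signatures of slide 37 and the sector-12 checksum of slide 38, worked as an added Python example that is not code from the slides or their authors. It assumes 512-byte sectors and a constructed sample VBR carrying the slide values; the checksum arithmetic itself (a 32-bit rotate-right-by-one accumulation over sectors 0-10) is taken from Microsoft's published exFAT specification, not from the slides.

```python
import struct

SECTOR = 512   # assumption: 512-byte sectors, as on the slides (bytes-per-sector shift 9)

# (name, offset, struct format) for the slide-17 fields. VolumeFlags is read as one
# 16-bit word covering the slides' "Volume Flags" and "Active FAT" bytes.
FIELDS = [
    ("partition_offset", 64, "<Q"), ("total_sectors", 72, "<Q"),
    ("fat_offset", 80, "<I"), ("fat_length", 84, "<I"),
    ("cluster_heap_offset", 88, "<I"), ("cluster_count", 92, "<I"),
    ("root_dir_cluster", 96, "<I"), ("volume_serial", 100, "<I"),
    ("fs_revision", 104, "<H"), ("volume_flags", 106, "<H"),
    ("bytes_per_sector_shift", 108, "<B"), ("sectors_per_cluster_shift", 109, "<B"),
    ("number_of_fats", 110, "<B"), ("drive_select", 111, "<B"),
    ("percent_in_use", 112, "<B"),
]

def build_vbr(total_sectors, fat_offset, fat_length, heap_offset, cluster_count,
              root_cluster, serial, spc_shift=0):
    """Constructed sector 0 with the slide-17 layout (sample data, not a slide image)."""
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xEB\x76\x90"           # jump code
    vbr[3:11] = b"EXFAT   "              # OEM identifier: x45 58 46 41 54 20 20 20
    struct.pack_into("<QQIIIIIIHHBBBBB", vbr, 64,
                     0, total_sectors, fat_offset, fat_length, heap_offset,
                     cluster_count, root_cluster, serial,
                     0x0100,             # revision bytes 00 01 -> exFAT 1.00
                     0, 9, spc_shift,    # flags, 2^9 bytes/sector, 2^n sectors/cluster
                     1, 0x80, 1)         # one FAT, INT13 drive 0x80, 1% in use
    vbr[510:512] = b"\x55\xAA"
    return bytes(vbr)

def parse_vbr(sector0):
    """Decode the little-endian, unsigned VBR fields into a dict."""
    if sector0[3:11] != b"EXFAT   ":
        raise ValueError("OEM identifier is not 'EXFAT   '")
    if sector0[510:512] != b"\x55\xAA":
        raise ValueError("sector 0 lacks the 0x55AA signature")
    v = {name: struct.unpack_from(fmt, sector0, off)[0] for name, off, fmt in FIELDS}
    v["bytes_per_sector"] = 1 << v["bytes_per_sector_shift"]
    v["sectors_per_cluster"] = 1 << v["sectors_per_cluster_shift"]
    v["serial_text"] = "%04X-%04X" % (v["volume_serial"] >> 16, v["volume_serial"] & 0xFFFF)
    return v

def cluster_to_sector(cluster, heap_offset, sectors_per_cluster):
    """Slides 26-29: cluster 2 starts at the heap offset, so subtract two clusters."""
    if cluster < 2:
        raise ValueError("cluster addressing begins at cluster 2")
    return heap_offset + (cluster - 2) * sectors_per_cluster

def boot_checksum(region):
    """32-bit checksum repeated through sector 11 (slide 38): computed over sectors
    0-10, skipping VolumeFlags (bytes 106-107) and PercentInUse (byte 112)."""
    cs = 0
    for i in range(11 * SECTOR):
        if i in (106, 107, 112):
            continue
        cs = (((cs << 31) | (cs >> 1)) + region[i]) & 0xFFFFFFFF
    return cs

def build_boot_region(sector0):
    """12-sector boot region: sectors 1-8 carry 0x55AA too (slide 37), sectors 9-10
    are zero, and sector 11 repeats the checksum 128 times."""
    region = bytearray(sector0) + bytearray(10 * SECTOR)
    for s in range(1, 9):
        region[s * SECTOR + 510:s * SECTOR + 512] = b"\x55\xAA"
    region += struct.pack("<I", boot_checksum(region)) * (SECTOR // 4)
    return bytes(region)

def verify_boot_region(region):
    """Return (signatures_ok, checksum_ok); run it on sectors 0-11 and again on the
    backup copy in sectors 12-23 (slide 39) and compare the two results."""
    sigs = all(region[s * SECTOR + 510:s * SECTOR + 512] == b"\x55\xAA" for s in range(9))
    stored = struct.unpack_from("<I", region, 11 * SECTOR)[0]
    return sigs, stored == boot_checksum(region)
```

A region whose signatures are intact but whose stored checksum does not match the recomputed one has been edited outside the two excluded fields, which is worth noting before trusting the geometry it reports.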

Page 40: Revealed and Dissected - SANS Computer Forensics Training

• Identify an exFAT Volume
• Manually Parse the Information in the Volume Boot Record (VBR)
• Interpret logical cluster mapping
• Locate the first cluster of the Root directory
• Recognize the 0x55 AA signature at the end of the first 9 sectors of the volume and the VBR backup
• Recognize the 12th sector of the volume
• Identify and locate the backup VBR

Page 41: Revealed and Dissected - SANS Computer Forensics Training

• Review of a FAT from a FAT32 File System
• Define the Possible States of Entries in the Linked List
• Track Fragmentation in the FAT in exFAT

Page 42: Revealed and Dissected - SANS Computer Forensics Training

• The FAT file system is named for the use of a File Allocation Table (FAT)

• A FAT32 file system by default has a FAT0 and a FAT1 (or FAT 1 and FAT 2)

• Directory Entries track file name, metadata, and starting extent of a file

• The FAT tracks the fragmentation of a file
• The FAT tracks allocation status of a cluster

Page 43: Revealed and Dissected - SANS Computer Forensics Training

• An entry in a FAT12/16/32 File Allocation Table can be:
  – A pointer to the next cluster
  – An end of file marker
  – A designation for a bad cluster
  – A zero for an unallocated cluster

Page 44: Revealed and Dissected - SANS Computer Forensics Training

• exFAT uses a Linked List to track data file fragmentation

• A flag in the directory record indicates if the FAT is being used for the file

• The exFAT FAT does not track allocation status
• The only Media Type is 0xF8

Page 45: Revealed and Dissected - SANS Computer Forensics Training

• Pointer to Next Fragment
• End of File (0xFF FF FF FF) (null value)
• No Fragmentation Being Tracked (0x00 00 00 00)

Page 46: Revealed and Dissected - SANS Computer Forensics Training

Figure: a chain of FAT entries, each a pointer to the next pointer, ending in the End of File marker 0xFFFFFFFF.

Page 47: Revealed and Dissected - SANS Computer Forensics Training

Each entry is 4 bytes in length. It can point to another location, it can be terminated by hex value 0xFFFFFFFF, or it can be left zeros indicating no fragmentation for the addressed portion of the FAT.

Page 48: Revealed and Dissected - SANS Computer Forensics Training

This example is the location for tracking the 0x000000FC (252nd) allocation unit. Its value points to the next fragment: 0x000000FD (253).

Page 49: Revealed and Dissected - SANS Computer Forensics Training

0x000000FD (253) points to 0x000000FE (254), and so on.

Page 50: Revealed and Dissected - SANS Computer Forensics Training

So, 252 points to 253 points to 254, points to 255, points to 256 points to 257, points to 258, points to 259, points to 260.

Page 51: Revealed and Dissected - SANS Computer Forensics Training

And finally, 0xFFFFFFFF is the end of file marker.

Page 52: Revealed and Dissected - SANS Computer Forensics Training

• Review of a FAT from a FAT32 File System
• Define the Possible States of Entries in the Linked List
• Track Fragmentation in the FAT in exFAT

Page 53: Revealed and Dissected - SANS Computer Forensics Training

• Locate the bitmap on an exFAT volume
• Explain how the bitmap tracks allocated clusters

Page 54: Revealed and Dissected - SANS Computer Forensics Training

• A bitmap is used in exFAT for quickly determining if a cluster is available to write to or not

• This is much more efficient than parsing the linked list for the availability of a cluster

• This can provide a quick way to determine a place to write a file to avoid fragmentation

Page 55: Revealed and Dissected - SANS Computer Forensics Training

• Each cluster is tracked in the bitmap
• A single bit is used for each cluster on the volume
• The value can be either
  – 0 – unallocated cluster
  – 1 – allocated cluster

Page 56: Revealed and Dissected - SANS Computer Forensics Training

• The bitmap tracks each cluster by utilizing the least significant bit in a byte to represent the allocation status of the first cluster in the respective range of eight.

Page 57: Revealed and Dissected - SANS Computer Forensics Training

• For example, if only the first cluster were allocated, the bitmap would have a value of 0x01 – or 0000 0001

• If the first and eighth cluster were allocated the value would be 0x81 – or 1000 0001
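An added Python example, not code from the slides or their authors, that walks a FAT chain the way slides 47-51 describe and reads the allocation bitmap the way slides 55-57 describe; the FAT and bitmap bytes are constructed here. Two details beyond the slides are assumptions taken from Microsoft's exFAT specification: bit 0 of the bitmap is cluster 2, and FAT entry 0 holds the 0xF8 media type as 0xFFFFFFF8.

```python
import struct

EOF_MARK = 0xFFFFFFFF      # end-of-file marker (slides 45 and 51)
NO_CHAIN = 0x00000000      # zero entry: no fragmentation tracked for that cluster (slide 47)
MEDIA_TYPE = 0xFFFFFFF8    # entry 0 carries the 0xF8 media type (slide 44); entry 1 is EOF

def build_fat(chains, cluster_count):
    """Constructed FAT of 4-byte little-endian entries: each chain is linked in order
    and terminated with EOF_MARK; every other entry stays zero."""
    fat = [NO_CHAIN] * (cluster_count + 2)
    fat[0], fat[1] = MEDIA_TYPE, EOF_MARK
    for chain in chains:
        for cur, nxt in zip(chain, chain[1:] + [EOF_MARK]):
            fat[cur] = nxt
    return struct.pack("<%dI" % len(fat), *fat)

def follow_chain(fat_bytes, first_cluster):
    """Walk the linked list from first_cluster (slides 48-51) and return the clusters in
    file order. A damaged FAT can loop, hit a zero entry, or point outside the table;
    each of those is reported as corrupt instead of being followed forever."""
    entries = struct.unpack("<%dI" % (len(fat_bytes) // 4), fat_bytes)
    chain, cur = [], first_cluster
    while cur != EOF_MARK:
        if cur < 2 or cur >= len(entries) or cur in chain:
            raise ValueError("corrupt FAT chain at entry %#010x" % cur)
        chain.append(cur)
        cur = entries[cur]
    return chain

def contiguous_clusters(first_cluster, size, bytes_per_cluster):
    """Clusters of a file whose stream record carries the NoFatChain flag (slide 44):
    its FAT entries stay zero because the file occupies consecutive clusters."""
    count = max(1, -(-size // bytes_per_cluster))   # ceiling division
    return list(range(first_cluster, first_cluster + count))

def bitmap_allocated(bitmap_bytes, cluster_count):
    """Slides 55-57: one bit per cluster, least significant bit first, so bit 0 of
    byte 0 is the first cluster of the heap, cluster 2. 1 = allocated."""
    allocated = []
    for index in range(cluster_count):
        byte, bit = divmod(index, 8)
        if bitmap_bytes[byte] >> bit & 1:
            allocated.append(index + 2)
    return allocated

def build_bitmap(allocated_clusters, cluster_count):
    """Inverse of bitmap_allocated, used here only to construct sample data."""
    bitmap = bytearray((cluster_count + 7) // 8)
    for cluster in allocated_clusters:
        byte, bit = divmod(cluster - 2, 8)
        bitmap[byte] |= 1 << bit
    return bytes(bitmap)

def unallocated_in_chain(fat_bytes, bitmap_bytes, cluster_count, first_cluster):
    """Clusters reachable through the FAT but cleared in the bitmap: the inconsistency
    that points at a deleted file's leftover chain or at FAT damage."""
    live = set(bitmap_allocated(bitmap_bytes, cluster_count))
    return [c for c in follow_chain(fat_bytes, first_cluster) if c not in live]
```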

Page 58: Revealed and Dissected - SANS Computer Forensics Training

• Recognize exFAT Directory Entries
• Understand the Three Record Types in a Directory Entry
  – Directory Entry Record
  – Stream Extension
  – File Name Extension
• Locate the Starting Cluster and Size of a File
• Identify Deleted Files

Page 59: Revealed and Dissected - SANS Computer Forensics Training

• Directory entries are a series of 32 byte records.

• Each record has a type flag located in the first byte of the record.

• A file will have at least 3 records.

Page 61: Revealed and Dissected - SANS Computer Forensics Training

Directory Entry Record – Tracks attributes and created, accessed and modified times.

Stream Extension – Tracks size and starting extent of the file. Also tracks the size of the filename.

File Name Extension – This actually contains the filename in Unicode characters.

Note: Additional records may be created and used for longer file names.

Page 62: Revealed and Dissected - SANS Computer Forensics Training

Record Type (Hex)  Field Definition
x85                Directory Entry Record
x83                Volume Name Record
x82                Up-Case Table Logical Location and Size
x81                Bitmap Logical Location and Size
xC0                Stream Extension
xC1                File Name Extension

Page 63: Revealed and Dissected - SANS Computer Forensics Training

Offset (Hex)  Offset (Dec)  Length  Field Definition
x00           0             1       Record Type x85 – Directory Entry Record
x01           1             1       Secondary Count (Number of Additional 32 Byte Records in the Entry)
x02           2             2       Record Entry Checksum
x04           4             2       DOS File Flags (Archive, Hidden, etc)
x06           6             2       Unknown (Values only on Volume Label)
x08           8             4       Created Date and Time
x0C           12            4       Last Modified Date and Time
x10           16            4       Last Accessed Date and Time
x14           20            2       10 ms Increments Added to Created and Modified Times Respectively
x16           22            3       Time Zone Offset Applied to the File Time

Page 64: Revealed and Dissected - SANS Computer Forensics Training

Offset (Hex)  Offset (Dec)  Length  Field Definition
x00           0             1       Record Type xC0
x01           1             1       Secondary Flags (Including NO FAT)
x03           3             1       Number of Unicode Characters in the File Name
x04           4             2       File Name Hash
x06           6             2       Reserved
x08           8             8       Initialized Size of the File in Bytes
x10           16            4       Reserved
x14           20            4       Starting Cluster of the File
x18           24            8       Logical Size of the File in Bytes

Page 65: Revealed and Dissected - SANS Computer Forensics Training

Offset (Hex)  Offset (Dec)  Length    Field Definition
x00           0             1         Record Type xC1
x02           2             Variable  File Name

Length is in Unicode characters as defined in the xC0 record.

If more than one entry is necessary, the file name will continue in the next entry, again starting at offset 0x02.

Page 67: Revealed and Dissected - SANS Computer Forensics Training

Hex     Binary     Description
0x0001  0000 0001  Read Only
0x0002  0000 0010  Hidden File
0x0004  0000 0100  System File
0x0020  0010 0000  Archive

Page 71: Revealed and Dissected - SANS Computer Forensics Training

Hex     Binary     Description
0x0001  0000 0001  Allocation Possible
0x0002  0000 0010  No FAT Chain in Use

Page 73: Revealed and Dissected - SANS Computer Forensics Training

Unallocated records are tracked by switching one bit in the entry. A record may also be marked unallocated when a file name is changed – this is not exclusive to deletion.

If the first (most significant) bit of the record type byte is “1”, then the record is in use.

If the first (most significant) bit of the record type byte is “0”, then the record is not in use.

Page 74: Revealed and Dissected - SANS Computer Forensics Training

Entry                               Binary     Hex
Unused Entry                        0000 0000  0x00
Allocated Directory Entry Record    1000 0101  0x85
Unallocated Directory Entry Record  0000 0101  0x05

Page 75: Revealed and Dissected - SANS Computer Forensics Training

Entry                         Binary     Hex
Unused Entry                  0000 0000  0x00
Allocated Stream Extension    1100 0000  0xC0
Unallocated Stream Extension  0100 0000  0x40

Page 76: Revealed and Dissected - SANS Computer Forensics Training

Entry                         Binary     Hex
Unused Entry                  0000 0000  0x00
Allocated File Name Record    1100 0001  0xC1
Unallocated File Name Record  0100 0001  0x41
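The three record types of slides 61-65, the attribute and secondary-flag bits of slides 67 and 71, and the in-use bit of slides 73-76, as an added Python example that is not code from the slides or their authors: it builds a constructed entry set, parses it, and shows what a set marked unallocated still carries. The 4-byte timestamp bit layout and the 16-bit entry-set checksum are assumptions taken from Microsoft's exFAT specification rather than from the slides.

```python
import struct

ENTRY = 32
IN_USE = 0x80            # bit 7 of the type byte: 1 = in use, 0 = unallocated (slides 73-76)
NO_FAT_CHAIN = 0x02      # stream-extension secondary flag (slide 71)
ATTRIBUTES = {0x01: "Read Only", 0x02: "Hidden", 0x04: "System", 0x20: "Archive"}  # slide 67

def entry_set_checksum(records):
    """16-bit checksum over every record of the set, skipping the checksum field
    itself (bytes 2-3 of the 0x85 record); rotate right by one, then add each byte."""
    cs = 0
    for i, b in enumerate(records):
        if i in (2, 3):
            continue
        cs = (((cs << 15) | (cs >> 1)) + b) & 0xFFFF
    return cs

def pack_timestamp(year, month, day, hour, minute, second):
    """exFAT 4-byte timestamp: year from 1980 (7 bits), month, day, hour, minute, 2 s units."""
    return (year - 1980) << 25 | month << 21 | day << 16 | hour << 11 | minute << 5 | second // 2

def unpack_timestamp(ts):
    return "%04d-%02d-%02d %02d:%02d:%02d" % (
        1980 + (ts >> 25), (ts >> 21) & 0xF, (ts >> 16) & 0x1F,
        (ts >> 11) & 0x1F, (ts >> 5) & 0x3F, (ts & 0x1F) * 2)

def build_file_entry_set(name, size, first_cluster, attrs, created, contiguous=True):
    """Constructed 0x85 + 0xC0 + one or more 0xC1 records for a file (sample data)."""
    utf16 = name.encode("utf-16-le")
    chunks = [utf16[i:i + 30].ljust(30, b"\0") for i in range(0, len(utf16), 30)]
    ts = pack_timestamp(*created)
    dir_rec = bytearray(ENTRY)        # type, secondary count, checksum, attrs, reserved, 3 times
    struct.pack_into("<BBHHHIII", dir_rec, 0, 0x85, 1 + len(chunks), 0, attrs, 0, ts, ts, ts)
    stream = bytearray(ENTRY)
    flags = 0x01 | (NO_FAT_CHAIN if contiguous else 0)     # 0x01 = allocation possible
    struct.pack_into("<BBBBHHQIIQ", stream, 0, 0xC0, flags, 0, len(name), 0, 0,
                     size, 0, first_cluster, size)
    records = dir_rec + stream
    for chunk in chunks:                                    # 15 UTF-16 characters per record
        records += b"\xC1\x00" + chunk
    struct.pack_into("<H", records, 2, entry_set_checksum(records))
    return bytes(records)

def mark_deleted(entry_set):
    """What deletion (or a rename) leaves on disk: bit 7 of each type byte is cleared
    (0x85 -> 0x05, 0xC0 -> 0x40, 0xC1 -> 0x41) while the other 31 bytes stay intact."""
    out = bytearray(entry_set)
    for j in range(0, len(out), ENTRY):
        out[j] &= 0x7F
    return bytes(out)

def parse_directory(data):
    """Walk 32-byte records and return one dict per file entry set, in use or not."""
    files, i = [], 0
    while i + ENTRY <= len(data):
        rtype = data[i]
        if rtype == 0x00:                       # unused entry: nothing further to read
            break
        if rtype & 0x7F != 0x05:                # volume label, bitmap, up-case table, ...
            i += ENTRY
            continue
        recs = data[i:i + ENTRY * (1 + data[i + 1])]
        stored_cs = struct.unpack_from("<H", recs, 2)[0]
        attrs = struct.unpack_from("<H", recs, 4)[0]
        created = struct.unpack_from("<I", recs, 8)[0]
        flags, name_len = recs[ENTRY + 1], recs[ENTRY + 3]
        first_cluster, size = struct.unpack_from("<IQ", recs, ENTRY + 20)
        name = b"".join(recs[j + 2:j + ENTRY] for j in range(2 * ENTRY, len(recs), ENTRY))
        files.append({
            "name": name.decode("utf-16-le")[:name_len],
            "deleted": not rtype & IN_USE,
            "attributes": [label for bit, label in ATTRIBUTES.items() if attrs & bit],
            "created": unpack_timestamp(created),
            "first_cluster": first_cluster,
            "size": size,
            "no_fat_chain": bool(flags & NO_FAT_CHAIN),
            "checksum_ok": stored_cs == entry_set_checksum(recs),
        })
        i += len(recs)
    return files
```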

Page 77: Revealed and Dissected - SANS Computer Forensics Training

• Recognize exFAT Directory Entries
• Understand the Three Record Types in a Directory Entry
  – Directory Entry Record
  – Stream Extension
  – File Name Extension
• Locate the Starting Cluster and Size of a File
• Identify Deleted Files

Page 78: Revealed and Dissected - SANS Computer Forensics Training

• Describe exFAT, what systems it’s enabled on, and explain why it was implemented.

• Identify an exFAT volume and explain the information contained in the Volume Boot Record.

• Explain how exFAT tracks fragmentation and allocation.

• Define the information contained in the directory records on an exFAT volume.

Page 79: Revealed and Dissected - SANS Computer Forensics Training

Jeff Hamm, CFCE
US Department of State – Computer Investigations and Forensics
Paradigm Solutions
[email protected] 431 8735

Robert Shullich, CPP, CISSP, CISA, GSEC, GCIH, GCFA, CEH
Information Security
[email protected]
rshullic.wordpress.com

Page 80: Revealed and Dissected - SANS Computer Forensics Training

SANS Reading Room: http://www.sans.org/reading_room/whitepapers/forensics/rss/reverse_engineering_the_microsoft_exfat_file_system_33274

Microsoft Patent: Microsoft Patent 0164440 (June 25, 2009). Quick Filename Lookup Using Name Hash. Pub No. US 2009/0164440 A1. Retrieved December 10, 2009 from http://www.pat2pdf.org/patents/pat20090164440.pdf