
FAT Concepts and Analysis

Acknowledgments

Dr. David Dampier and the Center for Computer Security Research (CCSR)

Basic Concepts
The FAT file system is one of the simplest file systems and does not clearly follow the five category model. It consists of two main data structures:

- File Allocation Table
- Directory Entries

Each file and directory is allocated a directory entry that contains:

- File name
- File size
- Starting address of the file content
- Other metadata

File and directory content is stored in clusters. If a file or directory needs more than one cluster, the addresses of the additional clusters are found in the FAT structure.

Versions of FAT: FAT12, FAT16, and FAT32. The difference is the size of the entries in the FAT structure.

Versions of FAT

FAT12
- Designed as a file system for floppy diskettes
- 12-bit cluster addresses

FAT16
- 16-bit cluster addresses

FAT32
- 32-bit cluster addresses (28 bits used) => 2^28 clusters
- Drive size up to 8TB with 32KB clusters
- Can become slow and inefficient
- Video applications and large databases often exceed FAT32 limitations

Layout of a FAT file system


The layout of the FAT file system consists of 3 physical sections:

- Reserved area: file system category data
- FAT area: primary and backup FAT structures
- Data area: clusters used for storing file and directory content

[Figure: Reserved area (starting at sector 0) | FAT area | Data area]

FAT File System Data


In order to analyze the FAT file system, it is necessary to locate the three physical layout areas.

- The reserved area starts at sector 0, and its size is given in the boot sector. In FAT12/16 the reserved area is typically only 1 sector, but FAT32 will typically reserve many sectors.
- The FAT area begins in the sector after the reserved area. Its size is calculated by multiplying the number of FAT structures by the size of each FAT, both of which can be found in the boot sector.
- The data area begins in the sector after the FAT area. Its size can be found by subtracting the starting address of the data area from the total number of sectors in the file system, which can be found in the boot sector.

FAT System Layout

[Figure: FAT12/16: Reserved Area | FAT Area | Root Directory | Data Area
         FAT32:    Reserved Area | FAT Area | Data Area (root directory anywhere inside it)]

The main difference between these layouts is that the FAT12/16 root directory is at the beginning of the data area, while the FAT32 root directory can be anywhere in the data area. The first 36 bytes of the boot sector are the same in all versions.

File System Category


The data in the File System Category describes the general file system and can be found in the boot sector data structure. The boot sector is located in the first sector of the volume and is part of the reserved area of the file system.

Boot Sector
The boot sector is contained in the first 512 bytes. The first 36 bytes of all FAT boot sectors contain:

Bytes   Description
0-2     jump to boot code
3-10    OEM name in ASCII
11-12   bytes per sector
13      sectors per cluster (power of 2, cluster size < 32KB)
14-15   size in sectors of reserved area
16      number of FATs, 2 if backup
17-18   max # of root directory entries
19-20   16-bit value of number of sectors in file system
21      media type: 0xf8 fixed disks, 0xf0 removable
22-23   16-bit size in sectors of each FAT
24-25   sectors per track
26-27   number of heads
28-31   number of sectors before start of partition
32-35   32-bit value of # of sectors in file system, > 0

Bytes 510 and 511 have the signature 0x55 and 0xAA.

Example Image FAT32 (See pp. 216 and 217)

# fsstat -f fat fat-4.dd
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: FAT
OEM Name: MSDOS5.0
Volume ID: 0x4c194603
Volume Label (Boot Sector): NO NAME
Volume Label (Root Directory): FAT DISK
File System Type Label: FAT32
Backup Boot Sector Location: 6
FS Info Sector Location: 1
Next Free Sector (FS Info): 1778
Free Sector Count (FS Info): 203836
...
File System Layout (in sectors)
Total Range: 0 - 205631
* Reserved: 0 - 37
** Boot Sector: 0
** FS Info Sector: 1
* FAT 0: 38 - 834
* FAT 1: 835 - 1631
* Data Area: 1632 - 205631
*** Root Directory: 1632 - 1635

CONTENT DATA INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 1024
...

Note the 38 reserved sectors (0-37) and the 2 FAT structures (FAT 0 and FAT 1, 797 sectors each).

Analysis
In order to analyze a disk or find hidden data, it is necessary to know the layout of the file system and which OS formatted the disk. Several places not used by the file system could contain hidden data:

- In the reserved area, between the end of the boot sector data and the final signature
- Between the end of the file system and the end of the volume
- FAT32 systems have a backup boot sector in sector 6. The primary and backup copies can be compared to find inconsistencies; if values in the primary have been changed, the backup may contain the original data.

Analysis Scenario
Imagine that the first 32 sectors of a disk are damaged and cannot be read. What do you do?

First, find the start of the file system. The signature for a FAT file system is 0x55 and 0xAA in the final two bytes of the boot sector. The sigfind tool can be used to look for the signature. When the tool finds the signature, additional tests can be conducted on the range of values that is valid for a given data structure. For example, byte 13 of the boot sector identifies how many sectors are in a cluster, and must have a value that is a power of 2. Any other value would indicate that the sector was not part of a FAT file system boot sector, even though it contained the signature.
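The boot sector parsing, the layout calculation behind the fsstat output, and the "signature plus sanity checks" test from this scenario, as an added Python example that is not part of the slides and not TSK code. The boot sector bytes and the image are constructed here: the boot sector fields are chosen to reproduce the fsstat values above (38 reserved sectors, 2 FATs, 1024-byte clusters, 205,632 sectors), and the image places that boot sector after 32 zeroed sectors next to a decoy sector that carries the signature but an invalid sectors-per-cluster value. The FAT32 32-bit FAT size at bytes 36-39 is outside the 36 common bytes listed on the slide.

```python
import struct

SECTOR = 512

def build_fat32_boot_sector():
    """Constructed 512-byte FAT32 boot sector whose fields match the fsstat output
    for fat-4.dd above (38 reserved sectors, 2 FATs of 797 sectors, 1024-byte
    clusters, 205,632 sectors). Sample bytes, not bytes copied from the image."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xeb\x58\x90"                  # 0-2   jump to boot code
    bs[3:11] = b"MSDOS5.0"                     # 3-10  OEM name
    struct.pack_into("<H", bs, 11, 512)        # 11-12 bytes per sector
    bs[13] = 2                                 # 13    sectors per cluster (power of 2)
    struct.pack_into("<H", bs, 14, 38)         # 14-15 reserved area size in sectors
    bs[16] = 2                                 # 16    number of FATs
    struct.pack_into("<H", bs, 17, 0)          # 17-18 root directory entries (0 on FAT32)
    struct.pack_into("<H", bs, 19, 0)          # 19-20 16-bit sector count (0: use 32-35)
    bs[21] = 0xF8                              # 21    media type: fixed disk
    struct.pack_into("<H", bs, 22, 0)          # 22-23 16-bit FAT size (0 on FAT32)
    struct.pack_into("<H", bs, 24, 63)         # 24-25 sectors per track
    struct.pack_into("<H", bs, 26, 255)        # 26-27 number of heads
    struct.pack_into("<I", bs, 28, 0)          # 28-31 sectors before the partition
    struct.pack_into("<I", bs, 32, 205632)     # 32-35 32-bit sector count
    struct.pack_into("<I", bs, 36, 797)        # 36-39 FAT32-only 32-bit FAT size
    bs[510], bs[511] = 0x55, 0xAA              # signature
    return bytes(bs)

def parse_boot_sector(data):
    """Decode the 36 common bytes. Raises ValueError when the sector carries the
    0x55AA signature but its fields are not valid for a FAT boot sector."""
    if len(data) < SECTOR or data[510] != 0x55 or data[511] != 0xAA:
        raise ValueError("no 0x55AA signature in bytes 510-511")
    bps = struct.unpack_from("<H", data, 11)[0]
    if bps not in (512, 1024, 2048, 4096):
        raise ValueError(f"bytes per sector {bps} is not valid")
    spc = data[13]
    if spc == 0 or spc & (spc - 1):            # byte 13 must be a power of 2
        raise ValueError(f"sectors per cluster {spc} is not a power of 2")
    reserved, num_fats = struct.unpack_from("<H", data, 14)[0], data[16]
    if reserved == 0 or num_fats == 0:
        raise ValueError("reserved sectors and number of FATs must be non-zero")
    total16 = struct.unpack_from("<H", data, 19)[0]
    fat16 = struct.unpack_from("<H", data, 22)[0]
    return {
        "oem_name": data[3:11].decode("ascii", "replace").rstrip(),
        "bytes_per_sector": bps, "sectors_per_cluster": spc,
        "reserved_sectors": reserved, "num_fats": num_fats,
        "root_entries": struct.unpack_from("<H", data, 17)[0],
        "media_type": data[21],
        # the 16-bit fields are 0 on FAT32 volumes; fall back to the 32-bit ones
        "total_sectors": total16 or struct.unpack_from("<I", data, 32)[0],
        "fat_sectors": fat16 or struct.unpack_from("<I", data, 36)[0],
    }

def is_fat_boot_sector(data):
    try:
        parse_boot_sector(data)
        return True
    except ValueError:
        return False

def layout(info):
    """Sector ranges of the three physical areas, as fsstat prints them."""
    reserved, fat_size = info["reserved_sectors"], info["fat_sectors"]
    fats, start = [], reserved
    for _ in range(info["num_fats"]):
        fats.append((start, start + fat_size - 1))
        start += fat_size
    return {
        "reserved": (0, reserved - 1),
        "fats": fats,
        "data": (start, info["total_sectors"] - 1),
        "cluster_bytes": info["bytes_per_sector"] * info["sectors_per_cluster"],
    }

def find_boot_sectors(image, sector_size=SECTOR):
    """Scan for the signature the way sigfind does, then keep only candidates
    whose fields pass the checks above."""
    hits = []
    for n in range(len(image) // sector_size):
        sec = image[n * sector_size:(n + 1) * sector_size]
        if sec[510:512] == b"\x55\xaa" and is_fat_boot_sector(sec):
            hits.append(n)
    return hits

def demo_image():
    """Constructed image for the scenario: 32 unreadable (zeroed) sectors, the
    boot sector at sector 32, then a decoy sector that has the signature but
    a sectors-per-cluster value of 3."""
    decoy = bytearray(SECTOR)
    decoy[13] = 3
    decoy[510:512] = b"\x55\xaa"
    return bytes(SECTOR * 32) + build_fat32_boot_sector() + bytes(decoy) + bytes(SECTOR * 4)

if __name__ == "__main__":
    img = demo_image()
    for n in find_boot_sectors(img):
        print("FAT boot sector at sector", n, layout(parse_boot_sector(img[n * SECTOR:])))
```

Running it reports only sector 32: the decoy at sector 33 has the signature but fails the power-of-2 test, which is exactly the extra check the scenario calls for after sigfind reports a hit. The layout returned for sector 32 matches the fsstat ranges above (reserved 0-37, FAT 0 38-834, FAT 1 835-1631, data area 1632-205631).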

Content Category
The Content category comprises the file and directory content.

- FAT file systems use the term cluster for the data units in the Data Area
- A cluster is a group of consecutive sectors; the number of sectors must be a power of 2 (1, 2, 4, ..., 64)
- Each cluster has an address, and the address of the first cluster is 2 (there are no clusters with address 0 or 1)

Finding the First Cluster


Finding cluster 2 is not easy, because it is not at the beginning of the file system. Depending on whether it is a FAT12/16 or FAT32 system, the procedure is different.

[Figure: FAT12/16: Reserved Area | FAT Area | Root Directory (starts at sector 1224) | Data Area (cluster 2 at sector 1256)
         FAT32:    Reserved Area | FAT Area | Data Area (cluster 2 at sector 1224; root directory inside the data area)]

In a FAT12/16 system, the number of root directory entries is given in the boot sector, and cluster 2 starts in the sector after the root directory.

For example, consider a FAT16 file system with 32 sectors allocated for the root directory. If the data area starts in sector 1224, then the root directory spans from sector 1224 to 1255. If we have 2048-byte clusters, then cluster 2 would start at sector 1256 and cluster 3 would start at sector 1260.

Cluster Allocation Status


The status of a cluster (whether allocated or not) is found in the FAT structure.


The basic concept of the FAT is that it has one entry for each cluster in the file system. If the table entry is 0, then the cluster corresponding to that table entry is not allocated to a file. All other values mean that the cluster is allocated.

Allocation Algorithms

- To find an unallocated cluster, the OS scans the FAT for an entry with a 0 in it
- Most operating systems do not clear cluster contents when they are unallocated

[Figure: FAT entries for clusters 61-67]
  Cluster:  61  62  63  64  65  66  67
  Entry:    X   0   X   X   X   0   0
                            ^ last allocated
  X = allocated, 0 = available

Analysis Techniques
When analyzing the content category, there are several places where data could be hidden.

- Clusters can be marked as bad, and bad clusters should be examined, because the OS does not look at them.
- The size of the data area might not be a multiple of the cluster size, so there could be a few sectors at the end of the data area that are not part of any cluster.

Analysis Scenario
Imagine a FAT16 file system in which you need to locate cluster 812. The only tool available is a hex editor.

First, view the boot sector, which is located at sector 0 of the file system, and process it. Processing it indicates that there are 6 reserved sectors, two FATs, each FAT is 249 sectors, each cluster is 32 sectors, and there are 512 directory entries in the root directory.

Sectors          Content
0 - 5            Reserved area
6 - 254          FAT1
255 - 503        FAT2
504 - 535        Root Directory (512 entries x 32 bytes = 32 sectors)
536 - 567        Cluster 2
568 - ...        Cluster 3 and following
26456 - 26487    Cluster 812 (536 + (812 - 2) x 32 = 26456)
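The cluster-to-sector arithmetic used in this scenario and in the earlier FAT16 example (root directory at sector 1224, 2048-byte clusters), as an added Python example that is not part of the slides. Function names and the inverse mapping from a sector back to its cluster are this example's own; the input values are the ones the slides give.

```python
def root_dir_sectors(root_entries, bytes_per_sector=512):
    """FAT12/16 root directory size in sectors: 32 bytes per entry, rounded up.
    FAT32 reports 0 root entries, so this is 0 there."""
    return -(-root_entries * 32 // bytes_per_sector)

def data_area_start(reserved_sectors, num_fats, fat_sectors):
    """First sector after the reserved area and all FAT copies."""
    return reserved_sectors + num_fats * fat_sectors

def first_cluster_sector(data_start, root_sectors):
    """Sector where cluster 2 begins: on FAT12/16 the root directory comes first,
    on FAT32 root_sectors is 0 and cluster 2 starts at the data area."""
    return data_start + root_sectors

def cluster_to_sector(cluster, cluster2_sector, sectors_per_cluster):
    if cluster < 2:
        raise ValueError("there are no clusters with address 0 or 1")
    return cluster2_sector + (cluster - 2) * sectors_per_cluster

def sector_to_cluster(sector, cluster2_sector, sectors_per_cluster):
    """Inverse mapping, useful when a keyword hit lands in the data area;
    None for the root directory or anything before cluster 2."""
    if sector < cluster2_sector:
        return None
    return 2 + (sector - cluster2_sector) // sectors_per_cluster

def fat16_layout(reserved, num_fats, fat_sectors, spc, root_entries, bps=512):
    """Sector ranges a hex-editor walk of a FAT12/16 volume visits.
    Returns the ranges and the sector where cluster 2 starts."""
    regions = [("Reserved", 0, reserved - 1)]
    s = reserved
    for i in range(num_fats):
        regions.append((f"FAT{i + 1}", s, s + fat_sectors - 1))
        s += fat_sectors
    rds = root_dir_sectors(root_entries, bps)
    regions.append(("Root Directory", s, s + rds - 1))
    c2 = first_cluster_sector(s, rds)
    regions.append(("Cluster 2", c2, c2 + spc - 1))
    return regions, c2

if __name__ == "__main__":
    # boot sector values from the scenario: 6 reserved, 2 FATs x 249, 32-sector clusters, 512 root entries
    regions, c2 = fat16_layout(6, 2, 249, 32, 512)
    for name, start, end in regions:
        print(f"{name:15} {start} - {end}")
    print("cluster 812 starts at sector", cluster_to_sector(812, c2, 32))
```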

Metadata Category

This category includes the data that describe files and directories: where content is stored, dates and times, and permissions. In a FAT file system, this information is stored in a directory entry structure.

- Every file or directory is allocated a directory entry, which can exist anywhere in the Data Area
- Each directory entry is 32 bytes: file attributes, size, starting cluster, dates and times
- When a new file or directory is created, a directory entry in the parent directory (..) is allocated for it
- Directory entries are searched by using the full name
- The FAT structure is used to find the remaining clusters

Directory Entry Structures

[Figure: how a directory entry, the FAT and the clusters relate]
  Directory entry:  File1.dat   4,000 bytes   starting cluster 34
  FAT structure:    entry 34 -> 35,  entry 35 -> EOF
  Clusters:         Cluster 34, Cluster 35
Directory Entry Data Structure


Bytes   Description
0       first character of file name in ASCII
1-10    characters 2 to 11 of file name in ASCII
11      file attributes (read only, hidden, volume label, etc.)
13      creation time (tenths of seconds)
14-15   creation time (hours, minutes, seconds)
16-17   creation day
18-19   last accessed day
20-21   high 2 bytes of first cluster address
22-23   written time (hours, minutes, seconds)
24-25   written day
26-27   low 2 bytes of first cluster address
28-31   size of file (0 for directories), max file size 4GB

See Tables 10.5 and 10.6

Directory Entries
Directory entries can exist anywhere in the data area. When a new file or directory is created, a directory entry in the parent directory is allocated for it. Byte 11 of the directory entry is an attribute field that can contain 7 different attributes:

- Directory attribute
- Long file name attribute
- Volume label (only one directory entry should have this attribute)
- Read-only attribute
- Hidden attribute
- System attribute
- Archive attribute

The allocation status of a directory entry is determined by using the first byte. In an allocated entry, the first byte stores the first character of the file name; it is replaced by 0xe5 when the entry becomes unallocated.

[Figure (Carrier Figure 9.12): directory entries located in sector 520 and sector 1,376 of the data area, after the FAT area]

Each 512-byte sector can store 16 directory entry structures.

Cluster Chains
If a FAT entry is non-zero, it contains the address of the next cluster, an EOF marker, or a bad sector indicator.

[Figure: FAT entries 39-44 and the directory entry that points into them]
  Cluster:  39   40   41   42    43   44
  Entry:    0    41   44   EOF   0    EOF
  Directory entry: File1.dat, Start: 40, Size: 6,013

We know from the file size how many clusters are needed; the chain for File1.dat runs 40 -> 41 -> 44 -> EOF.
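Decoding a FAT16 table, following a cluster chain, reading cluster allocation status, and the first-available / next-available scans from the allocation slide, as an added Python example that is not part of the slides. The table is constructed from the two figures (clusters 39-44 with File1.dat's chain 40 -> 41 -> 44, and clusters 61-67 with 65 as the last allocated cluster); the bad cluster at 45 and the looping pair 50/51 are added here so the consistency checks have something to catch. Entry values 0xFFF7 (bad) and 0xFFF8-0xFFFF (end of chain) are the standard FAT16 markers.

```python
import struct

FAT16_BAD = 0xFFF7        # bad cluster marker
FAT16_EOF = 0xFFF8        # values 0xFFF8-0xFFFF mark the end of a chain

def build_fat16(entries):
    """Pack {cluster: value} into raw little-endian FAT16 bytes (constructed sample table)."""
    table = bytearray((max(entries) + 1) * 2)
    for cluster, value in entries.items():
        struct.pack_into("<H", table, cluster * 2, value)
    return bytes(table)

def sample_fat():
    """Entries from the two figures above plus constructed extras: cluster 45 is
    marked bad and clusters 50/51 point at each other. Entries 0 and 1 are reserved."""
    x = 0xFFFF                          # an allocated cluster that ends its chain
    return build_fat16({0: 0xFFF8, 1: 0xFFFF,
                        39: 0, 40: 41, 41: 44, 42: x, 43: 0, 44: x,
                        45: FAT16_BAD, 50: 51, 51: 50,
                        61: x, 62: 0, 63: x, 64: x, 65: x, 66: 0, 67: 0})

def fat16_entry(fat, cluster):
    return struct.unpack_from("<H", fat, cluster * 2)[0]

def cluster_status(fat, cluster):
    value = fat16_entry(fat, cluster)
    if value == 0:
        return "unallocated"
    if value == FAT16_BAD:
        return "bad"
    if value >= FAT16_EOF:
        return "allocated (end of chain)"
    return "allocated"

def follow_chain(fat, start):
    """Walk the chain from `start`. Returns (clusters, reason): reason is 'eof' for
    a clean chain, otherwise the inconsistency that stopped the walk."""
    chain, seen, cur = [], set(), start
    while True:
        if cur in seen:
            return chain, "loop"
        seen.add(cur)
        chain.append(cur)
        value = fat16_entry(fat, cur)
        if value == 0:
            return chain, "unallocated"
        if value == FAT16_BAD:
            return chain, "bad"
        if value >= FAT16_EOF:
            return chain, "eof"
        cur = value

def clusters_needed(size, cluster_bytes):
    return -(-size // cluster_bytes)

def verify_file(fat, start, size, cluster_bytes):
    """Cross-check a directory entry (start cluster, size) against the FAT chain."""
    chain, reason = follow_chain(fat, start)
    return chain, reason == "eof" and len(chain) == clusters_needed(size, cluster_bytes)

def first_available(fat, start=2):
    """First-available strategy: scan from the beginning for a 0 entry."""
    for c in range(start, len(fat) // 2):
        if fat16_entry(fat, c) == 0:
            return c
    return None

def next_available(fat, last_allocated):
    """Next-available strategy: scan forward from the last allocated cluster, wrapping around."""
    n = len(fat) // 2
    for step in range(1, n - 2):
        c = 2 + (last_allocated - 2 + step) % (n - 2)
        if fat16_entry(fat, c) == 0:
            return c
    return None

if __name__ == "__main__":
    fat = sample_fat()
    print("File1.dat chain:", verify_file(fat, 40, 6013, 2048))   # 6,013 bytes in 2048-byte clusters
    print("first-available from 61:", first_available(fat, 61), " next-available after 65:", next_available(fat, 65))
    print("cluster 50:", follow_chain(fat, 50))
```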

Creation times in directory entries

Cluster 110 (parent directory):
  Name       Created            Cluster
  Dir2       3/30/08 01:02:03   128
  Dir1       4/03/08 11:12:13   256
  File8.dat  5/24/08 12:12:12   512

Cluster 256 (Dir1):
  Name       Created            Cluster
  .          4/01/08 05:14:00   256
  ..         4/04/08 05:14:00   110
  File1.dat  4/03/08 12:12:12   208

The created time in the directory entry for the directory (Dir1: 4/03/08 11:12:13) does not match the . and .. entries (4/01/08 05:14:00 and 4/04/08 05:14:00).
Carrier Figure 9.10

Directories

- When a new directory is created, a cluster is allocated and wiped with zeros
- The size field is always zero; to find the size of the directory, go to the starting cluster and follow the cluster chain until EOF
- The first two directory entries in a directory are the current directory (.) and the parent directory (..)
- The time fields of the . and .. entries may be used to verify the creation time of a directory. However, we cannot confirm the last written date, because the . and .. entries are not updated for each directory modification.

Directory Entry Allocation


[Figure: Directory Entries #1 to #6 with their allocation status (allocated / unallocated) and the last allocated entry marked; entry 3 was unallocated after entry 4 was allocated]

Carrier's observations:
1. Windows 98 uses a first-available allocation strategy and starts from the beginning
2. Windows XP uses next-available and starts from the last allocated directory entry

Searching for deleted directories

When unallocated, the first letter of a file name is changed to _ (0xe5)

Thus, if two files had similar names: A-1.dat and B-1.dat, they would now both be _-1.dat

When a directory is deleted and its entry is reallocated, the cluster for that directory is orphaned

To find orphan files, every sector of the data area needs to be examined... See figure 9.11

Analysis Scenario
Imagine that a FAT file system has been recently formatted and we need to recover the directories from before the format.
That means we need to look at all the unallocated space and see if there is any directory information in there. Using TSK, we can extract the unallocated space using dls.

Analysis Contd. - Search for Unallocated Space and then Search for Directories

dls allows us to extract the unallocated space:

# dls -f fat Fat-10.dd > fat-10.dls

sigfind can be used to search for a signature. Example: the first 4 bytes of a directory are always "." followed by three spaces (the current directory entry), which has the hex code 0x2e202020:

# sigfind -b 512 2e202020 fat-10.dls
Block size: 512 Offset: 0
Block: 180 (-)
Block: 2004 (+1824)
Block: 3092 (+1088)
Block: 3188 (+96)
Block: 19028 (+15840)

...which says that this signature occurred in sector 180 and others.

Viewing the contents of Sector 180

# dd if=fat-10.dls skip=180 count=1 | xxd
0000000: 2e20 2020 2020 2020 2020 2010 0037 5daf  .          ..7].
0000016: 3c23 3c23 0000 5daf 3c23 4f19 0000 0000  <#<#..].<#O.....
0000032: 2e2e 2020 2020 2020 2020 2010 0037 5daf  ..         ..7].
0000048: 3c23 3c23 0000 5daf 3c23 dc0d 0000 0000  <#<#..].<#......
0000064: e549 4c45 312e 4441 5420 2020 0000 0000  .ILE1.DAT   ....
0000080: 7521 7521 0000 0000 7521 5619 00d0 0000  u!u!....u!V.....

Three entries are shown here. The first two are the . and .. entries. The . entry points to cluster 6,479 (0x194f). The .. entry points to cluster 3,548 (0x0ddc). The third entry is for a file that starts in cluster 6,486 (0x1956) with a size of 53,248 bytes (0xd000). File recovery could be performed on this file now that we know its starting address and size.
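A directory entry parser following the Directory Entry Data Structure table above, run over the 96 bytes of sector 180 shown in this dump, as an added Python example that is not part of the slides and not TSK code. The bytes are the six dump lines above; the zero padding to a full 512-byte sector is constructed (the dump stopped after three entries), and the FAT date/time bit layout (year since 1980 in the high 7 bits, month 4 bits, day 5 bits; hour 5 bits, minute 6 bits, 2-second units in the low 5 bits) is the standard encoding, not something the slides state. The parser also recognises the 0x2e202020 signature used with sigfind.

```python
import struct

ENTRY_SIZE = 32
ATTR_LFN = 0x0F                      # all four low attribute bits set: long file name entry
ATTR_FLAGS = {0x01: "read-only", 0x02: "hidden", 0x04: "system",
              0x08: "volume label", 0x10: "directory", 0x20: "archive"}
DIR_SIGNATURE = b".   "              # 0x2e202020: the '.' entry that opens every directory

# The six xxd lines from sector 180 of fat-10.dls above, padded with zeros to a
# 512-byte sector (constructed padding; the dump only showed three entries).
SAMPLE_SECTOR = bytes.fromhex(
    "2e202020202020202020201000375daf"
    "3c233c2300005daf3c234f1900000000"
    "2e2e2020202020202020201000375daf"
    "3c233c2300005daf3c23dc0d00000000"
    "e5494c45312e44415420202000000000"
    "75217521000000007521561900d00000"
).ljust(512, b"\x00")

def fat_date(v):
    """16-bit FAT date -> (year, month, day)."""
    return 1980 + (v >> 9), (v >> 5) & 0x0F, v & 0x1F

def fat_time(v):
    """16-bit FAT time -> (hour, minute, second); seconds are stored in 2-second units."""
    return v >> 11, (v >> 5) & 0x3F, (v & 0x1F) * 2

def parse_dir_entry(raw):
    """Decode one 32-byte directory entry; None for a never-used entry (first byte 0x00)."""
    if len(raw) != ENTRY_SIZE:
        raise ValueError("a directory entry is exactly 32 bytes")
    first = raw[0]
    if first == 0x00:
        return None
    attr = raw[11]
    deleted = first == 0xE5          # 0xe5 replaced the first name character on deletion
    if attr == ATTR_LFN:
        return {"type": "lfn", "deleted": deleted}
    name = bytearray(raw[0:11])
    if deleted:
        name[0] = ord("_")           # show the unknown first character as _
    # bytes 13-31: tenths, ctime, cdate, adate, high cluster, wtime, wdate, low cluster, size
    ctenths, ctime, cdate, adate, high, wtime, wdate, low, size = struct.unpack_from("<BHHHHHHHI", raw, 13)
    return {
        "type": "directory" if attr & 0x10 else "file",
        "name": name.decode("ascii", "replace").rstrip(),
        "deleted": deleted,
        "attributes": [label for bit, label in ATTR_FLAGS.items() if attr & bit],
        "first_cluster": (high << 16) | low,
        "size": size,                # 0 for directories
        "created": fat_date(cdate) + fat_time(ctime) + (ctenths,),
        "accessed": fat_date(adate),
        "written": fat_date(wdate) + fat_time(wtime),
    }

def looks_like_directory(sector):
    """The signature test sigfind was given: a directory starts with the '.' entry."""
    return sector[:4] == DIR_SIGNATURE

def parse_directory_sector(sector):
    """All entries in a sector (16 per 512 bytes), stopping at the first never-used entry."""
    entries = []
    for off in range(0, len(sector) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = parse_dir_entry(sector[off:off + ENTRY_SIZE])
        if entry is None:
            break
        entries.append(entry)
    return entries

if __name__ == "__main__":
    print("directory signature present:", looks_like_directory(SAMPLE_SECTOR))
    for e in parse_directory_sector(SAMPLE_SECTOR):
        print(e["name"], e["type"], "deleted" if e["deleted"] else "allocated",
              "cluster", e["first_cluster"], "size", e["size"], "created", e["created"])
```

The deleted entry keeps everything except its first name byte, which is why the starting cluster (6,486) and size (53,248) are still available for recovery; the parser reports the name as "_ILE1.DAT" because the first character is unrecoverable from the entry alone.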

File Name Category


FAT does not differentiate between a file name address and a metadata address, so the file name data is the same directory entry that was examined in the metadata category. So far, what we saw were file names with 8 characters plus a 3-character extension: short file names (SFN).

- The SFN entry contains the time, size, and starting cluster information
- A file may also have a longer, more descriptive file name, the long file name (LFN)
- If there are more than 13 characters, more LFN entries are used (see figure 9.15)

Finding Hidden Data

- Unused sectors in the reserved area
- Between the end of the file system and the end of the volume: compare the number of sectors in the file system (given in the boot sector) with the number of sectors in the volume to find volume slack. The total number of sectors value can easily be changed in the boot sector.

Finding more hidden data...

- Between the last entry in the primary FAT and the start of the backup copy, or between the last valid entry in the backup FAT and the start of the data area: compare the size of each FAT with the size needed for the number of clusters in the file system
- Someone could create a directory with only a few files and use the rest of the directory space for hiding data: compare the allocated size of the directory to the number of allocated files
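The three comparisons from these two slides (volume slack, FAT slack, directory slack) worked out in Python, as an added example that is not part of the slides and not TSK code. The file system values are the fsstat ones from the fat-4.dd example (205,632 sectors, 38 reserved, 2 FATs of 797 sectors, 1024-byte clusters, 32-bit FAT entries); the volume sizes, the enlarged 800-sector FAT and the two-cluster directory are constructed inputs that show what the checks flag. Region labels and function names are this example's own.

```python
def ceil_div(a, b):
    return -(-a // b)

def volume_slack(volume_sectors, fs_total_sectors):
    """Sectors between the end of the file system (boot sector value) and the end of the volume."""
    return volume_sectors - fs_total_sectors

def fat_slack(total_sectors, data_start, spc, fat_sectors, entry_bits, bps=512):
    """How much of each FAT copy lies past the last entry any cluster needs.
    Entries 0 and 1 are reserved, so N clusters need N + 2 entries; entry_bits is
    12, 16 or 32 depending on the FAT version."""
    clusters = (total_sectors - data_start) // spc
    needed_bytes = ceil_div((clusters + 2) * entry_bits, 8)
    needed_sectors = ceil_div(needed_bytes, bps)
    return {"clusters": clusters, "needed_sectors": needed_sectors,
            "unused_sectors": fat_sectors - needed_sectors,
            "unused_bytes": fat_sectors * bps - needed_bytes}

def directory_slack(chain_length, entries_in_use, cluster_bytes):
    """Clusters allocated to a directory beyond what its in-use entries (32 bytes each) occupy."""
    return chain_length - ceil_div(entries_in_use * 32, cluster_bytes)

def hidden_data_regions(volume_sectors, total_sectors, reserved, num_fats,
                        fat_sectors, spc, entry_bits, bps=512):
    """Sector ranges worth examining, derived from the boot sector values alone."""
    regions = []
    if reserved > 1:
        regions.append(("reserved area after boot sector", 1, reserved - 1))
    data_start = reserved + num_fats * fat_sectors
    slack = fat_slack(total_sectors, data_start, spc, fat_sectors, entry_bits, bps)
    if slack["unused_sectors"] > 0:
        for i in range(num_fats):
            start = reserved + i * fat_sectors
            regions.append((f"FAT {i} slack", start + slack["needed_sectors"], start + fat_sectors - 1))
    if volume_slack(volume_sectors, total_sectors) > 0:
        regions.append(("volume slack", total_sectors, volume_sectors - 1))
    return regions

if __name__ == "__main__":
    # fat-4.dd values, on a volume that is exactly as large as the file system
    print(hidden_data_regions(205632, 205632, 38, 2, 797, 2, 32))
    # same file system with each FAT grown to 800 sectors, on a 209,715-sector volume
    print(hidden_data_regions(209715, 205632, 38, 2, 800, 2, 32))
    # a directory holding two clusters of 1024 bytes but only 5 entries in use
    print("extra directory clusters:", directory_slack(2, 5, 1024))
```

For the fat-4.dd values the FAT needs 797 sectors for 102,002 entries, so only 56 bytes at the end of each copy are unused and nothing beyond the reserved area is reported; growing each FAT to 800 sectors exposes three unused sectors per copy, and the larger volume exposes 4,083 sectors of volume slack.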

The Big Picture


[Figure: boot sector, FAT, root directory and the clusters of one file]
  Boot Sector -> Root Directory (in the Data Area): entry dir1, starting cluster 90
  Cluster 90 (dir1):  entry File1.txt, starting cluster 200
  FAT:                entry 200 -> 201, entry 201 -> EOF
  Cluster 200:        "This is the content of a file that I just created"
  Cluster 201:        "This is the content from the rest of the file that didn't fit in the cluster"