COEN 152 Computer Forensics

FAT File Systems

The FAT file system is used by older versions of the Windows operating system, but also on floppies.

The FAT file system was originally developed for the IBM PC machine architecture. The importance of this is that the on-disk data structures of FAT are little endian, that is, multi-byte values are stored in reverse byte order, least significant byte first.

In response to increasing disk capacity, three main versions of FAT evolved: FAT12, FAT16 and FAT32. FAT12 is still being used for floppy disks, and FAT32 probably still has the greatest share of computer systems.

Each FAT file system volume contains four basic regions (see Figure 1).

Figure 1: Layout of FAT 12/16 Partition.


FAT Boot Sector and BPB

The first sector in a FAT partition or on a floppy is the BIOS Parameter Block (BPB), also known as the boot sector, the reserved sector, or the zeroth sector. The sector has a very tight structure. Our examples are for FAT32, though the first fields are the same across all FAT file systems.

Offset | Length of Field | Typical Value | Meaning
0x00   | 3B   | eb 34 90 | Jump Instruction
0x03   | 8B   | IBM 3.3  | OEM Manufacturer
0x0b   | 25B  |          | BIOS Parameter Block
0x24   | 26B  |          | Extended BIOS Parameter Block
0x3e   | 448B |          | Bootstrap Code
0x1fe  | 2B   | 55 aa    | End of Sector Marker

Table 1: FAT Boot Sector Layout

Offset   | Length of Field | Typical Value (hex) | Meaning
0x0b, 11 | 2B  | 00 02       | Number of bytes per sector, stored little-endian: the typical value 00 02 translates to 0x0200 = 512.
0x0d, 13 | 1B  | 01          | Number of sectors per cluster.
0x0e, 14 | 2B  | 01 00       | Number of reserved sectors. The number is at least 1. If it is larger, the bootstrap code does not fit in the space allotted to it in the partition boot sector.
0x10, 16 | 1B  | 02          | Number of file allocation tables, typically 2. (This provides redundancy against corruption.)
0x11, 17 | 2B  | e0 00       | Root entries: the total number of file name entries that can be stored in the root folder of the volume. For FAT12 and FAT16 volumes, this value should always specify a count that, when multiplied by 32, results in an even multiple of BPB_BytsPerSec; FAT16 should use 512. For FAT32 volumes, this number is set to zero.
0x13, 19 | 2B  | 40 0b       | The total number of "small" sectors (16-bit count). Here, this number is 0x0b40 = 2880, the value for a 1.4MB floppy.
0x15, 21 | 1B  | f0          | Media type: f0 removable, f8 fixed media, i.e. hard disk.
0x16, 22 | 2B  | 09 00       | Sectors per file allocation table. This is useful to determine the location of the root folder. For FAT32, this field should be zero.
0x18, 24 | 2B  | 12 00       | Sectors per track, here 18. Hence, there must be 80 tracks.
0x1a, 26 | 2B  | 02 00       | Number of heads, here 2.
0x1c, 28 | 4B  | 00 00 00 00 | Count of hidden sectors preceding the partition that contains the FAT volume.
0x20, 32 | 4B  | 00 00 00 00 | Total number of sectors (32-bit count). Either this field or the one at 0x13 is zero, depending on whether the count fits in the 16-bit field. For FAT32, this field holds the total count of sectors.
0x24, 36 | 1B  | 00          | Physical disk number. 0 is the A drive; hard disks start at 0x80.
0x25, 37 | 1B  | 00          | Current head. Unused in the FAT file system.
0x26, 38 | 1B  | 00          | Boot signature.
0x27, 39 | 4B  |             | Volume serial number.
0x2b, 43 | 11B | 00 00 00 ... 00 | Volume label.
0x36, 54 | 8B  |             | System ID, either FAT12 or FAT16.

Table 2: BIOS Parameter Block for FAT12 and FAT16; the extended area from offset 0x24 on differs for FAT32.

Offset   | Length of Field | Meaning
0x0b, 11 | 2B  | Number of bytes per sector, stored little-endian: the typical value 00 02 translates to 0x0200 = 512.
0x0d, 13 | 1B  | Number of sectors per cluster.
0x0e, 14 | 2B  | Number of reserved sectors. The number is at least 1. If it is larger, the bootstrap code does not fit in the space allotted to it in the partition boot sector.
0x10, 16 | 1B  | Number of file allocation tables, typically 2. (This provides redundancy against corruption.)
0x11, 17 | 2B  | Root entries: the total number of file name entries that can be stored in the root folder of the volume. For FAT12 and FAT16 volumes, this value should always specify a count that, when multiplied by 32, results in an even multiple of BPB_BytsPerSec; FAT16 should use 512. For FAT32 volumes, this number is set to zero.
0x13, 19 | 2B  | Total number of "small" sectors (16-bit count); 0 for FAT32.
0x15, 21 | 1B  | Media type: f0 removable, f8 fixed media, i.e. hard disk.
0x16, 22 | 2B  | Sectors per file allocation table (16-bit count). For FAT32, this field should be zero.
0x18, 24 | 2B  | Sectors per track, here 63.
0x1a, 26 | 2B  | Number of heads, here 255.
0x1c, 28 | 4B  | Count of hidden sectors preceding the partition that contains the FAT volume.
0x20, 32 | 4B  | Total number of sectors (32-bit count). Either this field or the one at 0x13 is zero, depending on whether the count fits in the 16-bit field. For FAT32, this field holds the total count of sectors.
0x24, 36 | 4B  | 32-bit count of sectors occupied by one FAT.
0x28, 40 | 2B  | Bits 0-3: zero-based number of the active FAT. Bits 4-6: reserved. Bit 7: 0 means the FAT is mirrored at runtime into all FATs, 1 means only one FAT is active. Bits 8-15: reserved.
0x2a, 42 | 2B  | File system version. High byte: major revision number. An unexpected value here prevents Windows from loading this FAT partition.
0x2c, 44 | 4B  | Cluster number of the first cluster of the root directory.
0x30, 48 | 2B  | Sector number of the FSInfo structure. Usually 1.
0x32, 50 | 2B  | If not zero, indicates the sector number in the reserved area of the volume of a copy of the boot record.
0x34, 52 | 12B | Reserved.
0x40, 64 | 1B  | Drive number.
0x41, 65 | 1B  | Reserved.
0x42, 66 | 1B  | Boot signature.
0x43, 67 | 4B  | Volume ID.
0x47, 71 | 11B | Volume label.
0x52, 82 | 8B  | System ID, i.e. FAT32.

Table 3: BIOS Parameter Block for FAT32.

Offset     | Length of Field | Typical Value | Meaning
0x00, 0    | 4B   | 0x41615252      | Lead signature. This value is used to ensure that this is a FAT32 FSInfo sector.
0x04, 4    | 480B | 00 00 00 00 ... | Currently reserved for future use. Should be initialized to all zero. Bytes should not be used.
0x1e4, 484 | 4B   | 0x61417272      | Structure signature. This value is used to ensure that this is a FAT32 FSInfo sector.
0x1e8, 488 | 4B   | FF FF FF FF     | Contains the last known free cluster count on the volume. A value of 0xFFFFFFFF indicates that the free count is unknown.
0x1ec, 492 | 4B   | ?? ?? ?? ??     | Indicates where the driver should start looking for free clusters.
0x1f0, 496 | 12B  | 00 00 ... 00    | Reserved for future use.
0x1fc, 508 | 4B   | 0xAA550000      | Trail signature. This value is used to ensure that this is a FAT32 FSInfo sector.

Table 4: FSInfo Sector for FAT 32

FAT32 can have very long FATs, since it deals with large partitions. To prevent the system from spending too much time scanning the FAT for free clusters, an FSInfo sector immediately following the BPB holds the "last known" free cluster count, so that it does not have to be recomputed. See Table 4 for the layout.
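As an added example (not from the original course notes), the following Python decodes the BPB fields at the offsets of Tables 2 and 3 with little-endian unpacking, tells a FAT32 volume from FAT12/16 by the zeroed 16-bit root-entry and sectors-per-FAT fields, and validates the three FSInfo signatures of Table 4. The two boot sectors and the FSInfo sector it works on are constructed inside the block; the keys of the returned dictionaries and the function names are this example's own.

```python
import struct

BOOT_SIG = 0xAA55            # bytes 55 aa at offset 0x1fe, read as a little-endian word
# FSInfo signatures from Table 4 as little-endian integers; on disk they read "RRaA" and "rrAa".
FSINFO_LEAD, FSINFO_STRUCT, FSINFO_TRAIL = 0x41615252, 0x61417272, 0xAA550000
UNKNOWN = 0xFFFFFFFF

def parse_bpb(sector: bytes) -> dict:
    """Decode the BPB fields of one boot sector at the offsets given in Tables 2 and 3."""
    if len(sector) < 512 or struct.unpack_from("<H", sector, 0x1FE)[0] != BOOT_SIG:
        raise ValueError("missing 55 aa end-of-sector marker")
    # Common 25-byte BPB at 0x0b; '<' selects little-endian and disables alignment padding.
    (bytes_per_sec, sec_per_clus, reserved, num_fats, root_entries, tot_sec16,
     media, fat_sz16, sec_per_trk, num_heads, hidden,
     tot_sec32) = struct.unpack_from("<HBHBHHBHHHII", sector, 0x0B)
    if tot_sec16 and tot_sec32:
        raise ValueError("only one of the two total-sector fields may be nonzero")
    info = {
        "oem": sector[3:11].decode("ascii", "replace").rstrip(),
        "bytes_per_sector": bytes_per_sec, "sectors_per_cluster": sec_per_clus,
        "reserved_sectors": reserved, "num_fats": num_fats,
        "root_entries": root_entries, "media": media,
        "sectors_per_track": sec_per_trk, "heads": num_heads,
        "hidden_sectors": hidden, "total_sectors": tot_sec16 or tot_sec32,
    }
    if root_entries == 0 and fat_sz16 == 0:        # FAT32: both 16-bit fields are zero (Table 3)
        (fat_sz32, ext_flags, fs_ver, root_clus,
         fsinfo_sec, backup_boot) = struct.unpack_from("<IHHIHH", sector, 0x24)
        info.update({
            "type": "FAT32", "sectors_per_fat": fat_sz32,
            "active_fat": ext_flags & 0x0F, "mirrored": not (ext_flags & 0x80),
            "fs_version": fs_ver, "root_cluster": root_clus,
            "fsinfo_sector": fsinfo_sec, "backup_boot_sector": backup_boot,
            "drive_number": sector[0x40], "boot_signature": sector[0x42],
            "volume_id": struct.unpack_from("<I", sector, 0x43)[0],
            "volume_label": sector[0x47:0x52].decode("ascii", "replace").rstrip(),
            "system_id": sector[0x52:0x5A].decode("ascii", "replace").rstrip(),
        })
    else:                                           # FAT12/16 extended BPB (Table 2)
        info.update({
            "type": sector[0x36:0x3E].decode("ascii", "replace").rstrip(),
            "sectors_per_fat": fat_sz16,
            "drive_number": sector[0x24], "boot_signature": sector[0x26],
            "volume_id": struct.unpack_from("<I", sector, 0x27)[0],
            "volume_label": sector[0x2B:0x36].decode("ascii", "replace").rstrip(),
        })
    return info

def parse_fsinfo(sector: bytes) -> dict:
    """Validate the three FSInfo signatures and return the free-cluster hints (Table 4)."""
    lead = struct.unpack_from("<I", sector, 0x000)[0]
    sig, free_count, next_free = struct.unpack_from("<III", sector, 0x1E4)
    trail = struct.unpack_from("<I", sector, 0x1FC)[0]
    if (lead, sig, trail) != (FSINFO_LEAD, FSINFO_STRUCT, FSINFO_TRAIL):
        raise ValueError("not a FAT32 FSInfo sector")
    return {"free_clusters": None if free_count == UNKNOWN else free_count,
            "next_free_cluster": None if next_free == UNKNOWN else next_free}

def sample_fat32_boot_sector() -> bytes:
    """Constructed FAT32 boot sector (not from a real disk): 512 MB, 8 sectors per cluster."""
    s = bytearray(512)
    s[0:3], s[3:11] = b"\xeb\x58\x90", b"MSWIN4.1"
    struct.pack_into("<HBHBHHBHHHII", s, 0x0B, 512, 8, 32, 2, 0, 0, 0xF8, 0, 63, 255, 2048, 1048576)
    struct.pack_into("<IHHIHH", s, 0x24, 1024, 0, 0, 2, 1, 6)
    s[0x40], s[0x42] = 0x80, 0x29
    struct.pack_into("<I", s, 0x43, 0x1234ABCD)
    s[0x47:0x52], s[0x52:0x5A] = b"EVIDENCE   ", b"FAT32   "
    s[0x1FE:0x200] = b"\x55\xaa"
    return bytes(s)

def sample_floppy_boot_sector() -> bytes:
    """Constructed 1.44 MB floppy boot sector using the typical values of Table 2."""
    s = bytearray(512)
    s[0:3], s[3:11] = b"\xeb\x34\x90", b"IBM  3.3"
    struct.pack_into("<HBHBHHBHHHII", s, 0x0B, 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0, 0)
    s[0x26] = 0x29
    s[0x2B:0x36], s[0x36:0x3E] = b"NO NAME    ", b"FAT12   "
    s[0x1FE:0x200] = b"\x55\xaa"
    return bytes(s)

def sample_fsinfo_sector() -> bytes:
    """Constructed FSInfo sector: 130000 free clusters, next search starts at cluster 5."""
    s = bytearray(512)
    struct.pack_into("<I", s, 0x000, FSINFO_LEAD)
    struct.pack_into("<III", s, 0x1E4, FSINFO_STRUCT, 130000, 5)
    struct.pack_into("<I", s, 0x1FC, FSINFO_TRAIL)
    return bytes(s)
```

Calling `parse_bpb(open("image.dd", "rb").read(512))` on the first sector of a partition image gives the geometry needed for everything that follows; note that the FSInfo hints are advisory only, so a forensic tool should count free entries in the FAT itself rather than trust `free_clusters`.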

There are utilities that translate the contents of the BPB directly.

Figure 2: Example output from Norton Disk Editor boot record view

Based on these data, we can derive a picture of this 500 MB disk. There are two FATs, each of 252 sectors, or about 125KB. The hidden sectors are the sectors before the start of the first partition. The physical drive number is 128 or 0x80, indicating that this is hard disk 0. This is an old MS-DOS disk and uses LBA for sectors. With these data we can draw the layout of the partition:

Figure 3: Corresponding layout of FAT partition.

FAT Data Structure

The File Allocation Table or FAT, which gave the system its name, begins in the first sector after the reserved area. On a floppy, with a single reserved sector, that is the second sector. Actually, two independent copies are kept.

From the viewpoint of FAT, every partition provides us with a number of sectors, sequentially numbered starting with 0. If, however, we were to allocate individual sectors, the corresponding metadata structures would take up a large portion of the disk. Instead, we allocate sectors in clusters. In the example above, there are 16 sectors in a cluster.

FAT provides two fundamental services:

  1. Files can be named and carry attributes such as access control and the location of the beginning of the file.
  2. Files that use more than a single cluster need a record of where the next portion of the file can be found.

FAT uses the root directory for the first task and the FAT structure for the second. To explain the function of the latter, we best use a simple example:

Figure 4: How the FAT works

In Figure 4, we have a file called "TEST.DOC". It starts in cluster 32. To follow the file, we go to the FAT entry for 32 and find 36. Thus, the rest of the file continues in cluster 36. Using the FAT entry there, we are sent to cluster 38. The special value FFFF tells us that the file ends in this cluster. FAT entries of 0000 indicate clusters that can be allocated.

By the way, defragmentation refers to reallocating the files so that they take up contiguous space as much as possible. This speeds up file access considerably, since the disk can then transfer larger portions of a file in a single operation.

The size of the FAT is considerable, since it contains an entry for each cluster. Making clusters very large results in a small FAT, but also wastes space, as no two files can share the same cluster. Making clusters very small results in a very large FAT, which wastes time and, more importantly, degrades performance. Thus, clusters tend to be quite small and, to save space for the FAT, the entry size is limited as much as possible. The ideal value for cluster size and FAT entry size depends on the capacity of the storage device, so that, as a result of progress, FAT schemes become outdated very fast. The first FAT used 12-bit entries (which are hard to read on a hex dump). The maximum cluster number is then 0xfff or 4095, but actually some entries are reserved; see Figure 5. The next step was to add a half byte to each entry for FAT16. For large disk partitions, over 2GB, we need to use FAT32. The first two entries in a FAT can never be assigned to a file, which is why they start out with F8 FF FF FF in FAT16.

FAT 12          | FAT 16          | Meaning
000             | 0000            | available for allocation
001             | 0001            | not used
FF0             | FFF0-FFF6       | reserved
FF7             | FFF7            | bad cluster, dna
FF8-FFF         | FFF8-FFFF       | last cluster in file
everything else | everything else | next cluster

Figure 5: Meaning of FAT entries
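The chain-following described for TEST.DOC above, together with the entry values of Figure 5, as an added example that is not part of the original notes: `fat_entry` handles the 1.5-byte packing of FAT12 entries as well as FAT16 and FAT32, `classify` generalizes the FAT12/FAT16 columns of Figure 5 to all three widths, and `follow_chain` stops cleanly on the corruptions a forensic tool meets in practice (a chain that loops back on itself, or one that runs into a free entry). The FAT12 and FAT16 tables are constructed inside the block, and the function names are this example's own.

```python
import struct

def fat_entry(fat: bytes, cluster: int, bits: int) -> int:
    """Read the FAT entry for `cluster`. FAT12 packs two 12-bit entries into three bytes."""
    if bits == 12:
        off = cluster + cluster // 2                # 1.5 bytes per entry
        word = struct.unpack_from("<H", fat, off)[0]
        return word >> 4 if cluster & 1 else word & 0x0FFF
    if bits == 16:
        return struct.unpack_from("<H", fat, 2 * cluster)[0]
    if bits == 32:
        return struct.unpack_from("<I", fat, 4 * cluster)[0] & 0x0FFFFFFF  # top 4 bits reserved
    raise ValueError("bits must be 12, 16 or 32")

def classify(value: int, bits: int) -> str:
    """Meaning of an entry value, generalizing the two columns of Figure 5 to all widths."""
    top = (1 << bits) - 1 if bits < 32 else 0x0FFFFFFF      # FFF, FFFF or 0FFFFFFF
    if value == 0:
        return "free"
    if value == 1:
        return "not used"
    if value >= top - 7:          # FF8-FFF / FFF8-FFFF
        return "end of chain"
    if value == top - 8:          # FF7 / FFF7
        return "bad cluster"
    if value >= top - 15:         # FF0-FF6 / FFF0-FFF6
        return "reserved"
    return "next cluster"

def follow_chain(fat: bytes, start: int, bits: int):
    """Walk a file's cluster chain from its first cluster. Returns (clusters, status)."""
    chain, seen, cluster = [], set(), start
    while True:
        if cluster in seen:                      # corrupt FAT: the chain points back on itself
            return chain, "loop"
        seen.add(cluster)
        chain.append(cluster)
        nxt = fat_entry(fat, cluster, bits)
        kind = classify(nxt, bits)
        if kind == "end of chain":
            return chain, "ok"
        if kind != "next cluster":               # ran into a free, reserved or bad entry
            return chain, "broken (%s entry)" % kind
        cluster = nxt

def set_fat12(fat: bytearray, cluster: int, value: int) -> None:
    """Store a 12-bit entry without disturbing the neighbour that shares a byte with it."""
    off = cluster + cluster // 2
    word = struct.unpack_from("<H", fat, off)[0]
    if cluster & 1:
        word = (word & 0x000F) | ((value & 0xFFF) << 4)
    else:
        word = (word & 0xF000) | (value & 0xFFF)
    struct.pack_into("<H", fat, off, word)

# Constructed chains shared by both samples, matching the TEST.DOC example of Figure 4:
#   32 -> 36 -> 38 -> end of chain; 40 <-> 41 is a loop; 50 -> 51 -> free entry (broken).
LINKS = {32: 36, 36: 38, 40: 41, 41: 40, 50: 51}

def sample_fat16() -> bytes:
    fat = bytearray(2 * 64)                            # room for 64 entries
    struct.pack_into("<HH", fat, 0, 0xFFF8, 0xFFFF)    # entries 0 and 1: F8 FF FF FF
    for c, n in LINKS.items():
        struct.pack_into("<H", fat, 2 * c, n)
    struct.pack_into("<H", fat, 2 * 38, 0xFFFF)
    return bytes(fat)

def sample_fat12() -> bytes:
    fat = bytearray(3 * 32 + 2)                        # 64 entries at 1.5 bytes each, plus slack
    set_fat12(fat, 0, 0xFF0)                           # media byte f0 of a floppy
    set_fat12(fat, 1, 0xFFF)
    for c, n in LINKS.items():
        set_fat12(fat, c, n)
    set_fat12(fat, 38, 0xFFF)
    return bytes(fat)
```

On a real image, read the FAT area with the geometry from the BPB (reserved sectors, sectors per FAT) and hand it to `follow_chain` with the first cluster from a directory entry; comparing the chain length in clusters with the file size in the directory entry is a quick consistency check, and the second FAT copy can be walked the same way when the first is damaged.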

With the large disks of the present day, M$ and other file system vendors are going different routes.

For a 12-bit example, go to FAT 12 Allocation Table.

Root Directory

A FAT directory is nothing but a linear file composed of a list of 32-byte structures. The only directory that must be present is the root directory. For FAT12 and FAT16, the root directory is located right after the last FAT and is of fixed size. FAT32 directories are cluster chains. Originally, MS only supported "short" file names of 8 bytes plus a 3-byte extension.

FAT12 & FAT16 Root Directories

Each directory entry follows a simple structure

Offset | Length of Field | Typical Value | Meaning
0x00   | 8B  | 49 4F 20 20 20 20 20 20 | File name, padded with spaces
0x08   | 3B  | 53 59 53                | 3B file extension
0x0b   | 1B  | 04                      | File Attribute
0x0c   | 10B | 27 00 00 00 00 00 00 75 2F 00 00 | Reserved
0x16   | 2B  | 65 59                   | Time of last change
0x18   | 2B  | 18 21                   | Date of Last Change
0x1a   | 2B  | 02 00                   | First Cluster
0x1c   | 4B  | 34 47 03 00             | File Size

Table 5: FAT 12 / 16 Directory Entry (short entry)

The first character of the file name is important: a value of 0xE5 marks the entry as deleted (the rest of the entry, including the first cluster and size, is left in place), and a value of 0x00 marks an entry that has never been used.

The file attribute entry is a tightly packed bit map. File behavior is different for hidden files (not displayed by the DIR command) and for system files. A mark of 08 (the volume label bit) means that this entry is the name of the whole volume; in this case, the reserved bytes starting at 0c are part of the volume name of that partition. If the subdirectory bit is set, then the first cluster field points to a subdirectory rather than to a file.

The next 10 bytes are reserved in MS-DOS up to 6.22. Windows 95 and DOS 7.0 use seven of the bytes for additional date and time information, and two of them are used in FAT32 to make up the four bytes needed for the first cluster entry.

The next four bytes make up the time and the date of the last change, in a very interesting example of bit packing.

The second-to-last field gives the address of the first cluster. FAT12 and FAT16 only need the two bytes allocated there; FAT32 needs an additional 2B out of the reserved bytes.

FAT 32 Root Directory

Offset | Length of Field | Typical Value | Meaning
0x00   | 8B | 49 4F 20 20 20 20 20 20 | File name, padded with spaces
0x08   | 3B | 53 59 53                | 3B file extension
0x0b   | 1B | 04                      | File Attribute
0x0c   | 1B | 00                      | Reserved
0x0d   | 1B | 23                      | Millisecond stamp at file creation time.
0x0e   | 2B | 65 59                   | Time file was created
0x10   | 2B | 18 21                   | Date file was created
0x12   | 2B | 18 21                   | Date file was last accessed
0x14   | 2B |                         | High word of the file's first cluster
0x16   | 2B |                         | Time of last write.
0x18   | 2B |                         | Date of last write.
0x1a   | 2B |                         | Low word of the file's first cluster
0x1c   | 4B |                         | File size in bytes

Table 5: FAT 32 Directory Entry (short entry)

FAT32 directories make use of the reserved space to add the date and time the file was created, the date it was last accessed, and the date and time of the last write. The remaining field holds the other half of the number of the first cluster of the file.

The modification times of files are very important in a forensic investigation. For example, activity during a time when the owner of a workstation was not present can indicate malicious activity.
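An added example (not from the original page) that parses short directory entries in both layouts of Table 5: the `struct` format follows the FAT32 field order, and the FAT12/16 layout reads the same bytes except that the reserved words are ignored and only the low cluster word is used. The date and time unpacking follows the standard FAT bit layout (hours, minutes and two-second units; years since 1980, month and day), which the page alludes to but does not spell out. The sample entries are constructed here from the typical values in Table 5, and the function names are this example's own.

```python
import struct
from datetime import date, time

# Attribute bits of the byte at offset 0x0b (Table 5), lowest bit first.
ATTR_NAMES = ["read-only", "hidden", "system", "volume-label", "directory", "archive"]
ATTR_LONG_NAME = 0x0F

# FAT32 short entry, all fields little-endian. On FAT12/16 the bytes 0x0c-0x15 are reserved,
# so the creation/access stamps and the high cluster word are simply ignored there.
ENTRY = struct.Struct("<8s3sBBBHHHHHHHI")

def unpack_time(t: int):
    """Standard FAT time packing: hours<<11 | minutes<<5 | seconds/2 (assumed layout)."""
    h, m, s = t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2
    return time(h, m, s) if h < 24 and m < 60 and s < 60 else None   # None: corrupt field

def unpack_date(d: int):
    """Standard FAT date packing: (year-1980)<<9 | month<<5 | day. Zero means 'not set'."""
    month, day = (d >> 5) & 0x0F, d & 0x1F
    if not (1 <= month <= 12 and 1 <= day <= 31):
        return None
    try:
        return date(1980 + (d >> 9), month, day)
    except ValueError:                                 # e.g. day 31 in a 30-day month
        return None

def parse_short_entry(raw: bytes, fat32: bool = True) -> dict:
    (name, ext, attr, _ntres, crt_tenth, crt_time, crt_date, acc_date,
     clus_hi, wrt_time, wrt_date, clus_lo, size) = ENTRY.unpack(raw)
    if name[0] == 0x00:
        state = "unused"
    elif name[0] == 0xE5:
        state = "deleted"          # first character overwritten, everything else survives
    else:
        state = "active"
    base, extension = name.decode("latin-1").rstrip(), ext.decode("latin-1").rstrip()
    entry = {
        "state": state,
        "name": base + ("." + extension if extension else ""),
        "attributes": ["long-name piece"] if attr == ATTR_LONG_NAME
                      else [n for i, n in enumerate(ATTR_NAMES) if attr & (1 << i)],
        "first_cluster": clus_lo | (clus_hi << 16) if fat32 else clus_lo,
        "size": size,
        "write_time": unpack_time(wrt_time),
        "write_date": unpack_date(wrt_date),
    }
    if fat32:
        entry.update(create_time=unpack_time(crt_time), create_date=unpack_date(crt_date),
                     create_tenths=crt_tenth, access_date=unpack_date(acc_date))
    return entry

def parse_directory(raw: bytes, fat32: bool = True) -> list:
    """Parse consecutive 32-byte entries up to the first never-used one."""
    entries = []
    for off in range(0, len(raw) - 31, 32):
        e = parse_short_entry(raw[off:off + 32], fat32)
        if e["state"] == "unused":
            break
        entries.append(e)
    return entries

def sample_directory() -> bytes:
    """Constructed directory data, not read from a real disk: the IO.SYS entry built from the
    typical values in Table 5, a FAT32 file whose first cluster needs the high word, and a
    deleted entry that still carries its cluster and size."""
    io_sys = ENTRY.pack(b"IO      ", b"SYS", 0x04, 0, 0, 0, 0, 0, 0,
                        0x5965, 0x2118, 0x0002, 0x034734)
    big = ENTRY.pack(b"LOG     ", b"TXT", 0x20, 0, 0x23, 0x5965, 0x2118, 0x2118, 0x0001,
                     0x5965, 0x2118, 0x0002, 4096)
    deleted = ENTRY.pack(b"\xe5LDNAME ", b"DOC", 0x20, 0, 0, 0, 0, 0, 0,
                         0x5965, 0x2118, 0x0040, 10)
    return io_sys + big + deleted + bytes(32)
```

The typical values 65 59 and 18 21 from Table 5 decode to 11:11:10 on 1996-08-24, which illustrates why the little-endian word order matters: reading them big-endian would give a nonsensical time. For a timeline, the deleted entry is as valuable as the active ones, since its cluster number and size still point at the data.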

Long Filenames

The original limitation to 8-byte file names soon became too tight. When MS added support for long file names, it needed to avoid breaking legacy systems and code. The developers needed to put the long names in close proximity to the entries with short file names. They also needed to prevent disk utilities from misdiagnosing long file name information as directory fields in need of repair. For this reason, the long file name entries in a directory have the same format as short file name entries, but they set the file attribute byte at offset 0x0b to read-only, hidden, system, and volume, that is, to 00001111 = 0x0f.

Offset | Length of Field | Typical Value | Meaning
0x00   | 1B  | 41                            | Entry order number in the sequence of long directory entries
0x01   | 10B | 65 00 74 00 68 00 65 00 72 00 | Long directory entry name characters 1-5 (in Unicode, little endian)
0x0b   | 1B  | 0F                            | File attribute, must be 0x0f
0x0c   | 1B  | 00                            | Type: if zero, this is a subcomponent of a long name
0x0d   | 1B  | DE                            | Checksum of the short file name
0x0e   | 12B | 00 00 FF FF FF FF FF FF FF FF FF FF | Long directory entry name characters 6-11 (in Unicode, little endian)
0x1a   | 2B  | 00 00                         | Must be zero to be compatible with the first cluster entry of short directory entries
0x1c   | 4B  | 02 00                         | Long directory entry name characters 12-13 (in Unicode, little endian)

Table 6: Long Filename Entry in a Directory

Long entries are always paired with short directory entries, with the long file name entries immediately preceding the short file name entry. To prevent "orphaning" a long entry, the file system uses two further checks. First, all members in a set of long entries are uniquely numbered, and the last member of the set is marked by OR-ing its sequence number with 0x40. Second, the system computes an 8-bit checksum over the name contained in the short directory entry at the time the short and long entries are created, and places this checksum into each long entry. If the checksum does not agree with the associated short entry, the long entry is treated as an orphan. If a file is created with a long file name, a short name is created as well, typically of the form "examp~14.xyz", where the alphabetic piece is an initial piece of the long file name and the number is appended to keep the short file name unique.

Long file names can be up to 255 B long; therefore, they can take up more than a single directory entry.

Figure 4: A long file name

Figure 4 shows the contents of a root directory with two short file name entries (red). Reading from the bottom to the top of the "long" entries (blue), we can see that the long file name is "This Entry is a very long file name, do you see hot it is put together"; actually, this is a directory. The first byte of each long entry gives its number: 01, 02, 03, 04, 05, and 06 OR-ed with 40 to yield 46. Notice the attribute 0F in the long entries and the attribute 10 in the short entries; the latter means that both short entries refer to directories. The short file name is all upper case, whereas the long name is stored in Unicode characters.
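As an added example (not part of the original notes), the Python below reconstructs long file names from a directory and applies the two orphan checks described above: the sequence numbers must run N (OR-ed with 0x40), N-1, ..., 1 down to the short entry, and every long entry must carry the checksum of the short name. The checksum formula (rotate the running sum right by one bit, then add the next of the 11 short-name bytes) is the standard FAT one and is not given on the page; the sample directory and the `corrupt_checksum` switch are constructed here to show the orphan case, and the function names are this example's own.

```python
LFN_ATTR = 0x0F          # read-only | hidden | system | volume label
LAST_LONG_ENTRY = 0x40   # OR-ed into the sequence number of the last member of a set

def lfn_checksum(short_name: bytes) -> int:
    """8-bit checksum over the 11-byte short name (8 name + 3 extension bytes).
    Rotate-right-then-add is the standard FAT formula (assumed; not spelled out on the page)."""
    s = 0
    for c in short_name:
        s = ((((s & 1) << 7) | (s >> 1)) + c) & 0xFF
    return s

def lfn_piece(entry: bytes) -> str:
    """The up to 13 UTF-16LE characters stored at offsets 0x01, 0x0e and 0x1c (Table 6)."""
    raw = entry[1:11] + entry[14:26] + entry[28:32]
    text = raw.decode("utf-16-le", "replace")
    return text.split("\x00", 1)[0].rstrip("\uffff")   # stop at the terminator, drop FF FF padding

def read_directory(raw: bytes) -> list:
    """Pair each run of long entries with the short entry that follows it; report orphans."""
    results, pending = [], []              # pending: long entries seen since the last short entry
    for off in range(0, len(raw) - 31, 32):
        e = raw[off:off + 32]
        if e[0] == 0x00:                   # never-used entry: end of directory
            break
        if e[0] == 0xE5:                   # deleted entry (deleted long pieces look the same)
            pending = []
            continue
        if e[11] == LFN_ATTR:
            pending.append(e)
            continue
        short = e[0:11]
        long_name = None
        if pending:
            seqs = [p[0] & 0x3F for p in pending]
            valid = (bool(pending[0][0] & LAST_LONG_ENTRY)
                     and seqs == list(range(len(pending), 0, -1))   # N, N-1, ..., 1 on disk
                     and all(p[13] == lfn_checksum(short) for p in pending))
            if valid:
                long_name = "".join(lfn_piece(p) for p in reversed(pending))
        results.append({"short": short.decode("latin-1"), "long": long_name,
                        "orphaned_long_entries": 0 if long_name else len(pending)})
        pending = []
    return results

def build_lfn_entries(long_name: str, short_name: bytes) -> list:
    """Build the long-entry set for a name in disk order (helper for the constructed sample)."""
    units = long_name.encode("utf-16-le")
    if len(units) % 26:                    # terminate and pad with FF FF unless it fits exactly
        units += b"\x00\x00"
        units += b"\xff" * ((-len(units)) % 26)
    chunks = [units[i:i + 26] for i in range(0, len(units), 26)]
    csum, n = lfn_checksum(short_name), len(chunks)
    entries = []
    for seq in range(n, 0, -1):
        c = chunks[seq - 1]
        order = seq | (LAST_LONG_ENTRY if seq == n else 0)
        entries.append(bytes([order]) + c[0:10] + bytes([LFN_ATTR, 0, csum])
                       + c[10:22] + b"\x00\x00" + c[22:26])
    return entries

def sample_directory(corrupt_checksum: bool = False) -> bytes:
    """Constructed directory: one file with a long name, optionally with a tampered checksum."""
    short = b"EXAMPL~1TXT"
    longs = build_lfn_entries("Example long filename.txt", short)
    if corrupt_checksum:
        longs[0] = longs[0][:13] + bytes([longs[0][13] ^ 0xFF]) + longs[0][14:]
    short_entry = short + bytes([0x20]) + bytes(20)     # archive attribute, other fields zero
    return b"".join(longs) + short_entry + bytes(32)
```

In an investigation the orphan count is worth reporting rather than silently discarding: a run of long entries whose checksum matches no short entry often belongs to a file that was renamed or deleted and whose pieces were later partly overwritten.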

Subdirectories

A directory other than the root directory is a file that has exactly the same structure as the root directory. Each such directory has two entries, "." and "..". The first refers to the directory itself, the second to the parent directory.

Finding FAT partitions without the Partition Table

As we have seen, the FAT boot sector has a very specific structure. We can hunt for it by flagging all sectors that end in 55 AA. This yields approximately one false positive in 64K sectors, but we can then check whether each flagged sector can be the beginning of a partition. This is useful if the first track is damaged.

Finding the First Cluster

The reserved area and the FAT area do not use clusters for allocation. We can calculate the size of these areas in sectors. We then calculate the size of the root directory from the number of root entries given in the FAT boot sector. The first cluster, i.e. cluster 2, then starts in the following sector. For a FAT32 partition, things are easier, because cluster 2 starts at the beginning of the data area.
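The two procedures above (hunting for boot-sector candidates in a raw image, and computing where cluster 2 begins), as an added example not from the original notes. The sanity checks on the BPB fields beyond the 55 AA marker are this example's own assumptions about plausible FAT values; the sample image is constructed in the block with a decoy sector that merely ends in 55 AA and a floppy boot sector built from the typical values of Table 2 (1 reserved sector, two FATs of 9 sectors each, 224 root entries), placed past the first track as if that track were unreadable.

```python
import struct

SECTOR = 512

def plausible_boot_sector(sector: bytes) -> bool:
    """55 aa marker plus sanity checks on the BPB fields of Table 2. The accepted ranges are
    the common ones for FAT volumes and are assumptions of this example."""
    if len(sector) != SECTOR or sector[0x1FE:0x200] != b"\x55\xaa":
        return False
    bytes_per_sec, sec_per_clus, reserved, num_fats = struct.unpack_from("<HBHB", sector, 0x0B)
    return (sector[0] in (0xEB, 0xE9)                       # jump instruction
            and bytes_per_sec in (512, 1024, 2048, 4096)
            and sec_per_clus in (1, 2, 4, 8, 16, 32, 64, 128)
            and reserved >= 1 and num_fats in (1, 2))

def find_boot_sectors(image: bytes) -> list:
    """Return the LBAs of all sectors in the image that could begin a FAT partition."""
    return [lba for lba in range(len(image) // SECTOR)
            if plausible_boot_sector(image[lba * SECTOR:(lba + 1) * SECTOR])]

def first_data_sector(bytes_per_sec, sec_per_clus, reserved, num_fats,
                      root_entries, sectors_per_fat) -> int:
    """Sector, relative to the partition start, where cluster 2 begins."""
    root_dir_sectors = (root_entries * 32 + bytes_per_sec - 1) // bytes_per_sec   # 0 on FAT32
    return reserved + num_fats * sectors_per_fat + root_dir_sectors

def cluster_to_sector(cluster: int, first_data: int, sec_per_clus: int) -> int:
    """Map a cluster number to its first sector; clusters 0 and 1 do not exist on disk."""
    if cluster < 2:
        raise ValueError("clusters 0 and 1 are never allocated")
    return first_data + (cluster - 2) * sec_per_clus

def sample_image() -> bytes:
    """Constructed 128-sector image: filler, a decoy sector that only ends in 55 aa at LBA 5,
    and a floppy-style boot sector (Table 2 values) at LBA 63."""
    img = bytearray((i * 7) & 0xFF for i in range(128 * SECTOR))
    decoy = bytearray(SECTOR)
    decoy[0x1FE:0x200] = b"\x55\xaa"
    img[5 * SECTOR:6 * SECTOR] = decoy
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xeb\x34\x90"
    struct.pack_into("<HBHBHHBHHHII", boot, 0x0B, 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0, 0)
    boot[0x1FE:0x200] = b"\x55\xaa"
    img[63 * SECTOR:64 * SECTOR] = boot
    return bytes(img)
```

With the floppy values of Table 2 the root directory occupies 224 * 32 / 512 = 14 sectors, so cluster 2 begins at sector 1 + 2 * 9 + 14 = 33; the TEST.DOC example, whose chain continues in cluster 36, therefore continues at sector 67 on that floppy. For a FAT32 volume the root-entry term is zero and the 32-bit sectors-per-FAT field is used instead.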

2007 Thomas Schwarz, S.J., COEN, SCU