For a long time I have been meaning to post something on forensics, on how to extract the crucial information from a FAT-32 volume, so that whoever wants to explore the digital caves of file systems can do it easily. What I will do is give some pointers; the rest is on you to explore.
A FAT-32 formatted disk is made of a few fixed parts, and the key one is the volume boot sector (VBS).
The VBS is 512 bytes in size and is the first sector of the partition. On older disks the first partition traditionally began at sector 63 (the MBR, the master boot record, occupies sector 0), but modern tools usually start it at sector 2048, so take the starting sector of the partition from the MBR partition table rather than assuming 63. The VBS keeps all the information needed to locate the rest of the file system: where the FAT table (File Allocation Table) is, where the root directory starts (knowledge of this location is crucial, as it is the top of the directory tree in FAT-32), how many sectors are on the volume, how many sectors make up a cluster (from which the number of clusters follows), what the sector size is, and so on.
To begin with, I will show how each of these crucial pieces of information can be extracted from the VBS. This introduction is only meant to give people a kick start, so I will only cover the very basic things. If you want to learn more advanced things, "google" is where you should look.
Multi-byte values in the VBS are stored in little-endian order: if you want to write 0x12345678 to the disk, you first write 0x78, at the next location 0x56, at the next 0x34, and at the next 0x12. So if you read a 16-bit value from, say, offsets 17 and 18, offset 17 contains the lower 8 bits of the result and offset 18 the higher 8 bits.
The disk is addressed in sectors, each a fixed number of bytes (512 on most disks, though 4096-byte sectors exist).
Tracks and cylinders are physical disk geometry; the file system does not care about them.
FAT groups a fixed number of consecutive sectors into a cluster, which is the unit in which space is allocated to files and directories.
Both the number of bytes per sector and the number of sectors per cluster are recorded in the VBS, and it is from here that our journey will start.
I will call the start of the VBS offset 0, and "offset x" will mean the xth byte of the VBS, counting from 0.
Now, to extract the number of bytes per sector, read offsets 11 and 12. For example, if offset 11 contains 0x00 and offset 12 contains 0x02, then the number of bytes per sector is 0x0200, i.e. 512.
Offset 13 contains the number of sectors per cluster; it is always a power of two.
Once you know this, it is time to familiarize yourself with the structure of a FAT-32 formatted disk, unless you know it already. A FAT-32 formatted disk has the following sections, in order:
1. MBR - master boot record (sector 0 of the disk, outside the FAT-32 volume; its partition table gives the starting sector of the volume)
2. VBS - volume boot sector (the first sector of the volume)
3. Reserved sectors - the VBS is the first of these; FAT-32 also keeps the FSInfo sector (normally sector 1 of the volume) and a backup copy of the VBS (normally sector 6) in this area
4. FAT1 - first file allocation table
5. FAT2 - second file allocation table; this is nothing but a copy of FAT1 (offset 16 of the VBS holds the number of FATs, which is normally 2)
6. DATA area - the clusters, starting with the root directory (its cluster number is at offsets 44-47 and is normally 2)
Now, read offsets 14 and 15 of the VBS to get the number of sectors in the reserved area. Multiply this value by the number of bytes per sector and you get the offset, from the start of the volume, at which FAT1 starts. This is one very important location. (All offsets in this post are relative to the start of the volume; to turn them into absolute disk offsets, add the starting sector of the partition from the MBR, times the sector size.)
Next, read offsets 36, 37, 38 and 39. This gives the number of sectors in each FAT, i.e. in FAT1 and in FAT2. (Offsets 22-23, the 16-bit FAT size used by FAT-12/16, are zero on a FAT-32 volume; if they are not, you are not looking at FAT-32.) If you know the start of FAT1 (already calculated above), the number of sectors in each FAT and the number of bytes per sector, you can easily calculate the start of the DATA area as follows:
start of DATA area = start of FAT1 + "number-of-sectors-in-each-FAT" * "bytes-per-sector" * 2
Multiply by 2 because there are 2 FAT tables, FAT1 and FAT2, the replica of FAT1. Strictly, the multiplier is the number of FATs at offset 16, which is 2 on practically every volume.
So, by now you should know the following:
1. how many bytes per sector
2. how many sectors per cluster
3. location of FAT1
4. location of FAT2 = start of FAT1 + "number-of-sectors-in-each-FAT" * "bytes-per-sector"
5. start of DATA area
6. location of the root directory = start of DATA area + (root cluster - 2) * "sectors-per-cluster" * "bytes-per-sector", because cluster numbering starts at 2 and cluster 2 is the first cluster of the DATA area
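The whole procedure above, written out as an added example (this is not code from the original post): a small Python parser that reads the VBS fields in little-endian order, checks the values before trusting them, and computes the FAT, DATA area and root directory offsets. The boot sector it parses is a constructed sample built by build_sample_vbs, not a real disk image. The field offsets beyond the ones named in the post (16 for the number of FATs, 22-23 for the 16-bit FAT size, 32-35 for the total sector count, 44-47 for the root directory cluster, 510-511 for the 0x55AA boot signature) are the standard FAT32 BPB positions.

```python
import struct

# VBS offsets used below (standard FAT32 BIOS Parameter Block positions).
OFF_BYTES_PER_SECTOR = 11    # 2 bytes
OFF_SECTORS_PER_CLUSTER = 13 # 1 byte
OFF_RESERVED_SECTORS = 14    # 2 bytes
OFF_NUM_FATS = 16            # 1 byte, normally 2
OFF_FAT_SIZE_16 = 22         # 2 bytes, must be 0 on FAT32
OFF_TOTAL_SECTORS_32 = 32    # 4 bytes
OFF_FAT_SIZE_32 = 36         # 4 bytes
OFF_ROOT_CLUSTER = 44        # 4 bytes, normally 2
OFF_SIGNATURE = 510          # 2 bytes: 0x55 0xAA


def read_le(buf, offset, length):
    """Little-endian read: the byte at the lowest offset is the least
    significant one, exactly the byte order the post describes."""
    value = 0
    for i in range(length):
        value |= buf[offset + i] << (8 * i)
    return value


def build_sample_vbs(bytes_per_sector=512, sectors_per_cluster=8,
                     reserved_sectors=32, num_fats=2, fat_size=1024,
                     root_cluster=2, total_sectors=1048576):
    """Constructed sample input (not a real disk image): a minimal,
    spec-shaped FAT32 boot sector carrying the fields the parser reads."""
    vbs = bytearray(512)
    vbs[0:3] = b"\xEB\x58\x90"                       # x86 jump over the BPB
    vbs[3:11] = b"MSWIN4.1"                          # OEM name
    struct.pack_into("<H", vbs, OFF_BYTES_PER_SECTOR, bytes_per_sector)
    vbs[OFF_SECTORS_PER_CLUSTER] = sectors_per_cluster
    struct.pack_into("<H", vbs, OFF_RESERVED_SECTORS, reserved_sectors)
    vbs[OFF_NUM_FATS] = num_fats
    vbs[21] = 0xF8                                   # media descriptor: fixed disk
    struct.pack_into("<I", vbs, OFF_TOTAL_SECTORS_32, total_sectors)
    struct.pack_into("<I", vbs, OFF_FAT_SIZE_32, fat_size)
    struct.pack_into("<I", vbs, OFF_ROOT_CLUSTER, root_cluster)
    struct.pack_into("<H", vbs, 48, 1)               # FSInfo sector
    struct.pack_into("<H", vbs, 50, 6)               # backup boot sector
    vbs[82:90] = b"FAT32   "                         # file system type label
    vbs[OFF_SIGNATURE:OFF_SIGNATURE + 2] = b"\x55\xAA"
    return bytes(vbs)


def parse_vbs(vbs):
    """Extract the FAT32 volume layout from its boot sector. All offsets are
    bytes relative to the start of the volume; add the partition's starting
    byte offset (from the MBR partition table) to get disk offsets."""
    if len(vbs) < 512:
        raise ValueError("boot sector must be at least 512 bytes")
    if read_le(vbs, OFF_SIGNATURE, 2) != 0xAA55:     # bytes 55 AA read LE
        raise ValueError("boot signature 0x55AA missing: not a boot sector")
    bps = read_le(vbs, OFF_BYTES_PER_SECTOR, 2)
    spc = vbs[OFF_SECTORS_PER_CLUSTER]
    rsvd = read_le(vbs, OFF_RESERVED_SECTORS, 2)
    nfats = vbs[OFF_NUM_FATS]
    fat_size = read_le(vbs, OFF_FAT_SIZE_32, 4)
    total = read_le(vbs, OFF_TOTAL_SECTORS_32, 4)
    root_cluster = read_le(vbs, OFF_ROOT_CLUSTER, 4)
    # Sanity checks: refuse a wiped or tampered boot sector instead of
    # computing garbage offsets from it.
    if bps not in (512, 1024, 2048, 4096):
        raise ValueError(f"implausible bytes per sector: {bps}")
    if spc == 0 or spc & (spc - 1):
        raise ValueError(f"sectors per cluster must be a power of two: {spc}")
    if rsvd == 0 or nfats == 0:
        raise ValueError("reserved sector count and FAT count must be non-zero")
    if read_le(vbs, OFF_FAT_SIZE_16, 2) != 0 or fat_size == 0:
        raise ValueError("FATSz16 set or FATSz32 zero: not a FAT32 volume")
    if root_cluster < 2:
        raise ValueError(f"invalid root directory cluster: {root_cluster}")
    fat_bytes = fat_size * bps
    fat1 = rsvd * bps                                # end of the reserved area
    data_start = fat1 + nfats * fat_bytes            # after every FAT copy
    cluster_bytes = spc * bps
    return {
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "fat_offsets": [fat1 + i * fat_bytes for i in range(nfats)],
        "data_start": data_start,
        "cluster_bytes": cluster_bytes,
        "cluster_count": (total - rsvd - nfats * fat_size) // spc,
        "root_dir_offset": data_start + (root_cluster - 2) * cluster_bytes,
    }


def cluster_offset(layout, cluster):
    """Byte offset of a data cluster; numbering starts at 2, since FAT
    entries 0 and 1 are reserved and cluster 2 is the first data cluster."""
    if cluster < 2 or cluster >= layout["cluster_count"] + 2:
        raise ValueError(f"cluster {cluster} is outside the data area")
    return layout["data_start"] + (cluster - 2) * layout["cluster_bytes"]


def is_fat32_boot_sector(vbs):
    """True if parse_vbs accepts the sector, False if any check fails."""
    try:
        parse_vbs(vbs)
        return True
    except ValueError:
        return False
```

With the sample values (512 bytes per sector, 8 sectors per cluster, 32 reserved sectors, 2 FATs of 1024 sectors each) FAT1 starts at byte 16384, FAT2 at 540672 and the DATA area at 1064960; because the root directory lives in cluster 2, it starts right at the beginning of the DATA area. Feeding the parser the first 512 bytes of a real partition (for example `dd if=image.dd bs=512 skip=<partition start> count=1`) gives the same dictionary for that volume.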
:)
I hope this post, together with the theoretical information available on the internet explaining the structure of the DATA area and the FAT table, will help you understand the actual on-disk structure of FAT-32 and analyze it in a forensic way.
:)