HTCIA - Demystifying the Microsoft Extended File System (exFAT) V1.00

HTCIA International ConferenceSeptember 20 22 2010September 20-22, 2010

Atlanta, GA

Demystifying the Microsoft Extended File Demystifying the Microsoft Extended File System (exFAT)System (exFAT)

Robert Shullich CPP, CISSP, CISM, CISA, CGEIT, CRISC, GSEC, GCFA

September 20th, 2010 1

AgendaAgenda

About MeAbout MeWhy a new file systemForensics RelevanceForensics RelevanceFeaturesAdvantagesAdvantagesTimelinesSupportSupportLimitsI t l


Internals

About MeAbout Me

I have been in the IT field for 35+ Years, and in ,InfoSec for over 15 YearsI carry many IT and InfoSec certifications This research was part of a term project for a forensics class for my masters in Forensic ComputingI then expanded the term paper into a practical paperI then expanded the term paper into a practical paper for my SANS GCFA certificationA link to the SANS paper and my blog is at the end of this presentation


Why do we need a new file system?Why do we need a new file system?

Current Limits ExhaustedLarger volumes (>2TB)Larger files sizes (>4GB)g ( )Faster I/O

(UHS-1: 104 MB/2 - UHS-2: 300MB/s)Removable MediaFlexibilityExtensibilityNTFS Features without the overhead


Relevance to Forensics StudyRelevance to Forensics Study

Digital Evidence ExtractionDigital Evidence ExtractionFinding the evidenceIncluding the hiding placesIncluding the hiding placesValidation

Daubert Expert TestimonyDaubert Expert TestimonyNeed to know and understand file org

New Media (SD Cards) will drive exFATNew Media (SD Cards) will drive exFAT adoption, and the potential for CP investigations.


What happens when you have exFAT f d di d A ?formatted media and no exFAT support?


Forensics ChallengesForensics Challenges

Linux OS SupportLinux OS SupportTuxera drivers may help

Mac OS SupportMac OS SupportOpen Source ToolsCommercial ToolsCommercial Tools

EncaseFTKFTK

Documentation


DisclaimerDisclaimer

The released specification andThe released specification and implementation is Release 1.00 of exFATThe specification mentions additional features pthat were not implemented yet, but may at a future time/ Some of these are Windows CE holdoversBoth may be presented todaySome directory entries will be skipped


ExponentsExponents

102 = 10 times 10 = 10010 10 times 10 100103 = 10 times 10 times 10 = 1000 (1K)22 = 2 times 2 = 42 = 2 times 2 = 429 = 2*2*2*2*2*2*2*2*2 = 512210 = 2*2*2*2*2*2*2*2*2*2 = 1024 (1K)210 = 2 2 2 2 2 2 2 2 2 2 = 1024 (1K)212 = 2*2*2*2*2*2*2*2*2*2*2*2 = 4096


International System of Units (SI) TableInternational System of Units (SI) Table

File System in Shorthand Longhand Nth Bytesypowers of 2Device characteristics in

KiB Kibibyte 210 1024

MiB Mebibyte 220 1024 KiBcharacteristics in power of 10 GiB Gibibyte 230 1024

MiBTiB Tebibyte 240 1024 GiBTiB Tebibyte 2 1024 GiB

PiB Pebibyte 250 1024 TiB

EiB Exbibyte 260 1024 PiBy

ZiB Zebibyte 270 1024 EiB

YiB Yobibyte 280 1024 ZiB


Features of exFAT 1 00Features of exFAT 1.00

Sector sizes from 512 to 4096 bytesSector sizes from 512 to 4096 bytesClusters sizes to 32MiBRoot Directory UnlimitedRoot Directory UnlimitedSubdirectories to 256MiBBuilt for speed less overhead than NTFS butBuilt for speed, less overhead than NTFS but has some of the NTFS featuresUTC Timestamp SupportUTC Timestamp Support

Vista/Server 2008 SP2+, XP with KB


Features of exFAT 1 00 (cont’d)Features of exFAT 1.00 (cont d)

OEM Parameters Sector for deviceOEM Parameters Sector for device dependent parameters12 sector VBR, support of larger boot , pp gprogramPotential capacity to 64ZiBp y

Current support ≈ 128 PiBUp to 2,796,202 files per subdirectoryp , , p yFile Names max to 255 CharactersUnicode File Names and Volume LabelsUnicode File Names and Volume Labels


Future Features of exFATFuture Features of exFAT

TexFAT (To be released later)TexFAT (To be released later)Exists in Windows CETransaction Safe exFATTransaction Safe exFAT

ACL (To be released later)Exists in Windows CEExists in Windows CE

Encryption Support?Not announced, but mentioned how easy toNot announced, but mentioned how easy to add


MBR Partition LimitationsMBR Partition Limitations

Microsoft File Systems are limited whenMicrosoft File Systems are limited when stored in a MBR partitionA partition is defined by a Master Boot p yRecordA MBR uses a 4 byte value for number of ysectorsTo get the maximum volume size, exFAT cannot be created within a partition


Advantages of exFATAdvantages of exFAT

Handle growing capacities in media,Handle growing capacities in media, increasing capacity to >32 GB.> 1000 files in a single directory.Speeds up storage allocation processes.Breaks file size 4 GB barrier.S t i t bilit ith f t d ktSupports interoperability with future desktop OSs.Provides an extensible formatProvides an extensible format.Large cluster sizes


Disadvantages of exFATDisadvantages of exFAT

Not all Windows CE features implementedNot all Windows CE features implementedNo direct conversion to or from other FSCannot use CONVERT command to NTFSCannot use CONVERT command to NTFSNo Floppy SupportMostly a Microsoft Desktop and Server WorldMostly a Microsoft Desktop and Server World

No Support for Older MS systemsNo Support for Non MS systemsNo Support for Non-MS systemsNo XBOX, PS3 or other special devices


Key Dates for exFATKey Dates for exFATSeptember 2006 – Windows CE 6.0 M h 2008 Wi d Vi S i P k 1March 2008 – Windows Vista Service Pack 1January 2009 – Announcement at CES of SDXC specificationJanuary 2009 – Windows XP Drivers AvailableMay 2009 Windows Vista Service Pack 2May 2009 – Windows Vista Service Pack 2August 2009 – Tuxera Signs File System IP Agreement with MicrosoftMarch 2009 – Pretec Releases first SDXC Cards December 2009 – Microsoft (re)announces exFAT license program for third-partiesDecember 2009 – SDXC laptops due soon D b 2009 Di ki t l l FAT tilitDecember 2009 – Diskinternals releases exFAT recovery utilityDecember 2009 – Encase support


More Key Dates for exFATMore Key Dates for exFAT

December 2009 Sony, Canon & SanyoDecember 2009 Sony, Canon & Sanyo LicenseJanuary 2010 Funai License (LCD TV)y ( )February 2010 Panasonic LicenseFebruary 2010 Panasonic 64/48GB SDXCFebruary 2010 Panasonic 64/48GB SDXCFebruary 2010 Sony Memory Stick XCFebruary 2010 Sandisk Ultra XC 64GB CardFebruary 2010 Sandisk Ultra XC 64GB Card 3.0 Spec $350


More Key DatesMore Key Dates

June 1st 2010 Tuxera Releases Linux &June 1 2010 Tuxera Releases Linux & Android exFAT driversJune 3rd 2010 Kingston Releases Class 10 gSDXC 64GB Card 60 MB/s read, 35 MB/s write.


SD Card AssociationSD Card Association

New Memory CardyConsumer AppliancesFollows SDHCSpecification for 2TB Capacity


SDXC Storage CapabilitiesSDXC Storage Capabilities

From 32GB to 2TB on a cardFrom 32GB to 2TB on a cardExclusively exFAT File System300 MB/s I/O Transfer300 MB/s I/O TransferStorage

4 000 RAW images4,000 RAW images100 HD moviesor 60 hours of HD recordingor 60 hours of HD recording17,000 fine-grade photosin a single directory


in a single directory

Support for exFATSupport for exFAT

Windows XP & Server 2003Windows XP & Server 2003KB955704 (requires SP2 or SP3)

Vista & Server 2008 SP1Vista & Server 2008 SP1Vista & Server 2008 SP2

(Adds UTC timestamp support)(Adds UTC timestamp support)Windows 7


Reference StandardsReference Standards

Bits are numbered right to leftBits are numbered right to left76543210

Decimal Offsets (zero based)Decimal Offsets (zero based)Little-Endian numbersUnsigned numbersUnsigned numbersSectors vs. ClustersStrings are 16 bit UnicodeStrings are 16 bit UnicodeStrings not Terminated


EndianEndian

Numbering order may vary based onNumbering order may vary based on processor type, is determined by the order the data bytes are read from the register.A 32 bit number is read as 4 8 bit bytesIf I have the number 0x01 02 03 04Big-Endian will store it as:

0x 01 02 03 04Little-Endian will store it as:

0x 04 03 02 01


File System IntegrityFile System Integrity

Version VerifiedVersion Verified3 Checksums

VBRVBRUP-Case TableFile SetFile Set

Critical Directory EntriesOther Checks and BalancesOther Checks and BalancesFile System should NOT mount if failures


exFAT LimitsexFAT LimitsVolume size 128PiB

MS said 64ZiBMS now says 256TiB

File Size 16 EiB (64 bit number)File Size 16 EiB (64 bit number)Bigger than volume size

Subdirectory 256MiBSector 512-4096 bytes (29-212)Cluster 32MiB (225)No floppy supportNo floppy supportNo FAT32 minimum cluster (65,525) restrictionNo 8.3 file name support


pp

Data Hide Alert!Data Hide Alert!

FAT32 max cluster 32KiBFAT32 max cluster 32KiBexFAT max cluster 32MiB

This is an increase of 1024 foldThis is an increase of 1024 foldPotential for massive slack space


Volume Space LayoutVolume Space Layout

The Main Boot RegionThe Main Boot RegionContains main VBR

The Backup Boot RegionThe Backup Boot RegionContains backup VBR

The FAT RegionThe FAT RegionContains FAT Table(s)

The Data Region (Cluster Heap)The Data Region (Cluster Heap)This is where data resides


VBR – Volume Boot RecordVBR Volume Boot Record

Contains 12 sectorsContains 12 sectors1 sector main boot sector

Jump Code (3 bytes)p ( y )BPB (BIOS Parameter Block)Boot Strap Code

8 sectors main extended boot sectors1 sector OEM parms1 sector reserved1 sector VBR Checksum


Boot Parameter Block (BPB)Boot Parameter Block (BPB)

OEM Label “EXFAT ”Volume Length (64-bit) [sector]FAT Location & Size [sector]Heap Location & Size [sector, cluster]Volume Serial Number

fLocation of Root Directory [cluster]Volume FlagsSector and Cluster Sizes [2 shift]Sector and Cluster Sizes [2-shift]Percent in useFile System Revision (0x0010=1.00)


File System Revision (0x0010 1.00)

Sectors & ClustersSectors & Clusters

A 2-Shift is a power of 2A 2 Shift is a power of 2Another name for exponent

Sector size and sectors per clusterSector size and sectors per clusterEach stored in 1 byteTheoretical maximum is 2255Theoretical maximum is 2Sector Size Maximum 212

Sectors per cluster is derivedpCluster Size Maximum is 225


Executable Boot CodeExecutable Boot Code

First 3 bytes of Main Boot SectoryJump Code0xEB7690

Offset 120 size 390Remainder of boot code

Offset 510End signature marker0 AA55 “55AA”0xAA55 = “55AA”

Offset 512Unused if defined


Unused if defined

More Bootable CodeMore Bootable Code

Up to 8 Main Extended Boot SectorsUp to 8 Main Extended Boot SectorsFAT32 had 3 sector VBR with 1 MEBSEntire sector can be used for boot codeEntire sector can be used for boot codeLast 8 bytes of sector is marker0xAA550000 = “000055AA”

Larger capacity for boot virus!


VBR Checksum SectorVBR Checksum Sector

The 12th sector of the VBRThe 12 sector of the VBRRepeating 4 byte checksumChecksum of previous 11 sectorsChecksum of previous 11 sectorsFlags and Percent excluded

These are volatile and change oftenThese are volatile and change oftenBoot Sector Virus & Checksum


VBR Checksum SectorVBR Checksum Sector

Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F

00000000 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹00000010 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹00000020 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ ÉÐ ÉÐ ÉÐ00000020 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹00000030 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹00000040 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹

Lines 00000050 through 01BF repeatedg p

000001C0 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹000001D0 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹000001E0 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹000001F0 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ ‹ÉÐ ‹ÉÐ ‹ÉÐ ‹000001F0 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹


FAT – File Allocation TableFAT File Allocation Table

When it is used, same as legacy FAT, g yNot used when file contiguousNever used for cluster allocationFAT 32 has 32 bit cells, uses 28 bitsexFAT has 32 bit cells, uses 32 bits

Th i 64 bit FATThere is no 64 bit FATMaximum clusters is 232-11With TexFAT – 2 FAT Tables (2 Bitmaps)With TexFAT – 2 FAT Tables (2 Bitmaps)Addressed by pointer in VBRSize stored in VBR


Cell Values in FAT TableCell Values in FAT Table

0x00000000 – No significant meaning0x00000000 No significant meaning0x00000001 – Not a valid cell value0xFFFFFFF6 – Largest Value0xFFFFFFF6 Largest Value0xFFFFFFF7 – Bad Block0xFFFFFFF8 Media Descriptor0xFFFFFFF8 – Media Descriptor

Fixed Disk0xFFFFFFF9 0xFFFFFFFE Not Defined0xFFFFFFF9-0xFFFFFFFE – Not Defined0xFFFFFFFF – End of File (EOF)


FAT Table ExampleFAT Table Example

Media R dUP-Case TableAllocation Bit Map

Offset 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

Media Reserved Allocation Bit Map

Root Directory

0000 F8 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 0010 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0000A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00


0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Allocation BitmapAllocation Bitmap

Keeps track of cluster allocation statusKeeps track of cluster allocation statusZero – Free ClusterOne – Allocated ClusterOne Allocated Cluster

1 Byte = Tracking of 8 ClustersBit Zero – Byte Zero = Cluster 2Bit Zero Byte Zero Cluster 2

Cluster 0 & Cluster 1 are not definedAddressed by Directory EntryAddressed by Directory EntryWith TexFAT – 2 of these (FAT Pairing)



The Allocation Bitmap and the UP-CaseThe Allocation Bitmap and the UP Case Table are stored as files, and provide hiding space in the metadataThese files are static, typically won’t move, and have slack space.Nothing prevents someone from moving these files elsewhere in the cluster heap, and

ll ki h lactually making them larger


Directories in exFATDirectories in exFATRoot (VBR Pointer)( )

Contains certain critical entriesAlmost unlimited in size

Subdirectory (by File Entry)Subdirectory (by File Entry)Contains file sets256MiB Max sizeNo physical “.” or “..” entries

Uses 16 Bit Unicode for stringsEvery Entry 32 bytes in sizeEvery Entry 32 bytes in sizeEntry 0x00 is end of directoryHas capabilities for user entries



Manipulation of the Allocation Bitmap, andManipulation of the Allocation Bitmap, and creation of user directory entries provides the capability of hiding a file system within the file systemIt may also be possible to hide data within the directory metadata itself


Entry TypeEntry Type

Type Field Offset (Bits) Size (Bits)

In Use 7 1C t 6 1Category 6 1

Importance 5 1Importance 5 1

Code 0 5September 20th, 2010 47

Code 0 5

Entry TypeEntry Type

In Use:In Use:0 – Not in Use, 1- In Use

Category:Category:0 – Primary, 1 – Secondary

Importance:Importance:0 – Critical, 1 – Benign

Code: Identifies the entryCode: Identifies the entry


Volume Label Directory EntryVolume Label Directory Entry

0x83 or 0x03 Entry0x83 or 0x03 EntryPrimary EntryOnly resident in Root DirectoryOnly resident in Root DirectoryContains the Volume Label16 bit Unicode16 bit Unicode0x03 means no volume label


Volume Label Directory EntryVolume Label Directory Entry

Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F

00000000 83 0A 65 00 78 00 46 00 41 00 54 00 2D 00 31 00 ƒ.e.x.F.A.T.-.1.00000010 32 00 38 00 4B 00 00 00 00 00 00 00 00 00 00 00 2.8.K...........

TypeType

Volume Name Length (10)

Volume Label (exFAT-128K)


Allocation Bitmap Directory EntryAllocation Bitmap Directory Entry

0x81 Entry0x81 EntryPrimary EntryOnly resident in Root DirectoryOnly resident in Root DirectoryPoints to the Allocation Bitmap

If TexFAT then 2 of theseIf TexFAT, then 2 of theseFlag bits says which FAT/Bitmap

Cluster Address of BitmapCluster Address of BitmapSize of Bitmap


Allocation Bitmap Directory EntryAllocation Bitmap Directory Entry

Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F

0000 81 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0010 00 00 00 00 02 00 00 00 3F 00 00 00 00 00 00 00

Type Cluster Address (Cluster 2) Size (63 bytes)


UP-Case Table Directory EntryUP Case Table Directory Entry

0x82 Entry0x82 EntryPrimary EntryOnly resident in Root DirectoryOnly resident in Root DirectoryFile names are case insensitiveUsed to fold file nameUsed to fold file nameTable has a checksum (32 bits)


UP-Case Table Directory EntryUP Case Table Directory Entry

Off t 0 1 2 3 4 5 6 7 8 9 A B C D E FOffset 0 1 2 3 4 5 6 7 8 9 A B C D E F

0000 82 00 00 00 0D D3 19 E6 00 00 00 00 00 00 00 00 0010 00 00 00 00 03 00 00 00 CC 16 00 00 00 00 00 00

Type Cluster Address (3)

Length (0x16CC = 5,836)Table Checksum


File Directory Entry SetFile Directory Entry Set

Used to define a fileUsed to define a fileMay have 3 to 19 entries, or more1 Primary many Secondary1 Primary, many SecondaryIs considered an array

Must be in orderMust be in orderMust be contiguous (no gaps)

Entire Set has ChecksumEntire Set has Checksum


File Directory EntryFile Directory Entry

0x85 or 0x05 Entry0x85 or 0x05 EntryPrimary EntrySet Checksum (16 bits)Set Checksum (16 bits)

Not modified on file deleteSecondary CountSecondary Count

# Secondary entries that followFile AttributesFile AttributesTimestamps


Timestamps & Time ZonesTimestamps & Time Zones

3 Timestamps (MAC)3 Timestamps (MAC)32 bit DOS Date/Time

Local Machine TimeLocal Machine Time10ms Offset (MC)TZ Offset (MAC)TZ Offset (MAC)

15 minute increments7 bit signed number7 bit signed number±16 hoursPresent with UTC support


Present with UTC support

Timestamp AccuracyTimestamp Accuracy

FAT32 – Last Access – Date onlyFAT32 Last Access Date onlyexFAT – Last Access – Date/TimeAll DOS DATE/TIME Double SecondsAll DOS DATE/TIME Double Seconds10ms adds 0-1990 ms to time10ms only for Create/Modify10ms only for Create/Modify


Timestamp ReliabilityTimestamp Reliability

Timestamps appear to be updated when theTimestamps appear to be updated when the file is created or modified.Last Accessed Timestamp appear to be p ppupdated when file is created or modified.Last Accessed Timestamp appear NOT p ppmodified on file read.Forensics Implication on MAC time analysis


File Attributes

Attribute Offset Size MaskReserved2 6 10Archive 5 1 0x20Directory 4 1 0x10Reserved1 3 1Reserved1 3 1

System 2 1 0x04yHidden 1 1 0x02Read Only 0 1 0x01September 20th, 2010 60

Read-Only 0 1 0x01

File Directory EntryFile Directory Entry

Type # Secondary Entries

Set Checksum (0x92D4)

Off t 0 1 2 3 4 5 6 7 8 9 A B C D E F

Set Checksum (0x92D4)

Attributes (0x0020 = Archive)

CreateOffset 0 1 2 3 4 5 6 7 8 9 A B C D E F

0000 85 04 D4 92 20 00 00 00 44 62 86 3B F1 62 BA 3A 0010 44 62 86 3B A8 00 EC EC EC 00 00 00 00 00 00 00

ModifiedAccessed

C t 10

Modified 10ms

September 20th, 2010 61TZ Offset CMA EC = GMT-5

Create 10ms

Formatted File Directory EntryFormatted File Directory Entry

Root Entry Type Read is: 85 Directory Entry RecordRoot Entry Type Read is: 85 Directory Entry RecordChecksum: 92D4Calculated Checksum is: 92D4 Size Directory Set (bytes): 160Secondary Count 004File Attributes: 0020 Archive C t Ti t 3B866244 12/06/2009 12 18 08Create Timestamp: 3B866244 12/06/2009 12:18:08Last Modified Timestamp: 3ABA62F1 05/26/2009 12:23:34Last Accessed Timestamp: 3B866244 12/06/2009 12:18:0810 ms Offset Create A8 16810 ms Offset Modified 00 0Time Zone Create EC 236 Value of tz is: GMT -05:00Time Zone Modified EC 236 Value of tz is: GMT -05:00Time Zone Last Accessed EC 236 Value of tz is: GMT -05:00


Stream Extension Directory EntryStream Extension Directory Entry

0xC0 or 0x40 EntryySecondary EntryLength of NamegLength of File (2 of them)Cluster address of first data blockName Search Hash valueSecondary Flag

FAT InvalidAllocation Possible


Stream Extension Directory EntryStream Extension Directory Entry

Entry Flags (Alloc Possible/Fat Invalid)

Length of File Name (0x28= 40)

Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F

Name Hash (0x3CAD)

0000 C0 03 00 28 AD 3C 00 00 1F 46 1D 01 00 00 00 000010 00 00 00 00 05 00 00 00 1F 46 1D 01 00 00 00 00

Cluster (5)

Data Length 0x011d461f 18 695 711


Data Length 0x011d461f = 18,695,711

Parameters for SamplesParameters for Samples

Bytes Per Sector: 2 to the 09 power is: 512Bytes Per Sector: 2 to the 09 power is: 512Sectors Per Cluster: 2 to the 08 power is: 256Bytes per Cluster: 131072 (128K)


Formatted Stream ExtensionFormatted Stream Extension

Root Entry Type Read is: C0 Directory Entry Record, Stream ExtensionSecondary Flags: 03

Flag Bit 0: Allocation PossibleFlag Bit 1: FAT Chain Invalid

Length of UniCode Filename is: 40Length of UniCode Filename is: 40Name Hash Value is: AD3CStream Extension First Cluster 5Cluster 5 is AllocatedStream Extension Data Length 18695711 Bytes Slack: 83487 Clusters Used: 143Stream Extension Valid Data Length 18695711 Bytes Slack: 83487 Clusters Used: 143


Slack: 83487 Clusters Used: 143

File Name Extension Directory EntryFile Name Extension Directory Entry

0xC1 or 0x41 EntryySecondary EntrySecondary Flagsy g

Allocation not possibleFAT Invalid

15 Characters (30 bytes) of NameName in 16 Bit UnicodeIn order (FAT32 LFN was reversed)Up to 17 max, total 255 character


File Name Extension Directory EntryFile Name Extension Directory Entry

Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F

0000 C1 00 62 00 75 00 73 00 69 00 6E 00 65 00 73 00 Á.b.u.s.i.n.e.s.0010 73 00 5F 00 6F 00 66 00 5F 00 73 00 65 00 63 00

fs._.o.f._.s.e.c.

0000 C1 00 75 00 72 00 69 00 74 00 79 00 5F 00 5F 00 Á.u.r.i.t.y._._.0010 62 00 75 00 73 00 2D 00 31 00 30 00 35 00 2D 000010 62 00 75 00 73 00 2D 00 31 00 30 00 35 00 2D 00 b.u.s.-.1.0.5.-.

0000 C1 00 33 00 32 00 6B 00 62 00 70 00 73 00 2E 00 Á 3 2 k bÁ.3.2.k.b.p.s...0010 6D 00 70 00 33 00 00 00 00 00 00 00 00 00 00 00 m.p.3...........

Fil N b i f it b 105 32kb 3


File Name = business_of_security__bus-105-32kbps.mp3

Significance of “not in use” flagSignificance of not in use flag

0x05, 0x40 & 0x41 Entries0x05, 0x40 & 0x41 Entries“Not in use” may mean deleted filesMay also be reallocated renameMay also be reallocated rename

Set Checksum not changed when entries marked “not in use”


SummarySummary

exFAT is a new generation of the FAT familyexFAT is a new generation of the FAT family of Microsoft File SystemsThe need for forensics tools will heat up in p2010We don’t have the right tools yetg yDocumentation and support for exFAT is scarce


Q&AQ&A


Contact InformationContact Information

E-mail: [email protected] mail: [email protected]: rshullic.wordpress.comBlog: shullich blogspot comBlog: shullich.blogspot.com


ReferencesReferences

Sans Reading Room:ghttp://www.sans.org/reading_room/whitepapers/forensic

s/rss/reverse_engineering_the_microsoft_exfat_file_st 33274ystem_33274

Microsoft Patent:Microsoft Patent 0164440 (June 25 2009) QuickMicrosoft Patent 0164440 (June 25, 2009). Quick

Filename Lookup Using Name Hash.Pub No. US 2009/0164440 A1 Retrieved December 10,

2009 fromhttp://www.pat2pdf.org/patents/pat20090164440.pdf


HTCIA - Demystifying the Microsoft Extended File System (exFAT) V1.00

Documents

Transcript of HTCIA - Demystifying the Microsoft Extended File System (exFAT) V1.00