OPERATING SYSTEMS

Frans Sanen

Analyze a FAT file system manually FAT12 first and simplest version

Still used on smaller disks (e.g. floppies) FAT16 & FAT32 as successors (essentially the

same, but more complex) De facto USB stick standard

Resources Microsoft’s general overview of FAT (@

export) Links from the assignment

2

Hex editor Program that allows us to manipulate binary

computer files http://www.softcircuits.com/cygnus/fe XVI-32

ASCII table http://www.prepressure.com/library/

binhex.htm http://www.asciitable.com http://nl.wikipedia.org/wiki/ASCII_%28tekenset

%29#Tabel_van_ASCII-codes 3

Verify the MD5 checksum of the image Linux: md5sum Windows

hksfv (via Google) http://www.irnis.net/gloss/md5sum-

windows.shtml

4

Floppy Disk Directories FAT12 Removing files

5

Floppy Disk Directories FAT12 Removing files

6

Structure of a FAT12 formatted floppy diskPosition

Length Contents

0 1 Boot sector

1 9 Fat 1

10 9 Fat 2

19 14 Root directory

33 2847 Data

7

Sector size is 512B or ½ KB 2880 sectors in total (= 1+9+9+14+2847)

2880 * 1/2 KB = 1440 KB = 1,4 MB

Fat 2 is a copy of Fat 1 Root directory contains the directory

entries

Isolate the different parts for the floppy image (fat12.img) by using a hex editor

Find the (hexadecimal) start addresses for every part

9

Floppy Disk Directories FAT12 Removing files

10

Floppy Disk Directories FAT12 Removing files

11

Directory in FAT12 is a sequence of file descriptions

Every file description consists of 32 bytes

Note: hexadecimal number is a quick way to write

4 binary numbers

12

Position

Length Contents

0 8 Name

8 3 Extension

11 1 Attribute

12 10 Reserved

22 2 Time

24 2 Date

26 2 First cluster

28 4 File size

13

5445 5354 2020 2020 4444 2020 0064 851b

5a33 5a33 0000 851b 5a33 0300 b004 0000

14

Name: first 8 bytes Can be looked up in ASCII table Spaces are used as padding

54 45 53 54 20 20 2020

T E S T _ _ _ _

15

5445 5354 2020 2020 4444 2020 0064 851b

5a33 5a33 0000 851b 5a33 0300 b004 0000

16

Extension: next 3 bytes Can be looked up in ASCII table Spaces are used as padding

44 44 20D D _

5445 5354 2020 2020 4444 2020 0064 851b

5a33 5a33 0000 851b 5a33 0300 b004 0000

17

Attribute: kept in a bitvector Little endian byte order: least significant byte

first E.g. 4A 3B 2C 1D (hexadecimal) is stored as 1D 2C

3B 4A

0 read-only 4 subdir

1 hidden 5 archive

2 system file 6 /

3 volume label 7 /

18

5445 5354 2020 2020 4444 2020 0064 851b

5a33 5a33 0000 851b 5a33 0300 b004 0000

19

Attribute: 12th byte 20 hexadecimal 32 decimal 00100000 in bits (little endian)

Hence... archive!

5445 5354 2020 2020 4444 2020 0064 851b

5a33 5a33 0000 851b 5a33 0300 b004 0000

20

Reserved: next 10 bytes Creation time and date Last accessed

5445 5354 2020 2020 4444 2020 0064 851b

5a33 5a33 0000 851b 5a33 0300 b004 0000

21

Time: next 2 bytes (after reserved part) 851b 1b85

1b = 27 = 00011011 85 = 133 = 10000101

So: 00011011 10000101

22

0001101110000101 Hours: 5 bits

00011 or 3 Minutes: 6 bits

011100: 28 Seconds: 5 bits (only even seconds!)

00101: 5 10

So... 3h 28m 10s

5445 5354 2020 2020 4444 2020 0064 851b

5a33 5a33 0000 851b 5a33 0300 b004 0000

23

Date: next 2 bytes (after time) 5a33 335a

33 = 51 = 00110011 5a = 90 = 01011010

So: 00110011 01011010

24

0011001101011010 7 bits for the number of years since 1980

0011001: 25 4 bits for the month

1010: 10 5 bits for the day

11010: 26

So... October 26, 2005

5445 5354 2020 2020 4444 2020 0064 851b

5a33 5a33 0000 851b 5a33 0300 b004 0000

25

First cluster: next 2 bytes (after date) Sequence number of the first cluster of the

file 0300 0003 (hexadecimal) So: cluster 3

5445 5354 2020 2020 4444 2020 0064 851b

5a33 5a33 0000 851b 5a33 0300 b004 0000

26

File size: last 4 bytes B0040000 000004b0 So: 1200 bytes

Interpret the following directory entry

Visualize the contents of the root directory of fat12.img by giving the name, size and date of each entry.

5a57 4152 544b 4153 584c 5310 0000 3633

5a33 5a33 0000 3633 5a33 4001 0000 0000

27

Floppy Disk Directories FAT12 Removing files

28

Floppy Disk Directories FAT12 Removing files

29

Directory-entry contains the cluster where the file starts (first cluster value is FAT index) FAT indexes 0 and 1 are unused, so

FAT index 3 matches data cluster 1 FAT index 240 matches data cluster 238

FAT-table gives us the other clusters that potentially are used by the file

30

The FAT contains a 12-bit element for every cluster FAT12So… 2 FAT elements can be saved in 3 bytesE.g. AB CD EF contains both DAB and EFC

(AB CD EF BA DC FE DAB and EFC)

31

000 Free cluster

002-FEFUsed cluster + value pointing to next

cluster

FF0-FF6 Reserved

FF7 Bad cluster

FF8-FFF Used cluster + last cluster of file

32

F0 FF FF 00 40 00 05 F0 FF 00 00 00becomes(FOF FFF) 000 004 005 FFF 000 000orclusters 3, 4 and 5 are in use (cluster 2 is free)

Remember the file size of 1200 bytes?Now we know that the file is stored in 3 clusters:

(3 x 512) – 1200 or 336 bytes of slack space (i.e. lost space due to internal fragmentation loss)

33

Clusters 3, 4 and 5 match with data blocks 1, 2 and 3

How to find where a data block starts? Start address data blocks: 4200 (H) Cluster 1 starts after 1 x 512 bytes or 200 (H)Hence, 4400 is the hexadecimal start address.

34

Find all clusters of the file sum.xls on fat12.img and reconstruct the file

35

Floppy Disk Directories FAT12 Removing files

36

Floppy Disk Directories FAT12 Removing files

37

Find out what happens when a file is removed. How can you see this on the floppy?

Is it possible to undelete a file? How? If yes, are there limitations?

38