Revealed and Dissected - SANS Computer Forensics Training
Page 1
© 2009-2010 J. Hamm
Revealed and Dissected
Page 2
• Describe exFAT, what systems it’s enabled on, and explain why it was implemented.
• Identify an exFAT volume and explain the information contained in the Volume Boot Record.
• Explain how exFAT tracks fragmentation and allocation.
• Define the information contained in the directory records on an exFAT volume.
R. Shullich
Page 3
• Identify when and why exFAT was introduced
• Recognize what Microsoft operating systems read and write to exFAT
• Understand the scalability and limitations of exFAT
• Determine if a system was capable of using the exFAT File System
Page 4
• Extended FAT (exFAT)
Page 5
• Removable Media
• Large Multimedia Files
• Limited Overhead
• Transactional FAT Compatible
Page 6
• Introduced with Windows CE 6.0 in November 2006
• Spring 2008 – Vista Service Pack 1 released with exFAT capabilities
• January 2009 – SDXC (eXtended Capacity) memory card specification announced; exFAT designated as the exclusive file system for use by host devices as the standard
• January 2009 – Windows XP drivers available directly from Microsoft
• March 2009 – SDXC cards released by Pretec
• Spring 2010 – host devices set to be released
Page 7
• Windows Vista SP 1
• Windows XP SP 2 (with updates)
• Windows XP SP 3 (with updates)
• Windows Server 2003
• Windows Server 2008
• Windows 7
• Windows CE 6.0
Page 8
• File Size: 16 EiB, based on a 64-bit limitation for “File Size”*
• Maximum Files per Sub-Directory: 2,796,202*
• File Name Length: 255 Characters
• Volume Size: 64 ZiB (Microsoft recommends 512 TiB)

Shorthand  Longhand   Power of 2  Bytes
Ki         Kilobyte   2^10        1024
Mi         Megabyte   2^20        1024 KiB
Gi         Gigabyte   2^30        1024 MiB
Ti         Terabyte   2^40        1024 GiB
Pi         Petabyte   2^50        1024 TiB
Ei         Exabyte    2^60        1024 PiB
Zi         Zettabyte  2^70        1024 EiB
Page 9
• Universal Time Code (UTC)
• Transactional exFAT (TexFAT) Compatibility
• Access Control List (ACL) Support
Page 10
• System Files
  – exfat.sys – located in %SystemRoot%\System32\Drivers\
  – format.com – will include “exFAT” as an option
  – uexfat.dll – located in %SystemRoot%\System32\
• Other files modified include:
  – fmifs.dll
  – fs_rec.sys
  – ifsutil.dll
  – Shell32.dll
  – ulib.dll
  – xpsp3res.dll
Page 11
• Registry Keys XP:
  – SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB955704
    • Presence indicates exFAT files installed and lists them separately in each entry.
  – SYSTEM\%Current Control Set%\Enum\Root\LEGACY_EXFAT
  – SYSTEM\%Current Control Set%\Services\exFat
  – Other entries will show “exFAT”
Page 12
• Registry Keys Vista:
  – SYSTEM\%Current Control Set%\Enum\Root\LEGACY_EXFAT
  – SYSTEM\%Current Control Set%\Services\Eventlog\System\exFat
  – SYSTEM\%Current Control Set%\Services\exFat
  – Other entries will show “exFAT”
Page 13
• Identify when and why exFAT was introduced
• Recognize what Microsoft operating systems read and write to exFAT
• Understand the scalability and limitations of exFAT
• Determine if a system was capable of using the exFAT File System
Page 14
June 6th, 2010
• Bits are numbered right to left – 76543210
• Decimal Offsets (zero based)
• Little-Endian numbers
• Unsigned numbers
• Sectors vs. Clusters
• Strings are 16-bit Unicode
• Strings not Terminated
Page 15
• Identify an exFAT Volume
• Manually Parse the Information in the Volume Boot Record (VBR)
• Interpret logical cluster mapping
• Locate the first cluster of the Root directory
• Recognize the 0x55 AA signature at the end of the first 9 sectors of the volume and the VBR backup
• Recognize the 12th sector of the volume
• Identify and locate the backup VBR
Page 16
Volume layout (diagram):
Boot Record – 12 Sectors (System Area)
Backup Boot Record – 12 Sectors (System Area)
FAT (Linked List) – Variable Length: Defined in the Boot Record
Cluster Heap (Data Area) – Variable Length: Defined in the Boot Record
Starting Extent of the Root Directory – 1st Cluster: Defined in the Boot Record
Note: The Root directory can and will fragment.
Page 17
Offset (hex)  Offset (dec)  Length  Field Definition
x00           0             3       Jump Code
x03           3             8       OEM File System Identifier
x0B           11            35      Must be Zero
x40           64            4       Partition Sector Offset – Will be Zero for Removable Media
x48           72            8       Total Sectors on the Volume
x50           80            4       FAT Location in Sectors
x54           84            4       Physical Size of the FAT in Sectors
x58           88            4       Physical Sector Location of the Cluster Heap (Cluster 2)
x5C           92            4       Allocation Units on the Volume (Bit Count)
x60           96            4       1st Cluster of the Root Directory
x64           100           4       Volume Serial Number
x68           104           2       File System Revision Number – 1.0
x6A           106           1       Volume Flags
x6B           107           1       Active FAT
x6C           108           1       Bytes per Sector
x6D           109           1       Sectors Per Cluster (in Powers of 2)
x6E           110           1       The Number of FATs on the Volume
x70           112           1       Percentage In Use
Page 18
Offset 0 : 3 Byte Value
Jump Code
Required for Microsoft file systems even when the device is not bootable.
Page 19
Offset 3 : 8 Byte Value
OEM Identifier
x45 58 46 41 54 20 20 20
exFAT
Page 20
Offset 72 : 8 Byte Value
Total Number of Sectors on the Volume
x00 81 0F 00 00 00 00 00
1,016,064 Sectors
Page 21
Offset 80 : 4 Byte Value
Starting Location of the FAT (Linked List)
x80 00 00 00
Physical Sector 128
Page 22
Offset 84 : 4 Byte Value
Size of the FAT (Linked List)
x03 1F 00 00
7939 Sectors
Page 23
Offset 88 : 4 Byte Value
Starting Location of the Cluster Heap (Data Area)
x00 20 00 00
Physical Sector 8192
Page 24
Offset 92 : 4 Byte Value
Allocation Units on the Volume (Clusters)
x00 61 0F 00
1,007,872 Units (Each Represented by a Bit)
Page 25
Offset 96 : 4 Byte Value
Location of the 1st Cluster of the Root Directory
x05 01 00 00
Logical Cluster 261
Page 26
The data area (cluster heap) of an exFAT disk begins addressing at cluster two.
Hint: This can make manually navigating the file system difficult. To keep locations relative, locate cluster zero of the file system by subtracting two clusters from the starting sector of the Bitmap.
0x0F8100 = 8192 (Sector location of Cluster 2) – 2 Clusters = Sector 8190
Page 27
To find the first sector of the root directory, find the cluster offset relative to the defined location of cluster 2. In this example one sector equals one cluster and cluster 2 starts in sector 8192.
0x0105 = Cluster 261 (defined above) + Sector 8192 (defined in the VBR as the start of the cluster heap) – 2 Clusters (addressing begins at cluster 2) = Sector 8451
The starting cluster of the root directory is cluster 261 and its location is sector 8451.
Page 28
If the cluster size is set to 1024 bytes (2 sectors per cluster) the addressing works in the same fashion. The value 4224 is the starting location of the cluster heap and is addressed as cluster 2.
Hint: To find logical cluster addressing, subtract 4 sectors (2 clusters) from 4224; the result is the equivalent of cluster zero. Sector 4220 will be the starting point for cluster addressing.
Page 29
To find the first sector of the root directory, start cluster mapping from the previous location (sector 4220). (Two sectors equal one cluster in this example.)
0x46 = 70 Clusters (as defined in the VBR) = 140 Sectors + 4224 Sectors (defined as the starting location of the data area) – 2 Clusters (4 Sectors) = Sector 4360
The starting cluster of the root directory is cluster 70 and its location is sector 4360.
Page 30
Offset 100 : 4 Byte Value
Volume Serial Number
xFD D9 FC C8
C8FC-D9FD
Page 31
Offset 104 : 2 Byte Value
File System Version
x00 01
exFAT 1.00
Page 32
Offset 108 : 1 Byte Value
Sector Size
x09
2^9 (512 bytes)
Page 33
Offset 109 : 1 Byte Value
The Number of Sectors Per Cluster
x00
2^0 = 1 Sector Per Cluster
Page 34
Offset 110 : 1 Byte Value
Number of FATs in Use
x01
1
Page 35
Offset 111 : 1 Byte Value
Used by INT13
x80
Page 36
Offset 112 : 1 Byte Value
Percentage of Cluster Heap in Use
0x01
1% in use
Page 37
The last 2 bytes of each sector will be x55 AA. This value will be present in the first 9 sectors of the boot record and the first 9 sectors of the backup boot record.
*Assuming 512 byte sectors
Page 38
The 12th sector of the boot record and of the backup boot record will contain a repeated 4 byte value. The value is a checksum of the other sectors of the boot region, calculated without including the Volume Flags and Percent In Use fields.
Page 39
• Sectors 12-23 will contain a complete backup of the first 12 sectors of the volume
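The three boot-region checks from the last three slides (the 0x55 AA signature on the first 9 sectors, the repeated 4-byte checksum in the 12th sector, and the backup copy at sectors 12-23), as an added Python example that is not the presentation's code. The slides only say which two fields the checksum skips; the rotate-right-and-add algorithm used here is the one published in Microsoft's exFAT specification. The 24-sector boot region is constructed inline with a minimal boot sector, and all function names are this example's own.

```python
"""Verify the exFAT boot region: 0x55AA signatures, the repeated checksum
in sector 11 (the 12th sector) and the backup copy at sectors 12-23.

Added example for this transcript, not code from the slides or their
authors.  The checksum is the rotate-and-add algorithm from Microsoft's
published exFAT specification; the boot region below is CONSTRUCTED.
"""
import struct

SECTOR = 512                       # the slides assume 512-byte sectors
SKIPPED_OFFSETS = {106, 107, 112}  # Volume Flags (2 bytes) and Percent In Use


def boot_checksum(first_eleven_sectors: bytes) -> int:
    """32-bit rotate-right-and-add checksum over sectors 0-10 of the boot
    region, skipping the fields the driver rewrites at run time."""
    checksum = 0
    for index, byte in enumerate(first_eleven_sectors):
        if index in SKIPPED_OFFSETS:
            continue
        checksum = ((checksum & 1) << 31) | (checksum >> 1)   # rotate right by 1
        checksum = (checksum + byte) & 0xFFFFFFFF
    return checksum


def build_boot_region(volume_flags: int = 0, percent_in_use: int = 1) -> bytes:
    """Construct a 24-sector boot region (main + backup) around a minimal VBR."""
    main = bytearray(SECTOR * 12)
    main[0:3] = b"\xEB\x76\x90"                   # jump code
    main[3:11] = b"EXFAT   "                      # OEM identifier
    struct.pack_into("<Q", main, 72, 1016064)     # total sectors (slide value)
    struct.pack_into("<I", main, 96, 261)         # root directory cluster (slide value)
    struct.pack_into("<H", main, 106, volume_flags)
    main[108], main[109], main[110] = 9, 0, 1     # 512-byte sectors, 1 sector/cluster, 1 FAT
    main[112] = percent_in_use
    for s in range(9):                            # sectors 0-8 end in 0x55AA
        end = (s + 1) * SECTOR
        main[end - 2:end] = b"\x55\xAA"
    checksum = boot_checksum(bytes(main[:SECTOR * 11]))
    main[SECTOR * 11:SECTOR * 12] = struct.pack("<I", checksum) * (SECTOR // 4)
    return bytes(main) + bytes(main)              # sectors 12-23 are an exact copy


def signatures_present(region: bytes, base_sector: int = 0) -> bool:
    """True when the 9 sectors starting at base_sector all end in 0x55AA."""
    ends = ((base_sector + s + 1) * SECTOR for s in range(9))
    return all(region[end - 2:end] == b"\x55\xAA" for end in ends)


def checksum_sector_valid(region: bytes, base_sector: int = 0) -> bool:
    """Recompute the checksum of sectors base..base+10 and compare it with
    every 4-byte value stored in sector base+11."""
    start = base_sector * SECTOR
    expected = boot_checksum(region[start:start + SECTOR * 11])
    stored = region[start + SECTOR * 11:start + SECTOR * 12]
    return len(stored) == SECTOR and all(
        struct.unpack_from("<I", stored, i)[0] == expected for i in range(0, SECTOR, 4))


def verify_boot_region(region: bytes) -> dict:
    """The checks an examiner would run on the main VBR and its backup."""
    return {
        "main_valid": signatures_present(region, 0) and checksum_sector_valid(region, 0),
        "backup_valid": signatures_present(region, 12) and checksum_sector_valid(region, 12),
        "backup_matches_main": region[:SECTOR * 12] == region[SECTOR * 12:SECTOR * 24],
    }


if __name__ == "__main__":
    print(verify_boot_region(build_boot_region()))
```

A main VBR that fails the checksum while the backup still passes is the situation the backup exists for; comparing the two regions byte for byte tells the examiner whether only the run-time fields differ or something else was altered.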
Page 40
• Identify an exFAT Volume
• Manually Parse the Information in the Volume Boot Record (VBR)
• Interpret logical cluster mapping
• Locate the first cluster of the Root directory
• Recognize the 0x55 AA signature at the end of the first 9 sectors of the volume and the VBR backup
• Recognize the 12th sector of the volume
• Identify and locate the backup VBR
Page 41
• Review of a FAT from a FAT32 File System
• Define the Possible States of Entries in the Linked List
• Track Fragmentation in the FAT in exFAT
Page 42
• The FAT file system is named for the use of a File Allocation Table (FAT)
• A FAT32 file system by default has a FAT0 and a FAT1 (or FAT 1 and FAT 2)
• Directory Entries track file name, metadata, and starting extent of a file
• The FAT tracks the fragmentation of a file
• The FAT tracks allocation status of a cluster
Page 43
• An entry in a FAT12/16/32 File Allocation Table can be:
  – A pointer to the next cluster
  – An end of file marker
  – A designation for a bad cluster
  – A zero for an unallocated cluster
Page 44
• exFAT uses a Linked List to track data file fragmentation
• A flag in the directory record indicates if the FAT is being used for the file
• The exFAT FAT does not track allocation status
• The only Media Type is 0xF8
Page 45
• Pointer to Next Fragment
• End of File (0xFF FF FF FF) (null value)
• No Fragmentation Being Tracked (0x00 00 00 00)
Page 46
Pointer to the next Pointer → Pointer to the next Pointer → End of File 0xFFFFFFFF
Page 47
Each entry is 4 bytes in length. It can point to another location, it can be terminated by the hex value 0xFFFFFFFF, or it can be left zeros, indicating no fragmentation for the addressed portion of the FAT.
Page 48
This example is the location for tracking the 0x000000FC (252nd) allocation unit. Its value points to the next fragment: 0x000000FD (253).
Page 49
0x000000FC (253) points to 0x000000FE (254) and so on.
Page 50
So, 252 points to 253, which points to 254, then 255, 256, 257, 258, 259 and finally 260.
Page 51
And finally, 0xFFFFFFFF is the end of file marker.
Page 52
• Review of a FAT from a FAT32 File System
• Define the Possible States of Entries in the Linked List
• Track Fragmentation in the FAT in exFAT
Page 53
• Locate the bitmap on an exFAT volume
• Explain how the bitmap tracks allocated clusters
Page 54
• A bitmap is used in exFAT for quickly determining whether a cluster is available to write to
• This is much more efficient than parsing the linked list for the availability of a cluster
• This provides a quick way to find a place to write a file so as to avoid fragmentation
Page 55
• Each cluster is tracked in the bitmap
• A single bit is used for each cluster on the volume
• The value can be either
  – 0 – unallocated cluster
  – 1 – allocated cluster
Page 56
• The bitmap tracks each cluster by using the least significant bit of a byte to represent the allocation status of the first cluster in the respective range.
Page 57
• For example, if only the first cluster were allocated, the bitmap would have a value of 0x01 – or 0000 0001
• If the first and eighth cluster were allocated the value would be 0x81 – or 1000 0001
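The two structures covered since page 44, the FAT chain that tracks fragmentation and the bitmap that tracks allocation, as one added Python example (not code from the presentation or its authors). The FAT is constructed to hold the 252 → 253 → … → 260 → 0xFFFFFFFF chain from pages 48-51 plus a deliberately fragmented second chain, and the bitmap byte 0x81 from page 57; bit 0 of the bitmap is taken to be cluster 2, the first cluster of the heap. The NoFatChain handling follows the page 44 statement that a directory-record flag says whether the FAT is used for a file; function names are this example's own.

```python
"""Follow a cluster chain in the exFAT FAT and read allocation bits from
the bitmap.  Added example for this transcript, not code from the slides
or their authors.  The FAT and bitmap below are CONSTRUCTED: the FAT holds
the chain 252 -> 253 -> ... -> 260 -> end-of-file from the slides, and
bitmap byte 0 is 0x81 (first and eighth clusters of the heap allocated).
"""
import struct

MEDIA_TYPE_ENTRY = 0xFFFFFFF8   # FAT[0]: media type 0xF8 with the upper bits set
END_OF_CHAIN = 0xFFFFFFFF       # end-of-file marker
NOT_TRACKED = 0x00000000        # no chain recorded for this cluster
FIRST_CLUSTER = 2               # the cluster heap is addressed from cluster 2


def build_sample_fat(cluster_count: int = 1024) -> bytes:
    """FAT with the slides' chain plus a deliberately fragmented second file."""
    fat = bytearray(4 * (cluster_count + FIRST_CLUSTER))
    struct.pack_into("<I", fat, 0, MEDIA_TYPE_ENTRY)
    struct.pack_into("<I", fat, 4, END_OF_CHAIN)       # entry 1 is reserved
    for c in range(252, 260):                          # 252 -> 253 -> ... -> 260
        struct.pack_into("<I", fat, 4 * c, c + 1)
    struct.pack_into("<I", fat, 4 * 260, END_OF_CHAIN)
    for src, dst in ((300, 305), (305, 301), (301, END_OF_CHAIN)):  # fragmented
        struct.pack_into("<I", fat, 4 * src, dst)
    return bytes(fat)


def fat_entry(fat: bytes, cluster: int) -> int:
    """4-byte little-endian FAT entry for a cluster."""
    return struct.unpack_from("<I", fat, 4 * cluster)[0]


def follow_chain(fat: bytes, first_cluster: int) -> list:
    """Walk the linked list from first_cluster to the end-of-file marker.

    A zero entry means the FAT is not tracking this cluster (the directory
    entry's NoFatChain flag is set instead) and a revisited cluster means a
    corrupt loop; both stop the walk with an error."""
    chain, seen = [], set()
    cluster = first_cluster
    while cluster != END_OF_CHAIN:
        if cluster < FIRST_CLUSTER or 4 * cluster + 4 > len(fat):
            raise ValueError(f"cluster {cluster} lies outside the FAT")
        if cluster in seen:
            raise ValueError(f"loop detected at cluster {cluster}")
        seen.add(cluster)
        chain.append(cluster)
        cluster = fat_entry(fat, cluster)
        if cluster == NOT_TRACKED:
            raise ValueError(f"cluster {chain[-1]} has no FAT chain entry")
    return chain


def file_clusters(fat: bytes, first_cluster: int, data_length: int,
                  cluster_bytes: int, no_fat_chain: bool) -> list:
    """Clusters of a file.  With NoFatChain set the file is contiguous and
    the FAT is not consulted; otherwise the chain is followed."""
    if no_fat_chain:
        count = (data_length + cluster_bytes - 1) // cluster_bytes
        return list(range(first_cluster, first_cluster + count))
    return follow_chain(fat, first_cluster)


def build_sample_bitmap(allocated: tuple = (2, 9), cluster_count: int = 1024) -> bytes:
    """Bitmap with one bit per cluster; bit 0 of byte 0 is cluster 2."""
    bitmap = bytearray((cluster_count + 7) // 8)
    for cluster in allocated:
        index = cluster - FIRST_CLUSTER
        bitmap[index >> 3] |= 1 << (index & 7)    # least significant bit first
    return bytes(bitmap)


def is_allocated(bitmap: bytes, cluster: int) -> bool:
    """Allocation bit of one cluster."""
    index = cluster - FIRST_CLUSTER
    return bool(bitmap[index >> 3] >> (index & 7) & 1)


def allocated_clusters(bitmap: bytes, cluster_count: int) -> list:
    """All clusters whose bitmap bit is set, in cluster order."""
    return [c for c in range(FIRST_CLUSTER, FIRST_CLUSTER + cluster_count)
            if is_allocated(bitmap, c)]


if __name__ == "__main__":
    fat, bitmap = build_sample_fat(), build_sample_bitmap()
    print("chain from 252:", follow_chain(fat, 252))
    print("fragmented chain from 300:", follow_chain(fat, 300))
    print("bitmap byte 0 = 0x%02X, allocated:" % bitmap[0], allocated_clusters(bitmap, 16))
```

Because the exFAT FAT carries no allocation state, a cluster whose bitmap bit is set but whose FAT entry is zero is normal (a contiguous file with NoFatChain), whereas a chain that runs through clusters whose bitmap bits are clear is an inconsistency worth recording.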
Page 58
• Recognize exFAT Directory Entries
• Understand the Three Record Types in a Directory Entry
  – Directory Entry Record
  – Stream Extension
  – File Name Extension
• Locate the Starting Cluster and Size of a File
• Identify Deleted Files
Page 59
• Directory entries are a series of 32 byte records.
• Each record has a type flag located in the first byte of the record.
• A file will have at least 3 records.
Page 60
Page 61
Directory Entry Record – Tracks attributes and created, accessed and modified times.
Stream Extension – Tracks size and starting extent of the file. Also tracks the size of the filename.
File Name Extension – This actually contains the filename in Unicode characters.
Note: Additional records may be created and used for longer file names.
Page 62
Type (hex)  Field Definition
x85         Directory Entry Record
x83         Volume Name Record
x82         Up-Case Table Logical Location and Size
x81         Bitmap Logical Location and Size
xC0         Stream Extension
xC1         File Name Extension
Page 63
Offset (hex)  Offset (dec)  Length  Field Definition
x00           0             1       Record Type x85 – Directory Entry Record
x01           1             1       Secondary Count (Number of Additional 32 Byte Records in the Entry)
x02           2             2       Record Entry Checksum
x04           4             2       DOS File Flags (Archive, Hidden, etc)
x06           6             2       Unknown (Values only on Volume Label)
x08           8             4       Created Date and Time
x0C           12            4       Last Modified Date and Time
x10           16            4       Last Accessed Date and Time
x14           20            2       10 ms Increments Added to Created and Modified Times Respectively
x18           22            3       Time Zone Offset Applied to the File Time
Page 64
Offset (hex)  Offset (dec)  Length  Field Definition
x00           0             1       Record Type xC0
x01           1             1       Secondary Flags (Including NO FAT)
x03           3             1       Number of Unicode Characters in the File Name
x04           4             2       File Name Hash
x06           6             2       Reserved
x08           8             8       Initialized Size of the File in Bytes
x10           16            4       Reserved
x14           20            4       Starting Cluster of the File
x18           24            8       Logical Size of the File in Bytes
Page 65
Offset (hex)  Offset (dec)  Length    Field Definition
x00           0             1         Record Type xC1
x02           2             Variable  File Name
Length is in Unicode Characters as Defined in the xC0 Record.
If more than one entry is necessary, the file name will continue in the next entry, again starting at offset 0x02.
Page 66
Page 67
Hex     Binary     Description
0x0001  0000 0001  Read Only
0x0002  0000 0010  Hidden File
0x0004  0000 0100  System File
0x0020  0010 0000  Archive
Page 68
Page 69
Page 70
Page 71
Hex     Binary     Description
0x0001  0000 0001  Allocation Possible
0x0002  0000 0010  No FAT Chain in Use
Page 72
Page 73
Unallocated records are tracked by switching one bit in the entry. A record may be marked unallocated when a file name is changed – this is not exclusive to deletion.
If the first bit is “1”, then the record is in use.
If the first bit is “0”, then the record is not in use.
Page 74
Record                              Binary    Hex
Unused Entry                        00000000  0x00
Allocated Directory Entry Record    10000101  0x85
Unallocated Directory Entry Record  00000101  0x05
Page 75
Record                        Binary    Hex
Unused Entry                  00000000  0x00
Allocated Stream Extension    11000000  0xC0
Unallocated Stream Extension  01000000  0x40
Page 76
Record                        Binary    Hex
Unused Entry                  00000000  0x00
Allocated File Name Record    11000001  0xC1
Unallocated File Name Record  01000001  0x41
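The directory-record material from pages 59 through 76 (the 0x85 / 0xC0 / 0xC1 entry set, the attribute and secondary-flag bits, and the in-use bit that distinguishes 0x85/0xC0/0xC1 from 0x05/0x40/0x41), as an added Python example that is not the presentation's code. Record layouts follow the tables on the slides; the packed timestamp layout (date in the high 16 bits, time in the low 16 bits, two-second resolution) is taken from Microsoft's exFAT specification, since the slides give only the field's size. The directory is constructed inline with made-up names, sizes and dates, the entry-set checksum field is left zero, and the function names are this example's own.

```python
"""Parse exFAT directory entry sets (0x85 / 0xC0 / 0xC1 records) and tell
in-use files from deleted ones.  Added example for this transcript, not
code from the slides or their authors.  Record layouts follow the slide
tables; the packed timestamp layout comes from Microsoft's exFAT
specification.  The directory below is CONSTRUCTED.
"""
import struct
from datetime import datetime

ENTRY = 32
ATTRIBUTES = {0x0001: "READ_ONLY", 0x0002: "HIDDEN", 0x0004: "SYSTEM", 0x0020: "ARCHIVE"}
ALLOCATION_POSSIBLE = 0x01       # secondary flags in the 0xC0 record
NO_FAT_CHAIN = 0x02


def pack_timestamp(dt: datetime) -> int:
    """Date in the high 16 bits (years since 1980), time in the low 16 bits."""
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return (date << 16) | time


def unpack_timestamp(value: int) -> datetime:
    date, time = value >> 16, value & 0xFFFF
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def build_entry_set(name: str, first_cluster: int, size: int, attributes: int,
                    created: datetime, in_use: bool = True) -> bytes:
    """One file: a 0x85 record, a 0xC0 stream extension and as many 0xC1
    name records as the name needs (15 UTF-16 characters each, from offset 2)."""
    utf16 = name.encode("utf-16-le")
    name_records = (len(name) + 14) // 15
    rec = bytearray(ENTRY * (2 + name_records))
    rec[0], rec[1] = 0x85, 1 + name_records                # type, secondary count
    struct.pack_into("<H", rec, 4, attributes)             # DOS file flags
    ts = pack_timestamp(created)
    struct.pack_into("<III", rec, 8, ts, ts, ts)           # created, modified, accessed
    s = ENTRY                                              # stream extension record
    rec[s], rec[s + 1], rec[s + 3] = 0xC0, ALLOCATION_POSSIBLE | NO_FAT_CHAIN, len(name)
    struct.pack_into("<Q", rec, s + 8, size)               # initialized size
    struct.pack_into("<I", rec, s + 20, first_cluster)     # starting cluster
    struct.pack_into("<Q", rec, s + 24, size)              # logical size
    for i in range(name_records):
        e = ENTRY * (2 + i)
        chunk = utf16[i * 30:(i + 1) * 30]
        rec[e] = 0xC1
        rec[e + 2:e + 2 + len(chunk)] = chunk
    if not in_use:                                         # deletion clears bit 7 of each record
        for e in range(0, len(rec), ENTRY):
            rec[e] &= 0x7F                                 # 0x85->0x05, 0xC0->0x40, 0xC1->0x41
    return bytes(rec)


def build_sample_directory() -> bytes:
    """CONSTRUCTED directory: one live file, one deleted file, then an unused record."""
    live = build_entry_set("report.pdf", 300, 70000, 0x0020, datetime(2010, 6, 6, 10, 30))
    gone = build_entry_set("old_notes.txt", 512, 1234, 0x0022,
                           datetime(2009, 12, 10, 8, 0), in_use=False)
    return live + gone + bytes(ENTRY)                      # 0x00 record: nothing follows


def parse_directory(data: bytes) -> list:
    """Return one dict per file entry set, deleted sets included."""
    files, off = [], 0
    while off + ENTRY <= len(data):
        etype = data[off]
        if etype == 0x00:                                  # unused entry ends the directory
            break
        if etype & 0x7F != 0x05:                           # label, bitmap, up-case table: skip
            off += ENTRY
            continue
        count = data[off + 1]
        attrs = struct.unpack_from("<H", data, off + 4)[0]
        created, modified, accessed = struct.unpack_from("<III", data, off + 8)
        s = off + ENTRY                                    # stream extension record
        name_len = data[s + 3]
        raw = b"".join(data[n + 2:n + ENTRY]               # 0xC1 records hold the name
                       for n in range(s + ENTRY, s + ENTRY * count, ENTRY))
        files.append({
            "name": raw.decode("utf-16-le")[:name_len],
            "in_use": bool(etype & 0x80),                  # 0x85 in use, 0x05 deleted
            "attributes": [n for bit, n in ATTRIBUTES.items() if attrs & bit],
            "created": unpack_timestamp(created),
            "modified": unpack_timestamp(modified),
            "accessed": unpack_timestamp(accessed),
            "no_fat_chain": bool(data[s + 1] & NO_FAT_CHAIN),
            "first_cluster": struct.unpack_from("<I", data, s + 20)[0],
            "valid_length": struct.unpack_from("<Q", data, s + 8)[0],
            "data_length": struct.unpack_from("<Q", data, s + 24)[0],
        })
        off += ENTRY * (1 + count)
    return files


if __name__ == "__main__":
    for f in parse_directory(build_sample_directory()):
        state = "in use" if f["in_use"] else "DELETED"
        print(f"{f['name']:<16} {state:<8} cluster {f['first_cluster']:>5} "
              f"{f['data_length']:>7} bytes  created {f['created']}")
```

A deleted set keeps its name, starting cluster and size intact, so the parser recovers them exactly as for a live file; only the in-use bit differs, which is why page 73 warns that a cleared bit can also come from a rename rather than a deletion.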
Page 77
• Recognize exFAT Directory Entries
• Understand the Three Record Types in a Directory Entry
  – Directory Entry Record
  – Stream Extension
  – File Name Extension
• Locate the Starting Cluster and Size of a File
• Identify Deleted Files
Page 78
• Describe exFAT, what systems it’s enabled on, and explain why it was implemented.
• Identify an exFAT volume and explain the information contained in the Volume Boot Record.
• Explain how exFAT tracks fragmentation and allocation.
• Define the information contained in the directory records on an exFAT volume.
Page 79
Jeff Hamm, CFCE
US Department of State – Computer Investigations and Forensics
Paradigm Solutions
[email protected]
431 8735
Robert Shullich, CPP, CISSP, CISA, GSEC, GCIH, GCFA, CEH
Information Security
[email protected]
rshullic.wordpress.com
Page 80
June 6th, 2010
SANS Reading Room: http://www.sans.org/reading_room/whitepapers/forensics/rss/reverse_engineering_the_microsoft_exfat_file_system_33274
Microsoft Patent: Microsoft Patent 0164440 (June 25, 2009). Quick Filename Lookup Using Name Hash. Pub No. US 2009/0164440 A1. Retrieved December 10, 2009 from http://www.pat2pdf.org/patents/pat20090164440.pdf