OPERATING SYSTEMS
Frans Sanen
Analyze a FAT file system manually FAT12 first and simplest version
Still used on smaller disks (e.g. floppies) FAT16 & FAT32 as successors (essentially the
same, but more complex) De facto USB stick standard
Resources Microsoft’s general overview of FAT (@
export) Links from the assignment
2
Hex editor Program that allows us to manipulate binary
computer files http://www.softcircuits.com/cygnus/fe XVI-32
ASCII table http://www.prepressure.com/library/
binhex.htm http://www.asciitable.com http://nl.wikipedia.org/wiki/ASCII_%28tekenset
%29#Tabel_van_ASCII-codes 3
Verify the MD5 checksum of the image Linux: md5sum Windows
hksfv (via Google) http://www.irnis.net/gloss/md5sum-
windows.shtml
4
Floppy Disk Directories FAT12 Removing files
5
Floppy Disk Directories FAT12 Removing files
6
Structure of a FAT12 formatted floppy diskPosition
Length Contents
0 1 Boot sector
1 9 Fat 1
10 9 Fat 2
19 14 Root directory
33 2847 Data
7
Sector size is 512B or ½ KB 2880 sectors in total (= 1+9+9+14+2847)
2880 * 1/2 KB = 1440 KB = 1,4 MB
Fat 2 is a copy of Fat 1 Root directory contains the directory
entries
Isolate the different parts for the floppy image (fat12.img) by using a hex editor
Find the (hexadecimal) start addresses for every part
9
Floppy Disk Directories FAT12 Removing files
10
Floppy Disk Directories FAT12 Removing files
11
Directory in FAT12 is a sequence of file descriptions
Every file description consists of 32 bytes
Note: hexadecimal number is a quick way to write
4 binary numbers
12
Position
Length Contents
0 8 Name
8 3 Extension
11 1 Attribute
12 10 Reserved
22 2 Time
24 2 Date
26 2 First cluster
28 4 File size
13
5445 5354 2020 2020 4444 2020 0064 851b
5a33 5a33 0000 851b 5a33 0300 b004 0000
14
Name: first 8 bytes Can be looked up in ASCII table Spaces are used as padding
54 45 53 54 20 20 2020
T E S T _ _ _ _
15
5445 5354 2020 2020 4444 2020 0064 851b
5a33 5a33 0000 851b 5a33 0300 b004 0000
16
Extension: next 3 bytes Can be looked up in ASCII table Spaces are used as padding
44 44 20D D _
5445 5354 2020 2020 4444 2020 0064 851b
5a33 5a33 0000 851b 5a33 0300 b004 0000
17
Attribute: kept in a bitvector Little endian byte order: least significant byte
first E.g. 4A 3B 2C 1D (hexadecimal) is stored as 1D 2C
3B 4A
0 read-only 4 subdir
1 hidden 5 archive
2 system file 6 /
3 volume label 7 /
18
5445 5354 2020 2020 4444 2020 0064 851b
5a33 5a33 0000 851b 5a33 0300 b004 0000
19
Attribute: 12th byte 20 hexadecimal 32 decimal 00100000 in bits (little endian)
Hence... archive!
5445 5354 2020 2020 4444 2020 0064 851b
5a33 5a33 0000 851b 5a33 0300 b004 0000
20
Reserved: next 10 bytes Creation time and date Last accessed
5445 5354 2020 2020 4444 2020 0064 851b
5a33 5a33 0000 851b 5a33 0300 b004 0000
21
Time: next 2 bytes (after reserved part) 851b 1b85
1b = 27 = 00011011 85 = 133 = 10000101
So: 00011011 10000101
22
0001101110000101 Hours: 5 bits
00011 or 3 Minutes: 6 bits
011100: 28 Seconds: 5 bits (only even seconds!)
00101: 5 10
So... 3h 28m 10s
5445 5354 2020 2020 4444 2020 0064 851b
5a33 5a33 0000 851b 5a33 0300 b004 0000
23
Date: next 2 bytes (after time) 5a33 335a
33 = 51 = 00110011 5a = 90 = 01011010
So: 00110011 01011010
24
0011001101011010 7 bits for the number of years since 1980
0011001: 25 4 bits for the month
1010: 10 5 bits for the day
11010: 26
So... October 26, 2005
5445 5354 2020 2020 4444 2020 0064 851b
5a33 5a33 0000 851b 5a33 0300 b004 0000
25
First cluster: next 2 bytes (after date) Sequence number of the first cluster of the
file 0300 0003 (hexadecimal) So: cluster 3
5445 5354 2020 2020 4444 2020 0064 851b
5a33 5a33 0000 851b 5a33 0300 b004 0000
26
File size: last 4 bytes B0040000 000004b0 So: 1200 bytes
Interpret the following directory entry
Visualize the contents of the root directory of fat12.img by giving the name, size and date of each entry.
5a57 4152 544b 4153 584c 5310 0000 3633
5a33 5a33 0000 3633 5a33 4001 0000 0000
27
Floppy Disk Directories FAT12 Removing files
28
Floppy Disk Directories FAT12 Removing files
29
Directory-entry contains the cluster where the file starts (first cluster value is FAT index) FAT indexes 0 and 1 are unused, so
FAT index 3 matches data cluster 1 FAT index 240 matches data cluster 238
FAT-table gives us the other clusters that potentially are used by the file
30
The FAT contains a 12-bit element for every cluster FAT12So… 2 FAT elements can be saved in 3 bytesE.g. AB CD EF contains both DAB and EFC
(AB CD EF BA DC FE DAB and EFC)
31
000 Free cluster
002-FEFUsed cluster + value pointing to next
cluster
FF0-FF6 Reserved
FF7 Bad cluster
FF8-FFF Used cluster + last cluster of file
32
F0 FF FF 00 40 00 05 F0 FF 00 00 00becomes(FOF FFF) 000 004 005 FFF 000 000orclusters 3, 4 and 5 are in use (cluster 2 is free)
Remember the file size of 1200 bytes?Now we know that the file is stored in 3 clusters:
(3 x 512) – 1200 or 336 bytes of slack space (i.e. lost space due to internal fragmentation loss)
33
Clusters 3, 4 and 5 match with data blocks 1, 2 and 3
How to find where a data block starts? Start address data blocks: 4200 (H) Cluster 1 starts after 1 x 512 bytes or 200 (H)Hence, 4400 is the hexadecimal start address.
34
Find all clusters of the file sum.xls on fat12.img and reconstruct the file
35
Floppy Disk Directories FAT12 Removing files
36
Floppy Disk Directories FAT12 Removing files
37
Find out what happens when a file is removed. How can you see this on the floppy?
Is it possible to undelete a file? How? If yes, are there limitations?
38
Top Related