CSC414 Exploring The FAT Partition Format Computer FAT Boot Record File Allocation Table System - Boot Sector - Two copies for safety (FAT1 & FAT2) File System - BIOS Parameter Block (BPB) Root Directory of File System Fundamentals - Two extra sectors for FAT32: - Directory of files and their attributes Part IIIa: - File System Information Sector Data Area - FSInfo Sector The File Allocation Table - Divided into clusters - Reserved (empty) Sector (FAT) - Starts at Cluster #2 - FAT32 maintains copy of the three Digital Forensics Center - For FAT32, THINK BIG WE DO boot sectors Department of Computer Science and Statics - Root Directory is part of the data area - Starts at Sector #6
U R I
http://www.forensics.cs.uri.edu
File Allocation Table File Allocation Table
File Allocation Table (FAT) Cluster Next File Allocation Table (FAT) FAT32 Root or File System : : FAT12 / FAT16 Boot BPB Sector - System for storage of files and : : - System for storage of files and BPB Sector Boot Directory FSInfo Sector subdirectories in the Data Area subdirectories in the Data Area Sector Record testFile.docx 44 0 Reserved Sector Reserved Sector(s) - Maintains the clusters used by 45 46 - Maintains the clusters used by BPB Sector File Start = 45 Boot every file on the partition every file on the partition 46 49 FAT1 Record FSInfo Sector Copy Reserved Sector - Which clusters are available for use 4 KB 47 48 - Which clusters are available for use Cluster Size (8 blocks) Reserved Sectors - Which clusters have bad sectors 48
FAT Implementation FAT Implementation
File Allocation Table (FAT) FAT Entry Values - Number of entries (clusters) is limited by the number of bits used to represent FAT Entries FAT12 FAT16 FAT32 cluster IDs (numbers) First Table Entry FF8 FFF8 F8FF 0FF8 FF FF F80F Second Table Entry FFF FF FF 0FFF FF FF FF0F FAT/FAT12 FAT16 FAT32 Used Cluster, value points 002 to FEF 0002 0200 to FFEF EFFF 0002 00 00 0200 to 0FEF FF FF EF0F Maximum Number to next cluster in file FAT32 actually only uses 28 of the 32 bits. 4084 65,526 268,435,456 of Clusters Cluster size is Free Cluster Use a000 FAT12 00 00 00 00 00 00 Disk Editor Cluster Sizes determined by the Reserved Cluster 001 0001 0100 0001 00 00 0100 1 to 8 4 to 64 8 to 64 (sectors) Reserved Values FF0 to FF6 FF F0 to FF F6 0FF0 FF FF F00F to 0FF6 FF FF F60F operating system and Cluster Sizes Bad Cluster FF7 FFF7 F7FF 0FF7 FF FF F70F 0.5 KB to 4 KB 2 KB to 32 KB 4 KB to 32 KB file system and (bytes) Last Cluster in File FF8 to FFF FFF8 F8FF to FF FF 0FF8 FF FF F80F to 0FFF FF FF FF0F depends on partition Maximum Volume 16,736,256 2,147,123,200 about 241 Size (16 MB) (2 GB) size. Clusters 0 and 1 are for system data Boot Record, FAT, and Root Directory FAT Entries are stored in Little Endian order maxVolumeSize = maxClusterSize x maxNumberofCLusters Numbering for data clusters begins at 2 FAT Implementation FAT Implementation
Data Area Cluster Number to Sector Number Data Area Cluster Number to Sector Number FAT12 / FAT16 FAT32 - Cluster number found in FAT - Cluster number found in FAT BPB Sector Boot Boot BPB Sector FSInfo Sector DataAreaStart = ReservedSectors + NumofFATs * Sectors2FAT Sector Record DataAreaStart = ReservedSectors + NumofFATs * Sectors2FAT Reserved Sector + MaxRootEntries * 32 / BytesPerSector Reserved Sector(s) BPB Sector Boot FileStartSector = DataAreaStart FileStartSector = DataAreaStart Record FSInfo Sector FAT1 Copy + (ClusterNumber ! 2) * SectorsPerCluster + (ClusterNumber ! 2) * SectorsPerCluster Reserved Sector Reserved Sectors ClusterNumber = (FileStartSector-DataAreaStart)/SectorsPerCluster + 2 FAT2 ClusterNumber = (FileStartSector-DataAreaStart)/SectorsPerCluster + 2 FAT1 FAT Root Directory 2 Root Directory Data Cluster #2 Cluster #2 Data
Exploring The FAT File System Part IIIa: The File Allocation Table
Digital Forensics Center Department of Computer Science and Statics THINK BIG WE DO
U R I
http://www.forensics.cs.uri.edu