Difference between revisions of "FAT"

From ForensicsWiki
(Forensics Issues)
(14 intermediate revisions by 3 users not shown)

Revision as of 13:46, 25 January 2006

Technical Overview

FAT, or file allocation table, is a file system that is designed to keep track of allocation status of clusters on a hard drive. Developed in 1977 by Microsoft Corporation, FAT was originally intended to be a file system for the Microsoft Disk BASIC interpreter. FAT was quickly incorporated into an early version of Tim Patterson's QDOS, which was a moniker for "Quick and Dirty Operating System". Microsoft later purchased the rights to QDOS and released it under Microsoft branding as PC-DOS and later, MS-DOS.

File Allocation Table Structure

[Figure (Yale fat16 diagram.jpg): Basic layout of the FAT16 file system.]

The FAT file system is composed of several areas:

  • Boot Record or Boot Sector
  • FATs
  • Root Directory or Root Folder
  • Data Area

Boot Record

When a computer is powered on, a POST (power-on self test) is performed, and control is then transferred to the MBR (Master Boot Record). The MBR is present no matter what file system is in use, and contains information about how the storage device is logically partitioned. When using a FAT file system, the MBR hands off control of the computer to the Boot Record, which is the first sector on the partition. The Boot Record, which occupies a reserved area on the partition, contains executable code, in addition to information such as an OEM identifier, number of FATs, media descriptor (type of storage device), and information about the operating system to be booted. Once the Boot Record code executes, control is handed off to the operating system installed on that partition.

FATs

The primary task of the FATs is to keep track of the allocation status of clusters, or logical groupings of sectors, on the disk drive. There are four different possible FAT entries: allocated (along with the address of the next cluster associated with the file), unallocated, end of file, and bad sector.

In order to provide redundancy in case of data corruption, two FATs, FAT1 and FAT2, are stored in the file system.
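Added example (not part of the ForensicsWiki page): decoding the packed 12-bit entries of a FAT12 table into the four states just listed and following a file's cluster chain to its end-of-file marker. The table is constructed inline with one chain, one bad cluster and one free cluster; the loop check in walk_chain is an assumption added here so a corrupted FAT cannot send the walk round forever.

```python
FAT12_BAD = 0xFF7      # entries 0 and 1 are reserved; data clusters start at 2
FAT12_EOF = 0xFF8      # 0xFF8..0xFFF all mean end of chain

def fat12_get(fat: bytes, n: int) -> int:
    """Read entry n: two 12-bit entries share three bytes, so entry n starts at byte n + n//2."""
    off = n + n // 2
    word = fat[off] | (fat[off + 1] << 8)
    return (word >> 4) if n & 1 else (word & 0x0FFF)

def fat12_set(fat: bytearray, n: int, value: int) -> None:
    """Write entry n without disturbing the neighbouring entry that shares a byte with it."""
    off = n + n // 2
    word = fat[off] | (fat[off + 1] << 8)
    if n & 1:
        word = (word & 0x000F) | ((value & 0x0FFF) << 4)
    else:
        word = (word & 0xF000) | (value & 0x0FFF)
    fat[off], fat[off + 1] = word & 0xFF, word >> 8

def classify(value: int) -> str:
    # The four FAT entry states described on the page.
    if value == 0:
        return "unallocated"
    if value == FAT12_BAD:
        return "bad sector"
    if value >= FAT12_EOF:
        return "end of file"
    return "allocated"

def walk_chain(fat: bytes, start: int, last_cluster: int) -> list:
    """Follow a file's cluster chain from its starting cluster to the end-of-file marker."""
    chain, cur = [], start
    while True:
        if cur in chain:                          # assumption: a loop means a corrupted FAT
            raise ValueError(f"cluster chain loops back to {cur}")
        chain.append(cur)
        nxt = fat12_get(fat, cur)
        state = classify(nxt)
        if state == "end of file":
            return chain
        if state != "allocated" or not 2 <= nxt <= last_cluster:
            raise ValueError(f"cluster {cur} points to {nxt:#05x} ({state})")
        cur = nxt

def build_sample_fat() -> bytes:
    """Constructed FAT12 table: file in clusters 2 -> 3 -> 5, cluster 4 bad, cluster 6 free."""
    fat = bytearray(512)
    # Entry 0 holds the media descriptor (0xFF0 for a 3.5" floppy), entry 1 is a filler.
    for n, v in ((0, 0xFF0), (1, 0xFFF), (2, 3), (3, 5), (4, FAT12_BAD), (5, 0xFFF)):
        fat12_set(fat, n, v)
    return bytes(fat)
```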

Root Directory

The Root Directory, sometimes referred to as the Root Folder, contains an entry for each file and directory stored in the file system. This information includes the file name, starting cluster number, and file size. This information is changed whenever a file is created or subsequently modified.

Data Area

The Boot Record, FATs, and Root Directory are collectively referred to as the System Area. The remaining space on the logical drive is called the Data Area, which is where files are actually stored. It should be noted that when a file is deleted by the operating system, the data stored in the Data Area remains intact until it is overwritten.
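Added example (not code from the page): a Python parser that reads the BIOS Parameter Block fields the Boot Record carries (bytes per sector, sectors per cluster, reserved sectors, number of FATs, root entries, total sectors, media descriptor, sectors per FAT) and derives where FAT1, FAT2, the fixed-size Root Directory and the Data Area begin. The boot sector is constructed inline as a 1.44 MB floppy; the FAT variant is chosen by cluster count, which is the rule Microsoft's FAT specification uses.

```python
import struct

BPB_FORMAT = "<HBHBHHBHHHII"   # BIOS Parameter Block, bytes 11..35 of the boot sector

def build_floppy_boot_sector() -> bytes:
    """Constructed boot sector of a 1.44 MB FAT12 floppy (sample input, not a real image)."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x3C\x90"          # jump over the BPB to the boot code
    bs[3:11] = b"MSWIN4.1"             # OEM identifier
    struct.pack_into(BPB_FORMAT, bs, 11,
                     512,              # bytes per sector
                     1,                # sectors per cluster
                     1,                # reserved sectors: the Boot Record itself
                     2,                # number of FATs: FAT1 and FAT2
                     224,              # root directory entries (fixed-size root folder)
                     2880,             # total sectors (16-bit field)
                     0xF0,             # media descriptor: 3.5" floppy
                     9,                # sectors per FAT
                     18, 2,            # sectors per track, number of heads
                     0, 0)             # hidden sectors, total sectors (32-bit field)
    bs[510:512] = b"\x55\xAA"          # boot sector signature
    return bytes(bs)

def parse_layout(bs: bytes) -> dict:
    """Derive the System Area / Data Area layout from the boot sector fields."""
    if bs[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot sector signature")
    (bps, spc, rsvd, nfats, root_ents, tot16, media,
     fatsz16, _spt, _heads, _hidden, tot32) = struct.unpack_from(BPB_FORMAT, bs, 11)
    fatsz32 = struct.unpack_from("<I", bs, 36)[0]       # FAT32 only: sectors per FAT
    fat_size = fatsz16 or fatsz32
    total = tot16 or tot32
    if not (bps and spc and fat_size and total):
        raise ValueError("implausible BPB values")
    root_sectors = (root_ents * 32 + bps - 1) // bps    # 0 on FAT32 (root is a chain)
    first_data = rsvd + nfats * fat_size + root_sectors
    clusters = (total - first_data) // spc
    # Microsoft's rule: the FAT variant is decided by the cluster count alone.
    fat_type = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"
    return {
        "fat_type": fat_type, "media_descriptor": media, "cluster_bytes": bps * spc,
        "fat1_sector": rsvd,
        "fat2_sector": rsvd + fat_size if nfats > 1 else None,
        "root_dir_sector": rsvd + nfats * fat_size,
        "first_data_sector": first_data, "cluster_count": clusters,
    }

if __name__ == "__main__":
    for k, v in parse_layout(build_floppy_boot_sector()).items():
        print(f"{k:>18}: {v}")
```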

Versions

There are three variants of FAT in existence: FAT12, FAT16, and FAT32.

FAT12

  • FAT12 is the oldest type of FAT; it uses a 12-bit file allocation table entry.
  • FAT12 can hold a maximum of 4,086 clusters (2^12 clusters minus a few values that are reserved for special markers in the FAT).
  • It is used for floppy disks and hard drive partitions that are smaller than 16 MB.
  • All 1.44 MB 3.5" floppy disks are formatted using FAT12.
  • The cluster size used is between 0.5 KB and 4 KB.

FAT32

FAT32 is the enhanced version of the FAT system implemented beginning with Windows 95 OSR2, Windows 98, and Windows Me. Features include:

  • Drives of up to 2 terabytes are supported (Windows 2000 only supports up to 32 gigabytes).
  • Since FAT32 uses smaller clusters (of 4 kilobytes each), it uses hard drive space more efficiently. This is a 10 to 15 percent improvement over FAT or FAT16.
  • The limitations of FAT or FAT16 on the number of root folder entries have been eliminated. In FAT32, the root folder is an ordinary cluster chain and can be located anywhere on the drive.
  • File allocation table mirroring can be disabled in FAT32. This allows a copy of the file allocation table other than the default to be the active one.


Comparison of FAT Versions

Table adapted from: http://en.wikipedia.org/wiki/File_Allocation_Table

|                          | FAT12                                   | FAT16                                   | FAT32                                   |
|--------------------------|-----------------------------------------|-----------------------------------------|-----------------------------------------|
| Developer                | Microsoft                               | Microsoft                               | Microsoft                               |
| Full name                | File Allocation Table (12-bit version)  | File Allocation Table (16-bit version)  | File Allocation Table (32-bit version)  |
| Introduced               | 1977 (Microsoft Disk BASIC)             | July 1988 (MS-DOS 4.0)                  | August 1996 (Windows 95 OSR2)           |
| Partition identifier (MBR) | 0x01                                  | 0x04, 0x06, 0x0E                        | 0x0B, 0x0C                              |
| Partition identifier (GPT) | EBD0A0A2-B9E5-4433-87C0-68B6B72699C7 (all three versions) | | |
| Structures               |                                         |                                         |                                         |
| Directory contents       | Table                                   | Table                                   | Table                                   |
| File allocation          | Linked list                             | Linked list                             | Linked list                             |
| Bad blocks               | Linked list                             | Linked list                             | Linked list                             |
| Limits                   |                                         |                                         |                                         |
| Max file size            | 32 MiB                                  | 2 GiB                                   | 4 GiB                                   |
| Max number of files      | 4,077                                   | 65,517                                  | 268,435,437                             |
| Max filename size        | 8.3, or 255 characters when using LFNs  | 8.3, or 255 characters when using LFNs  | 8.3, or 255 characters when using LFNs  |
| Max volume size          | 32 MiB                                  | 4 GiB                                   | 2 TiB                                   |
| Features                 |                                         |                                         |                                         |
| Dates recorded           | Creation, modified, access              | Creation, modified, access              | Creation, modified, access              |
| Date range               | January 1, 1980 - December 31, 2107     | January 1, 1980 - December 31, 2107     | January 1, 1980 - December 31, 2107     |
| Forks                    | Not natively                            | Not natively                            | Not natively                            |
| Attributes               | Read-only, hidden, system, volume label, subdirectory, archive | Read-only, hidden, system, volume label, subdirectory, archive | Read-only, hidden, system, volume label, subdirectory, archive |
| Permissions              | No                                      | No                                      | No                                      |
| Transparent compression  | Per-volume: Stacker, DoubleSpace, DriveSpace | Per-volume: Stacker, DoubleSpace, DriveSpace | No                                 |
| Transparent encryption   | Per-volume only, with DR-DOS            | Per-volume only, with DR-DOS            | No                                      |


Applications of FAT

Due to its low cost, mobility, and non-volatile nature, flash memory has quickly become the choice medium for storing and transferring data in consumer electronic devices. The majority of flash memory storage is formatted using the FAT file system. In addition, FAT is also frequently used in electronic devices with miniature hard drives.

Examples of devices in which FAT is utilized include:

  • USB thumb drives
  • Digital cameras
  • Digital camcorders
  • Portable audio and video players
  • Multifunction printers
  • Electronic photo frames
  • Electronic musical instruments
  • Standard televisions
  • PDAs

Forensics Issues

Data Recovery

Recovering directory entries from FAT filesystems, as part of recovering deleted data, can be accomplished by looking for entries whose first byte is 0xE5 (displayed as the Greek letter sigma in code page 437). When a file or directory is deleted under a FAT filesystem, the first character of its name is overwritten with 0xE5; the remainder of the directory entry, including the starting cluster number and file size, remains intact.

File Slack

File slack is the data that starts at the end of the written file and continues to the end of the sectors designated to the file. There are two types of file slack: RAM slack and residual slack. RAM slack starts at the end of the file and runs to the end of the cluster that the last part of the file was written to. Residual slack starts at the next cluster and runs to the last cluster allocated for the file. File slack is useful when analyzing a hard drive because old data that was not overwritten by the new file is still intact.
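Added example (not from the page) covering both the Data Recovery and File Slack sections: a parser for 32-byte FAT directory entries that reports live and deleted (0xE5) entries with their starting cluster and size, and computes the slack figures using the page's own definitions (RAM slack to the end of the last cluster holding file data, residual slack for allocated clusters beyond that). The directory region is constructed inline; the 512-byte cluster size and the chain length passed to residual_slack are assumptions for the sample.

```python
import struct

DELETED = 0xE5      # first byte of a deleted entry; code page 437 shows it as sigma
ATTR_LFN = 0x0F     # long-file-name entries reuse the slot layout; skipped here

def make_entry(name: str, ext: str, attr: int, first_cluster: int,
               size: int, deleted: bool = False) -> bytes:
    """Build one 32-byte short-name directory entry (constructed sample data)."""
    raw = bytearray(32)
    raw[0:11] = f"{name:<8}{ext:<3}".encode("ascii")
    raw[11] = attr
    struct.pack_into("<H", raw, 20, first_cluster >> 16)     # high word (FAT32)
    struct.pack_into("<H", raw, 26, first_cluster & 0xFFFF)  # low word
    struct.pack_into("<I", raw, 28, size)
    if deleted:
        raw[0] = DELETED           # deletion only overwrites the first name byte
    return bytes(raw)

def build_sample_directory() -> bytes:
    """Constructed directory region: a live file, one LFN slot, and a deleted file."""
    lfn = bytes([0x41]) + bytes(10) + bytes([ATTR_LFN]) + bytes(20)
    return (make_entry("README", "TXT", 0x20, 2, 1000)
            + lfn
            + make_entry("OLDNOTE", "TXT", 0x20, 5, 2600, deleted=True)
            + bytes(32))           # 0x00 first byte: no entries follow

def parse_directory(region: bytes, cluster_bytes: int) -> list:
    """List live and deleted entries; ram_slack follows the page's RAM slack definition."""
    found = []
    for off in range(0, len(region), 32):
        e = region[off:off + 32]
        if e[0] == 0x00:
            break
        if e[11] == ATTR_LFN:
            continue
        deleted = e[0] == DELETED
        # The overwritten first character cannot be recovered from this entry alone.
        name = ("?" if deleted else chr(e[0])) + e[1:8].decode("ascii").rstrip()
        ext = e[8:11].decode("ascii").rstrip()
        hi, lo = struct.unpack_from("<H", e, 20)[0], struct.unpack_from("<H", e, 26)[0]
        size = struct.unpack_from("<I", e, 28)[0]
        used = -(-size // cluster_bytes)          # clusters the file's data reaches into
        found.append({"name": f"{name}.{ext}" if ext else name, "deleted": deleted,
                      "first_cluster": (hi << 16) | lo, "size": size,
                      "ram_slack": used * cluster_bytes - size})
    return found

def residual_slack(size: int, chain_length: int, cluster_bytes: int) -> int:
    """Bytes in clusters allocated to the file beyond the last one its data reaches."""
    return (chain_length - -(-size // cluster_bytes)) * cluster_bytes
```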


References:


http://en.wikipedia.org/wiki/File_Allocation_Table

http://www.microsoft.com

http://www.ntfs.com

http://support.microsoft.com/kb/q154997/#XSLTH3126121123120121120120

http://www.dewassoc.com/kbase/hard_drives/boot_sector.htm

http://www2.tech.purdue.edu/cpt/courses/cpt499s/