37. VBR Checksum Sector
  • Offset  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
  • ...
38. FAT – File Allocation Table
  • When it is used, same as legacy FAT
  • Not used when file contiguous
  • ...
39. Cell Values in FAT Table
  • 0x00000000 – No significant meaning
  • 0x00000001 – Not a valid cell value...
40. (slide with no text)
41. FAT Table Example
  Offset  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  0000    F8 FF FF FF FF FF FF F...
42. Allocation Bitmap
  • Keeps track of cluster allocation status
    • Zero – Free Cluster
    • ...
43. Data Hide Alert!
  • The Allocation Bitmap and the UP-Case Table are stored as files, and provide hiding space in the ...
44. (slide with no text)
45. Directories in exFAT
  • Root (VBR Pointer)
    • Contains certain critical entries
  • ...
46. Data Hide Alert!
  • Manipulation of the Allocation Bitmap, and creation of user directory entries provides the capabi...
47. Entry Type
  Type Field   Offset (Bits)   Size (Bits)
  In Use       7               1
  Category     6               1
  Importance   5               1
  Code         0               5
48. Entry Type
  • In Use:
    • 0 – Not in Use, 1 – In Use
  • Category:
    • ...
49. Volume Label Directory Entry
  • 0x83 or 0x03 Entry
  • Primary Entry
  • Only resident in...
50. Volume Label Directory Entry
  Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
  00000000  83 0A 6...
51. Allocation Bitmap Directory Entry
  • 0x81 Entry
  • Primary Entry
  • Only resident in Ro...
52. Allocation Bitmap Directory Entry
  Offset  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
  0000    81 00 ...
53. UP-Case Table Directory Entry
  • 0x82 Entry
  • Primary Entry
  • Only resident in Root D...
54. UP-Case Table Directory Entry
  Offset  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
  0000    82 00 00 0...
55. File Directory Entry Set
  • Used to define a file
  • May have 3 to 19 entries, or more
  • ...
56. File Directory Entry
  • 0x85 or 0x05 Entry
  • Primary Entry
  • Set Checksum (16 bits)
  • ...
57. Timestamps & Time Zones
  • 3 Timestamps (MAC)
  • 32 bit DOS Date/Time
    • Local Mach...
58. Timestamp Accuracy
  • FAT32 – Last Access – Date only
  • exFAT – Last Access – Date/Time
  • ...
59. Timestamp Reliability
  • Timestamps appear to be updated when the file is created or modified.
  • Last...
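Added example (not from the deck): a Python decoder for the timestamp pieces described on the preceding slides, run on the create timestamp 0x3B866244 and 10 ms increment 168 that the speaker notes quote for the sample file entry. The DOS date/time layout and the double-second rule are as the deck states them; the encoding of the UTC-offset byte is assumed from Microsoft's later published exFAT specification.

```python
from datetime import datetime, timedelta, timezone


def decode_dos_datetime(value):
    """Split a 32-bit DOS date/time into its fields.

    Low 16 bits: hour (5 bits), minute (6 bits), double-seconds (5 bits).
    High 16 bits: year since 1980 (7 bits), month (4 bits), day (5 bits).
    Returns (year, month, day, hour, minute, second); the second is always even.
    """
    time_part = value & 0xFFFF
    date_part = (value >> 16) & 0xFFFF
    hour = time_part >> 11
    minute = (time_part >> 5) & 0x3F
    second = (time_part & 0x1F) * 2            # stored in 2-second units
    year = 1980 + (date_part >> 9)
    month = (date_part >> 5) & 0x0F
    day = date_part & 0x1F
    return year, month, day, hour, minute, second


def decode_exfat_timestamp(value, increment_10ms=0, utc_offset_byte=None):
    """Combine the pieces exFAT keeps for one timestamp into a datetime.

    increment_10ms: the 10 ms field (0..199) that restores the odd second and
    the hundredths lost to the double-second encoding.
    utc_offset_byte: bit 7 = offset valid, bits 0-6 = signed offset in 15-minute
    units (encoding assumed from the published exFAT spec; the deck only notes
    that the field is absent in Vista SP1 and the 1.00 spec).
    """
    if not 0 <= increment_10ms <= 199:
        raise ValueError("10 ms increment must be 0..199")
    year, month, day, hour, minute, second = decode_dos_datetime(value)
    ts = datetime(year, month, day, hour, minute, second)
    ts += timedelta(milliseconds=10 * increment_10ms)
    if utc_offset_byte is not None and utc_offset_byte & 0x80:
        quarter_hours = utc_offset_byte & 0x7F
        if quarter_hours & 0x40:                # sign-extend the 7-bit field
            quarter_hours -= 0x80
        ts = ts.replace(tzinfo=timezone(timedelta(minutes=15 * quarter_hours)))
    return ts


def timestamp_from_dump(raw):
    """Read the 4 timestamp bytes as they appear in a hex dump (little-endian)."""
    return int.from_bytes(raw, "little")


if __name__ == "__main__":
    # Create timestamp of the deck's sample file entry: the dump shows
    # 44 62 86 3B, i.e. 0x3B866244 once the byte order is reversed, and the
    # 10 ms field is 168 (both values are quoted in the speaker notes).
    value = timestamp_from_dump(bytes.fromhex("4462863B"))
    print(decode_dos_datetime(value))            # (2009, 12, 6, 12, 18, 8)
    print(decode_exfat_timestamp(value, 168))    # 2009-12-06 12:18:09.680000
    # Same instant with a UTC offset byte of 0xEC (-20 quarter hours = UTC-05:00)
    print(decode_exfat_timestamp(value, 168, 0xEC))
```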
60. File Attributes
  Attribute   Offset   Size   Mask
  Reserved2   6        10
  Archive     5        1      0x20
  Directory   4        1      0x10
  Reserve...
61. File Directory Entry
  Offset  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
  0000    85 04 D4 92 20 00 0...
62. Formatted File Directory Entry
  Root Entry Type Read is: 85 Directory Entry Record
  Checksum:  92D4 Cal...
63. Stream Extension Directory Entry
  • 0xC0 or 0x40 Entry
  • Secondary Entry
  • Length of ...
64. Stream Extension Directory Entry
  Offset  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
  0000    C0 03 0...
65. Parameters for Samples
  Bytes Per Sector: 2 to the 09 power is:  512
  Sectors Per Cluster: 2 to the 08 ...
66. Formatted Stream Extension
  Root Entry Type Read is: C0 Directory Entry Record, Stream Extension Secon...
67. File Name Extension Directory Entry
  • 0xC1 or 0x41 Entry
  • Secondary Entry
  • Seconda...
68. File Name Extension Directory Entry
  Offset  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
  0000    C1 0...
69. Significance of “not in use” flag
  • 0x05, 0x40 & 0x41 Entries
    • “Not in use” may mean deleted f...
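Added example (not the author's C program): a Python parser for one File entry set that applies the Entry Type bit layout, reassembles the name from the 0xC1 entries, reads the NoFatChain ("FAT invalid") flag and validates the 16-bit set checksum, including for a deleted set whose in-use bits were cleared. The entry set is constructed inline; the field offsets inside the entries and the rotate-right-and-add checksum are assumed from the published exFAT specification, which the deck does not reproduce.

```python
import struct

ENTRY_SIZE = 32


def decode_entry_type(type_byte):
    """Split the first byte of a directory entry into the Entry Type fields:
    In Use (bit 7), Category (bit 6), Importance (bit 5), Code (bits 0-4)."""
    return {
        "in_use": bool(type_byte & 0x80),
        "category": "secondary" if type_byte & 0x40 else "primary",
        "importance": "benign" if type_byte & 0x20 else "critical",
        "code": type_byte & 0x1F,
    }


def entry_set_checksum(entries):
    """16-bit rotate-right-and-add over every byte of the set except the checksum
    field itself (bytes 2-3 of the primary).  The rotate-and-add form is assumed
    from the published spec; the deck only says it spans primary + secondaries."""
    csum = 0
    for i, b in enumerate(entries):
        if i in (2, 3):
            continue
        csum = ((0x8000 if csum & 1 else 0) + (csum >> 1) + b) & 0xFFFF
    return csum


def checksum_as_if_in_use(entries):
    """Recompute with bit 7 of every entry type forced on: deletion clears the
    in-use bits but never rewrites the checksum, so an intact deleted set still
    validates this way while an overwritten one does not."""
    restored = bytearray(entries)
    for off in range(0, len(restored), ENTRY_SIZE):
        restored[off] |= 0x80
    return entry_set_checksum(restored)


def build_file_entry_set(name, attributes=0x20, first_cluster=2, size=0,
                         no_fat_chain=True):
    """Constructed sample set (0x85 + 0xC0 + one 0xC1 per 15 name characters).
    Field offsets inside the entries are assumed from the exFAT spec."""
    utf16 = name.encode("utf-16-le")
    chunks = [utf16[i:i + 30].ljust(30, b"\x00") for i in range(0, len(utf16), 30)]
    file_entry = bytearray(ENTRY_SIZE)
    file_entry[0] = 0x85
    file_entry[1] = 1 + len(chunks)                    # SecondaryCount
    struct.pack_into("<H", file_entry, 4, attributes)  # 0x20 = Archive
    stream = bytearray(ENTRY_SIZE)
    stream[0] = 0xC0
    stream[1] = 0x01 | (0x02 if no_fat_chain else 0)   # AllocationPossible | NoFatChain
    stream[3] = len(name)                              # NameLength in UTF-16 units
    struct.pack_into("<Q", stream, 8, size)            # ValidDataLength
    struct.pack_into("<I", stream, 20, first_cluster)
    struct.pack_into("<Q", stream, 24, size)           # DataLength
    names = b"".join(b"\xC1\x00" + c for c in chunks)
    raw = bytes(file_entry) + bytes(stream) + names
    return raw[:2] + struct.pack("<H", entry_set_checksum(raw)) + raw[4:]


def clear_in_use(entries):
    """Model a deletion: clear bit 7 of every entry type and nothing else."""
    out = bytearray(entries)
    for off in range(0, len(out), ENTRY_SIZE):
        out[off] &= 0x7F
    return bytes(out)


def parse_file_entry_set(entries):
    """Parse one File entry set and report the fields an examiner checks."""
    primary = decode_entry_type(entries[0])
    if primary["category"] != "primary" or primary["code"] != 0x05:
        raise ValueError("not a File directory entry (0x85 / 0x05)")
    count = entries[1]
    entries = bytes(entries[:(count + 1) * ENTRY_SIZE])
    if len(entries) != (count + 1) * ENTRY_SIZE:
        raise ValueError("entry set is truncated")
    info = {
        "in_use": primary["in_use"],
        "secondary_count": count,
        "attributes": struct.unpack_from("<H", entries, 4)[0],
        "checksum_ok": struct.unpack_from("<H", entries, 2)[0]
        == checksum_as_if_in_use(entries),
        "name": "", "name_entries": 0,
    }
    for n in range(1, count + 1):
        e = entries[n * ENTRY_SIZE:(n + 1) * ENTRY_SIZE]
        kind = decode_entry_type(e[0])
        if kind["code"] == 0x00:                       # Stream Extension (0xC0 / 0x40)
            info["fat_invalid"] = bool(e[1] & 0x02)    # NoFatChain: FAT not used
            info["name_length"] = e[3]
            info["valid_data_length"] = struct.unpack_from("<Q", e, 8)[0]
            info["first_cluster"] = struct.unpack_from("<I", e, 20)[0]
            info["data_length"] = struct.unpack_from("<Q", e, 24)[0]
        elif kind["code"] == 0x01:                     # File Name Extension (0xC1 / 0x41)
            info["name"] += e[2:].decode("utf-16-le")
            info["name_entries"] += 1
    info["name"] = info["name"][:info.get("name_length", 0)]
    return info
```

The 40-character name used in the test below mirrors the deck's sample (secondary count 4: one stream entry plus three name entries).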
70. Summary
  • exFAT is a new generation of the FAT family of Microsoft File Systems
  • The need for foren...
71. Q&A
72. Contact Information
  • E-mail: [email_address]
  • Blog: rshullic.wordpress.com
  • Blog...
73. References
  • Sans Reading Room:
  • http://www.sans.org/reading_room/whitepapers/forensics/rss/reverse...
Demystifying the Microsoft Extended FAT File System (exFAT)
This was a presentation on the exFAT file system given back in September 2010 at the HTCIA conference in Atlanta Ga. This presentation is effectively superseded by a new presentation deck that was uploaded to slideshare on June 6, 2014.
Speaker notes:
  • exFAT is specifically designed for Removable media, but can be used for fixed media as well. NTFS is not recommended for removable media, especially because of the lazy write problem. Faster I/O through less file system overhead
  • You need to be able to locate the evidence, just in general. You also need to know the hiding places where it can be hidden. You need to validate that what you found is correct, in order, and complete.
  • If the OS can’t recognize the file system, then it thinks the media is not formatted.
  • Little to nothing available in these areas. Exception: Tuxera is the first independent software vendor to sign an exFAT development agreement with Microsoft. Linux and Open Source is used a lot; commercial tools are lacking. Encase 6.14.3 in Dec 2009 started logical support, some issues reported. FTK 3.2 – Maybe? Little documentation or publications on exFAT internals.
  • Microsoft published a patent that included the exFAT 1.00 specification. This presentation and the paper attempt to stick to the terminology used in the patent/specification as close as possible. Links to the patent and my paper will be on a later slide, and references to the paper will also be on my blog.
  • In some cases you might see ZB or ZIB, technically they are really different, but are close.
  • You never really see another sector size other than 512 bytes, and everyone just assumes that it is only 512. The 4096 size is special, to support a device that is used for paging and supports 4K pages. But with the standard format, you can’t adjust the sector size. Clusters (or blocks) are 32K max in FAT32. Potential capacity, but the FAT can’t support 64ZiB in its current configuration. The volume label and file names are all 16 bit Unicode. Filenames to a maximum of 255 characters.
  • Microsoft in the KB for Windows XP support indicated a capacity to 64ZiB and a file size maximum to 64ZiB. In reality, the file system can only support up to 128PiB, and the file size up to 16EiB. The volume size is limited by a 32-bit FAT and a 25-bit cluster size giving a 57-bit addressable volume size The file size is limited by the 8-byte (64-bit) number that holds the filesize.
  • With TexFAT there will be 2 FATs and 2 BITMAPs; with exFAT 1.0, which does not have TexFAT (Transactional FAT) support, there is only 1 FAT and 1 BITMAP, where previous FAT versions had 2 FATs.
  • Any FS is limited, even FAT32 and NTFS. This is Windows only; we are not talking GUID Partition Table (GPT). Although a MBR uses a 4 byte sector count, remember that the FS can be larger if you make the sectors larger (512 vs. 4096), and this causes a lot of confusion on how big a FS fits.
  • Windows would not format FAT32 beyond 32GB; it required using a FAT32 format on a different OS. Some Windows utilities did not work properly with volume spaces greater than 32GB, but you can mount a device that was greater than 32GB. Limitations of FAT32 File System: http://support.microsoft.com/kb/184006 SDXC predecessor (SDHC) had a max spec of 32GB. SDXC picks up from 32GB. SD 4.0 Specification – 300MB/s I/O speeds: http://www.flashmemorysummit.com/English/Collaterals/Proceedings/2009/20090813_S204_Lin_Yee.pdf Starting at 104 megabytes per second, and later to 300 megabytes per second: http://www.letsgodigital.org/en/20985/sdxc-cards/
  • The SDXC media will not be backward compatible Cameras and other devices have been announced, but I haven’t actually seen any devices yet, so it sounds like media is being announced and shipped with nothing that can read them.
  • New Devices may accept SDHC, but older devices will not.
  • With Sony adopting the XC memory stick to exFAT, plus the SD market, is almost 90% of the market today.
  • There are discussions of creation of exFAT on a Vista or Windows 7 machine that can’t be seen on Vista. This is usually a case of creating the media on a machine with exFAT support and then trying to read the media on a different machine without exFAT support. The common mistake is creation of the file system on removable media with a Vista SP1 (or higher machine) and trying to read it on a machine with Vista RTM.
  • exFAT uses 16 bit Unicode strings
  • It is important to note that Pentium processors use the little-endian format, so numbers stored in the file system are stored in little-endian. This can be significant because you need to change the order of the bytes in order to read the values from a hex dump.
  • Currently use exFAT 1.00, but if a later version of exFAT is in use, it will check the version # and not mount the FS unless it can support it. Checksums protect against corruption and viruses. If there is a problem with critical directory entries, the FS should not mount.
  • FAT32 required a minimum of 65,525 clusters. exFAT does not have this restriction.
  • 4 Regions defined on the volume. The FAT tables reside outside the cluster heap.
  • Details follow in the next slides
  • If there was no restriction, then the size of a cluster could be 4^255
  • If the sector size is > 512 bytes, not all of the space on the first sector of the VBR (Main Boot Sector) is used.
  • Unlike the first sector, the other 8 boot sectors can use the entire sector, and the signature marker is moved to the last 8 bytes of the sector
  • Repeats over and over again, 4 bytes = 32 bit checksum. Can be used to determine if the VBR was modified. 3 bytes in the VBR are not calculated in the checksum. This sector does not have a signature.
  • The BITMAP is used to track cluster allocation, and the FAT is only required for re-assembling the original file. If the original file is contiguous, then the FAT isn’t needed for THAT file. We will see later that a flag in the directory record is used to tell the FS whether the FAT should be used or ignored.
  • Because there is no floppy support, there is only one possible media descriptor value. Cluster 0 and 1 are not defined, so 0 & 1 are not significant (same as legacy FAT). Since the FAT is no longer used for cluster allocation, 0 (zero) is no longer significant (used to be unused).
  • The 3 main critical records: Allocation Bitmap, UP-Case Table, and Root Directory will use FAT chains. The Root Directory can grow and since it is dynamic in its growth, most likely will fragment. The UP-CASE Table and Allocation bitmap should be static and not grow or change, although theoretically they could probably be relocated and moved somewhere else on the volume. The locations (cluster addresses) of the 3 special metadata files may change, this is based on one formatting and in reality these files could eventually end up in any cluster.
  • If there are 2 FATs in a TexFAT Transactional Safe exFAT environment, then each FAT is paired with an allocation bitmap. The allocation BITMAP is pointed to by a 0x81 entry.
  • This is an eye chart, but the idea is to show how to get to the bitmap. You start at the VBR (BPB), go to the root directory, look up the 0x81 entry to get the cluster address, and then go into the BITMAP table.
  • We will see details of the directory entry construction later, including what we mean by an entry type.
  • The first byte of every directory entry is the “entry type” and describes the directory entry.
  • When a file set is not in use, it is usually (but not always) a deleted file. When a volume label is not in use, it means no volume label. Only files have secondary entries so far. Missing Benign entries usually won’t prevent the file system from being mounted. 0x80 is not defined.
  • Primary and Critical
  • Since we use 16 bit unicode without string termination, we need the length of the volume label – in unicode characters.
  • Primary and Critical. If the FS can’t find the BITMAP table, it can’t mount the FS
  • This was a small volume. 63 bytes can support maximum of 63x8 = 504 clusters.
  • Filenames are stored case insensitive, so when a search is done, the filenames are converted to upper case (folded). The UP-CASE table is used to convert the filename to all uppercase.
  • The UP-Case table is less than 6K – imagine if it was in a 32K cluster, now imagine if it was in a 32MB cluster, the amount of available slack space.
  • File Entry Set would have a File, Stream Extensions, and up to 17 File Name Extension for a total of 19. Later, when a new exFAT version comes out, the ACL will be another secondary entry bringing this up to 20. As more file secondary entries are added, let’s say one for encryption, this increases to a max of 255 secondaries.
  • Attributes and Timestamps in later slides. Checksum is across the Primary and all secondaries in the set.
  • Modified, Access, and Create. Timestamps are NOT stored in this order, but MAC is a common acronym in the literature. Timestamps are not one single field like NTFS which uses a 64 bit value. exFAT combines pieces to make a UTC value. TZ offset is absent in Vista SP1, and does not appear in the exFAT 1.00 spec.
  • The standard DOS Date/Time, also used in the previous FAT versions, does not count to the second, but double seconds. To get seconds, a 33 bit number would have been needed.
  • FAT and exFAT timestamp behavior varies, but is just not reliable as far as last accessed.
  • These are pretty much the same as previous FAT versions. Since we have a separate volume label entry, there is no attribute for it, and since we don’t have 8.3 support, there is no LFN (Long File Name) attribute either.
  • The update behavior on the 10ms Modified is also not predictable, sometimes it is just set to zero. Note that the create time is really 3B866244 (reversed because of little-endian)
  • In order to validate the analysis in reverse engineering the FS, I had to write a C program to format the directory entries. This is an example of the output. All the timestamps are even because of the double seconds. But since the create 10ms value is 168, this means that the create time was really 12:18:09.68. Secondary count is 4, meaning that this file set is 5 entries: 1 File, 1 Stream, and 3 filename.
  • There are 2 file lengths: one is supposed to be the file length and the other the amount of data actually written into the file so far. Length of name is needed because there is no string termination, but the file name (max 255) may require multiple directory entries (we will see later). This is where the FS indicates whether the FAT is used: if the FAT Invalid flag is set, then the FAT is ignored.
  • Since these values can vary based on the format parameters, for reference this is what the samples in this presentation are using.
  • Another output from the C program. Allocation possible indicates that the directory entry specifies a cluster address field. FAT invalid indicates that this file does not use the FAT. This file is 18MB and required 143 clusters to store the file. As we said before, there are 3 filename entries (each holds 15 characters of the filename), and as we see above, the filename is 40 characters in length.
  • Allocation not possible indicates that there is no cluster address in the entry. FAT Invalid has no meaning.
  • Filename is 40 characters (80 bytes) and takes 3 entries to store it.
  • When the entries are not in use, some may be overwritten, and some may not. This means that a complete set may not exist.
  • I need followers
  • My paper on exFAT and the Microsoft Patent that exposes the specification
  • Demystifying the Microsoft Extended FAT File System (exFAT)

1. HTCIA International Conference, September 20-22, 2010, Atlanta, GA
  • Demystifying the Microsoft Extended File System (exFAT)
  September 20th, 2010
  Robert Shullich CPP, CISSP, CISM, CISA, CGEIT, CRISC, GSEC, GCFA
2. Agenda
  • About Me
  • Why a new file system
  • Forensics Relevance
  • Features
  • Advantages
  • Timelines
  • Support
  • Limits
  • Internals
3. About Me
  • I have been in the IT field for 35+ Years, and in InfoSec for over 15 Years
  • I carry many IT and InfoSec certifications
  • This research was part of a term project for a forensics class for my masters in Forensic Computing
  • I then expanded the term paper into a practical paper for my SANS GCFA certification
  • A link to the SANS paper and my blog is at the end of this presentation
4. Why do we need a new file system?
  • Current Limits Exhausted
  • Larger volumes (>2TB)
  • Larger file sizes (>4GB)
  • Faster I/O
    • (UHS-1: 104 MB/s - UHS-2: 300MB/s)
  • Removable Media
  • Flexibility
  • Extensibility
  • NTFS Features without the overhead
5. Relevance to Forensics Study
  • Digital Evidence Extraction
    • Finding the evidence
    • Including the hiding places
    • Validation
  • Daubert Expert Testimony
    • Need to know and understand file org
  • New Media (SD Cards) will drive exFAT adoption, and the potential for CP investigations.
6. What happens when you have exFAT formatted media and no exFAT support?
7. Forensics Challenges
  • Linux OS Support
    • Tuxera drivers may help
  • Mac OS Support
  • Open Source Tools
  • Commercial Tools
    • Encase
    • FTK
  • Documentation
8. Disclaimer
  • The released specification and implementation is Release 1.00 of exFAT
  • The specification mentions additional features that were not implemented yet, but may be at a future time. Some of these are Windows CE holdovers
  • Both may be presented today
  • Some directory entries will be skipped
9. Exponents
  • 10^2 = 10 times 10 = 100
  • 10^3 = 10 times 10 times 10 = 1000 (1K)
  • 2^2 = 2 times 2 = 4
  • 2^9 = 2*2*2*2*2*2*2*2*2 = 512
  • 2^10 = 2*2*2*2*2*2*2*2*2*2 = 1024 (1K)
  • 2^12 = 2*2*2*2*2*2*2*2*2*2*2*2 = 4096
10. International System of Units (SI) Table
  • File System in powers of 2
  • Device characteristics in powers of 10

  Shorthand   Longhand   Nth    Bytes
  KiB         Kibibyte   2^10   1024
  MiB         Mebibyte   2^20   1024 KiB
  GiB         Gibibyte   2^30   1024 MiB
  TiB         Tebibyte   2^40   1024 GiB
  PiB         Pebibyte   2^50   1024 TiB
  EiB         Exbibyte   2^60   1024 PiB
  ZiB         Zebibyte   2^70   1024 EiB
  YiB         Yobibyte   2^80   1024 ZiB
11. Features of exFAT 1.00
  • Sector sizes from 512 to 4096 bytes
  • Cluster sizes to 32MiB
  • Root Directory Unlimited
  • Subdirectories to 256MiB
  • Built for speed, less overhead than NTFS but has some of the NTFS features
  • UTC Timestamp Support
    • Vista/Server 2008 SP2+, XP with KB
12. Features of exFAT 1.00 (cont’d)
  • OEM Parameters Sector for device dependent parameters
  • 12 sector VBR, support of larger boot program
  • Potential capacity to 64ZiB
    • Current support ≈ 128 PiB
  • Up to 2,796,202 files per subdirectory
  • File Names max to 255 Characters
  • Unicode File Names and Volume Labels
13. Future Features of exFAT
  • TexFAT (To be released later)
    • Exists in Windows CE
    • Transaction Safe exFAT
  • ACL (To be released later)
    • Exists in Windows CE
  • Encryption Support?
    • Not announced, but mentioned how easy to add
14. MBR Partition Limitations
  • Microsoft File Systems are limited when stored in a MBR partition
  • A partition is defined by a Master Boot Record
  • A MBR uses a 4 byte value for number of sectors
  • To get the maximum volume size, exFAT cannot be created within a partition
15. Advantages of exFAT
  • Handle growing capacities in media, increasing capacity to >32 GB.
  • > 1000 files in a single directory.
  • Speeds up storage allocation processes.
  • Breaks file size 4 GB barrier.
  • Supports interoperability with future desktop OSs.
  • Provides an extensible format.
  • Large cluster sizes
16. Disadvantages of exFAT
  • Not all Windows CE features implemented
  • No direct conversion to or from other FS
  • Cannot use CONVERT command to NTFS
  • No Floppy Support
  • Mostly a Microsoft Desktop and Server World
    • No Support for Older MS systems
    • No Support for Non-MS systems
    • No XBOX, PS3 or other special devices
17. Key Dates for exFAT
  • September 2006 – Windows CE 6.0
  • March 2008 – Windows Vista Service Pack 1
  • January 2009 – Announcement at CES of SDXC specification
  • January 2009 – Windows XP Drivers Available
  • May 2009 – Windows Vista Service Pack 2
  • August 2009 – Tuxera Signs File System IP Agreement with Microsoft
  • March 2009 – Pretec Releases first SDXC Cards
  • December 2009 – Microsoft (re)announces exFAT license program for third-parties
  • December 2009 – SDXC laptops due soon
  • December 2009 – Diskinternals releases exFAT recovery utility
  • December 2009 – Encase support
18. More Key Dates for exFAT
  • December 2009 Sony, Canon & Sanyo License
  • January 2010 Funai License (LCD TV)
  • February 2010 Panasonic License
  • February 2010 Panasonic 64/48GB SDXC
  • February 2010 Sony Memory Stick XC
  • February 2010 Sandisk Ultra XC 64GB Card 3.0 Spec $350
19. More Key Dates
  • June 1st 2010 Tuxera Releases Linux & Android exFAT drivers
  • June 3rd 2010 Kingston Releases Class 10 SDXC 64GB Card 60 MB/s read, 35 MB/s write.
20. SD Card Association
  • New Memory Card
  • Consumer Appliances
  • Follows SDHC
  • Specification for 2TB Capacity
21. (slide with no text)
22. SDXC Storage Capabilities
  • From 32GB to 2TB on a card
  • Exclusively exFAT File System
  • 300 MB/s I/O Transfer
  • Storage
    • 4,000 RAW images
    • 100 HD movies
    • or 60 hours of HD recording
    • 17,000 fine-grade photos
    • in a single directory
23. Support for exFAT
  • Windows XP & Server 2003
    • KB955704 (requires SP2 or SP3)
  • Vista & Server 2008 SP1
  • Vista & Server 2008 SP2
    • (Adds UTC timestamp support)
  • Windows 7
24. Reference Standards
  • Bits are numbered right to left
    • 76543210
  • Decimal Offsets (zero based)
  • Little-Endian numbers
  • Unsigned numbers
  • Sectors vs. Clusters
  • Strings are 16 bit Unicode
  • Strings not Terminated
25. Endian
  • Numbering order may vary based on processor type, and is determined by the order the data bytes are read from the register.
  • A 32 bit number is read as four 8-bit bytes
  • If I have the number 0x01 02 03 04
  • Big-Endian will store it as:
    • 0x 01 02 03 04
  • Little-Endian will store it as:
    • 0x 04 03 02 01
26. File System Integrity
  • Version Verified
  • 3 Checksums
    • VBR
    • UP-Case Table
    • File Set
  • Critical Directory Entries
  • Other Checks and Balances
  • File System should NOT mount if failures
27. exFAT Limits
  • Volume size 128PiB
    • MS said 64ZiB
    • MS now says 256TiB
  • File Size 16 EiB (64 bit number)
    • Bigger than volume size
  • Subdirectory 256MiB
  • Sector 512-4096 bytes (2^9 - 2^12)
  • Cluster 32MiB (2^25)
  • No floppy support
  • No FAT32 minimum cluster (65,525) restriction
  • No 8.3 file name support
28. Data Hide Alert!
  • FAT32 max cluster 32KiB
  • exFAT max cluster 32MiB
    • This is an increase of 1024 fold
  • Potential for massive slack space
29. Volume Space Layout
  • The Main Boot Region
    • Contains main VBR
  • The Backup Boot Region
    • Contains backup VBR
  • The FAT Region
    • Contains FAT Table(s)
  • The Data Region (Cluster Heap)
    • This is where data resides
30. (slide with no text)
31. VBR – Volume Boot Record
  • Contains 12 sectors
    • 1 sector main boot sector
      • Jump Code (3 bytes)
      • BPB (BIOS Parameter Block)
      • Boot Strap Code
    • 8 sectors main extended boot sectors
    • 1 sector OEM parms
    • 1 sector reserved
    • 1 sector VBR Checksum
32. Boot Parameter Block (BPB)
  • OEM Label “EXFAT ”
  • Volume Length (64-bit) [sector]
  • FAT Location & Size [sector]
  • Heap Location & Size [sector, cluster]
  • Volume Serial Number
  • Location of Root Directory [cluster]
  • Volume Flags
  • Sector and Cluster Sizes [2-shift]
  • Percent in use
  • File System Revision (0x0010=1.00)
33. Sectors & Clusters
  • A 2-Shift is a power of 2
    • Another name for exponent
  • Sector size and sectors per cluster
    • Each stored in 1 byte
    • Theoretical maximum is 2^255
    • Sector Size Maximum 2^12
    • Sectors per cluster is derived
    • Cluster Size Maximum is 2^25
34. Executable Boot Code
  • First 3 bytes of Main Boot Sector
    • Jump Code
    • 0xEB7690
  • Offset 120 size 390
    • Remainder of boot code
  • Offset 510
    • End signature marker
    • 0xAA55 = “55AA”
  • Offset 512
    • Unused if defined
35. More Bootable Code
  • Up to 8 Main Extended Boot Sectors
    • FAT32 had 3 sector VBR with 1 MEBS
    • Entire sector can be used for boot code
    • Last 8 bytes of sector is marker
    • 0xAA550000 = “000055AA”
  • Larger capacity for boot virus!
36. VBR Checksum Sector
  • The 12th sector of the VBR
  • Repeating 4 byte checksum
  • Checksum of previous 11 sectors
  • Flags and Percent excluded
    • These are volatile and change often
  • Boot Sector Virus & Checksum
    37. 37. VBR Checksum Sector September 20th, 2010 <ul><li>Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F </li></ul><ul><li>00000000 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹ </li></ul><ul><li>00000010 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹ </li></ul><ul><li>00000020 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹ </li></ul><ul><li>00000030 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹ </li></ul><ul><li>00000040 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹ </li></ul><ul><ul><ul><ul><li>Lines 00000050 through 01BF repeated </li></ul></ul></ul></ul><ul><li>000001C0 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹ </li></ul><ul><li>000001D0 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹ </li></ul><ul><li>000001E0 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹ </li></ul><ul><li>000001F0 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹ </li></ul>
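How the checksum sector on slides 36 and 37 is computed and checked, as an added example (not code from the presentation): it uses the 32-bit rotate-right-and-add routine from Microsoft's public exFAT specification, skips the VolumeFlags and PercentInUse bytes that the deck lists as excluded, and repeats the 4-byte result through the whole 12th sector, which is the pattern in the dump above. The boot region, its 512-byte sector size and the stand-in boot code bytes are constructed assumptions.

```python
"""Compute and verify the exFAT VBR checksum sector.
Added example, not the presentation's code; the 12-sector boot region below is constructed."""
import struct

BYTES_PER_SECTOR = 512              # sample geometry; real images use the BPB 2-shift
EXCLUDED_OFFSETS = (106, 107, 112)  # VolumeFlags (2 bytes) and PercentInUse in sector 0

def boot_checksum(vbr, bytes_per_sector=BYTES_PER_SECTOR):
    """32-bit rotate-right-and-add over the first 11 sectors, skipping the volatile
    fields so that a mount or unmount does not invalidate the checksum."""
    count = bytes_per_sector * 11
    if len(vbr) < count:
        raise ValueError("need at least 11 sectors of boot region")
    checksum = 0
    for index in range(count):
        if index in EXCLUDED_OFFSETS:
            continue
        checksum = ((0x80000000 if checksum & 1 else 0) + (checksum >> 1) + vbr[index]) & 0xFFFFFFFF
    return checksum

def build_checksum_sector(checksum, bytes_per_sector=BYTES_PER_SECTOR):
    """Sector 12 of the VBR: the 4-byte little-endian checksum repeated to fill the
    sector, the pattern visible in the hex dump on slide 37."""
    return struct.pack("<I", checksum) * (bytes_per_sector // 4)

def stored_checksum(vbr, bytes_per_sector=BYTES_PER_SECTOR):
    """First 4-byte cell of the checksum sector as an integer."""
    return struct.unpack_from("<I", vbr, bytes_per_sector * 11)[0]

def verify_vbr(vbr, bytes_per_sector=BYTES_PER_SECTOR):
    """True only if every cell of sector 12 matches the recomputed checksum. A mismatch
    means the boot sectors (boot code included) or the checksum sector were altered."""
    expected = build_checksum_sector(boot_checksum(vbr, bytes_per_sector), bytes_per_sector)
    return bytes(vbr[bytes_per_sector * 11:bytes_per_sector * 12]) == expected

def sample_vbr():
    """Constructed 12-sector boot region, not a dump of real media."""
    main = bytearray(BYTES_PER_SECTOR)
    main[0:3] = b"\xEB\x76\x90"              # jump code shown on slide 34
    main[3:11] = b"EXFAT   "                 # OEM label
    main[106] = 0x02                         # VolumeFlags: excluded from the checksum
    main[108] = 9                            # BytesPerSectorShift: 2^9 = 512
    main[109] = 8                            # SectorsPerClusterShift: 2^8 = 256
    main[112] = 37                           # PercentInUse: excluded from the checksum
    main[120:130] = b"\x90" * 10             # stand-in for boot code (offset 120, 390 bytes)
    main[510:512] = b"\x55\xAA"              # end signature 0xAA55 stored as "55AA"
    extended = bytearray(BYTES_PER_SECTOR)
    extended[-4:] = b"\x00\x00\x55\xAA"      # extended boot signature 0xAA550000
    first_eleven = main + extended * 8 + bytearray(BYTES_PER_SECTOR) * 2   # OEM params, reserved
    return first_eleven + build_checksum_sector(boot_checksum(first_eleven))

def tamper_boot_code(vbr, offset=200):
    """Copy with one boot-code byte flipped; verify_vbr must reject it."""
    copy = bytearray(vbr)
    copy[offset] ^= 0xFF
    return copy

def change_volatile_fields(vbr):
    """Copy with VolumeFlags and PercentInUse changed; verify_vbr must still accept it."""
    copy = bytearray(vbr)
    copy[106] ^= 0x01
    copy[112] = 99
    return copy

if __name__ == "__main__":
    vbr = sample_vbr()
    print("stored 0x%08X verifies: %s" % (stored_checksum(vbr), verify_vbr(vbr)))
    print("tampered boot code verifies:", verify_vbr(tamper_boot_code(vbr)))
    print("changed flags/percent verifies:", verify_vbr(change_volatile_fields(vbr)))
```

Because the volatile fields are excluded, a mount or unmount alone never changes the stored value, so a sector 12 that no longer matches the other 11 sectors is exactly the "boot sector virus & checksum" case on slide 36: the boot code was rewritten without the checksum sector being regenerated. A tool that walks the VBR should recompute and flag the mismatch rather than trust the stored cells.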
    38. FAT – File Allocation Table <ul><li>When it is used, same as legacy FAT </li></ul><ul><li>Not used when the file is contiguous </li></ul><ul><li>Never used for cluster allocation </li></ul><ul><li>FAT32 has 32-bit cells, uses 28 bits </li></ul><ul><li>exFAT has 32-bit cells, uses 32 bits </li></ul><ul><ul><li>There is no 64-bit FAT </li></ul></ul><ul><li>Maximum clusters is 2<sup>32</sup>-11 </li></ul><ul><li>With TexFAT – 2 FAT Tables (2 Bitmaps) </li></ul><ul><li>Addressed by pointer in VBR </li></ul><ul><li>Size stored in VBR </li></ul>
    39. Cell Values in FAT Table <ul><li>0x00000000 – No significant meaning </li></ul><ul><li>0x00000001 – Not a valid cell value </li></ul><ul><li>0xFFFFFFF6 – Largest Value </li></ul><ul><li>0xFFFFFFF7 – Bad Block </li></ul><ul><li>0xFFFFFFF8 – Media Descriptor </li></ul><ul><ul><li>Fixed Disk </li></ul></ul><ul><li>0xFFFFFFF9-0xFFFFFFFE – Not Defined </li></ul><ul><li>0xFFFFFFFF – End of File (EOF) </li></ul>
    40. (image-only slide; no text was extracted)
    41. FAT Table Example <ul><li>Offset 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 </li></ul><ul><li>0000 F8 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF </li></ul><ul><li>0010 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 </li></ul><ul><li>0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 </li></ul><ul><li>0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 </li></ul><ul><li>0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 </li></ul><ul><li>0080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 </li></ul><ul><li>00A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 </li></ul><ul><li>00C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 </li></ul><ul><li>00E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 </li></ul><ul><li>0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 </li></ul><ul><li>Callouts: Media, Reserved, UP-Case Table, Allocation Bit Map, Root Directory </li></ul>
    42. Allocation Bitmap <ul><li>Keeps track of cluster allocation status </li></ul><ul><ul><li>Zero – Free Cluster </li></ul></ul><ul><ul><li>One – Allocated Cluster </li></ul></ul><ul><li>1 byte tracks 8 clusters </li></ul><ul><li>Bit 0 of byte 0 = Cluster 2 </li></ul><ul><ul><li>Cluster 0 & Cluster 1 are not defined </li></ul></ul><ul><li>Addressed by Directory Entry </li></ul><ul><li>With TexFAT – 2 of these (FAT Pairing) </li></ul>
    43. Data Hide Alert! <ul><li>The Allocation Bitmap and the UP-Case Table are stored as files, and provide hiding space in the metadata </li></ul><ul><li>These files are static, typically won’t move, and have slack space </li></ul><ul><li>Nothing prevents someone from moving these files elsewhere in the cluster heap, or making them larger </li></ul>
    44. (image-only slide; no text was extracted)
    45. Directories in exFAT <ul><li>Root (VBR Pointer) </li></ul><ul><ul><li>Contains certain critical entries </li></ul></ul><ul><ul><li>Almost unlimited in size </li></ul></ul><ul><li>Subdirectory (by File Entry) </li></ul><ul><ul><li>Contains file sets </li></ul></ul><ul><ul><li>256MiB Max size </li></ul></ul><ul><ul><li>No physical “.” or “..” entries </li></ul></ul><ul><li>Uses 16-bit Unicode for strings </li></ul><ul><li>Every Entry 32 bytes in size </li></ul><ul><li>Entry type 0x00 is end of directory </li></ul><ul><li>Has capabilities for user-defined entries </li></ul>
    46. Data Hide Alert! <ul><li>Manipulation of the Allocation Bitmap and creation of user directory entries provide the capability of hiding a file system within the file system </li></ul><ul><li>It may also be possible to hide data within the directory metadata itself </li></ul>
    47. Entry Type <ul><li>Type Field: Offset (Bits), Size (Bits) </li></ul><ul><ul><li>In Use: offset 7, size 1 </li></ul></ul><ul><ul><li>Category: offset 6, size 1 </li></ul></ul><ul><ul><li>Importance: offset 5, size 1 </li></ul></ul><ul><ul><li>Code: offset 0, size 5 </li></ul></ul>
    48. Entry Type <ul><li>In Use: </li></ul><ul><ul><li>0 – Not in Use, 1 – In Use </li></ul></ul><ul><li>Category: </li></ul><ul><ul><li>0 – Primary, 1 – Secondary </li></ul></ul><ul><li>Importance: </li></ul><ul><ul><li>0 – Critical, 1 – Benign </li></ul></ul><ul><li>Code: Identifies the entry </li></ul>
    49. Volume Label Directory Entry <ul><li>0x83 or 0x03 Entry </li></ul><ul><li>Primary Entry </li></ul><ul><li>Only resident in Root Directory </li></ul><ul><li>Contains the Volume Label </li></ul><ul><li>16-bit Unicode </li></ul><ul><li>0x03 means no volume label </li></ul>
    50. Volume Label Directory Entry <ul><li>Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F </li></ul><ul><li>00000000 83 0A 65 00 78 00 46 00 41 00 54 00 2D 00 31 00 ƒ.e.x.F.A.T.-.1. </li></ul><ul><li>00000010 32 00 38 00 4B 00 00 00 00 00 00 00 00 00 00 00 2.8.K........... </li></ul><ul><li>Callouts: Type (83), Volume Name Length (10), Volume Label (exFAT-128K) </li></ul>
    51. Allocation Bitmap Directory Entry <ul><li>0x81 Entry </li></ul><ul><li>Primary Entry </li></ul><ul><li>Only resident in Root Directory </li></ul><ul><li>Points to the Allocation Bitmap </li></ul><ul><ul><li>If TexFAT, then 2 of these </li></ul></ul><ul><ul><li>Flag bit says which FAT/Bitmap </li></ul></ul><ul><li>Cluster Address of Bitmap </li></ul><ul><li>Size of Bitmap </li></ul>
    52. Allocation Bitmap Directory Entry <ul><li>Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F </li></ul><ul><li>0000 81 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 </li></ul><ul><li>0010 00 00 00 00 02 00 00 00 3F 00 00 00 00 00 00 00 </li></ul><ul><li>Callouts: Type (81), Cluster Address (Cluster 2), Size (63 bytes) </li></ul>
    53. UP-Case Table Directory Entry <ul><li>0x82 Entry </li></ul><ul><li>Primary Entry </li></ul><ul><li>Only resident in Root Directory </li></ul><ul><li>File names are case insensitive </li></ul><ul><li>Used to fold (up-case) file names </li></ul><ul><li>Table has a checksum (32 bits) </li></ul>
    54. UP-Case Table Directory Entry <ul><li>Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F </li></ul><ul><li>0000 82 00 00 00 0D D3 19 E6 00 00 00 00 00 00 00 00 </li></ul><ul><li>0010 00 00 00 00 03 00 00 00 CC 16 00 00 00 00 00 00 </li></ul><ul><li>Callouts: Type (82), Table Checksum (0D D3 19 E6), Cluster Address (3), Length (0x16CC = 5,836) </li></ul>
    55. File Directory Entry Set <ul><li>Used to define a file </li></ul><ul><li>May have 3 to 19 entries, or more </li></ul><ul><li>1 Primary, many Secondary </li></ul><ul><li>Is considered an array </li></ul><ul><ul><li>Must be in order </li></ul></ul><ul><ul><li>Must be contiguous (no gaps) </li></ul></ul><ul><li>Entire Set has Checksum </li></ul>
    56. File Directory Entry <ul><li>0x85 or 0x05 Entry </li></ul><ul><li>Primary Entry </li></ul><ul><li>Set Checksum (16 bits) </li></ul><ul><ul><li>Not modified on file delete </li></ul></ul><ul><li>Secondary Count </li></ul><ul><ul><li># Secondary entries that follow </li></ul></ul><ul><li>File Attributes </li></ul><ul><li>Timestamps </li></ul>
    57. Timestamps & Time Zones <ul><li>3 Timestamps (MAC) </li></ul><ul><li>32-bit DOS Date/Time </li></ul><ul><ul><li>Local Machine Time </li></ul></ul><ul><li>10ms Offset (MC) </li></ul><ul><li>TZ Offset (MAC) </li></ul><ul><ul><li>15-minute increments </li></ul></ul><ul><ul><li>7-bit signed number </li></ul></ul><ul><ul><li>±16 hours </li></ul></ul><ul><ul><li>Present with UTC support </li></ul></ul>
    58. Timestamp Accuracy <ul><li>FAT32 – Last Access – Date only </li></ul><ul><li>exFAT – Last Access – Date/Time </li></ul><ul><li>All DOS Date/Time values have 2-second (double-second) resolution </li></ul><ul><li>10ms field adds 0-1990 ms to the time </li></ul><ul><li>10ms field only for Create/Modify </li></ul>
    59. Timestamp Reliability <ul><li>Timestamps appear to be updated when the file is created or modified. </li></ul><ul><li>Last Accessed Timestamp appears to be updated when the file is created or modified. </li></ul><ul><li>Last Accessed Timestamp appears NOT to be modified on file read. </li></ul><ul><li>Forensic implication for MAC time analysis </li></ul>
    60. File Attributes <ul><li>Attribute: Offset, Size, Mask </li></ul><ul><ul><li>Reserved2: offset 6, size 10 </li></ul></ul><ul><ul><li>Archive: offset 5, size 1, mask 0x20 </li></ul></ul><ul><ul><li>Directory: offset 4, size 1, mask 0x10 </li></ul></ul><ul><ul><li>Reserved1: offset 3, size 1 </li></ul></ul><ul><ul><li>System: offset 2, size 1, mask 0x04 </li></ul></ul><ul><ul><li>Hidden: offset 1, size 1, mask 0x02 </li></ul></ul><ul><ul><li>Read-Only: offset 0, size 1, mask 0x01 </li></ul></ul>
    61. File Directory Entry <ul><li>Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F </li></ul><ul><li>0000 85 04 D4 92 20 00 00 00 44 62 86 3B F1 62 BA 3A </li></ul><ul><li>0010 44 62 86 3B A8 00 EC EC EC 00 00 00 00 00 00 00 </li></ul><ul><li>Callouts: Type (85), # Secondary Entries (04), Set Checksum (0x92D4), Attributes (0x0020 = Archive), Create, Modified and Accessed timestamps, Create 10ms, Modified 10ms, TZ Offset CMA (EC = GMT-5) </li></ul>
    62. Formatted File Directory Entry <ul><li>Root Entry Type Read is: 85 Directory Entry Record </li></ul><ul><li>Checksum: 92D4 </li></ul><ul><li>Calculated Checksum is: 92D4 </li></ul><ul><li>Size Directory Set (bytes): 160 </li></ul><ul><li>Secondary Count 004 </li></ul><ul><li>File Attributes: 0020 Archive </li></ul><ul><li>Create Timestamp: 3B866244 12/06/2009 12:18:08 </li></ul><ul><li>Last Modified Timestamp: 3ABA62F1 05/26/2009 12:23:34 </li></ul><ul><li>Last Accessed Timestamp: 3B866244 12/06/2009 12:18:08 </li></ul><ul><li>10 ms Offset Create A8 168 </li></ul><ul><li>10 ms Offset Modified 00 0 </li></ul><ul><li>Time Zone Create EC 236 Value of tz is: GMT -05:00 </li></ul><ul><li>Time Zone Modified EC 236 Value of tz is: GMT -05:00 </li></ul><ul><li>Time Zone Last Accessed EC 236 Value of tz is: GMT -05:00 </li></ul>
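Decoding the three timestamp components from slides 57 to 62, as an added example that is not part of the presentation: the 32-bit DOS date/time, the 10 ms increment and the UTC-offset byte, applied to the create and modify values shown in the formatted entry above. The bit layout of the DOS field is the standard DOS date/time packing; the offset byte is decoded as the deck describes it (bit 7 means the offset is valid, the low 7 bits are a signed count of 15-minute steps). The function and parameter names are this example's own.

```python
"""Decode exFAT directory-entry timestamps.
Added example, not the presentation's code; sample values are the ones shown on slide 62."""
from datetime import datetime, timedelta, timezone

def decode_dos_timestamp(value):
    """32-bit DOS timestamp: date in the high word (years since 1980, month, day),
    time in the low word (hour, minute, double seconds). Naive local machine time."""
    date, time = value >> 16, value & 0xFFFF
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def decode_utc_offset(tz_byte):
    """Bit 7 set = offset valid (UTC support); low 7 bits = signed count of 15-minute
    steps, giving -16 h .. +15 h 45 min. Returns None when no offset was recorded."""
    if not tz_byte & 0x80:
        return None
    steps = tz_byte & 0x7F
    if steps & 0x40:                      # 7-bit two's complement: bit 6 is the sign
        steps -= 0x80
    return timedelta(minutes=15 * steps)

def decode_timestamp(dos_value, increment_10ms=0, tz_byte=0):
    """DOS date/time plus the 10 ms increment (0..199, i.e. 0..1990 ms), made
    timezone-aware when the offset byte is valid. The 10 ms field exists only for
    create and modify, so pass 0 for last-access."""
    if not 0 <= increment_10ms <= 199:
        raise ValueError("10 ms increment out of range")
    local = decode_dos_timestamp(dos_value) + timedelta(milliseconds=10 * increment_10ms)
    offset = decode_utc_offset(tz_byte)
    return local if offset is None else local.replace(tzinfo=timezone(offset))

def local_iso(dos_value, increment_10ms=0, tz_byte=0):
    """Timestamp as stored (local machine time), with the offset suffix when known."""
    return decode_timestamp(dos_value, increment_10ms, tz_byte).isoformat()

def utc_iso(dos_value, increment_10ms=0, tz_byte=0):
    """Timestamp normalised to UTC; only possible when the offset byte is valid."""
    ts = decode_timestamp(dos_value, increment_10ms, tz_byte)
    if ts.tzinfo is None:
        raise ValueError("no UTC offset recorded; cannot normalise to UTC")
    return ts.astimezone(timezone.utc).isoformat()

if __name__ == "__main__":
    # Values from the formatted entry on slide 62: create 3B866244 / A8 / EC, modified 3ABA62F1 / 00 / EC
    print("create   ", local_iso(0x3B866244, 0xA8, 0xEC), "->", utc_iso(0x3B866244, 0xA8, 0xEC))
    print("modified ", local_iso(0x3ABA62F1, 0x00, 0xEC))
    print("accessed ", local_iso(0x3B866244, 0, 0xEC))
```

Two things the decoder makes visible for timeline work: the double-second resolution means the create value 12:18:08 is really 12:18:09.68 once the 10 ms byte (0xA8 = 168) is applied, and the last-access value has no 10 ms byte at all, so it can never be more precise than 2 seconds. When the offset byte is not valid (bit 7 clear) the stored time is local machine time with no way to normalise it, which is the case on volumes written by drivers without UTC support.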
    63. Stream Extension Directory Entry <ul><li>0xC0 or 0x40 Entry </li></ul><ul><li>Secondary Entry </li></ul><ul><li>Length of Name </li></ul><ul><li>Length of File (2 fields) </li></ul><ul><li>Cluster address of first data block </li></ul><ul><li>Name Search Hash value </li></ul><ul><li>Secondary Flag </li></ul><ul><ul><li>FAT Invalid </li></ul></ul><ul><ul><li>Allocation Possible </li></ul></ul>
    64. Stream Extension Directory Entry <ul><li>Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F </li></ul><ul><li>0000 C0 03 00 28 AD 3C 00 00 1F 46 1D 01 00 00 00 00 </li></ul><ul><li>0010 00 00 00 00 05 00 00 00 1F 46 1D 01 00 00 00 00 </li></ul><ul><li>Callouts: Entry Flags (03 = Alloc Possible / FAT Invalid), Length of File Name (0x28 = 40), Name Hash (0x3CAD), Cluster (5), Data Length 0x011D461F = 18,695,711 </li></ul>
    65. Parameters for Samples <ul><li>Bytes Per Sector: 2 to the 09 power is: 512 </li></ul><ul><li>Sectors Per Cluster: 2 to the 08 power is: 256 </li></ul><ul><li>Bytes per Cluster: 131072 (128K) </li></ul>
    66. Formatted Stream Extension <ul><li>Root Entry Type Read is: C0 Directory Entry Record, Stream Extension </li></ul><ul><li>Secondary Flags: 03 </li></ul><ul><li>Flag Bit 0: Allocation Possible </li></ul><ul><li>Flag Bit 1: FAT Chain Invalid </li></ul><ul><li>Length of UniCode Filename is: 40 </li></ul><ul><li>Name Hash Value is: AD3C </li></ul><ul><li>Stream Extension First Cluster 5 </li></ul><ul><li>Cluster 5 is Allocated </li></ul><ul><li>Stream Extension Data Length 18695711 Bytes Slack: 83487 Clusters Used: 143 </li></ul><ul><li>Stream Extension Valid Data Length 18695711 Bytes Slack: 83487 Clusters Used: 143 </li></ul>
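An added example (not code from the presentation) that ties together slides 33, 38 to 42 and 63 to 66: cluster size from the two 2-shift fields, cluster count and slack for the 18,695,711-byte sample file on 128 KiB clusters, allocation-bitmap lookups with cluster 2 at bit 0 of byte 0, and walking the FAT (or skipping it entirely when the stream extension's "FAT invalid" flag says the file is contiguous) with loop, range and bad-block checks. The FAT and bitmap contents are constructed beyond the five cells shown on slide 41; the function names are this example's own.

```python
"""exFAT cluster geometry, allocation bitmap and FAT chain helpers.
Added example, not the presentation's code; the sample FAT and bitmap are constructed."""
import struct

FIRST_DATA_CLUSTER = 2          # clusters 0 and 1 are not defined in the heap
LARGEST_CLUSTER = 0xFFFFFFF6    # largest valid cell value (slide 39)
BAD_CLUSTER = 0xFFFFFFF7
MEDIA_DESCRIPTOR = 0xFFFFFFF8
END_OF_CHAIN = 0xFFFFFFFF
CELL_MEANINGS = {0: "no significant meaning", 1: "not a valid cell value",
                 BAD_CLUSTER: "bad block", MEDIA_DESCRIPTOR: "media descriptor",
                 END_OF_CHAIN: "end of file"}

def cluster_size(bytes_per_sector_shift, sectors_per_cluster_shift):
    """Both BPB fields are 2-shifts (exponents): sectors 2^9..2^12, clusters <= 2^25."""
    if not 9 <= bytes_per_sector_shift <= 12:
        raise ValueError("sector size outside 512..4096 bytes")
    size = 1 << (bytes_per_sector_shift + sectors_per_cluster_shift)
    if size > 1 << 25:
        raise ValueError("cluster larger than 32 MiB")
    return size

def cluster_usage(data_length, cluster_bytes):
    """(clusters needed, bytes occupied in the last cluster, slack bytes in its tail)."""
    clusters = -(-data_length // cluster_bytes)          # ceiling division
    used_in_last = data_length - (clusters - 1) * cluster_bytes if clusters else 0
    return clusters, used_in_last, clusters * cluster_bytes - data_length

def is_allocated(bitmap, cluster):
    """Bit 0 of byte 0 is cluster 2; each byte tracks eight clusters (slide 42)."""
    if cluster < FIRST_DATA_CLUSTER:
        raise ValueError("clusters 0 and 1 are not defined")
    index = cluster - FIRST_DATA_CLUSTER
    return bool((bitmap[index // 8] >> (index % 8)) & 1)

def fat_cell(fat, cluster):
    """32-bit little-endian cell; exFAT uses all 32 bits (FAT32 used 28)."""
    return struct.unpack_from("<I", fat, cluster * 4)[0]

def describe_cell(value):
    """Meaning of a FAT cell value, following the list on slide 39."""
    if 0xFFFFFFF9 <= value <= 0xFFFFFFFE:
        return "not defined"
    return CELL_MEANINGS.get(value, "next cluster %d" % value)

def cluster_chain(fat, first_cluster, data_length, cluster_bytes, no_fat_chain):
    """Clusters of a file in order. With the stream extension's "FAT invalid" flag the
    file is contiguous and the FAT is never read; otherwise the chain is followed to
    EOF with loop, range and bad-block checks, then compared against the data length."""
    clusters, _, _ = cluster_usage(data_length, cluster_bytes)
    if no_fat_chain:
        return list(range(first_cluster, first_cluster + clusters))
    chain, seen, current = [], set(), first_cluster
    while True:
        if current in seen:
            raise ValueError("FAT loop at cluster %d" % current)
        if not FIRST_DATA_CLUSTER <= current <= LARGEST_CLUSTER or current * 4 + 4 > len(fat):
            raise ValueError("invalid cluster number %d in chain" % current)
        seen.add(current)
        chain.append(current)
        nxt = fat_cell(fat, current)
        if nxt == END_OF_CHAIN:
            break
        if nxt == BAD_CLUSTER:
            raise ValueError("chain runs into a bad block after cluster %d" % current)
        current = nxt
    if len(chain) != clusters:
        raise ValueError("chain has %d clusters, data length needs %d" % (len(chain), clusters))
    return chain

def chain_error(fat, first_cluster, data_length, cluster_bytes):
    """Error text from cluster_chain on the FAT path, or None when consistent."""
    try:
        cluster_chain(fat, first_cluster, data_length, cluster_bytes, False)
        return None
    except ValueError as exc:
        return str(exc)

def sample_fat():
    """Constructed FAT: cells 0-4 as on slide 41 (media descriptor, reserved, then bitmap,
    UP-Case table and root directory at one cluster each); cells 5-11 add a fragmented
    file 5 -> 7 -> 8, a bad block at 9 and a loop 10 <-> 11."""
    cells = [MEDIA_DESCRIPTOR, END_OF_CHAIN, END_OF_CHAIN, END_OF_CHAIN, END_OF_CHAIN,
             7, 0, 8, END_OF_CHAIN, BAD_CLUSTER, 11, 10]
    return b"".join(struct.pack("<I", c) for c in cells)

def sample_bitmap():
    """Constructed bitmap matching sample_fat: clusters 2-5 and 7-11 allocated, 6 free."""
    return bytes([0b11101111, 0b00000011])

if __name__ == "__main__":
    size = cluster_size(9, 8)                                   # slide 65: 128 KiB clusters
    print("usage for 18,695,711 bytes:", cluster_usage(18695711, size))
    print("FAT chain from 5:", cluster_chain(sample_fat(), 5, 2 * size + 100, size, False))
    print("loop check:", chain_error(sample_fat(), 10, 2 * size, size))
```

A note on the tool output on slide 66: 83,487 is the number of bytes the file occupies in its last cluster (18,695,711 mod 131,072), while the unused tail of that cluster, the slack proper, is 131,072 - 83,487 = 47,585 bytes. cluster_usage returns both figures so the two are not confused when sizing slack for carving. The chain walker refuses loops and chains that run into a bad block, and it rejects a chain whose length disagrees with the data length, which is the cheap consistency check a recovery tool can apply before trusting a directory entry.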
    67. File Name Extension Directory Entry <ul><li>0xC1 or 0x41 Entry </li></ul><ul><li>Secondary Entry </li></ul><ul><li>Secondary Flags </li></ul><ul><ul><li>Allocation not possible </li></ul></ul><ul><ul><li>FAT Invalid </li></ul></ul><ul><li>15 Characters (30 bytes) of Name </li></ul><ul><li>Name in 16-bit Unicode </li></ul><ul><li>In order (FAT32 LFN was reversed) </li></ul><ul><li>Up to 17 entries max, 255 characters total </li></ul>
    68. File Name Extension Directory Entry <ul><li>Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F </li></ul><ul><li>Entry 1 </li></ul><ul><ul><li>0000 C1 00 62 00 75 00 73 00 69 00 6E 00 65 00 73 00 Á.b.u.s.i.n.e.s. </li></ul></ul><ul><ul><li>0010 73 00 5F 00 6F 00 66 00 5F 00 73 00 65 00 63 00 s._.o.f._.s.e.c. </li></ul></ul><ul><li>Entry 2 </li></ul><ul><ul><li>0000 C1 00 75 00 72 00 69 00 74 00 79 00 5F 00 5F 00 Á.u.r.i.t.y._._. </li></ul></ul><ul><ul><li>0010 62 00 75 00 73 00 2D 00 31 00 30 00 35 00 2D 00 b.u.s.-.1.0.5.-. </li></ul></ul><ul><li>Entry 3 </li></ul><ul><ul><li>0000 C1 00 33 00 32 00 6B 00 62 00 70 00 73 00 2E 00 Á.3.2.k.b.p.s... </li></ul></ul><ul><ul><li>0010 6D 00 70 00 33 00 00 00 00 00 00 00 00 00 00 00 m.p.3........... </li></ul></ul><ul><li>File Name = business_of_security__bus-105-32kbps.mp3 </li></ul>
    69. Significance of “not in use” flag <ul><li>0x05, 0x40 & 0x41 Entries </li></ul><ul><ul><li>“Not in use” may mean deleted files </li></ul></ul><ul><ul><li>May also be a reallocated rename </li></ul></ul><ul><li>Set Checksum not changed when entries are marked “not in use” </li></ul>
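Parsing a complete file directory entry set (slides 47, 48, 55, 56, 63, 64 and 67 to 69), as an added example rather than the presentation's code. The 160 bytes are the primary entry, the stream extension and the three name entries shown on the slides, joined in the order a set must be stored. The entry-set checksum and the name hash are the 16-bit rotate-right-and-add routines from Microsoft's public exFAT specification; the code reports whether its recomputed values equal the stored 0x92D4 and 0x3CAD rather than assuming so. Plain ASCII up-casing stands in for the volume's UP-Case table, and the function names are this example's own.

```python
"""Parse an exFAT file directory entry set (0x85 + 0xC0 + 0xC1 entries).
Added example, not the presentation's code; the entry bytes are the ones shown on the slides."""
import struct

ENTRY_SIZE = 32
# Primary entry (slide 61), stream extension (slide 64) and the three name entries
# (slide 68), joined in the order the set must be stored on disk.
SAMPLE_SET = bytes.fromhex(
    "85 04 D4 92 20 00 00 00 44 62 86 3B F1 62 BA 3A"
    "44 62 86 3B A8 00 EC EC EC 00 00 00 00 00 00 00"
    "C0 03 00 28 AD 3C 00 00 1F 46 1D 01 00 00 00 00"
    "00 00 00 00 05 00 00 00 1F 46 1D 01 00 00 00 00"
    "C1 00 62 00 75 00 73 00 69 00 6E 00 65 00 73 00"
    "73 00 5F 00 6F 00 66 00 5F 00 73 00 65 00 63 00"
    "C1 00 75 00 72 00 69 00 74 00 79 00 5F 00 5F 00"
    "62 00 75 00 73 00 2D 00 31 00 30 00 35 00 2D 00"
    "C1 00 33 00 32 00 6B 00 62 00 70 00 73 00 2E 00"
    "6D 00 70 00 33 00 00 00 00 00 00 00 00 00 00 00")

def decode_entry_type(type_byte):
    """Bit 7 in use, bit 6 category, bit 5 importance, bits 0-4 type code (slide 47)."""
    return {"in_use": bool(type_byte & 0x80),
            "category": "secondary" if type_byte & 0x40 else "primary",
            "importance": "benign" if type_byte & 0x20 else "critical",
            "code": type_byte & 0x1F}

def rotate_add16(checksum, byte):
    """One step of the 16-bit rotate-right-and-add used by both routines below."""
    return ((0x8000 if checksum & 1 else 0) + (checksum >> 1) + byte) & 0xFFFF

def entry_set_checksum(entries):
    """Checksum over the whole set except the stored checksum (bytes 2-3 of the primary)."""
    checksum = 0
    for index, byte in enumerate(entries):
        if index not in (2, 3):
            checksum = rotate_add16(checksum, byte)
    return checksum

def name_hash(name):
    """Hash of the up-cased name as UTF-16LE bytes. str.upper() stands in here for
    the volume's UP-Case table, which is what a driver folds through."""
    value = 0
    for byte in name.upper().encode("utf-16-le"):
        value = rotate_add16(value, byte)
    return value

def deleted_view(entry_set):
    """Copy with bit 7 cleared in every entry type, as a delete marks the set "not in use"
    (0x85 -> 0x05, 0xC0 -> 0x40, 0xC1 -> 0x41); the stored checksum is left untouched."""
    out = bytearray(entry_set)
    for offset in range(0, len(out), ENTRY_SIZE):
        out[offset] &= 0x7F
    return bytes(out)

def parse_entry_set(raw):
    """Decode the primary, stream extension and name entries into one record."""
    primary = raw[:ENTRY_SIZE]
    ptype = decode_entry_type(primary[0])
    if ptype["category"] != "primary" or ptype["code"] != 0x05:
        raise ValueError("not a file directory entry: 0x%02X" % primary[0])
    secondary_count = primary[1]
    raw = raw[:ENTRY_SIZE * (secondary_count + 1)]
    if len(raw) != ENTRY_SIZE * (secondary_count + 1):
        raise ValueError("entry set truncated")
    stored_checksum, attributes = struct.unpack_from("<HH", primary, 2)
    create, modified, accessed = struct.unpack_from("<III", primary, 8)
    create_10ms, modified_10ms, create_tz, modified_tz, accessed_tz = primary[20:25]
    stream = raw[ENTRY_SIZE:2 * ENTRY_SIZE]
    stype = decode_entry_type(stream[0])
    if stype["category"] != "secondary" or stype["code"] != 0x00:
        raise ValueError("stream extension must directly follow the primary entry")
    flags, name_length = stream[1], stream[3]
    stored_hash = struct.unpack_from("<H", stream, 4)[0]
    valid_data_length, _, first_cluster, data_length = struct.unpack_from("<QIIQ", stream, 8)
    pieces = []
    for i in range(2, secondary_count + 1):
        entry = raw[i * ENTRY_SIZE:(i + 1) * ENTRY_SIZE]
        if decode_entry_type(entry[0])["code"] != 0x01:
            raise ValueError("entry %d is not a file name extension" % i)
        pieces.append(entry[2:ENTRY_SIZE].decode("utf-16-le"))   # 15 chars each, in order
    name = "".join(pieces)[:name_length]
    computed = entry_set_checksum(raw)
    return {"in_use": ptype["in_use"], "secondary_count": secondary_count,
            "attributes": attributes, "archive": bool(attributes & 0x20),
            "create": create, "modified": modified, "accessed": accessed,
            "create_10ms": create_10ms, "modified_10ms": modified_10ms,
            "tz": (create_tz, modified_tz, accessed_tz),
            "stored_checksum": stored_checksum, "computed_checksum": computed,
            "checksum_ok": computed == stored_checksum,
            "allocation_possible": bool(flags & 0x01), "no_fat_chain": bool(flags & 0x02),
            "name_length": name_length, "name": name,
            "stored_name_hash": stored_hash, "computed_name_hash": name_hash(name),
            "first_cluster": first_cluster, "data_length": data_length,
            "valid_data_length": valid_data_length}

if __name__ == "__main__":
    record = parse_entry_set(SAMPLE_SET)
    for key in ("name", "first_cluster", "data_length", "no_fat_chain", "stored_checksum",
                "computed_checksum", "checksum_ok", "stored_name_hash", "computed_name_hash"):
        print("%-20s %r" % (key, record[key]))
    print("deleted view in_use:", parse_entry_set(deleted_view(SAMPLE_SET))["in_use"])
```

deleted_view shows the point of slide 69: a delete clears bit 7 of each entry type and rewrites nothing else, so the stored checksum, name, name length, first cluster and data length all survive in the 0x05/0x40/0x41 set, while a checksum recomputed over the not-in-use bytes will usually no longer equal the stored field. A recovery tool should therefore not discard 0x05 sets on a checksum mismatch but use the intact stream extension fields to decide what to carve, and should treat a 0x05 set whose clusters are allocated again in the bitmap as a possible rename or reuse rather than a recoverable file.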
    70. Summary <ul><li>exFAT is a new generation of the FAT family of Microsoft File Systems </li></ul><ul><li>The need for forensics tools will heat up in 2010 </li></ul><ul><li>We don’t have the right tools yet </li></ul><ul><li>Documentation and support for exFAT is scarce </li></ul>
    71. Q&A
    72. Contact Information <ul><li>E-mail: [email_address] </li></ul><ul><li>Blog: rshullic.wordpress.com </li></ul><ul><li>Blog: shullich.blogspot.com </li></ul>
    73. References <ul><li>SANS Reading Room: http://www.sans.org/reading_room/whitepapers/forensics/rss/reverse_engineering_the_microsoft_exfat_file_system_33274 </li></ul><ul><li>Microsoft Patent 0164440 (June 25, 2009). Quick Filename Lookup Using Name Hash. Pub. No. US 2009/0164440 A1. Retrieved December 10, 2009 from http://www.pat2pdf.org/patents/pat20090164440.pdf </li></ul>