As investigators and information security professionals, we have to stay constantly aware of changes in file systems in order to track data changes and accurately attribute system changes.
In 2006 Microsoft released a successor to the FAT32 file system named the Extended FAT file system, labeled exFAT for short. exFAT was initially released for the Windows CE handheld device, and in 2008 a version of exFAT was released for Microsoft Desktop and Server operating systems. Today exFAT is licensed and supported on many devices and systems, including Unix/Linux systems. With the release of the Secure Digital Extended Capacity (SDXC) memory card, the SD Card Association adopted exFAT as the standard file system for SDXC media, which is used in cameras, cell phones and other consumer electronics.
exFAT is organized differently from its legacy predecessors in the FAT family (FAT12/16/32), and forensic investigators will need to know and understand this new format when conducting examinations of media that use it.
Robert Shullich, Enterprise Security Architect at Tower Group Companies, will give a great overview of the exFAT file system and the implications for investigators.
exFAT topics to be covered in the session:
• File System Limits
• Relevance to forensics computing and digital investigation
• Hiding places to look out for – where criminals can hide things
• File System Layout and Internals