Cyber Forensics - Unit IV - FAT

1. DEPARTMENT OF INFORMATION TECHNOLOGY
Subject Code : CS6004 Staff Name : R. Arthy, AP/IT
Subject Name: Cyber Forensics Class : IV IT
FILE ALLOCATION SYSTEM (FAT)
Introduction
 FAT x – File Allocation Table – family of file systems for DOS/Windows operating
systems
o FAT table – stores info. on status of all clusters on the disk = ‘table of content’
o x = 12, 16, 32 – number of bits used for cluster identification/numbering
 bit-size of each FAT table entry
 Example

2.  Example: FAT16 capacity
Can 700 MB disk drive be formatted with a FAT16 file system using 4KB clusters?
FAT16 ⇒ 216
= 65536 clusters
216
clusters * 4 Kbytes = 26
* 210
* 4 * 210
bytes
max capacity = 64 * 4 MB = 256 MB
 In Microsoft file structures, sectors are grouped to form clusters
o Storage allocation units of one or more sectors
 Clusters range from 512 bytes up to 32,000 bytes each
 Combining sectors minimizes the overhead of writing or reading files to a disk
 Clusters are numbered sequentially starting at 0 in NTFS and 2 in FAT
o First sector of all disks contains a system area, the boot record, and a file
structure database
 OS assigns these cluster numbers, called logical addresses
 Sector numbers are called physical addresses
 Clusters and their addresses are specific to a logical disk drive, which is a disk
partition
Major Section
1) Boot Sector – occupies the 1st cluster on the disk
 Contains specific information about organization of the file system, including: type
of FAT (12/16/32) system,
o # of bytes per sector,
o # of sectors per track,
o # of sectors per cluster,
o # of read heads,

3. o # of FAT tables,
o # of clusters per FAT table, etc.
2) FAT Tables
 keep track of allocation status of different data clusters
o entry N relates to data cluster N – the actual value is a pointer to another FAT
entry
o set of clusters that constitute one file are defined by a set of linked FAT entries
 multiple FATs (FAT1 & FAT2) ensure redundancy in case of data corruption – FAT2
is a backup of FAT 1
o typically used on portable (more vulnerable) media
Example: Use of FAT system

4.  FAT entry values
3) Root Directory (FAT12/16 only)
 stores Directory Table – table of 32-byte long entries for each file & directory created
on the disk
4) Data Area
 contains file & directory data – occupies remaining sectors (clusters) on the disk
 first cluster of Data Area is numbered 2; though, this is physical sector 33!

5. Example: (Root) Directory Table entries in bytes
Example: File fragmentation / cluster allocation in FAT
Example: Final Exam 2010
 Assume a computer employs the FAT16 file system with components as shown
below:

6. o A file, containing a set of numbers, is stored on this computer under the name
YourFile.txt.
o Using the provided information, identify the first six numbers stored in
YourFile.txt.
Disk Partitions
 A partition is a logical drive
 Windows OSs can have three primary partitions followed by an extended partition
that can contain one or more logical drives
 Hidden partitions or voids
o Large unused gaps between partitions on a disk
 Partition gap
o Unused space between partitions

7.  The partition table is in the Master Boot Record (MBR)
o Located at sector 0 of the disk drive
 MBR stores information about partitions on a disk and their locations, size, and
other important items
 In a hexadecimal editor, such as WinHex, you can find the first partition at offset
0x1BE
o The file system’s hexadecimal code is offset 3 bytes from 0x1BE for the
first partition
Examining FAT Disks
 File Allocation Table (FAT)
o File structure database that Microsoft originally designed for floppy disks
 FAT database is typically written to a disk’s outermost track and contains:
o Filenames, directory names, date and time stamps, the starting cluster
number, and file attributes

8.  Three current FAT versions
o FAT16, FAT32, and exFAT (used by Xbox game systems)
 Cluster sizes vary according to the hard disk size and file system
 Microsoft OSs allocate disk space for files by clusters
o Results in drive slack
 Unused space in a cluster between the end of an active file and the end of the cluster
 Drive slack includes:
o RAM slack and file slack
 An unintentional side effect of FAT16 having large clusters was that it reduced
fragmentation
o As cluster size increased
 When you run out of room for an allocated cluster
o OS allocates another cluster for your file, which creates more slack space on
the disk
 As files grow and require more disk space, assigned clusters are chained together
o The chain can be broken or fragmented
 When the OS stores data in a FAT file system, it assigns a starting cluster position to
a file

9.  Slack Space in FAT
o phenomenon caused by the way how computers store data/files:
 files are allocated cluster-sized chunks
 regardless of the actual size of data in the file data may not be
big enough to fill (all) segments, i.e. clusters
 sector slack - space between EOF and end of last sector that file was written to known
as RAM slack as OS pulls any info available in RAM at that point (memory dump) to
fill this space – e.g. logon IDs, passwords, segments of other files
 cluster slack - remaining sectors in cluster known as file slack – contains whatever
was last written by disk in those sectors (e.g. parts of a deleted file)
Data for the file is written to the first sector of the first assigned cluster
 When this first assigned cluster is filled and runs out of room
o FAT assigns the next available cluster to the file
 If the next available cluster isn’t contiguous to the current cluster
o File becomes fragmented
Deleting FAT Files
 In Microsoft OSs, when a file is deleted
o Directory entry is marked as a deleted file
 With the HEX E5 character replacing the first letter of the filename

10.  FAT chain for that file is set to 0
 Data in the file remains on the disk drive
 Area of the disk where the deleted file resides becomes unallocated disk space
o Available to receive new data from newly created files or other files needing
more space