Examining FAT File System

Abstract

The objectives of this chapter are to:

Appendices

Appendix A: Data Structure for the FAT12/16 Partition Boot Sector [2]

Byte offset (within FAT12/16 Partition Boot Sector) in hexadecimal	Length in decimal (bytes)	Byte range in decimal (bytes)	Contents
0x00	36	0–35	See Table 5.1
0x24	1	36–36	Physical drive number (0x00 for removable media, 0x80 for hard disks)
0x25	1	37–37	Not used
0x26	1	38–38	Extended boot signature to identify if the next three values are valid. The signature is 0x29
0x27	4	39–42	Volume serial number, which some versions of windows will calculate based on the creation date and time
0x2b	11	14–25	Volume label, padded with blanks (0x20)
0x36	8	54–61	File system type label in ASCII standard values include “FAT”, “FAT12”, and “FAT16”, but nothing is required. P.S.: This is not meant to be used to determine drive type, however, some utilities use it in this way
0x3e	448	28–31	Not used. It could contain operating system boot code
0x1fe	2	510–511	Boot sector signature (0x55 0xAA)

Appendix B: Data Structure for the FAT32 Partition Boot Sector [2]

Byte offset (within FAT32 Partition Boot Sector) in hexadecimal	Length in decimal (bytes)	Byte range in decimal (bytes)	Contents
0x00	36	0–35	See Table 5.1
0x24	4	36–39	Sectors per file allocation table (FAT)
0x28	2	40–41	Defines how multiple FAT structures are written to. If bit 7 is 1, only one of the FAT structures is active and its index is described in bits 0–3. Otherwise, all FAT structures are mirrors of each other.
0x2a	2	42–43	The major and minor version number (defined as 0)
0x2c	4	44–47	Cluster number of root directory start
0x30	2	48–49	Sector number of FS information sector
0x32	2	50–51	Sector number of a copy of this boot sector (0 if no backup copy exists)
0x34	12	52–63	Reserved
0x40	1	64–64	Physical drive number (see FAT12/16 boot sector at offset 0x24)
0x41	1	65–65	Reserved (see FAT12/16 boot sector at offset 0x25)
0x42	1	66–66	Extended boot signature (see FAT12/16 boot sector at offset 0x26)
0x43	4	67–70	ID (serial number)
0x47	11	71–81	Volume label
0x52	8	82–89	FAT file system type: “FAT32 ”
0x5a	420	90–509	Not used. It could contain operating system boot code
0x1fe	2	510–511	Boot sector signature (0x55 0xAA)

Appendix C: Checksum Algorithm for LFN Entry [3]

The following C code snippet is used to calculate this checksum:

• /* Calculating the Checksum */

• #include <stdio.h>

• Int main() {

  • // Short file name. For example, "FORENS~1.PDF".

  • // '.' is excluded when calculating the checksum according to a short file name.

  • char name[11] = {'F','O','R','E','N','S','~','1','P','D','F'};

  • unsigned char checksum;

  • int i;

  • checksum=0;

  • for (i = 0; i < 11; i++) {

    • checksum = (((checksum & 1) << 7) | ((checksum & 0xfe) >> 1)) + name[i];

  • }

  • printf(" The Checksum for the short file name specified is %#x\n", checksum);

  • return 0;

• }