Abstract
The objectives of this chapter are to:
References
[1] Transition to Advanced Format 4K Sector Hard Drives. [Online]. Available at: http://www.seagate.com/ca/en/tech-insights/advanced-format-4k-sector-hard-drives-master-ti/
[2] Brian Carrier. “File System Forensic Analysis”. Addison-Wesley Professional, 2005.
[3] Long Filename Specification. [Online]. Available at: http://home.teleport.com/~brainy/lfn.htm
[4] File Allocation System. [Online]. Available at: http://www.ntfs.com/fat-allocation.htm
Appendices
Appendix A: Data Structure for the FAT12/16 Partition Boot Sector [2]
Byte offset (within FAT12/16 Partition Boot Sector) in hexadecimal | Length in decimal (bytes) | Byte range in decimal (bytes) | Contents |
---|---|---|---|
0x00 | 36 | 0–35 | See Table 5.1 |
0x24 | 1 | 36–36 | Physical drive number (0x00 for removable media, 0x80 for hard disks) |
0x25 | 1 | 37–37 | Not used |
0x26 | 1 | 38–38 | Extended boot signature to identify if the next three values are valid. The signature is 0x29 |
0x27 | 4 | 39–42 | Volume serial number, which some versions of Windows will calculate based on the creation date and time |
0x2b | 11 | 43–53 | Volume label, padded with blanks (0x20) |
0x36 | 8 | 54–61 | File system type label in ASCII. Standard values include “FAT”, “FAT12”, and “FAT16”, but nothing is required. Note: this is not meant to be used to determine drive type; however, some utilities use it in this way |
0x3e | 448 | 62–509 | Not used. It could contain operating system boot code |
0x1fe | 2 | 510–511 | Boot sector signature (0x55 0xAA) |
Appendix B: Data Structure for the FAT32 Partition Boot Sector [2]
Byte offset (within FAT32 Partition Boot Sector) in hexadecimal | Length in decimal (bytes) | Byte range in decimal (bytes) | Contents |
---|---|---|---|
0x00 | 36 | 0–35 | See Table 5.1 |
0x24 | 4 | 36–39 | Sectors per file allocation table (FAT) |
0x28 | 2 | 40–41 | Defines how multiple FAT structures are written to. If bit 7 is 1, only one of the FAT structures is active and its index is described in bits 0–3. Otherwise, all FAT structures are mirrors of each other. |
0x2a | 2 | 42–43 | The major and minor version number (defined as 0) |
0x2c | 4 | 44–47 | Cluster number of root directory start |
0x30 | 2 | 48–49 | Sector number of FS information sector |
0x32 | 2 | 50–51 | Sector number of a copy of this boot sector (0 if no backup copy exists) |
0x34 | 12 | 52–63 | Reserved |
0x40 | 1 | 64–64 | Physical drive number (see FAT12/16 boot sector at offset 0x24) |
0x41 | 1 | 65–65 | Reserved (see FAT12/16 boot sector at offset 0x25) |
0x42 | 1 | 66–66 | Extended boot signature (see FAT12/16 boot sector at offset 0x26) |
0x43 | 4 | 67–70 | ID (serial number) |
0x47 | 11 | 71–81 | Volume label |
0x52 | 8 | 82–89 | FAT file system type: “FAT32 ” |
0x5a | 420 | 90–509 | Not used. It could contain operating system boot code |
0x1fe | 2 | 510–511 | Boot sector signature (0x55 0xAA) |
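The FAT32 layout in Appendix B can be decoded directly from a 512-byte sector. The following is an added example, not code from the chapter: the struct, the function names and the sample sector are constructed for illustration, and multi-byte fields are read as little-endian, which is how FAT stores them.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fields from Appendix B; struct and function names are this example's own. */
struct fat32_bs {
    uint32_t sectors_per_fat, root_cluster, serial;
    uint16_t fsinfo_sector, backup_sector;
    int mirrored, active_fat, ext_valid;
    char label[12], fs_type[9];            /* NUL-terminated copies */
};

/* FAT stores multi-byte integers little-endian. */
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }

/* Returns 0 on success, -1 if the 0x55 0xAA signature at bytes 510-511 is missing. */
int parse_fat32_bs(const uint8_t s[512], struct fat32_bs *o) {
    memset(o, 0, sizeof *o);
    if (s[510] != 0x55 || s[511] != 0xAA) return -1;
    uint16_t flags = le16(s + 0x28);
    o->sectors_per_fat = le32(s + 0x24);
    o->mirrored = !(flags & 0x80);                      /* bit 7 clear: FATs are mirrors */
    o->active_fat = o->mirrored ? -1 : (flags & 0x0F);  /* bits 0-3: index of active FAT */
    o->root_cluster = le32(s + 0x2c);
    o->fsinfo_sector = le16(s + 0x30);
    o->backup_sector = le16(s + 0x32);                  /* 0 means no backup copy */
    o->ext_valid = (s[0x42] == 0x29);
    if (o->ext_valid) {          /* serial, label and type are valid only with 0x29 */
        o->serial = le32(s + 0x43);
        memcpy(o->label, s + 0x47, 11);
        memcpy(o->fs_type, s + 0x52, 8);
    }
    return 0;
}

/* Constructed sample sector, not taken from a real image. */
void make_sample(uint8_t s[512]) {
    memset(s, 0, 512);
    s[0x24] = 0xF0; s[0x25] = 0x03;            /* 0x03F0 = 1008 sectors per FAT */
    s[0x28] = 0x81;                            /* bit 7 set, active FAT index 1 */
    s[0x2c] = 2; s[0x30] = 1; s[0x32] = 6;
    s[0x42] = 0x29; s[510] = 0x55; s[511] = 0xAA;
    memcpy(s + 0x43, "\x78\x56\x34\x12", 4);   /* serial 0x12345678 */
    memcpy(s + 0x47, "EVIDENCE   FAT32   ", 19); /* label (11) then type (8) */
}

int main(void) {
    uint8_t s[512]; struct fat32_bs b;
    make_sample(s);
    if (parse_fat32_bs(s, &b)) return 1;
    printf("label=\"%s\" type=\"%s\" serial=%08X\n", b.label, b.fs_type, (unsigned)b.serial);
    return 0;
}
```

When the extended boot signature is not 0x29, the parser leaves the serial number, label and type empty rather than reporting whatever bytes happen to be there.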
Appendix C: Checksum Algorithm for LFN Entry [3]
The following C code snippet is used to calculate this checksum:
```c
/* Calculating the Checksum */
#include <stdio.h>

int main() {
    // Short file name, for example "FORENS~1.PDF", stored as 8 name bytes
    // followed by 3 extension bytes. The '.' is not part of the stored
    // short file name and is excluded from the checksum.
    unsigned char name[11] = {'F','O','R','E','N','S','~','1','P','D','F'};
    unsigned char checksum;
    int i;

    checksum = 0;
    for (i = 0; i < 11; i++) {
        // Rotate the running checksum right by one bit, then add the next byte.
        checksum = (((checksum & 1) << 7) | ((checksum & 0xfe) >> 1)) + name[i];
    }

    printf(" The Checksum for the short file name specified is %#x\n", checksum);
    return 0;
}
```
Copyright information
© 2018 Springer Nature Switzerland AG
About this chapter
Cite this chapter
Lin, X. (2018). Examining FAT File System. In: Introductory Computer Forensics. Springer, Cham. https://doi.org/10.1007/978-3-030-00581-8_5
DOI: https://doi.org/10.1007/978-3-030-00581-8_5
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-00580-1
Online ISBN: 978-3-030-00581-8
eBook Packages: Computer Science, Computer Science (R0)