- Create a FAT32
# dd if=/dev/zero of=./fat32.dd bs=1024000 count=34
# mkfs.vfat -F 32 fat32.dd
- Identify created FAT32
# file fat32.dd
fat32.dd: x86 boot sector, mkdosfs boot message display, code offset 0x58, OEM-ID " mkdosfs", Media descriptor 0xf8, heads 64, sectors 68000 (volumes > 32 MB) , FAT (32 bit), sectors/FAT 523, serial number 0x98118991, label: " "
- FAT Layout
| BR | Reserved | FAT #1 | FAT #2 | Root Directory | Data |
|---|
(2) FAT32
| BR | Reserved | FAT #1 | FAT #2 | Root Directory | Data |
|---|
- Tracking a FAT32
For Tracking a file system, I input a jpeg file named forensics.jpg.
- Boot Sector
You can identify total Sectors, size of per sector, root directory cluster, size of FAT.
- FAT32 Table
| Media Type | Partition State | Cluster 2 | Cluster 3 |
| Cluster 4 | Cluster 5 | Cluster 6 | Cluster 7 |
| Cluster 8 | Cluster 9 | Cluster 10 | Cluster 11 |
| Cluster 12 | Cluster 13 | Cluster 14 | Cluster 15 |
| ....................... | ...................... | ...................... | ...................... |
# Medial Type - Hard Disk : F8 FF FF 0F
# Partition State - Nomal : FF FF FF FF
# Cluster 2 - Cluster of Root Directory
| Hex Value | Description |
| 0x?0000000 | Empty Cluster |
| 0x?0000001 | Reserved Cluster |
| 0x?0000002 ~ 0x?FFFFFEF | Used Cluster / Each number is cluster number |
| 0x?FFFFFF0 ~ 0x?FFFFFF6 | Reserved Cluster |
| 0x?FFFFFF7 | Bad Cluster like bad sector |
| 0x?FFFFFF8 ~ 0x?FFFFFFF | End of Cluster |
- Moving to FAT1 and FAT2
(1) Moving to FAT1
512 * 32 = 16384 => 0x4000 Move to 0x4000 offset
Because The size of Reseved in FAT32 is 32Sector.
FAT size is 523 Sectors => 523 * 512 = 267776 => 0x41600
(2) Moving to FAT2
The size of FAT is 26776. => 523 * 512 => 0x41600
Boot Sector + Reserved + FAT1 = FAT2
0 + 0x4000 + 0x41600 = 0x45600
Boot Sector + Reserved + FAT1 = FAT2
0 + 0x4000 + 0x41600 = 0x45600
The end of FAT3 is 0x86C00 offset. => 0x45600 + 0x41600
The next of FAT2 is Directory Entry.
- Directory Entry
| Name | Extender | Attr | NT Res | Reserved | Create Time | |||||
| Create Date | Last Access Date | First Cluster High Bytes | Write Time | Write Date | First Cluster Low Bytes | File Size | ||||
# 0 offset of Name
-> 0x00
This Directory is Empty. including under this directory.
-> 0xE5
Deleted Data
-> 0x05
Deleted Data for Japanese. / if it uses 0xE5, It will happen crash.
-> 0x20
If name length is below 8, it uses 0x20.
# Attribute
| Hex Value | Attribute/td> | Description |
| 0x01/td> | Read Only | Read Only Attribute |
| 0x02/td> | Hidden | Hidden File Attribute |
| 0x04/td> | System | OS File |
| 0x08/td> | Volume Label | Volume Label, It must be root and only one. |
| 0x10/td> | Directory | Directory |
| 0x20/td> | Archive | Nomal File |
| 0x0F/td> | Long File Name Entry | Long File Name Entry not Directory Entry |
# Directory Entry Sample
The size of forensics.jpg is 33 Sectores. => 17192 / 512 = 33
forensics.jpg is From 3 sector to 36 Sectors.
File's First : From Data's 3 sector.
File's End : To Data's 33 sector.
File : forensics.jpg
URL : http://pchs.peachschools.org/sites/pchs.peachschools.org/files/computer-forensics.jpeg
No comments:
Post a Comment