IA212_L2_FAT Concepts and Analysis.pptx

The document discusses the File Allocation Table (FAT) file system, its relevance in computer forensics, and its various versions including FAT12, FAT16, FAT32, VFAT, and exFAT. It explains the structure of FAT, including its reserved area, FAT area, and data area, and highlights the importance of understanding these components for data recovery and forensic analysis. Additionally, it covers techniques for analyzing FAT file systems and locating hidden data within them.

Uploaded by mwingirajames78

IA 212: COMPUTER FORENSICS AND INVESTIGATION
Lecture 2: FAT Concepts and Analysis

File Allocation Table (FAT)
Relevance of FAT:
FAT is one of the simplest file systems found in common operating systems.
FAT is the primary file system of the Microsoft DOS and Windows 9x operating systems.
Other operating systems have NTFS as the default file system while maintaining support for FAT.

File Allocation Table (FAT)
Relevance of FAT:
FAT is supported by all Windows and most Unix operating systems.
o So it is very likely to be encountered in investigations.
FAT is frequently found in compact flash cards for digital cameras and USB flash drives.

File Allocation Table (FAT)
Relevance of FAT:
Concepts associated with the FAT file system are easy to grasp.
o But it may be in the interest of forensic investigators to understand data hiding locations, addressing issues, and other subtle behaviors.

Introduction to FAT
FAT is a file system used by computers and other digital devices to manage and organize data stored on storage devices.
It keeps track of the location of each file on the device by using a table that maps file names to their physical location on the disk.
The FAT file system is considered simple because it has a small number of data structure types.

Introduction to FAT
The FAT file system does not clearly follow the five category model.
It consists of two main data structures:
o File Allocation Table
o Directory Entries
The two structures serve multiple purposes and belong to multiple categories of the model.
Does not contain any data belonging to

Introduction to FAT
Each file and directory is allocated a directory entry that contains:
o File name
o File size
o Starting address of file content
o Other metadata
File and directory content is stored in clusters.

Introduction to FAT
If a file or directory needs more than one cluster, those clusters are found in the FAT structure.
The FAT structure is used to identify the next cluster in a file.
It is also used to identify the allocation status of clusters.
It stores information belonging to the content and metadata categories.

Introduction to FAT (figure)

Introduction to FAT
Versions of FAT: FAT12, FAT16, and FAT32.
Optional extensions and derivatives include VFAT and exFAT.
Major differences between the versions are related to the size of entries in the FAT structure.
All versions are similar in that they have three physical sections:

FAT Versions
FAT12
12-bit cluster addresses.
It was first introduced in 1980 with MSDOS.
Designed as a file system for floppy diskettes.
It was designed for small disks, with a maximum size of 16MB and a cluster size of 512 bytes.

FAT Versions
FAT12
FAT12 is no longer commonly used.
It can still be found on some older devices such as digital cameras and music players.
FAT16
The next version of the FAT file system, introduced in 1984 with the release of MS-DOS 3.0.

FAT Versions
FAT16
It supports larger disks than FAT12, with a maximum size of 2GB and a cluster size of up to 64KB.
FAT16 is still used on some devices, but it is not as common as it used to be.
FAT16 was the default system for DOS and Linux systems that

FAT Versions
FAT16
It was used in the first generation of flash memory portable devices, including MMC cards, SD cards, and flash drives.
Also used in internal storage for old phones and camera drives.

FAT Versions
FAT32
32-bit cluster addresses (28 bits used, which means 2^28 clusters).
Introduced in 1996 with the release of Windows 95 OSR2.
It was designed to support larger disks than FAT16.
Drive sizes of up to 8TB with 32KB clusters.

FAT Versions
FAT32
Video applications and large applications often exceed FAT32 limitations.
It is still widely used today, particularly on removable storage devices such as USB drives and SD cards.

FAT Versions
Virtual File Allocation Table (VFAT)
The original FAT file system used on MSDOS had a file name limitation.
File names could not exceed 8 characters, plus 3 characters for the extension.
It is an extension of members of the FAT file system family.

FAT Versions
VFAT
Instead of just the old-style "8.3" all-uppercase filenames, VFAT filenames support Unicode, mixed case, and can be as long as 255 characters.
VFAT operates in protected mode and serves as an interface between applications and the File Allocation Table (FAT).

FAT Versions
VFAT
VFAT is a hack that works by storing the extended filename in one or more extra directory entries that appear before the "real" directory entry.
Most software that is not VFAT-aware will ignore the extra entries, thinking they are volume labels, and thus something that should be

FAT Versions
exFAT
The Extended File Allocation Table (exFAT) file system was introduced in 2006.
It exists as a middle ground between the older FAT32 and the more modern NTFS formats.
exFAT was made to be very portable and optimized for flash drives.
Helps you to store files much larger than the 4 GB allowed by FAT32.

FAT Versions
exFAT
It's lightweight like FAT32, but without the same file size restrictions.
Overall, it's not as widely compatible as FAT32, but more broadly compatible than NTFS.
exFAT can restore deleted files after unintentional deletion from the exFAT file system.

Layout of the FAT File System
The layout of the FAT file system consists of 3 physical sections:
o Reserved area – for the file system category.
o FAT area – primary and backup FAT structures.
o Data area – clusters used for storing file and directory content.

FAT File System Data
In order to analyze the FAT file system, it is necessary to locate the 3 physical layout areas.
The reserved area starts at sector 0, and its size is given in the boot sector.
o In FAT12/16, the reserved area is typically only 1 sector, but FAT32 will typically reserve

FAT File System Data
In order to analyze the FAT file system, it is necessary to locate the 3 physical layout areas.
The FAT area begins in the sector after the reserved area.
o Its size is calculated by multiplying the number of FAT structures by the size of each FAT, both of which can be found

FAT File System Data
In order to analyze the FAT file system, it is necessary to locate the 3 physical layout areas.
The data area begins in the sector after the FAT area.
o Its size can be found by subtracting the starting address of the data area from the total number of sectors in the file

FAT File System Data
Boot sector: on non-partitioned devices, e.g., flash disks, the boot sector is the first sector.
For partitioned devices such as hard drives, the first sector is the Master Boot Record defining partitions.
The first sector of partitions formatted with a FAT file

FAT System Layout (figure)

FAT File System Data
The main difference between these layouts is that the FAT12/16 root directory is at the beginning of the data area, while the FAT32 root directory can be anywhere in the data area.
The first 36 bytes are the same in all.

File System Category
The data in the file system category describes the general file system and can be found in the boot sector data structure.
The boot sector is located in the first sector of the volume and is part of the reserved area of the file system.

The Boot Sector
The boot sector is contained in the first 512 bytes.
The first 36 bytes of all FAT boot sectors contain the following details:

The Boot Sector (figure)

The Boot Sector
Bytes 510 and 511 have signatures 0x55 and 0xAA respectively.

Example of FAT32 Image (figure)

Analysis
In order to analyze a disk or find hidden data, it is necessary to know the layout of file systems.
It is also important to know which OS formatted the disk.
Several places not used by the file system could contain hidden data.
In the reserved area, at the end

Analysis
Several places not used by the file system could contain hidden data.
Between the end of the file system and the end of the volume.
FAT32 systems have a backup boot sector in sector 6:
o The primary and backup copies could be compared to find inconsistencies.
o If values in the primary have been changed, the backup may contain original

Analysis Scenario
Imagine that the first 32 sectors of a disk are damaged and cannot be read. What do you do?
First, find the start of the file system.
The signature for a FAT file system is 0x55 and 0xAA in the final two bytes of the boot sector.

Analysis Scenario
Upon finding the signature, additional tests can be conducted on the range of values that are valid for a given data structure.
For example, byte 13 of the boot sector identifies how many sectors are in a cluster.
Byte 13 of the boot sector must have a value that is a power

Analysis Scenario
Upon finding the signature, additional tests can be conducted on the range of values that are valid for a given data structure.
Any other value would indicate that the sector was not part of a FAT file system boot sector, even though it contained the signature.

Content Category
The content category comprises file and directory contents.
FAT file systems use the term cluster for the data units in the data area.
A cluster is a group of consecutive sectors.

Content Category
The number of sectors must be a power of 2.
That is 1, 2, 4, 8, 16, 32, 64, …
Each cluster has an address, and the address of the first cluster is 2.
o There are no clusters with address 0 or 1.

Finding the First Cluster
Finding the first cluster (cluster 2) is not easy because it is not at the beginning of the file system.

Finding the First Cluster
The procedure for finding it is different depending on whether it is FAT12/16 or FAT32.
In a FAT12/16 system, the number of root directory entries is given in the boot sector.
Cluster 2 starts in the next sector.

Finding the First Cluster
For example, consider a FAT16 file system with 32 sectors allocated for the root directory.
If the data area starts in sector 1224, then the root directory spans from sector 1224 to 1255.
If we have 2048 byte clusters, then cluster 2 would start at 1256 and cluster 3 would start at 1260.

Cluster Allocation Status
The status of a cluster (whether allocated or not) is found in the FAT structure.
The basic concept of the FAT is that it has one entry for each cluster in the file system.
If the table entry is 0, then the cluster corresponding to that table entry is not allocated to a file.
All other values mean that the

Cluster Allocation Example
From the file allocation table on the right:
Clusters 3, 6, and 8 are allocated; clusters 2, 4, 5, 7, and 9 are unallocated.
Clusters 6 and 8 are only partially filled; the unused portion is slack space.
File gary.txt: logical size is 1,034 bytes, physical size is 2,048 bytes (slack = 1,014 B).

Allocation Algorithms
To find an unallocated cluster, the OS scans the FAT for an entry with a 0 in it.
Most operating systems do not clear cluster contents when they are unallocated.

Analysis Techniques
When analyzing the content category, there are several places where data could be hidden:
Clusters can be marked as 'bad'.
o Bad clusters should be examined, because the OS does not look at them.

Analysis Techniques
When analyzing the content category, there are several places where data could be hidden:
The size of the data area might not be a multiple of the cluster size.
o This means there could be a few sectors at the end of the data area that are not part of a cluster.

Analysis Scenario
Imagine a FAT16 file system in which you need to locate cluster 812.
The only tool available is a hex editor.
First, view the boot sector, which is located at sector 0 of the file system, and process it.

Analysis Scenario
Processing this indicates that there are 6 reserved sectors:
o Two FATs, each FAT is 249 sectors.
o Each cluster is 32 sectors.
o There are 512 directory entries in the root directory.

Metadata Category
This category includes data that describe files and directories in directory entries: where content is stored, dates and times, and permissions.
In a FAT file system, this information is stored in a directory entry structure.
Every file or directory is allocated a directory entry.

Metadata Category
In a FAT file system, this information is stored in a directory entry structure.
It can exist anywhere in the data area.
Each directory entry is 32 bytes: file attributes, size, starting cluster, dates and times.

Metadata Category
In a FAT file system, this information is stored in a directory entry structure.
When a new file or directory is created, a directory entry in the parent directory (..) is allocated for it.
It is searched for by using the full name.
The FAT structure is used to find the remaining clusters.

Directory Entry Structures (figure)

Directory Entry Data Structures (figure)

Directory Entry
The 11th byte in the directory entry has an attribute field that can contain 7 different attributes.
o Directory attribute
o Long file name attribute
o Volume label – only one directory entry should have this label
o Read-only attribute

Directory Entry
The 11th byte in the directory entry has an attribute field that can contain 7 different attributes.
o Hidden attribute
o System attribute
o Archive attribute
The allocation status of a directory entry is determined by using the first byte.

Directory Entry
With an allocated entry, the first byte stores the first character in the file name.
It is replaced by 0xe5 when the entry becomes unallocated.

Cluster Chains
If a FAT entry is non-zero, it contains the address of the next cluster, an EOF marker, or a bad sector indicator.

Creation Times in Directory Entries (figure)

Directories
When a new directory is created, a cluster is allocated and wiped with zeros.
The size field is always zero.
To find the size of the directory, go to the starting cluster and follow the cluster chain until EOF.

Directories
The first two directory entries in a directory are:
o Current directory (.)
o Parent directory (..)
o Time fields may be used to verify the creation time of a directory.
o However, we cannot confirm the last written date because the . and .. entries are not updated for each directory modification.

Directory Entry Allocation (figure)

Searching for Deleted Directories
When unallocated, the first letter of a file name is changed to _ (0xe5).
Thus, if two files had similar names, A-1.dat and B-1.dat, they would now both be _-1.dat.
When a directory is deleted and its entry is reallocated, the cluster for that directory is orphaned.

Analysis Scenario
The command dls allows us to extract the unallocated space.
# dls -f fat Fat-10.dd > fat-10.dls
The command sigfind can be used to search for a signature.
Example: the first 4 bytes of a directory are always ".   "

Analysis Scenario
Example: the first 4 bytes of a directory are always ".   "
This is a period followed by 3 spaces: the current directory entry.
It has the hex code 0x2e202020.

Analysis Scenario
The command # sigfind -b 512 2e202020 fat-10.dls indicates the signature is found in sector 180 and others:

Viewing Contents of Sector 180
Three entries are shown in the command output:
The first two are for the . and .. entries.
The . entry points to cluster 6,479 (0x194f). The .. entry points to cluster 3,548 (0x0ddc).

Viewing Contents of Sector 180
The third entry is for a file that starts in cluster 6,486 (0x1956) with a size of 53,248 bytes (0xd000).
File recovery could be performed on this file now that we know its starting address and size.

File Name Category
FAT does not differentiate between a file name address and a metadata address.
This is the same as what was there in the metadata category.
So far, what we saw were filenames with 8 characters plus a 3-character extension (SFN).
o The SFN entry contains time, size, and starting cluster information.

File Name Category
A file may also have a longer, more descriptive file name (LFN).
If there are more than 13 characters, more LFN entries are used.

Finding Hidden Data
Unused sectors in the reserved area.
Between the end of the file system and the end of the volume:
o Compare the number of sectors in the file system (given in the boot sector) with the number of sectors in the volume to find volume slack.

Finding Hidden Data
Between the last entry in the primary FAT and the start of the backup copy, or between the last valid entry in the backup FAT and the start of the data area:
o Compare the size of each FAT with the size needed for the number of clusters in the file system.

Finding Hidden Data
Between the last entry in the primary FAT and the start of the backup copy, or between the last valid entry in the backup FAT and the start of the data area:
Someone could create a directory with only a few files and use the rest of the directory space for hiding data.
o Compare the allocated size of the

Finding Hidden Data (figure)
