Analyse FAT and Recover Files


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work written by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Introduction

This exercise contributes to deliverable 1.2 – Technical Report of the coursework assessment. The exercise comprises three parts:

Analyse a FAT file system in order to establish a number of characteristics about the file system.

Analyse the file system in order to recover the files in the image by filling in the FAT, which has been corrupted (either accidentally or deliberately). For this part of the assessment you need to identify where each file is located in the image in terms of its starting cluster and the number of clusters allocated to it. You complete the FAT by writing in the cluster numbers for each file.

A short research based exercise requiring you to do some background reading.

1. Identify file system characteristics (weighting 0.2).

File systems store data about themselves in specific locations so that an OS can "mount" the file system and access its contents, that is, the files and the metadata stored within it. For example, they record how many sectors make up a cluster and how many sectors the file system contains. On Moodle is a digital evidence file containing a FAT file system in which you have to find the following data values using EnCase.

Type of FAT file system.

Number of sectors per cluster.

Number of sectors in the reserved area.

Total number of sectors in the file system.

The media type of the storage device that has been formatted with FAT.

The number of sectors in each FAT.

Sectors per track in storage device.

Number of heads in storage device.

Volume serial number.

You need to state where in the file system you found each item of data, using the EnCase GPS (PS = physical sector, LS = logical sector, SO = sector offset, FO = file offset, LE = length in bytes). When you have found them, use the "Quick Bookmark" feature to obtain the decimal value of the hex data, taking into account the number of bytes that make up the field and its endianness: every multi-byte numeric field in a FAT boot sector is little-endian, so the bytes are reversed before conversion. Complete the following table with your answers:

Item / GPS / Value (hexadecimal bytes as stored on disk, then the decimal value)

1. Type of FAT file system: FAT32
GPS: PS 63 LS 0 SO 082 FO 82 LE 5
Value: the ASCII string "FAT32" (bytes 46 41 54 33 32). The 8-byte field at bytes 82 to 89 holds the text "FAT32   "; it is a label, not a number, and the byte 20 hex (32 decimal) originally reported is the ASCII space that pads it. The authoritative way to determine the FAT type is the cluster count (Carrier 2005): fewer than 4,085 clusters is FAT12, fewer than 65,525 is FAT16, otherwise FAT32. Using items 2, 3, 4 and 6 below with two FATs, (2,092,545 - 38 - 2 x 1,021) / 16 = 130,654 clusters, which confirms FAT32.

2. Number of sectors per cluster: 16
GPS: PS 63 LS 0 SO 013 FO 13 LE 1
Value: 10 hex = 16 decimal (so a cluster is 16 x 512 = 8,192 bytes)

3. Number of sectors in the reserved area: 38
GPS: PS 63 LS 0 SO 014 FO 14 LE 2
Value: bytes on disk 26 00 (little-endian); 0026 hex = 38 decimal

4. Total number of sectors in the file system: 2,092,545
GPS: PS 63 LS 0 SO 032 FO 32 LE 4
Value: bytes on disk 01 EE 1F 00 (little-endian); 001FEE01 hex = 2,092,545 decimal. The 32-bit total-sector count occupies bytes 32 to 35; the original answer started one byte early at offset 31 and read 00 01 EE 1F, which picks up the last byte of the hidden-sectors field (bytes 28 to 31) and so cannot be converted consistently (1FEE0100 hex is 535,822,592, not 2,092,545). The 16-bit count at bytes 19 to 20 is 0 because the value does not fit in two bytes.

5. Media type of the storage device: fixed disk
GPS: PS 63 LS 0 SO 021 FO 21 LE 1
Value: F8 hex = 248 decimal

6. Number of sectors in each FAT: 1,021
GPS: PS 63 LS 0 SO 036 FO 36 LE 4
Value: bytes on disk FD 03 00 00 (little-endian); 000003FD hex = 1,021 decimal. This is the FAT32 field; the 16-bit field at bytes 22 to 23 is 0 on FAT32.

7. Sectors per track: 63
GPS: PS 63 LS 0 SO 024 FO 24 LE 2
Value: bytes on disk 3F 00 (little-endian); 003F hex = 63 decimal

8. Number of heads: 64
GPS: PS 63 LS 0 SO 026 FO 26 LE 2
Value: bytes on disk 40 00 (little-endian); 0040 hex = 64 decimal

9. Volume serial number
GPS: PS 63 LS 0 SO 067 FO 67 LE 4
Value: D0167246 hex = 3,491,131,974 decimal as originally reported. Note that this is the result of reading the four bytes D0 16 72 46 in the order shown as a big-endian number. The field is a 32-bit little-endian value, so if D0 16 72 46 is the order on disk the serial is 467216D0 hex = 1,181,882,064 decimal, which Windows would display as 4672-16D0; confirm the on-disk byte order before reporting the serial.

The notes contain details on many of these data values; use sources such as the module textbook (Carrier 2005) or web pages such as http://support.microsoft.com/kb/140418. If you use an alternative source, state the website URL in the list of references in the technical report.
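The following is an added worked example, not part of the original coursework or of EnCase. It builds a boot sector from the values in the table above (the hidden-sector count of 63, two FATs, the OEM name and the root-directory cluster are assumptions, since the page does not record those fields) and decodes it the way the table requires: each field at its documented offset, little-endian, with the FAT type decided from the cluster count rather than from the "FAT32" label, and the sector count per FAT recomputed as a cross-check on item 6.

```python
import math
import struct

# Constructed example data: a 512-byte FAT32 boot sector populated with the values
# found in Part 1. Hidden sectors = 63, two FATs, the OEM name and root cluster 2
# are assumptions (the page does not record those fields).
def build_boot_sector() -> bytes:
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x58\x90"                    # jump instruction
    bs[3:11] = b"MSWIN4.1"                       # OEM name (assumed)
    struct.pack_into("<H", bs, 11, 512)          # bytes per sector
    bs[13] = 16                                   # sectors per cluster (item 2)
    struct.pack_into("<H", bs, 14, 38)           # reserved sectors (item 3)
    bs[16] = 2                                    # number of FATs (assumed)
    struct.pack_into("<H", bs, 17, 0)            # root entries: always 0 on FAT32
    struct.pack_into("<H", bs, 19, 0)            # 16-bit total sectors: 0, see bytes 32-35
    bs[21] = 0xF8                                 # media type (item 5)
    struct.pack_into("<H", bs, 22, 0)            # 16-bit sectors per FAT: 0 on FAT32
    struct.pack_into("<H", bs, 24, 63)           # sectors per track (item 7)
    struct.pack_into("<H", bs, 26, 64)           # heads (item 8)
    struct.pack_into("<I", bs, 28, 63)           # hidden sectors (assumed)
    struct.pack_into("<I", bs, 32, 2092545)      # 32-bit total sectors (item 4)
    struct.pack_into("<I", bs, 36, 1021)         # 32-bit sectors per FAT (item 6)
    struct.pack_into("<I", bs, 44, 2)            # root directory first cluster (assumed)
    struct.pack_into("<I", bs, 67, 0x467216D0)   # serial: stored as D0 16 72 46 (item 9)
    bs[82:90] = b"FAT32   "                      # type label (item 1), informational only
    bs[510:512] = b"\x55\xAA"                    # boot sector signature
    return bytes(bs)

def parse_bpb(bs: bytes) -> dict:
    """Decode the BIOS Parameter Block; every multi-byte field is little-endian."""
    if len(bs) < 512 or bs[510:512] != b"\x55\xAA":
        raise ValueError("missing 55 AA boot signature")
    bps, = struct.unpack_from("<H", bs, 11)
    spc = bs[13]
    reserved, = struct.unpack_from("<H", bs, 14)
    nfats = bs[16]
    root_entries, = struct.unpack_from("<H", bs, 17)
    tot16, = struct.unpack_from("<H", bs, 19)
    fat16, = struct.unpack_from("<H", bs, 22)
    tot32, = struct.unpack_from("<I", bs, 32)
    fat32, = struct.unpack_from("<I", bs, 36)
    total = tot16 or tot32            # the 16-bit field is 0 when the count needs 32 bits
    spf = fat16 or fat32
    # FAT type is decided by cluster count, not by the label at byte 54/82 (Carrier 2005)
    root_sectors = math.ceil(root_entries * 32 / bps)
    clusters = (total - reserved - nfats * spf - root_sectors) // spc
    if clusters < 4085:
        fat_type, entry_bytes = "FAT12", 1.5
    elif clusters < 65525:
        fat_type, entry_bytes = "FAT16", 2
    else:
        fat_type, entry_bytes = "FAT32", 4
    # the serial and label sit at different offsets on FAT32 than on FAT12/16
    serial_off, label_off = (67, 82) if fat_type == "FAT32" else (39, 54)
    serial, = struct.unpack_from("<I", bs, serial_off)
    return {
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "reserved_sectors": reserved,
        "total_sectors": total,
        "media_type": bs[21],
        "sectors_per_fat": spf,
        "sectors_per_track": struct.unpack_from("<H", bs, 24)[0],
        "heads": struct.unpack_from("<H", bs, 26)[0],
        "cluster_count": clusters,
        "fat_type": fat_type,
        "fs_type_label": bs[label_off:label_off + 8].decode("ascii", "replace").strip(),
        "volume_serial": serial,
        "serial_display": f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",
        # sectors one FAT must hold for entries 0..clusters+1: a sanity check on item 6
        "fat_sectors_needed": math.ceil((clusters + 2) * entry_bytes / bps),
    }

if __name__ == "__main__":
    for key, value in parse_bpb(build_boot_sector()).items():
        print(f"{key:20} {value}")
```

Pointing parse_bpb at the first 512 bytes of the partition exported from the evidence file (physical sector 63) gives the same dictionary; a cluster count of 130,654 is above the 65,525 threshold, and the recomputed FAT size of 1,021 sectors matches item 6, which is the consistency check an examiner wants before trusting the boot sector.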

2. Analyse FAT and recover files (weighting 0.5)

Both FATs in the digital evidence file are corrupt but the ROOT directory is intact where the files reported in the ROOT directory are the only files in the file system. What you have to do is to work out the following:

List the files and directories identifying their name and size, where possible, in bytes in the order they are in the file system.

Identify any deleted files.

The first cluster allocated to each file.

The number of clusters allocated to each file.

The size on disk the file occupies based on the number of clusters

The last cluster allocated to each file as a result.

A list of cluster numbers allocated to the file starting with the first cluster. That is the full list of numbers for the file based on its size.

To help in determining item 6 for each file in the ROOT directory, assume that most of the time files are allocated consecutive clusters so that the storage device can retrieve the file data as quickly as possible, minimising head movement in hard disk drives. Also, the first cluster allocated to a new file is the one after the last cluster allocated to the previous file stored in the file system (discounting fragmentation). Use the information in the ROOT directory to work out the above items of data and complete the table below:

Cluster size: 16 sectors x 512 bytes = 8,192 bytes (from Part 1). Clusters allocated = logical size / 8,192 rounded up (minimum 1, since a directory or empty file still occupies a cluster); size on disk = clusters x 8,192; last cluster = first cluster + clusters - 1, because the first cluster is itself one of the allocated clusters. The original table added the cluster count to the first cluster without subtracting 1, so every last-cluster value was one too high; the corrected values are given below.

Filename: REPORT.DOC
File or directory: file
Logical size (bytes): 83,968
First cluster allocated: 48
Number of clusters allocated: 11 (83,968 / 8,192 = 10.25, rounded up)
Size on disk: 90,112
Last cluster allocated: 48 + 11 - 1 = 58

Filename: INTERE~1.JPG
File or directory: file (JPEG image)
Logical size (bytes): 31,506
First cluster allocated: 11,170
Number of clusters allocated: 4 (31,506 / 8,192 = 3.85, rounded up)
Size on disk: 32,768
Last cluster allocated: 11,170 + 4 - 1 = 11,173

Filename: MYDOCU~1
File or directory: directory
Logical size (bytes): 0 (directory entries record a size of 0 for sub-directories)
First cluster allocated: 11,174
Number of clusters allocated: 1
Size on disk: 8,192 (the directory's entries occupy one cluster even though the size field is 0)
Last cluster allocated: 11,174

Filename: FILE.TXT
File or directory: file (text)
Logical size (bytes): 10
First cluster allocated: 11,193
Number of clusters allocated: 1
Size on disk: 8,192
Last cluster allocated: 11,193

Filename: FILE.PPT
File or directory: deleted file
Logical size (bytes): 113,152
First cluster allocated: 11,179
Number of clusters allocated: 14 (113,152 / 8,192 = 13.81, rounded up)
Size on disk: 114,688
Last cluster allocated: 11,179 + 14 - 1 = 11,192

Check: with the corrected last clusters none of the runs overlap, and FILE.TXT (first cluster 11,193) starts immediately after FILE.PPT (last cluster 11,192), exactly as the sequential-allocation assumption predicts. Ordering by first cluster shows that the deleted FILE.PPT was allocated before FILE.TXT even though its entry appears later in the root directory, and that clusters 11,175 to 11,178, between MYDOCU~1 and FILE.PPT, are not accounted for by any of the root-directory entries above.

Add more rows where necessary.

For the list of clusters, produce for each file the list of cluster numbers allocated to it as they would appear in the FAT. For example, if the file system allocated cluster 5 as the first cluster and you determine the file is 5 clusters in size, the list of cluster numbers is 5, 6, 7, 8, 9. Then work out how those numbers are stored in the FAT for the FAT type in use: each FAT entry is indexed by cluster number and holds the number of the next cluster in the chain, and the entry for the last cluster holds an end-of-chain marker. On FAT16, where entries are 16-bit little-endian values, entries 5 to 9 would read, in consecutive locations:

06 00 07 00 08 00 09 00 FF FF

On FAT32, which is what the evidence file uses, each entry is a 32-bit little-endian value whose top four bits are reserved, so the same chain is stored as 06 00 00 00, 07 00 00 00, 08 00 00 00, 09 00 00 00, FF FF FF 0F.

What you have to do is work out the list of numbers for the files and directories in the digital evidence file.

No files were fragmented in this example, but consider how you would look for signs of fragmentation in the files in the file system and write down your answer below:

______________________________________________________________

______________________________________________________________

______________________________________________________________

______________________________________________________________

______________________________________________________________
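The following is an added worked example, not part of the original coursework, covering both the cluster-list procedure above and the fragmentation question. It takes the root-directory data from the Part 2 table (names, logical sizes and first clusters are copied from the table; the 8,192-byte cluster size comes from Part 1), computes each file's cluster run, size on disk and last cluster, encodes the run as the bytes that would appear in a FAT16 or FAT32 table, and then applies the first fragmentation test an examiner should run: runs computed under the no-fragmentation assumption must never share a cluster.

```python
import math
import struct

CLUSTER_SIZE = 16 * 512   # 16 sectors per cluster x 512-byte sectors (Part 1)

# Constructed from the Part 2 root-directory table: (name, logical size, first cluster)
ROOT_ENTRIES = [
    ("REPORT.DOC",    83968,    48),
    ("INTERE~1.JPG",  31506, 11170),
    ("MYDOCU~1",          0, 11174),   # directory: size field 0, still holds a cluster
    ("FILE.TXT",         10, 11193),
    ("FILE.PPT",     113152, 11179),   # deleted entry; first cluster still recorded
]

EOC = {16: 0xFFFF, 32: 0x0FFFFFFF}   # end-of-chain markers (FAT32 keeps the top 4 bits 0)

def clusters_needed(size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Round up to whole clusters; a directory or empty file still occupies one."""
    return max(1, math.ceil(size / cluster_size))

def cluster_run(first: int, size: int, cluster_size: int = CLUSTER_SIZE) -> list:
    """Cluster numbers under the no-fragmentation assumption: consecutive from `first`."""
    return list(range(first, first + clusters_needed(size, cluster_size)))

def describe(entry, cluster_size: int = CLUSTER_SIZE) -> dict:
    """The table columns for one root-directory entry."""
    name, size, first = entry
    run = cluster_run(first, size, cluster_size)
    return {"name": name, "first": first, "clusters": len(run),
            "size_on_disk": len(run) * cluster_size, "last": run[-1], "run": run}

def fat_entries(run: list, fat_bits: int) -> dict:
    """FAT index -> stored value: the next cluster, or EOC for the last cluster."""
    return {c: (run[i + 1] if i + 1 < len(run) else EOC[fat_bits])
            for i, c in enumerate(run)}

def fat_bytes(run: list, fat_bits: int) -> bytes:
    """The bytes as they appear in the FAT from entry run[0] onwards (little-endian)."""
    fmt = {16: "<H", 32: "<I"}[fat_bits]
    values = fat_entries(run, fat_bits)
    return b"".join(struct.pack(fmt, values[c]) for c in run)

def find_overlaps(entries, cluster_size: int = CLUSTER_SIZE) -> list:
    """Runs computed under the no-fragmentation assumption must never share a
    cluster. Any overlap means the assumption is wrong for at least one of the
    two files (one is fragmented, or a deleted entry's clusters were reused)."""
    owner, overlaps = {}, []
    for name, size, first in entries:
        for c in cluster_run(first, size, cluster_size):
            if c in owner:
                overlaps.append((c, owner[c], name))
            else:
                owner[c] = name
    return overlaps

if __name__ == "__main__":
    for entry in ROOT_ENTRIES:
        d = describe(entry)
        print(f"{d['name']:13} first {d['first']:>6} clusters {d['clusters']:>3} "
              f"last {d['last']:>6} FAT32 bytes {fat_bytes(d['run'], 32).hex()}")
    print("overlaps:", find_overlaps(ROOT_ENTRIES))
```

An empty overlap list is necessary but not sufficient: a file can still be fragmented if its later clusters were placed in free space that no other directory entry claims. The complementary checks are content-based (for example, a JPEG whose data stops making sense part way through its computed run, or a cluster in the run that begins with another file's header) and, where a FAT survives, a chain entry that is not simply the next cluster number.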

3. Research exercise (weighting 0.3)

Find out about the exFAT file system and present a synopsis of the major differences between the FAT16, FAT32 and exFAT file systems, followed by a conclusion identifying elements in the boot sector and/or FSINFO or other relevant sector that are useful to a forensic examiner. For example, find out the maximum size the file system can support, the maximum size of a file it can support, how many files there can be in the root directory, the size of a directory entry, the maximum length of a filename, the character encoding in which filenames are stored, etc.

You can present the major differences in tabular form; for example, below is an incomplete table you can use as a starting point. You will have to add more rows for the items of data you find out about the file systems.

File system: FAT16 / FAT32 / exFAT

Maximum file size (bytes)
FAT16: 2 GB (2,147,483,648 bytes), limited by the volume size
FAT32: 4 GB minus 1 byte = 2^32 - 1 = 4,294,967,295 bytes (the originally quoted 4,294,967,294 is one byte too low; the 32-bit size field simply cannot hold 2^32)
exFAT: 16 EB = 2^64 - 1 = 18,446,744,073,709,551,615 bytes (64-bit size field)

Maximum size of file system
FAT16: 2 GB on every OS; 4 GB on some OSs (using 64 KB clusters)
FAT32: 32 GB on every OS (the Windows formatting limit); 2 TB on some OSs
exFAT: 128 PB (Microsoft's recommended limit) = 2^57 = 144,115,188,075,855,872 bytes (the originally quoted 1,441,151,880,758,559,000 is a factor of ten too high)

Number of files in ROOT directory
FAT16: 512 (the root directory is a fixed-size area between the FATs and the data area)
FAT32: no fixed limit (the root directory is an ordinary cluster chain)
exFAT: no fixed limit

Built-in security
FAT16: n/a
FAT32: n/a
exFAT: the cited source lists minimal ACL support only; Windows does not enforce ACLs on exFAT volumes, so for practical purposes treat it as none

Maximum number of clusters
FAT16: 65,524 (16-bit entries; 0xFFF4 is the highest valid cluster number, the values above it being reserved)
FAT32: 268,435,445 (0x0FFFFFF5; cluster numbers are 28 bits because the top 4 bits of each 32-bit entry are reserved). The figure of 4,177,918 quoted by ntfs.com is not the addressing limit of the format.
exFAT: 2^32 - 11 = 4,294,967,285 (the valid range of the ClusterCount field; ntfs.com gives 2^32 - 1)

Maximum file name length
FAT16: standard 8.3 short name (11 characters, OEM code page); up to 255 characters with VFAT long file name entries (UTF-16)
FAT32: 255 (long file name entries, UTF-16)
exFAT: 255 UTF-16 characters

Boot sector location
FAT16: first sector of the volume (sector 0)
FAT32: sector 0, with a backup copy in sector 6
exFAT: main boot region in sectors 0 to 11 (boot sector in sector 0, extended boot sectors 1 to 8, OEM parameters 9, reserved 10, boot checksum 11); backup copy in sectors 12 to 23

NTFS.com (2011) NTFS vs FAT. [Online] Available at: http://www.ntfs.com/ntfs_vs_fat.htm [Accessed 27 April 2013]

Extend this table based on the data you find out about the file system.

For the conclusion, identify the features in the boot sector and/or FSINFO record useful to a forensic examiner when analysing the file system. For example, FAT boot sector permits the discovery of the number of sectors in the file system. Does exFAT have a boot sector to allow an examiner to derive the same information? If they do, whereabouts in terms of sectors, clusters and offset locations within those sectors or clusters will they find that data and in what form will it be, e.g. 8 bit byte or 32 bit little endian value.

The following boot-sector fields are useful to examiners because together they locate the FATs, the root directory and the data area, and therefore the unallocated clusters from which deleted files can be extracted. The FAT boot sector permits the discovery of the number of sectors in the file system. All multi-byte values are little-endian.

Bytes 11 to 12 - bytes per sector; the values include 512, 1024, 2048 and 4096.

Byte 13 - sectors per cluster (the data unit). This is a power of 2, and the cluster size is normally 32 KB or smaller.

Bytes 14 to 15 - size in sectors of the reserved area.

Bytes 17 to 18 - maximum number of entries in the root directory for FAT12 and FAT16. It is 0 for FAT32 and usually 512 for FAT16.

Bytes 19 to 20 - 16-bit number of sectors in the file system. If the number of sectors is larger than can be represented in this 2-byte value, this field is 0 and the 4-byte value at bytes 32 to 35 is used instead.

Bytes 22 to 23 - 16-bit size in sectors of each FAT for FAT12 and FAT16; the field is 0 for FAT32, which stores the size in the 4-byte field at bytes 36 to 39.

(Carrier, B. 2005. File System Forensic Analysis. 1st ed. Page 254. Addison-Wesley)
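exFAT does have a boot sector from which the same information can be derived, but its layout differs from the FAT BPB above. The following is an added example, not part of the original coursework; the field offsets and the boot-checksum algorithm are taken from Microsoft's published exFAT specification, while the sector counts, offsets and serial number used to populate the constructed boot region are illustrative values chosen to resemble the Part 1 volume. It shows where an examiner finds the volume length, FAT location and size, cluster heap offset, cluster count, root directory cluster and serial (all little-endian, with 64-bit fields for the partition offset and volume length), that sector and cluster sizes are stored as power-of-two shifts rather than counts, and how to verify the checksum that sector 11 keeps over the boot region, which detects a tampered or mis-copied boot sector.

```python
import struct

BPS_SHIFT, SPC_SHIFT = 9, 4   # 2**9 = 512-byte sectors, 2**4 = 16 sectors per cluster

def boot_checksum(main_boot: bytes) -> int:
    """exFAT boot checksum over sectors 0-10 of the boot region. Bytes 106-107
    (VolumeFlags) and 112 (PercentInUse) change during normal use and are skipped,
    so the checksum covers only the static layout fields and boot code."""
    ck = 0
    for i, b in enumerate(main_boot):
        if i in (106, 107, 112):
            continue
        ck = ((0x80000000 if ck & 1 else 0) + (ck >> 1) + b) & 0xFFFFFFFF
    return ck

def build_exfat_boot_region() -> bytes:
    """Constructed 12-sector main boot region (sectors 0-11); field offsets follow
    the exFAT specification, the values are illustrative."""
    bps = 1 << BPS_SHIFT
    r = bytearray(12 * bps)
    r[0:3] = b"\xEB\x76\x90"                    # JumpBoot
    r[3:11] = b"EXFAT   "                       # FileSystemName
    struct.pack_into("<Q", r, 64, 63)           # PartitionOffset, 64-bit LE, in sectors
    struct.pack_into("<Q", r, 72, 2092545)      # VolumeLength, 64-bit LE, in sectors
    struct.pack_into("<I", r, 80, 2048)         # FatOffset (sector of the first FAT)
    struct.pack_into("<I", r, 84, 1024)         # FatLength (sectors per FAT)
    struct.pack_into("<I", r, 88, 4096)         # ClusterHeapOffset (first data sector)
    struct.pack_into("<I", r, 92, 130528)       # ClusterCount: (2092545 - 4096) // 16
    struct.pack_into("<I", r, 96, 4)            # FirstClusterOfRootDirectory
    struct.pack_into("<I", r, 100, 0x467216D0)  # VolumeSerialNumber
    struct.pack_into("<H", r, 104, 0x0100)      # FileSystemRevision 1.00
    struct.pack_into("<H", r, 106, 0)           # VolumeFlags (not checksummed)
    r[108] = BPS_SHIFT                           # BytesPerSectorShift
    r[109] = SPC_SHIFT                           # SectorsPerClusterShift
    r[110] = 1                                   # NumberOfFats
    r[111] = 0x80                                # DriveSelect
    r[112] = 50                                  # PercentInUse (not checksummed)
    r[510:512] = b"\x55\xAA"                     # BootSignature
    for s in range(1, 9):                        # extended boot sectors end in AA550000
        struct.pack_into("<I", r, (s + 1) * bps - 4, 0xAA550000)
    ck = boot_checksum(bytes(r[:11 * bps]))
    for off in range(11 * bps, 12 * bps, 4):     # sector 11: checksum repeated throughout
        struct.pack_into("<I", r, off, ck)
    return bytes(r)

def parse_exfat(region: bytes) -> dict:
    """Read the layout fields an examiner needs and verify the boot checksum."""
    if region[3:11] != b"EXFAT   " or region[510:512] != b"\x55\xAA":
        raise ValueError("not an exFAT boot sector")
    bps, spc = 1 << region[108], 1 << region[109]
    f = {"bytes_per_sector": bps, "sectors_per_cluster": spc, "number_of_fats": region[110]}
    f["partition_offset"], f["volume_length"] = struct.unpack_from("<QQ", region, 64)
    (f["fat_offset"], f["fat_length"], f["cluster_heap_offset"], f["cluster_count"],
     f["root_dir_cluster"], f["volume_serial"]) = struct.unpack_from("<6I", region, 80)
    stored, = struct.unpack_from("<I", region, 11 * bps)
    f["checksum_ok"] = stored == boot_checksum(region[:11 * bps])
    return f

def cluster_to_sector(f: dict, cluster: int) -> int:
    """Cluster numbering starts at 2 at the start of the cluster heap, as on FAT."""
    return f["cluster_heap_offset"] + (cluster - 2) * f["sectors_per_cluster"]

if __name__ == "__main__":
    fields = parse_exfat(build_exfat_boot_region())
    for key, value in fields.items():
        print(f"{key:20} {value}")
    print("root directory starts at sector", cluster_to_sector(fields, fields["root_dir_cluster"]))
```

Because the checksum excludes the volume flags and percent-in-use byte, a normal mount that updates those fields leaves it valid, whereas any edit to the size, offset or shift fields, or to the boot code, does not; a mismatch on a volume taken from evidence is therefore worth reporting before relying on the main boot region, and the backup region in sectors 12 to 23 gives a second copy to compare against.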

The word limit for the part 3 research exercise is 500 words.

State your sources using the Harvard Referencing system. If you are unsure about how to reference using the Harvard system, then seek advice from the Learning Centre.

Criteria

Part 1

Mark: Criteria

0: No attempt

1-29: Significantly incomplete or incorrect, with no indication of how data was obtained.

30-39: Contains many errors, with little indication of how data was obtained.

40-49: All data items found, with minor errors and omissions.

50-59: All data items found with correct GPS data; minor errors in interpretation of the values obtained.

60-69: All data items found with correct GPS data and correct values extracted; minor errors in how the data was interpreted.

70+: All data items found with correct GPS data, correct values extracted and the correct interpretations.

Part 2

Mark: Criteria

0: No attempt

1-29: Significantly incomplete or incorrect, with no indication of how data was obtained.

30-39: Contains many errors, with little indication of how data was obtained.

40-49: Found all files and identified the first cluster allocated to each file and the size of the file. No list of clusters presented for any file.

50-59: Found all files, identified the first cluster for each file, found the size of the file and correctly calculated the number of clusters used to store the file data. Produced a list of clusters for 1 file in the file system.

60-69: Found all files, identified the first cluster for each file, found the size of the file and correctly calculated the number of clusters used to store the file data. Produced a list of clusters for 2 files in the file system.

70+: Found all files, identified the first cluster for each file, found the size of the file and correctly calculated the number of clusters used to store the file data. Correct identification of which file is out of location, with a valid reason. Each file has a full list of cluster numbers allocated to it. Produced a list of clusters for at least 3 files in the file system.

Part 3

Mark: Criteria

0: No attempt

1-29: Significantly incomplete or incorrect, with no references to sources of information about the file systems.

30-39: Contains many errors, with few sources of information about the file systems.

40-49: Basic table submitted that covers the items discussed in sessions and lecture notes. Contains minor errors and omissions. Sources of information about the file systems stated in the Harvard referencing system.

50-59: File system features found exceed what is described in the lecture notes and sessions. Basic attempt at identifying differences between the file systems in terms of where to look for key items of file system information useful to an examiner when processing a file system in an evidence file. Sources of information about the file systems stated in the Harvard referencing system.

60-69: File system features found exceed what is described in the lecture notes and sessions. Good attempt at identifying differences between the file systems in terms of where to look for key items of file system information useful to an examiner when processing a file system in an evidence file. Sources of information about the file systems stated in the Harvard referencing system.

70+: File system features found significantly exceed what is described in the lecture notes and sessions. Excellent and in-depth attempt at identifying differences between the file systems in terms of where to look for key items of file system information useful to an examiner when processing a file system in an evidence file. Sources of information about the file systems stated in the Harvard referencing system.


