FORENSICS ASSIGNMENT 1 FAT FILE SYSTEMS 2015
Danny O’Leary - 20067817
Q1. Make forensic duplicates of the image, clearly identifying any controls you have put in place.
The forensic duplicates were made with the dd command, and md5sum was run on both the original image and the copy to confirm that the two hashes match; when they do, we know that the copy is forensically sound. The control put in place is the md5sum of the files: throughout the process of restoring the file, regular md5sum checks confirm that the hash is still the same.
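The hash-then-copy-then-hash control described above, written out as an added Python example (not part of the original assignment, which used dd and md5sum at the shell). It hashes the source before the copy, hashes the bytes as they are written, then re-reads the copy from disk and re-hashes the source, and only reports the duplicate as verified when all four digests agree. The sample image is constructed inside the demo; the algorithm defaults to MD5 to match the assignment, but any name hashlib knows (e.g. "sha256") can be passed.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read and write in 1 MiB pieces so a large image never sits in memory


def hash_file(path, algorithm="md5"):
    """Hash a file from disk in chunks; returns the lowercase hex digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def forensic_duplicate(source, destination, algorithm="md5"):
    """Copy `source` to `destination` byte for byte and verify the copy.

    Returns the source digest taken before the copy, the digest of the copy
    re-read from disk, and a `verified` flag that is True only when the
    source (before and after), the written stream and the copy all agree.
    """
    before = hash_file(source, algorithm)
    written = hashlib.new(algorithm)
    with open(source, "rb") as src, open(destination, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
            written.update(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # force the bytes to disk before they are re-read and hashed
    after = hash_file(destination, algorithm)
    source_again = hash_file(source, algorithm)  # the source must not have changed during the copy
    verified = before == written.hexdigest() == after == source_again
    return {"algorithm": algorithm, "source": before, "copy": after, "verified": verified}


def demo():
    """Duplicate a constructed 8 KiB sample image inside a temporary directory."""
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "evidence.dd")
        dst = os.path.join(workdir, "evidence_copy.dd")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * 32)  # constructed sample content, not real evidence
        return forensic_duplicate(src, dst)


if __name__ == "__main__":
    print(demo())
```

Re-hashing the copy from disk (rather than trusting the digest of the bytes that were written) is the step that catches a faulty destination device or a short write; re-hashing the source afterwards documents that the acquisition did not alter the original.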
Q2. Illustrate and name where the major data structures that you require for the examination lie on the analysis image.

Reserved area:       sector 0 (boot sector)
FAT area:            sectors 1 - 18
    FAT 0:           sectors 1 - 9
    FAT 1:           sectors 10 - 18
Data area:           sectors 19 - 2879
    Root directory:  sectors 19 - 32
    Cluster area:    sectors 33 - 2879

From the illustration you can see all of the major data structures. The boot sector is contained in sector 0, which is also the reserved area. The FAT area ranges from sector 1 - 18, with FAT 0 ranging from 1 - 9 and FAT 1 ranging from 10 - 18. The data area ranges from 19 - 2879, with the root directory ranging from 19 - 32 and finally the cluster area ranging from 33 - 2879.
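The ranges above can be derived from the boot-sector (BIOS Parameter Block) fields alone, which is what fsstat does. The following is an added Python example, not part of the original assignment; the BPB values it starts from are assumed (those of a standard 1.44 MB FAT12 floppy: 512-byte sectors, one sector per cluster, one reserved sector, two FATs of nine sectors, 224 root entries, 2880 sectors) and were chosen because they reproduce the layout shown above. On a real image those seven numbers are read from sector 0. The example goes slightly beyond the page by also mapping a cluster number to its sector, which is how the sector numbers reported by istat in Q3 are obtained.

```python
from dataclasses import dataclass

# Assumed BPB values for a 1.44 MB FAT12 floppy image; on a real image these
# come from the boot sector (sector 0), not from constants.
BYTES_PER_SECTOR = 512
SECTORS_PER_CLUSTER = 1
RESERVED_SECTORS = 1       # the boot sector only
NUMBER_OF_FATS = 2
ROOT_ENTRIES = 224         # fixed-size root directory of 32-byte entries
TOTAL_SECTORS = 2880
SECTORS_PER_FAT = 9


@dataclass(frozen=True)
class FatLayout:
    reserved: tuple          # (first, last) sector, inclusive
    fats: tuple              # one (first, last) pair per FAT copy
    root_dir: tuple
    cluster_area: tuple
    sectors_per_cluster: int

    @property
    def cluster_count(self):
        first, last = self.cluster_area
        return (last - first + 1) // self.sectors_per_cluster

    @property
    def fat_type(self):
        # Microsoft's rule: the FAT variant is decided by the cluster count alone.
        n = self.cluster_count
        return "FAT12" if n < 4085 else "FAT16" if n < 65525 else "FAT32"

    def cluster_to_sector(self, cluster):
        """First sector of a data cluster; data clusters are numbered from 2."""
        if cluster < 2 or cluster >= self.cluster_count + 2:
            raise ValueError(f"cluster {cluster} is outside the cluster area")
        return self.cluster_area[0] + (cluster - 2) * self.sectors_per_cluster

    def sector_to_cluster(self, sector):
        """Cluster that contains a given sector of the cluster area."""
        first, last = self.cluster_area
        if not first <= sector <= last:
            raise ValueError(f"sector {sector} is not in the cluster area")
        return 2 + (sector - first) // self.sectors_per_cluster


def compute_layout(bytes_per_sector=BYTES_PER_SECTOR, sectors_per_cluster=SECTORS_PER_CLUSTER,
                   reserved=RESERVED_SECTORS, fats=NUMBER_OF_FATS, root_entries=ROOT_ENTRIES,
                   total_sectors=TOTAL_SECTORS, sectors_per_fat=SECTORS_PER_FAT):
    """Derive the sector ranges of the reserved area, each FAT copy, the root
    directory and the cluster area from the BPB fields."""
    fat_ranges = tuple((reserved + i * sectors_per_fat, reserved + (i + 1) * sectors_per_fat - 1)
                       for i in range(fats))
    root_start = reserved + fats * sectors_per_fat
    root_sectors = -(-root_entries * 32 // bytes_per_sector)   # ceiling division
    root_dir = (root_start, root_start + root_sectors - 1)
    cluster_area = (root_start + root_sectors, total_sectors - 1)
    return FatLayout((0, reserved - 1), fat_ranges, root_dir, cluster_area, sectors_per_cluster)


if __name__ == "__main__":
    layout = compute_layout()
    print(layout.fat_type, layout)
    print("cluster 1792 starts at sector", layout.cluster_to_sector(1792))
```

With the assumed values the root directory needs 224 * 32 / 512 = 14 sectors (19 - 32), leaving 2847 data clusters, which is below 4085 and therefore FAT12. Cluster 2 maps to sector 33, so cluster 1792 maps to sector 1823, the first sector istat reports for the file in Q3.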
Q3. Decode the hexadecimal data for a directory entry of your choice. Explain the concept of a cluster chain. Follow the cluster chain corresponding to the file. How big is the file and what data units (memory addresses) does it occupy?

The directory entry that I have chosen is the one I found earlier, located at sector 33, which was an RTF file.

Decoding process:

Byte 0 is the first byte of the file name, and together with the next 10 bytes (bytes 0 - 10) it holds the name and extension of the file.

Byte:   0  1  2  3  4  5  6  7  8  9  10
Hex:    46 49 4C 45 32 20 20 20 52 54 46
ASCII:  F  I  L  E  2  sp sp sp R  T  F

From this we can see that the directory entry is called "FILE2.RTF".
Byte(s)   Hex           Meaning
11        00            attribute byte of the entry (what kind of entry it is and what permissions it could have)
12        10            reserved
13        C6            created time, 10ths of a second
14 - 15   47 72         created time (hours:mins:secs)
16 - 17   62 47         created date
18 - 19   00 00         accessed date
20 - 21   00 00         high 2 bytes of the first cluster address
22 - 23   47 72         last written time
24 - 25   62 47         last written date
26 - 27   00 07         low 2 bytes of the first cluster address
28 - 31   AB 11 00 00   file size in bytes

The file size is contained in bytes 28 - 31 as AB 11 00 00. The bytes are stored little-endian, so change to:
00 00 11 AB
File size is 4523 bytes.
Check:
A cluster chain starts with a directory entry, which contains the starting cluster of the file in question. Once you have found this, you use the FAT structure to find the rest of the clusters: the FAT entry for the first cluster says where the next cluster is, and you repeat this process until you reach an entry marked "EOF" (end of file). In this example you can see that we start at sector 35, and sector 35 is pointing to sector 40. Now we know that the file continues at sector 40, so we go to that one and check for any more clusters.
When we check sector 40, we see that the chain reaches its end point, as it is annotated by the word "EOF".
I used the istat command to figure out the file size and what data areas the file is occupying.
It is located in sectors 1823-1831.
From decoding we found out that the file size was 4,523 bytes.
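The decoding and chain-following steps above, carried out in code as an added Python example (not part of the original assignment). The 32 bytes of the FILE2.RTF entry are re-entered by hand from the hex decoded above, in on-disk order; the FAT12 table the chain is walked over is constructed here, since the image itself is not on the page, and is built so that clusters 1792 - 1800 are linked and the last is marked EOF. The cluster-to-sector mapping assumes the Q2 layout (cluster 2 at sector 33, one 512-byte sector per cluster), which is what turns the entry's first cluster 0x0700 = 1792 into istat's sectors 1823 - 1831. The chain walker also reports the failure modes an examiner meets on a deleted file: a link into a free (zeroed) entry, a bad-cluster mark, or a loop.

```python
import struct

# The FILE2.RTF entry as decoded above, re-entered by hand in on-disk byte order.
ENTRY = bytes.fromhex(
    "46 49 4C 45 32 20 20 20 52 54 46"  # 0-10  name "FILE2   " + extension "RTF"
    "00"                                 # 11    attributes
    "10"                                 # 12    reserved
    "C6"                                 # 13    creation time, tenths of a second
    "47 72"                              # 14-15 creation time (little-endian 0x7247)
    "62 47"                              # 16-17 creation date (little-endian 0x4762)
    "00 00"                              # 18-19 last access date
    "00 00"                              # 20-21 first cluster, high 16 bits
    "47 72"                              # 22-23 last write time
    "62 47"                              # 24-25 last write date
    "00 07"                              # 26-27 first cluster, low 16 bits (0x0700 = 1792)
    "AB 11 00 00"                        # 28-31 file size (0x000011AB = 4523)
)

FIRST_DATA_SECTOR = 33   # assumed: cluster 2 starts here, per the Q2 layout
SECTOR_SIZE = 512
DELETED_MARKER = 0xE5


def fat_time(value):
    """Packed DOS time -> (hours, minutes, seconds); seconds have 2 s resolution."""
    return (value >> 11, (value >> 5) & 0x3F, (value & 0x1F) * 2)


def fat_date(value):
    """Packed DOS date -> (year, month, day); an all-zero field means 'not set'."""
    if value == 0:
        return None
    return (1980 + (value >> 9), (value >> 5) & 0x0F, value & 0x1F)


def decode_entry(raw):
    """Decode one 32-byte FAT directory entry into named fields."""
    if len(raw) != 32:
        raise ValueError("a directory entry is exactly 32 bytes")
    (name, ext, attr, _reserved, ctenth, ctime, cdate, adate,
     hi, wtime, wdate, lo, size) = struct.unpack("<8s3sBBBHHHHHHHI", raw)
    deleted = raw[0] == DELETED_MARKER
    base = ("?" + name[1:].decode("ascii", "replace") if deleted
            else name.decode("ascii", "replace")).rstrip()
    extension = ext.decode("ascii", "replace").rstrip()
    return {
        "name": base + ("." + extension if extension else ""),
        "deleted": deleted,
        "attributes": attr,
        "created_time": fat_time(ctime), "created_tenths": ctenth, "created_date": fat_date(cdate),
        "accessed_date": fat_date(adate),
        "written_time": fat_time(wtime), "written_date": fat_date(wdate),
        "first_cluster": (hi << 16) | lo,
        "size": size,
    }


def fat12_entry(fat, cluster):
    """Read the 12-bit FAT entry for `cluster` from a raw FAT12 table."""
    off = cluster + cluster // 2            # each entry is 1.5 bytes
    val = fat[off] | (fat[off + 1] << 8)
    return val >> 4 if cluster & 1 else val & 0x0FFF


def fat12_set(fat, cluster, value):
    """Write a 12-bit FAT entry; used here only to build the constructed FAT."""
    off = cluster + cluster // 2
    if cluster & 1:
        fat[off] = (fat[off] & 0x0F) | ((value << 4) & 0xF0)
        fat[off + 1] = (value >> 4) & 0xFF
    else:
        fat[off] = value & 0xFF
        fat[off + 1] = (fat[off + 1] & 0xF0) | ((value >> 8) & 0x0F)


def cluster_chain(fat, first_cluster):
    """Follow FAT links from `first_cluster` until an EOF mark (0xFF8-0xFFF).
    Returns (clusters, status); status is 'eof', 'free' (the link points at an
    unallocated entry, typical of a deleted file), 'bad', 'loop' or 'empty'."""
    if first_cluster < 2:
        return [], "empty"
    chain, cluster = [], first_cluster
    while True:
        if cluster in chain:
            return chain, "loop"
        chain.append(cluster)
        nxt = fat12_entry(fat, cluster)
        if nxt >= 0xFF8:
            return chain, "eof"
        if nxt == 0:
            return chain, "free"
        if nxt == 0xFF7:
            return chain, "bad"
        cluster = nxt


def chain_sectors(chain):
    """Sectors occupied by a chain under the assumed one-sector-per-cluster layout."""
    return [FIRST_DATA_SECTOR + (c - 2) for c in chain]


def build_sample_fat():
    """Constructed 9-sector FAT12 table: clusters 1792-1800 chained, last one EOF."""
    fat = bytearray(9 * SECTOR_SIZE)
    fat[0:3] = b"\xF0\xFF\xFF"              # media descriptor and reserved entry 1
    for c in range(1792, 1800):
        fat12_set(fat, c, c + 1)
    fat12_set(fat, 1800, 0xFFF)
    return fat


if __name__ == "__main__":
    entry = decode_entry(ENTRY)
    chain, status = cluster_chain(build_sample_fat(), entry["first_cluster"])
    print(entry)
    print(status, chain, "-> sectors", chain_sectors(chain))
```

The decoded time fields give a creation time of 14:18:14 on 2015-11-02 (with 0xC6 = 198 tenths to be added), and 4523 bytes at 512 bytes per cluster needs 9 clusters, which is exactly the length of the chain: a cheap consistency check between the size field and the FAT that is worth running on every entry examined.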
Q4. What happens during the storage and deletion process for a file in this type of file system?

To store files, FAT12 uses a next-available approach. When a file is saved on a FAT12 file system it is stored in clusters; if the size of the file exceeds the size of one cluster, the rest is stored in the next available cluster, and the FAT entry for the first cluster records where the cluster holding the continuation of the file is located. (Technet.microsoft.com, 2015)

An example of this process is how a file is created. Suppose it is placed in a directory that already exists. The system first reads the boot sector, located at sector 0, from which it can locate the FAT structures, the data area and the root directory. To locate the directory the file belongs in, it processes each directory entry in the root directory, looks for the matching name and checks that the directory attribute is set. From this it locates the directory. It then follows the directory's cluster chain, starting from its first cluster, and processes each cluster until it finds an unallocated directory entry. In that entry it stores the file's information, such as the file name, size and times. It then allocates clusters to the file and records the first one in the directory entry; if the file is bigger than one cluster, it finds the next available cluster to store the rest of the data in. (Carrier, 2005)

Here is a diagram of the process:
(Carrier, 2005)
When a file is deleted in this type of file system, the directory entry and the file's content remain on the disk. A deleted entry is denoted by the value 0xE5 in its first byte. The file is only truly gone once it has been overwritten by the system. (Forensicswiki.org, 2015)

An example of this process: if a file is to be deleted, the first thing the system does is read the boot sector and locate the FAT structures, the data area and the root directory. Next it locates the file's directory by processing every directory entry in the root directory and finding the one that matches the directory in question. It then processes the contents of that directory's starting cluster to find the directory entry of the file, and uses the FAT structure to determine the cluster chain of the file. The FAT entries for that chain are then set to 0, and the directory entry is unallocated by setting its first byte to 0xE5. (Carrier, 2005)
(Carrier, 2005)
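Both processes above, storage with next-available allocation and deletion by zeroing the FAT chain and writing 0xE5, run on a small in-memory FAT12 volume in the following added Python example (not part of the original assignment). The volume is constructed for illustration: the FAT is kept as a plain list of 12-bit values rather than in its packed 1.5-byte form, the root directory is 224 entries of 32 bytes, and cluster 2 is taken to begin at sector 33 as in Q2. The `recover` method shows why the forensic recovery in Q5 works: the 0xE5 entry still carries the first cluster and the size, so a deleted file whose clusters were contiguous and have not been reused can be read back, and the demo also shows that storing a new file reuses the freed directory slot and clusters, which is the point at which the deleted file really disappears.

```python
import struct

SECTOR = 512
FIRST_DATA_SECTOR = 33        # assumed: where cluster 2 begins, per the Q2 layout
CLUSTER_COUNT = 2847          # data clusters on a 1.44 MB FAT12 volume
FREE, EOF = 0x000, 0xFFF
DELETED = 0xE5                # first name byte of an unallocated entry
ENTRY_FORMAT = "<8s3sBBBHHHHHHHI"


class ToyVolume:
    """Constructed in-memory FAT12 volume: a logical FAT (one int per cluster,
    the 1.5-byte packing left out), a root directory and a cluster area."""

    def __init__(self):
        self.fat = [FREE] * (CLUSTER_COUNT + 2)   # entries 0 and 1 are reserved
        self.fat[0], self.fat[1] = 0xFF0, 0xFFF
        self.root = bytearray(224 * 32)
        self.data = bytearray(CLUSTER_COUNT * SECTOR)

    @staticmethod
    def cluster_sector(cluster):
        return FIRST_DATA_SECTOR + (cluster - 2)

    def _span(self, cluster):
        start = (cluster - 2) * SECTOR
        return slice(start, start + SECTOR)

    def _free_slot(self):
        # A 0xE5 slot counts as free: the old entry survives only until a new file takes it.
        for off in range(0, len(self.root), 32):
            if self.root[off] in (0x00, DELETED):
                return off
        raise OSError("root directory full")

    def store(self, name, ext, payload):
        """Save a file with next-available allocation: the lowest free FAT
        entries are taken, linked into a chain and the last one marked EOF."""
        needed = max(1, -(-len(payload) // SECTOR))
        free = [c for c in range(2, len(self.fat)) if self.fat[c] == FREE][:needed]
        if len(free) < needed:
            raise OSError("not enough free clusters")
        for i, c in enumerate(free):
            self.fat[c] = free[i + 1] if i + 1 < needed else EOF
            self.data[self._span(c)] = payload[i * SECTOR:(i + 1) * SECTOR].ljust(SECTOR, b"\0")
        slot = self._free_slot()
        self.root[slot:slot + 32] = struct.pack(
            ENTRY_FORMAT, name.ljust(8).encode("ascii"), ext.ljust(3).encode("ascii"),
            0x20, 0, 0, 0, 0, 0, free[0] >> 16, 0, 0, free[0] & 0xFFFF, len(payload))
        return slot, free

    def _first_cluster(self, slot):
        hi = struct.unpack_from("<H", self.root, slot + 20)[0]
        lo = struct.unpack_from("<H", self.root, slot + 26)[0]
        return (hi << 16) | lo

    def delete(self, slot):
        """Delete as FAT does: zero the file's FAT chain and set the entry's
        first byte to 0xE5. The rest of the entry and the data are untouched."""
        chain, c = [], self._first_cluster(slot)
        while 2 <= c < 0xFF8:
            chain.append(c)
            c = self.fat[c]
        for c in chain:
            self.fat[c] = FREE
        self.root[slot] = DELETED
        return chain

    def recover(self, slot):
        """Read a deleted file back from what its 0xE5 entry still holds (first
        cluster and size), assuming contiguous clusters that were not reused."""
        if self.root[slot] != DELETED:
            raise ValueError("entry is not marked deleted")
        size = struct.unpack_from("<I", self.root, slot + 28)[0]
        first = self._first_cluster(slot)
        count = max(1, -(-size // SECTOR))
        raw = b"".join(bytes(self.data[self._span(c)]) for c in range(first, first + count))
        return raw[:size]


def sample_payload():
    """Constructed file content: 2700 bytes, so the file spans six clusters."""
    return b"{\\rtf1 constructed sample}\n" * 100


if __name__ == "__main__":
    vol = ToyVolume()
    slot, chain = vol.store("FILE1", "RTF", sample_payload())
    print("stored in clusters", chain, "= sectors", [vol.cluster_sector(c) for c in chain])
    print("freed", vol.delete(slot), "entry byte 0 =", hex(vol.root[slot]))
    print("recovered intact:", vol.recover(slot) == sample_payload())
```

After `delete`, the FAT no longer links the clusters, so `recover` cannot follow a chain and has to assume contiguity; on a real image a fragmented deleted file recovered this way will contain clusters that belonged to something else, which is why the size field and the content type (the RTF header here) should be checked against what comes back.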
Q5. Search for and recover the following files, documenting clearly the steps taken:
- An allocated file
- A deleted image file
- A file with a mismatched extension

The steps documented for these files can be found in the other PDF, "Forensic Assignment - Documentation". The allocated file is one of the two RTF files that were found at the start of the process, and the deleted file is the other RTF that was found. The file with a mismatched extension is the PNG file that was recorded as a JPG in its directory entry, which was also recovered. Each file is also included.
References
Carrier, B. (2005). File System Forensic Analysis. Boston, Mass.: Addison-Wesley.
Forensicswiki.org (2015). FAT - ForensicsWiki. [online] Available at: http://forensicswiki.org/wiki/FAT [Accessed 22 Nov. 2015].
Technet.microsoft.com (2015). How FAT Works: Local File Systems. [online] Available at: https://technet.microsoft.com/en-us/library/cc776720(v=ws.10).aspx#w2k3tr_fat_how_tkuc [Accessed 22 Nov. 2015].