Time
4 hours
Difficulty
Beginner
CEU/CPE
4

Video Transcription

00:00
Welcome to Everyday Digital Forensics. I'm your host, Yesenia Yser, and today we're going to examine the FAT file system.
00:06
Before we proceed, how many different flavors of the FAT file system exist?
00:15
We have three flavors: 12, 16, 32. If you come from video 2.3,
00:20
we went over the different flavors. These are 12, 16, 32, which vary by cluster size.
00:29
If a FAT file system becomes corrupt, is there a backup?
00:32
And if so, where?
00:37
There is a backup, and it's FAT2, which is just a duplicate of the original FAT. In today's objective, we're going to examine snippets of a FAT file system, including the boot sector, FAT1, FAT2,
00:50
root directory and a long file name.
00:57
These are similar images to those at the end of 2.3.
01:00
I recommend having a physical or digital copy of the following slides, in case you'd like to examine a little further.
01:07
In this slide, we're going to review the boot sector. The primary boot sector contains information that a file system uses to access the volume there. In some systems, the master boot record uses the primary boot record on the system partition to load the operating system kernel files. So this is just telling the computer how it turns on,
01:26
information on where to read the files, where things are and where it can find the memory spaces.
01:34
Right now, you may just see a bunch of numbers and zeroes.
01:37
On this side is the offset. So this is the memory space; these are how many bytes in memory. So for each, there's about 16.
01:44
The information you see here is part of the primary boot sector. This isn't the whole boot sector because we don't see the final
01:51
end-of-sector mark. So how do you read this? Like, what do these numbers mean? So they're broken up by bytes. The first 3 bytes are jump instructions. The following eight bytes include the name in text; you may not be able to see it in ASCII, but once this is converted, it gives you the name of
02:08
it, gives you the name of the OEM.
02:10
The following 25 bytes
02:14
is the BIOS parameter block. Then you have the extended BIOS parameter block and the bootstrap. There is no end-of-sector mark,
02:21
but if there was, you would see a 55 AA. Next is the FAT1 and FAT2. You have the defining of the last cluster of a file. What you see here are addresses;
02:31
these are addresses of files. So 99 0A
02:35
tells us that a file is in this location. You do the same thing for the next one, 104000000, you know, and at memory space 04 is where this value's file is. And if you see nothing but zeros, that means that the location is available. Since this is the offset of FAT1
02:54
into FAT2,
02:57
you see that the file system is not full, so it hasn't reached the end of it.
03:01
Now let's examine the root directory. In the root directory, you have your first 8 bytes, which is the file name padded with spaces. So if you see 20,
03:10
that is the value for a space. Part of it is the file extension, so this tells you what the file is. This is an attribute. Your next one bit is a reserved value. Your next one bit is milliseconds of a timestamp. You have time file was created, date file was created, date file was last accessed,
03:29
high word of file's first cluster,
03:31
time of last write, date of last write, low word of file's first cluster and the file size cluster.
03:38
So this is an example of a long file name. This file was purposely given a long name to give this example, as you can see. So this image shows the contents of a root directory with two, which are the red short file name entries, reading from the bottom to the top, and the long entries,
03:54
which are blue,
03:55
you can see that the file name of this entry is a very long file name. Do you see how it's put together? This is actually a directory. The attribute of a long file name is the value of 46, when the attribute of 10 is three attributes. First, short entries after the first blue block, where you're kind of defining that it is a long file attribute.
04:15
You go and you can see this one bit that's been highlighted
04:17
is the entry order number in the sequence of a long directory entry. If you look at the block below, you have 4, 3, 2 and 1; these are the first bytes of a long entry. So, breaking down each of these sections: your first bit is the order in the sequence of a long directory. Your next ten is a long directory name,
04:35
restricted to the first 1 to 5 characters.
04:39
It's in Unicode, and the next value is the file attribute. Then you have the type; a type of zero is a subcomponent of a long name. Then you have the checksum of the short file name. You have a 12-bit long directory name, characters from 6 to 11, once again in Unicode and little-endian. Your next is just
04:58
two bytes that must be zero to be compatible with the first cluster entry of the small directories,
05:02
and then your last four bytes is a long directory entry name,
05:06
typically the characters from 12 to 13. Once again, they are in Unicode and little-endian. So in summary, in today's lecture we examined snippets of the FAT file system, including the boot sector, your FAT1, your FAT2, the root directory and the long file name. I hope you enjoyed today's video and I'll catch you on the next one.
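As an added example (not code from the video or the course), here is a small Python parser for the structures the lecture reads by hand: the boot sector with its 55 AA end-of-sector mark, FAT1 compared against its FAT2 backup, FAT12 cluster chains, the 8.3 root-directory entries and the long-file-name entries that precede them. The FAT12 image it parses is constructed inline; the OEM string, file names and cluster layout are invented for the example. It goes a step beyond the slides by following a file's cluster chain to recover its content.

```python
import struct

# BIOS parameter block at offset 11: bytes/sector, sectors/cluster, reserved sectors, number
# of FATs, root entries, total sectors (16-bit), media byte, sectors per FAT.
BPB_FMT = "<HBHBHHBH"
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors", "num_fats",
              "root_entries", "total_sectors", "media", "sectors_per_fat")

def parse_boot_sector(sector):
    # Refuse a boot sector without the 55 AA end-of-sector mark at offset 0x1FE.
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("no 55 AA boot signature at offset 0x1FE")
    bs = dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FMT, sector, 11)))
    bs["jump"], bs["oem_name"] = sector[:3], sector[3:11].decode("ascii", "replace").rstrip()
    fat_bytes = bs["sectors_per_fat"] * bs["bytes_per_sector"]
    bs["fat1_offset"] = bs["reserved_sectors"] * bs["bytes_per_sector"]
    bs["fat2_offset"] = bs["fat1_offset"] + fat_bytes
    bs["root_dir_offset"] = bs["fat1_offset"] + bs["num_fats"] * fat_bytes
    bs["data_offset"] = bs["root_dir_offset"] + bs["root_entries"] * 32
    return bs

def fats_match(image, bs):
    # FAT2 is a byte-for-byte backup of FAT1; a mismatch is the first sign of corruption or tampering.
    n = bs["sectors_per_fat"] * bs["bytes_per_sector"]
    return image[bs["fat1_offset"]:bs["fat1_offset"] + n] == image[bs["fat2_offset"]:bs["fat2_offset"] + n]

def fat12_entry(fat, n):
    # FAT12 packs two 12-bit entries into three bytes; a value of 0 means the cluster is free.
    i = n + n // 2
    v = fat[i] | (fat[i + 1] << 8)
    return v >> 4 if n & 1 else v & 0x0FFF

def cluster_chain(fat, first):
    # Follow next-cluster pointers until an end-of-chain value (0xFF8..0xFFF).
    chain, c = [], first
    while 2 <= c < 0xFF8:
        chain.append(c)
        c = fat12_entry(fat, c)
    return chain

def lfn_checksum(short11):
    # Checksum of the 11-byte 8.3 name; every LFN entry carries it at offset 13.
    s = 0
    for b in short11:
        s = (((s & 1) << 7) + (s >> 1) + b) & 0xFF
    return s

def parse_directory(region):
    # Walk 32-byte entries; LFN pieces (attribute 0x0F) precede the 8.3 entry they belong to.
    files, parts = [], {}
    for off in range(0, len(region), 32):
        e = region[off:off + 32]
        if e[0] == 0x00:
            break                                    # end of directory
        if e[0] == 0xE5:
            parts = {}
            continue                                 # deleted entry
        if e[11] == 0x0F:
            order = e[0] & 0x1F                      # bit 0x40 marks the last piece
            parts[order] = (e[13], (e[1:11] + e[14:26] + e[28:32]).decode("utf-16-le"))
            continue
        short11 = e[:11]
        short = (short11[:8].decode("ascii", "replace").rstrip() + "."
                 + short11[8:].decode("ascii", "replace").rstrip()).rstrip(".")
        ok = parts and all(ck == lfn_checksum(short11) for ck, _ in parts.values())
        long_name = "".join(parts[k][1] for k in sorted(parts)).split("\x00", 1)[0] if ok else None
        parts = {}
        first = (struct.unpack_from("<H", e, 20)[0] << 16) | struct.unpack_from("<H", e, 26)[0]
        files.append({"short": short, "long": long_name, "attr": e[11],
                      "first_cluster": first, "size": struct.unpack_from("<I", e, 28)[0]})
    return files

def read_file(image, bs, entry):
    # Recover file content by walking its chain in FAT1; cluster 2 is the first data cluster.
    csize = bs["bytes_per_sector"] * bs["sectors_per_cluster"]
    fat = image[bs["fat1_offset"]:bs["fat2_offset"]]
    data = b"".join(image[bs["data_offset"] + (c - 2) * csize:][:csize]
                    for c in cluster_chain(fat, entry["first_cluster"]))
    return data[:entry["size"]]

def lfn_entries(long_name, short11):
    # Build LFN entries in on-disk order: highest sequence number first, flagged with 0x40.
    chars = long_name + "\x00"
    chars += "\uffff" * (-len(chars) % 13)
    n, out = len(chars) // 13, b""
    for i in range(n, 0, -1):
        seg = chars[(i - 1) * 13:i * 13].encode("utf-16-le")
        out += struct.pack("<B10sBBB12sH4s", i | (0x40 if i == n else 0), seg[:10], 0x0F, 0,
                           lfn_checksum(short11), seg[10:22], 0, seg[22:])
    return out

def build_image():
    # Constructed 7-sector FAT12 volume (invented for this example): boot, FAT1, FAT2, 16-entry root, 3 data clusters.
    boot = bytearray(512)
    boot[:3], boot[3:11], boot[510:] = b"\xeb\x3c\x90", b"MSWIN4.1", b"\x55\xaa"
    struct.pack_into(BPB_FMT, boot, 11, 512, 1, 1, 2, 16, 7, 0xF0, 1)
    fat = bytearray(512)
    fat[:9] = bytes([0xF0, 0xFF, 0xFF,    # entries 0-1: media byte and reserved marker
                     0x03, 0xF0, 0xFF,    # entry 2 -> 3, entry 3 -> 0xFFF (end of chain)
                     0xFF, 0x0F, 0x00])   # entry 4 -> end of chain, entry 5 free
    entry = "<11sB14xHI"                  # 8.3 name, attribute, first cluster (low word), size
    root = (lfn_entries("Incident Response Notes.txt", b"INCIDE~1TXT")
            + struct.pack(entry, b"INCIDE~1TXT", 0x20, 2, 600)
            + struct.pack(entry, b"LOGS       ", 0x10, 4, 0))
    data = b"A" * 512 + b"B" * 88 + bytes(512 - 88) + bytes(512)
    return bytes(boot) + bytes(fat) * 2 + root + bytes(16 * 32 - len(root)) + data

if __name__ == "__main__":
    img = build_image()
    bs = parse_boot_sector(img[:512])
    for f in parse_directory(img[bs["root_dir_offset"]:bs["data_offset"]]):
        print(f["long"] or f["short"], hex(f["attr"]), read_file(img, bs, f)[:20])
```

Running it lists the long name reassembled from its three LFN pieces (order 3, 2, 1, read bottom-up), the 8.3 directory entry for LOGS, and the first bytes of the file recovered through clusters 2 and 3. Flipping any byte of FAT2 makes fats_match return False, which is the check to run before trusting either copy of the table.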

Everyday Digital Forensics

In this course, you will be presented with an overview of the principles and techniques for digital forensics investigation in the spectrum of file system analysis.

Instructed By

Yesenia Yser
Engineering Manager, Security Research & Development at SoFL, Women in Tech Committee Member, University Outreach and STEM Instructor
Instructor