FAT
Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or
Already have an account? Sign In »
Video Transcription
00:00
Welcome to every day's Dutra forensics. I'm your host, your Sunday said, and I'll be guiding you through today's file system. The fact power system.
00:09
In today's video, we're going to define the fat file system.
00:12
Review some of the basic concepts off the fat follow system,
00:16
gain some understanding of the basic structure and functionality of the system itself.
00:20
So what is the foul allocation table? Also noticed? Effect
00:24
all system.
00:26
It's a simple fall system originally designed for small just on simple file structures. The name is just based around its organization,
00:34
and this allocation table is that at a fixed location at the beginning of the volume,
00:38
two copies of the file allocation tables are kept,
00:42
and this is a way to check the integrity off the
00:47
system itself. If one becomes corrupt or damage, you're able to determine based on the copy
00:53
the fat system structure. If you look at the top right portions video, it's split into the partition boots sectors. Your first copy of a fat system, your Dubica, copy that root folder and then everything else. This is other folders and files.
01:11
The root folder and the file allocation tables are set in a fixed location.
01:15
Its opinion on which fat system you're using. You see at the bottom, right?
01:21
There's three separate fat systems. There's fat. 12 5 16 fat 32.
01:26
A fat file system is allocated by clusters,
01:32
the closer sizes based on which system we're using. Each system has its own default values. Size, as you can tell by the table
01:40
for the fat fall system of cluster number must fit within a 16 bits and must be a power of two.
01:46
So to understand how fouls are allocated,
01:49
not understand how files are allocated within a fat file system.
01:53
As seen from this image,
01:56
zeros are the memory spaces.
01:59
F f f f tends to determine the end of a file. So if you see any,
02:05
if you see these four Hexi decimal values,
02:08
the last that determines the last cluster of a file.
02:13
So the table allocation, as we said, is resized at the beginning of the volume.
02:16
Two copies are kept to protect the volume and their store in a fixed location.
02:22
The root folder, which is located after the duplicate file system, contains an entry for each file is just
02:29
on the roof.
02:30
This is very specific location, the disk, and it's a fix sized
02:36
within the fact file system. We have folders, and these are structured differently. Each folder, as you see on the right, has the following information stored about folder itself.
02:46
It's the name of the folder.
02:47
The Attribute bits Creation, time creation date, Last Access, Last Modified Time, Last Modified Date,
02:55
which is just starting cluster of that file
02:59
and the final size itself.
03:01
The folders have a scent of 32 bit folder entries for each folder and some folder.
03:07
There's no organization to the fat folder structure.
03:12
That folder is given the first available location on the body.
03:15
The starting cluster number is the address of the first cluster to used, so you'll determine its spot. So think of cluster numbers as your address,
03:24
so you may be address upon to three and then you're straight name.
03:29
That is the beginning portion of your clusters, so that is where you be able to find it,
03:34
and then each cluster towards the end of file will have a pointer to the fallen cluster. So if a file takes up multiple spaces, your first closer would say OK, the next portion off. This file is located. Cluster 1235
03:49
you goto Location one truth
03:51
1235 At the end, you'll have a pointer to next. 1236
03:57
At the end of that cluster, you'll have an indication of F f f f, which is the end of that file.
04:04
So you're looking at the screen shot from this illegal profile until that could be used for forensics analysis of an image
04:12
of a virtual hardest contest.
04:15
The image that you're showing is the beginning
04:17
sections of a fat ball system.
04:20
It's important to note that the
04:24
virtual hard this file begins with a master boot record, this master boot record can locate the ended individual partitions. So to you, this might not seem like information or anything that you can relate it to your languages.
04:41
But
04:42
using tools that we have learned earlier were earlier, like the conversions
04:46
from Hexi decimal to binary or decimal can help us understand what these numbers need.
04:53
So this is also format it.
04:57
This information is actually structured. So
05:00
these three these four bites may mean something these additional four bites might mean something
05:06
these four bites might mean something and so on
05:11
this information to you looks like
05:14
Alien nine. Which however,
05:15
once you go down into bites by bites, you can understand what it is. And that's what we're gonna be doing in the next video.
05:25
Not going to start you off with anything right now,
05:28
but for your own time. Go look at the pdf. Find this screenshot. You could even go to the site where I got the screenshots from
05:35
including the next videos
05:38
and see if you can yourself
05:41
breakdown may be the 1st 34 lines of this to determine what it ISS. This is the master boot record of a fat ball system.
05:48
I also want to note that as you can see on the right, if you're looking at eight times, this may be showing actual date time, so it
05:58
it eases your eyes and your conversions
06:01
sound. Here is you can see data content data when you're looking at a file shows the information in this format.
06:10
So in summary in today's lecture, we review the fat follows systems system structure
06:15
the Allah, the way files are located quickly touched upon the root folder.
06:19
How folders are structured within fat file system and reviewed the partition. Boot information wasn't shared about the master boot record, but we'll go into more details on that and then later videos. So I hope you enjoyed today's video and I'll catch you on the next one.
Up Next
Similar Content
