Session 06 - FAT Filesystem

Requirements:

Task 1: Start your hex editor and load the forensic image

  1. If you're using HxD, then open the Tools menu and choose Open disk image...
  2. Check the MD5 hash of the image: on Linux, run md5sum against the image file; otherwise, in HxD, select Analysis, then Checksums, choose MD5 and click OK.
  3. Keep a record of the MD5 (remember, you should be doing this as part of your contemporaneous notes anyway).
  4. Does the hash match the one at the top of this document? Make a note if it does or doesn't.

Task 2: Analysis and interpretation of the FAT16 Reserved Area/Boot Sector

Hint on using offsets: To find a hexadecimal offset, add the row offset to the column offset.

Example: Offset 0x1A would be the intersection of row 00000010, column A (as seen below, you'll find the value 0xFF).

[Figure: How to read hex offsets]

  1. In which sector is the Boot sector located?

Click to reveal answer
Sector 0

  2. Use the handout (mentioned at the top of this document) and examine the sector you identified in question 1 to complete the following table:

Hint: Make sure you reverse the byte order for values stored in more than 1 byte (recall: little-endian).

Table 1:

Description                            Offset (hex)  Length (bytes)  Value (decimal)
Bytes per sector
Sectors per cluster
No. of reserved sectors before FAT1
No. of FAT tables
No. of sectors per FAT

Click to reveal answer
Description                            Offset (hex)  Length (bytes)  Value (decimal)
Bytes per sector                       0x0B          2               0x0200 = 512
Sectors per cluster                    0x0D          1               0x01 = 1
No. of reserved sectors before FAT1    0x0E          2               0x0002 = 2
No. of FAT tables                      0x10          1               0x02 = 2
No. of sectors per FAT                 0x16          2               0x0079 = 121

Task 3: Find the Root Directory and Data Regions

  1. Use your answers from Task 2 to calculate the offset (in sectors) from the start of the volume to the Root Directory using the following formula:
RDO (Root Directory Offset)
NRS (No. of Reserved Sectors before FAT1)
NFT (No. of FAT Tables)
SF  (Sectors per FAT)

RDO = NRS + (NFT * SF)

Click to reveal answer
2 + (2 * 121) = 244 sectors

  2. Enter the Root Directory Offset into the Sector box in HxD (if you're using another hex editor it should have similar functionality) to jump to that sector, as seen in the figure below.

[Figure: HxD go to sector]

  3. Use the handout to record the size of EACH directory entry in bytes. What size (in bytes) did you record?

Click to reveal answer
32 bytes

  4. The size of the Root Directory (in sectors) is found using the following formula:
RDS (Root Directory Size)
MNE (Max no. of Entries = 512)
SEE (Size of Each Entry)
NBS (No. of Bytes per Sector)

RDS = MNE * SEE / NBS

Use Table 1 and your answer to question 3 of this task (the size of each entry) to work out the size of the Root Directory. What's the size (in sectors)?


Click to reveal answer
32 sectors

  5. Use your previous answers to determine the starting sector of each region in the following Volume Map.

Note: In the diagram and table, regions are marked with letters so it'll be easier to refer to them as you continue this exercise.

[Figure: Volume Map]

Region  Answer (starting sector)
G
H
J
K

Click to reveal answer
Region  Answer (starting sector)
G       0    (boot sector)
H       2    (FAT1: the first sector after the reserved area)
J       244  (root directory: 2 + 2 * 121)
K       276  (data region: 244 + 32)

  6. What is the cluster number of the first sector of the data region (the sector you gave as your answer for region "K")?

Hint: You may need to refer to your notes from class


Click to reveal answer
Cluster #2 (the data region always starts at cluster 2; FAT entries 0 and 1 are reserved, so no cluster 0 or 1 exists on disk)
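The calculations in Tasks 2 and 3 (reading the BPB fields with the byte order reversed, then RDO = NRS + NFT * SF and RDS = MNE * SEE / NBS) can be done by a small parser. The following is an added example, not part of the worksheet or the handout: it builds a constructed boot sector with the geometry from Table 1 (the total-sectors value 31250 is an assumption, since the worksheet never records it) and then derives the Volume Map from it the same way you did by hand.

```python
import struct

def build_boot_sector():
    """Constructed FAT16 boot sector with the geometry recorded in Table 1.
    It is a stand-in for sector 0 of the lab image, not a copy of it."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x3C\x90"                   # jump to boot code
    bs[3:11] = b"MSWIN4.1"                      # OEM name
    struct.pack_into("<H", bs, 0x0B, 512)       # bytes per sector (stored on disk as 00 02)
    bs[0x0D] = 1                                # sectors per cluster
    struct.pack_into("<H", bs, 0x0E, 2)         # reserved sectors before FAT1
    bs[0x10] = 2                                # number of FATs
    struct.pack_into("<H", bs, 0x11, 512)       # max root directory entries
    struct.pack_into("<H", bs, 0x13, 31250)     # total sectors, 16-bit field (assumed value)
    bs[0x15] = 0xF8                             # media descriptor: fixed disk
    struct.pack_into("<H", bs, 0x16, 121)       # sectors per FAT (stored on disk as 79 00)
    bs[0x1FE:0x200] = b"\x55\xAA"               # boot sector signature
    return bytes(bs)

def parse_bpb(sector0):
    """Read the BIOS Parameter Block fields that Table 1 asks for.
    The '<' in each struct format does the little-endian byte reversal."""
    if len(sector0) < 512 or sector0[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 0x55AA signature: not a FAT boot sector")
    bps, = struct.unpack_from("<H", sector0, 0x0B)
    spc = sector0[0x0D]
    reserved, = struct.unpack_from("<H", sector0, 0x0E)
    nfats = sector0[0x10]
    root_entries, = struct.unpack_from("<H", sector0, 0x11)
    total16, = struct.unpack_from("<H", sector0, 0x13)
    spf, = struct.unpack_from("<H", sector0, 0x16)
    total32, = struct.unpack_from("<I", sector0, 0x20)
    # Sanity checks: a damaged or overwritten boot sector gives nonsense here
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or nfats == 0 or spf == 0:
        raise ValueError("BPB values out of range: boot sector may be damaged")
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc,
            "reserved_sectors": reserved, "num_fats": nfats,
            "root_entries": root_entries, "sectors_per_fat": spf,
            "total_sectors": total16 or total32}

def volume_layout(bpb):
    """Starting sector of each region (the Volume Map), using the RDO and RDS formulas."""
    fat1 = bpb["reserved_sectors"]                           # region H
    fat2 = fat1 + bpb["sectors_per_fat"]                     # second FAT copy, if num_fats == 2
    root = fat1 + bpb["num_fats"] * bpb["sectors_per_fat"]   # RDO = NRS + NFT * SF, region J
    root_bytes = bpb["root_entries"] * 32                    # MNE * SEE
    root_size = -(-root_bytes // bpb["bytes_per_sector"])    # RDS in sectors, rounded up
    data = root + root_size                                  # first data sector, region K
    return {"boot": 0, "fat1": fat1, "fat2": fat2, "root_dir": root,
            "root_dir_sectors": root_size, "data": data}

def cluster_to_sector(layout, bpb, cluster):
    """Data clusters are numbered from 2, so cluster 2 is the first data sector."""
    if cluster < 2:
        raise ValueError("FAT entries 0 and 1 are reserved; there is no data cluster 0 or 1")
    return layout["data"] + (cluster - 2) * bpb["sectors_per_cluster"]

if __name__ == "__main__":
    bpb = parse_bpb(build_boot_sector())
    layout = volume_layout(bpb)
    print(bpb)
    print(layout)
    print("cluster 2 starts at sector", cluster_to_sector(layout, bpb, 2))
```

To use it on a real image, replace build_boot_sector() with the first 512 bytes of the image file; the signature and range checks are what catch a boot sector that has been wiped or is not FAT at all.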

Task 4: Find the starting cluster for each file

  1. Navigate to the sector where the Root Directory starts.
  2. Refresh your memory from Task 3 on the size of each directory entry (see your answer to Task 3.3).
  3. Starting at the top-left of the sector, highlight the number of bytes you gave as your answer to Task 3.3. (This is the FIRST directory entry.)
  4. Locate the rows that begin with the filenames listed in Table 2 (Each row with a filename is the start of a directory entry).
  5. Use the handout to record in the table below the Directory Entry offsets, which map to the properties in Table 2.
Description        Offset (hex) = (dec)  Size (bytes)
Extension
File size (bytes)
Starting cluster

Click to reveal answer
Description        Offset (hex) = (dec)  Size (bytes)
Extension          0x08 = 8              3
File size (bytes)  0x1C = 28             4
Starting cluster   0x1A = 26             2

  6. Remember: the offsets above are relative to the start of each 32-byte directory entry, not to the start of the sector.
  7. Use your answers above to complete Table 2 below.
Filename  Extension  File size (bytes)  Starting Cluster
FILEA
FILEB
FILEC
FILED

Click to reveal answer
Filename  Extension  File size (bytes)                  Starting Cluster
FILEA     TXT        "01 06 00 00" = 0x00000601 = 1537  "03 00" = 0x0003 = 3
FILEB     TXT        "00 02 00 00" = 0x00000200 = 512   "07 00" = 0x0007 = 7
FILEC     TXT        "FE 09 00 00" = 0x000009FE = 2558  "08 00" = 0x0008 = 8
FILED     TXT        "32 0E 00 00" = 0x00000E32 = 3634  "0D 00" = 0x000D = 13

Task 5: Follow the cluster chain for each file

  1. Start by completing this data region table by using your answers from above:
Data region        Data
First Cluster
First Sector
Bytes per Cluster

Click to reveal answer
Data region        Data
First Cluster      2
First Sector       276
Bytes per Cluster  512 (1 sector per cluster * 512 bytes per sector)

  2. Go to the sector where FAT1 is located (region H) and complete the following table.

Hints:

  • The FAT begins with the bytes F8 FF (the media descriptor) followed by FF FF. These are entries 0 and 1, which are reserved, so the entry for the first data cluster (cluster 2) is the third 2-byte entry, at byte offset 4 from the start of FAT1.
  • FAT entries are numbered from 0, and entry N describes cluster N, so the entry for cluster N is at byte offset 2 * N from the start of the FAT.
  • Each FAT16 entry is 2 bytes long (little-endian, so reverse the bytes). Its value is either the number of the next cluster in the file's chain or an end-of-chain marker (0xFFF8 to 0xFFFF; 0xFFFF here).

Table 3:

File name  Cluster chain (FAT entries)
File A
File B
File C
File D

Click to reveal answer
Filename  Cluster chain (FAT entries)
FILEA     3->4, 4->5, 5->6, 6->FFFF
FILEB     7->FFFF
FILEC     8->9, 9->10, 10->11, 11->12, 12->FFFF
FILED     13->14, 14->15, 15->16, 16->17, 17->18, 18->19, 19->20, 20->FFFF

  3. Examine the content of each of the clusters in Table 3 (use the Data region table above to convert a cluster number to a sector: sector = 276 + (cluster - 2)).

Is there anything unusual about any of these files? If so, record your observation and interpretation in your contemporaneous notes.


Click to reveal answer
The text "DESTROY PIZZA 14 NOV AT 1400" appears in the file slack of FILED.TXT. FILED.TXT is 3634 bytes long but occupies eight 512-byte clusters (4096 bytes), so the last cluster in its chain (cluster 20) holds only 50 bytes of the file; the remaining 462 bytes are slack that the filesystem never overwrote, and the text sits there rather than in the file itself. A hex editor shows it because it reads the whole cluster; a normal file copy would not.
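Tasks 4 and 5 together are a procedure a practitioner would automate: read each 32-byte root directory entry, follow the starting cluster through FAT1 to the end-of-chain marker, then split the clusters into logical file content and file slack. The following is an added example, not part of the worksheet or the lab image. It constructs a synthetic image in memory with the Table 1 geometry and the four files exactly as Tables 2 and 3 record them, plants a note in the tail of FILED.TXT's last cluster so there is some slack to find, and then recovers chains and slack from that image; the file contents and the note's position are assumptions made for the example.

```python
import struct

# Geometry from Table 1 and the Task 5 data-region table, fixed here so the
# example stands alone. The derived sector numbers match the Volume Map answers.
BPS, SPC, RESERVED, NFATS, SPF, ROOT_ENTRIES = 512, 1, 2, 2, 121, 512
FAT1_SECTOR = RESERVED                                 # region H: sector 2
ROOT_SECTOR = RESERVED + NFATS * SPF                   # region J: sector 244
DATA_SECTOR = ROOT_SECTOR + ROOT_ENTRIES * 32 // BPS   # region K: sector 276 (cluster 2)

# Constructed test data: the four files as Tables 2 and 3 record them, plus a note
# planted in the unused tail of FILED.TXT's last cluster. Not the lab image.
FILES = [("FILEA", "TXT", 1537, 3), ("FILEB", "TXT", 512, 7),
         ("FILEC", "TXT", 2558, 8), ("FILED", "TXT", 3634, 13)]
SLACK_NOTE = b"DESTROY PIZZA 14 NOV AT 1400"

def cluster_offset(cluster):
    """Byte offset of a data cluster; data clusters are numbered from 2."""
    return (DATA_SECTOR + (cluster - 2) * SPC) * BPS

def build_image():
    img = bytearray(cluster_offset(21))                # room for clusters 2..20
    fat = FAT1_SECTOR * BPS
    struct.pack_into("<HH", img, fat, 0xFFF8, 0xFFFF)  # entries 0 and 1: F8 FF FF FF
    for i, (name, ext, size, first) in enumerate(FILES):
        e = ROOT_SECTOR * BPS + i * 32                 # one 32-byte directory entry
        img[e:e + 8] = name.ljust(8).encode()          # 8.3 name, space padded
        img[e + 8:e + 11] = ext.encode()
        img[e + 11] = 0x20                             # attribute byte: archive
        struct.pack_into("<H", img, e + 0x1A, first)   # starting cluster (little-endian)
        struct.pack_into("<I", img, e + 0x1C, size)    # file size (little-endian)
        data = ((name + " ").encode() * (size // 6 + 1))[:size]   # assumed file content
        nclusters = -(-size // (SPC * BPS))            # ceil(size / bytes per cluster)
        for k in range(nclusters):                     # write the FAT chain and the data
            cl = first + k
            nxt = cl + 1 if k < nclusters - 1 else 0xFFFF
            struct.pack_into("<H", img, fat + 2 * cl, nxt)
            chunk = data[k * SPC * BPS:(k + 1) * SPC * BPS]
            img[cluster_offset(cl):cluster_offset(cl) + len(chunk)] = chunk
    note_at = cluster_offset(20) + 100                 # past FILED's last byte (3634 % 512 = 50)
    img[note_at:note_at + len(SLACK_NOTE)] = SLACK_NOTE
    fat2 = (FAT1_SECTOR + SPF) * BPS                   # FAT2 is a copy of FAT1
    img[fat2:fat2 + SPF * BPS] = img[fat:fat + SPF * BPS]
    return bytes(img)

def read_root_entries(img):
    """Return (name, ext, size, first_cluster) for the live 8.3 entries in the root directory."""
    out, base = [], ROOT_SECTOR * BPS
    for i in range(ROOT_ENTRIES):
        e = img[base + i * 32:base + (i + 1) * 32]
        if e[0] == 0x00:                               # 0x00: no entries follow
            break
        if e[0] == 0xE5 or e[11] == 0x0F:              # deleted entry, or a long-name fragment
            continue
        name = e[0:8].decode("ascii").rstrip()
        ext = e[8:11].decode("ascii").rstrip()
        first, = struct.unpack_from("<H", e, 0x1A)
        size, = struct.unpack_from("<I", e, 0x1C)
        out.append((name, ext, size, first))
    return out

def follow_chain(img, first):
    """Walk FAT1 from a starting cluster until an end-of-chain marker (0xFFF8-0xFFFF)."""
    chain, cl, fat = [], first, FAT1_SECTOR * BPS
    while True:
        if cl < 2 or cl == 0xFFF7 or cl in chain:      # reserved entry, bad cluster, or a loop
            raise ValueError(f"invalid cluster chain at entry {cl}")
        chain.append(cl)
        nxt, = struct.unpack_from("<H", img, fat + 2 * cl)
        if nxt >= 0xFFF8:
            return chain
        cl = nxt

def analyze(img):
    """For each file: its cluster chain, logical content, and file slack (bytes past EOF)."""
    results = {}
    for name, ext, size, first in read_root_entries(img):
        chain = follow_chain(img, first)
        raw = b"".join(img[cluster_offset(c):cluster_offset(c) + SPC * BPS] for c in chain)
        results[f"{name}.{ext}"] = {"size": size, "chain": chain,
                                    "content": raw[:size], "slack": raw[size:]}
    return results

if __name__ == "__main__":
    for fname, r in analyze(build_image()).items():
        print(fname, r["size"], r["chain"], "slack bytes:", len(r["slack"]))
        if SLACK_NOTE in r["slack"]:
            print("  slack contains:", SLACK_NOTE.decode())
```

The chain walker refuses reserved entries, the bad-cluster marker 0xFFF7 and any cluster it has already visited, so a corrupted or deliberately cross-linked FAT raises an error instead of looping forever; that check matters more on real images than on this constructed one. Slack is reported per file as everything after the recorded size in the last cluster, which is exactly the region where the planted note lands.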