Saturday , 27 April 2024

Everything a Security Analyst need to know about FAT File System

 

For understanding disk-based forensics we need to know about each file system, how it works and what it’s made up of. In this article we will share you everything that we know, and you should know about FAT

FAT stands for File Allocation Table. It is one of the most widely used file system and the reason, you will know about that at the end of the article not directly skipping to the end but after reading the article. 😉

What is FAT?

File Allocation Table is just a table used to indicate where files can be found in the disk. FAT doesn’t story any file names. It stores long list of blocks that represents clusters on the disk.

It will have a file starting address that would point to the certain cluster number then FAT links us to the clusters that belongs to that file.

For example, we have a file that is stored and can be found at the address 6. FAT doesn’t store the data directly. It stores the pointer that points us to 6.

Directory with all the file names is stored separately.

For storing FAT table, we also need a space and that depends on size of the disk. Every entry in FAT would take size of the pointer and that size of the pointer is defined by

FAT12: stores 4096 addresses or entries and size is 12 bits

FAT16: stores 65536 addresses/clusters and size is 16 bits.

FAT32: stores 4294967296 addresses and size is 32 bits.

Layout of FAT

FAT disk layout consists of 3 things

  1. FAT area: The area where the table resides
  2. Directory area: The area for storing directories. We talked about this earlier in this post.
  3. Data area: the place where exactly data resides.

How FAT entry or address is stored in the table?

FAT entry is nothing but the number of the next cluster and last cluster used by the file.

Example: 0x?FFF8’Here lies the data of the file’0x?FFFF

0x?FFF8 – First cluster

0x?FFFF –  Last cluster

0x?0000 – Value used to indicate unused sector. If any entry has taken less memory than default memory size then the remaining memory is filled with 0s.

0x?FFF7 – Value used to indicate bad sectors

Must Read: File System Basics for Forensic Analyst

In FAT entry it won’t store any number about last cluster. Any number that starts with FFF8 is treated as starting point to file and any cluster number that has FFFF is treated as last cluster.

In FAT entry it won’t store last cluster number. It will just link us to the file and until system encounters FFFF the complete group of clusters are treated as single file.

Root directory is in boot block. Root directory is a directory which contains all the directories in the file system. Boot block is nothing but a fixed place in a hard drive that runs when system boots to find files. All the directories in the root directory contains

Name

Time information (created, modified)

Starting cluster of the files.

This is very simple file system that’s why it is much used.

0 Shares

About Manindra Simhadri

Information Security Analyst, Traveler, Biker and a free lancer.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

themetf