Demonstrate your understanding of the FAT file system and how to recover a file
Question
Demonstrate your understanding of the FAT file system and how to recover a file manually.
Tools:
Using any Linux or Windows
xxd, dd, and 4860.2.2015.dd (sha1 = 315fc97827005d4d34d27891388a7c295b2ea2b5)
Use the associated image 4860.2.2015.dd and answer the questions below:
https://www.dropbox.com/s/15n5qsmz4s1h7up/4860.2.2015.dd?dl=0
This link below is what's in the link above; the only difference is that I've extracted the .dd file just in case.
https://www.dropbox.com/s/zuh37kjcs8angq8/files.zip?dl=0
1. What type of file system is on the image?
2. What is the EXACT image size?
3. At what hex offset does the first FAT start?
4. At what hex offset does the second FAT start?
5. Why are there two FATs?
6. At what offset does the root directory start?
7. How many bytes does each root directory entry comprise per file?
8. According to the root directory, how many files are in allocated space? List their names here:
9. According to the root directory, how many files are in unallocated space? List their names here:
10. Why are there 0s from x200 to x390?
11. What’s the difference between line x2600 and line x2620 (that is, explain what they represent)?
12. Why are some entries represented as “FILE ….” and others “f.i.l.e. ….”?
Explanation / Answer
FAT File System:
The FAT (File Allocation Table) file system was first developed in the mid-1970s. Microsoft's FAT32, released with Windows 95, remains the standard format for removable storage media today. This is primarily due to its cross-platform compatibility between Windows and Macintosh computers, which is why vendors of external USB storage devices use it as their default file system.
The most recent update to FAT was in 2006 when Microsoft released "exFAT". This was done to improve the performance of the file system on large hard drives and to break the FAT32 maximum file size limit of 4GB.
FAT Recovery
When a disk is formatted with the FAT file system, a Volume Boot Record (VBR) is created. The VBR's code is executed directly when the disk is booted and it is responsible for providing information to the operating system about the location of the other structures, including the FAT, Root directory and data area.
FAT Directory Entries
Every file on a FAT hard disk is stored in a directory. The top-level directory is referred to as the “Root”. On a FAT file system the Root directory is given special status and is usually positioned on the disk directly after the FAT. Other directories can be located anywhere in the data area of the disk.
A directory entry is:
A twelve, sixteen or thirty-two byte data structure (depending on FAT 12/16 or 32 format);
Stored in the cluster (or clusters) allocated to the file's parent directory;
Contains the attributes of the file it represents, including:
Deleted Files
The allocation status of a file in a FAT file system is determined by the first byte of its directory entry. For an active file, the first byte is the first character of the file name. When a file is deleted the first byte is replaced with the deleted file marker, 0xE5.
File Allocation Table
File Allocation Table is the mechanism by which the FAT file system tracks the location of individual storage clusters for each file on a disk.
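The directory-entry and deleted-file descriptions above can be checked against raw bytes with a small parser; this is an added example, not part of the original answer. It assumes the standard 32-byte entry layout (8.3 name at offset 0, attribute byte at 11, first cluster at 26, size at 28), and the helper functions and `SAMPLE` buffer are constructed test data, not bytes from 4860.2.2015.dd.

```python
import struct

ENTRY_SIZE = 32   # assumption: standard 32-byte FAT directory entry
ATTR_LFN = 0x0F   # attribute value that marks a long-file-name (LFN) entry
DELETED = 0xE5    # first byte of an entry whose file was deleted

def parse_root_dir(buf):
    """Return (status, name, first_cluster, size) for every used entry."""
    out = []
    for off in range(0, len(buf) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = buf[off:off + ENTRY_SIZE]
        if e[0] == 0x00:          # never-used entry: end of the directory
            break
        status = "deleted" if e[0] == DELETED else "allocated"
        if e[11] == ATTR_LFN:
            # LFN name pieces are UTF-16LE at bytes 1-10, 14-25 and 28-31,
            # which is why xxd shows them as "f.i.l.e."
            raw = e[1:11] + e[14:26] + e[28:32]
            name = raw.decode("utf-16-le").split("\x00")[0]
            out.append((status + "-lfn", name, None, None))
            continue
        base = e[0:8].decode("ascii", "replace").rstrip()
        if e[0] == DELETED:       # first character was overwritten by 0xE5
            base = "?" + base[1:]
        ext = e[8:11].decode("ascii", "replace").rstrip()
        cluster, size = struct.unpack_from("<HI", e, 26)
        out.append((status, base + ("." + ext if ext else ""), cluster, size))
    return out

def short_entry(name83, cluster, size, deleted=False):
    """Build a constructed 8.3 entry (hypothetical helper for the sample)."""
    e = bytearray(ENTRY_SIZE)
    e[0:11] = name83
    e[11] = 0x20                  # archive attribute
    struct.pack_into("<HI", e, 26, cluster, size)
    if deleted:
        e[0] = DELETED
    return bytes(e)

def lfn_entry(name):
    """Build a constructed single LFN entry (checksum left as zero)."""
    raw = (name + "\x00").encode("utf-16-le").ljust(26, b"\xff")
    e = bytearray(ENTRY_SIZE)
    e[0], e[11] = 0x41, ATTR_LFN  # sequence number 1, last LFN piece
    e[1:11], e[14:26], e[28:32] = raw[:10], raw[10:22], raw[22:26]
    return bytes(e)

SAMPLE = (lfn_entry("file1.txt") + short_entry(b"FILE1   TXT", 2, 100)
          + short_entry(b"FILE2   TXT", 3, 512, deleted=True) + bytes(32))
```

For a real image, pass the bytes of the root directory region (carved with `dd` at the offset worked out from the boot record) to `parse_root_dir`.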