Boot Sector

The boot sector is located in the first sector of a FAT file system and contains the bulk of the file system category of data. FAT12/16 and FAT32 have different versions of the boot sector, but both begin with the same 36 bytes. The data structure for the first 36 bytes is given in Table 10.1, and the data structures for the remaining bytes are given in Tables 10.2 and 10.3.

Table 10.1. Data structure for the first 36 bytes of the FAT boot sector.

Byte Range | Description | Essential
---------- | ----------- | ---------
0-2 | Assembly instruction to jump to boot code. | No (unless it is a bootable file system)
3-10 | OEM Name in ASCII. | No
11-12 | Bytes per sector. Allowed values include 512, 1024, 2048, and 4096. | Yes
13-13 | Sectors per cluster (data unit). Allowed values are powers of 2, but the cluster size must be 32KB or smaller. | Yes
14-15 | Size in sectors of the reserved area. | Yes
16-16 | Number of FATs. Typically two for redundancy, but according to Microsoft it can be one for some small storage devices. | Yes
17-18 | Maximum number of files in the root directory for FAT12 and FAT16. This is 0 for FAT32 and typically 512 for FAT16. | Yes
19-20 | 16-bit value of number of sectors in file system. If the number of sectors is larger than can be represented in this 2-byte value, a 4-byte value exists later in the data structure and this should be 0. | Yes
21-21 | Media type. According to the Microsoft documentation, 0xf8 should be used for fixed disks and 0xf0 for removable. | No
22-23 | 16-bit size in sectors of each FAT for FAT12 and FAT16. For FAT32, this field is 0. | Yes
24-25 | Sectors per track of storage device. | No
26-27 | Number of heads in storage device. | No
28-31 | Number of sectors before the start of partition.[1] | No
32-35 | 32-bit value of number of sectors in file system. Either this value or the 16-bit value above must be 0. | Yes

[1] My testing has shown that for file systems in an extended partition, Windows sets this value based on the beginning of the extended partition, not the beginning of the disk.

Table 10.2. Data structure for the remainder of the FAT12/16 boot sector.

Byte Range | Description | Essential
---------- | ----------- | ---------
0-35 | See Table 10.1. | Yes
36-36 | BIOS INT13h drive number. | No
37-37 | Not used. | No
38-38 | Extended boot signature to identify if the next three values are valid. The signature is 0x29. | No
39-42 | Volume serial number, which some versions of Windows will calculate based on the creation date and time. | No
43-53 | Volume label in ASCII. The user chooses this value when creating the file system. | No
54-61 | File system type label in ASCII. Standard values include "FAT," "FAT12," and "FAT16," but nothing is required. | No
62-509 | Not used. | No
510-511 | Signature value (0xAA55). | No

Table 10.3. Data structure for the remainder of the FAT32 boot sector.

Byte Range | Description | Essential
---------- | ----------- | ---------
0-35 | See Table 10.1. | Yes
36-39 | 32-bit size in sectors of one FAT. | Yes
40-41 | Defines how multiple FAT structures are written to. If bit 7 is 1, only one of the FAT structures is active and its index is described in bits 0-3. Otherwise, all FAT structures are mirrors of each other. | Yes
42-43 | The major and minor version number. | Yes
44-47 | Cluster where root directory can be found. | Yes
48-49 | Sector where FSINFO structure can be found. | No
50-51 | Sector where backup copy of boot sector is located (default is 6). | No
52-63 | Reserved. | No
64-64 | BIOS INT13h drive number. | No
65-65 | Not used. | No
66-66 | Extended boot signature to identify if the next three values are valid. The signature is 0x29. | No
67-70 | Volume serial number, which some versions of Windows will calculate based on the creation date and time. | No
71-81 | Volume label in ASCII. The user chooses this value when creating the file system. | No
82-89 | File system type label in ASCII. Standard values include "FAT32," but nothing is required. | No
90-509 | Not used. | No
510-511 | Signature value (0xAA55). | No

The first value in the boot sector, bytes 0 to 2, is a boot code instruction that tells the computer where to find the code needed to boot the operating system. If the file system is not used to boot the computer, the value is not needed. You could use this value to identify what boot code is used. Note that DOS and Windows require that the value be set even on non-bootable file systems, but other OSes, such as Linux, do not.

The media type value is used to identify if the file system is on fixed or removable media, but Microsoft Windows does not use it. A second copy of the media type exists in the file allocation table (in the low byte of the first FAT entry), and it is the one that Windows uses [Microsoft 2001]. The concepts of the other fields were discussed in Chapter 9.

From byte 36 onward, FAT12 and FAT16 have a different layout than FAT32. The one value that they both have in common is the signature: 0x55 in byte 510 and 0xAA in byte 511, which reads as 0xAA55 when interpreted as a little-endian 16-bit value. Note that this is the same signature at the same location that the DOS partition table uses in its first sector (you'll also see it again in the first NTFS sector). The data structure values for the rest of the FAT12 and FAT16 boot sector are given in Table 10.2.

The data structure for the rest of the FAT32 boot sector is given in Table 10.3.

The difference between the FAT12/16 and FAT32 boot sectors is that the FAT32 sector includes data to make the file system more scalable and flexible. There can be different policies for how the FAT structures are written to, and a backup copy of the boot sector exists. There is also a version field, but there seems to be only one version used by Microsoft at the time of this writing.

The data between bytes 62 and 509 in a FAT12/16 file system, and bytes 90 and 509 in a FAT32 file system, does not have a specified purpose but is typically used to store boot code and error messages. Here is a hex dump of the first sector of a FAT32 file system from a Windows XP system (the TSK tool dcat used here was later renamed blkcat):

    # dcat -f fat fat-4.dd 0 | xxd
    0000000: eb58 904d 5344 4f53 352e 3000 0202 2600  .X.MSDOS5.0...&.
    0000016: 0200 0000 00f8 0000 3f00 4000 c089 0100  ........?.@.....
    0000032: 4023 0300 1d03 0000 0000 0000 0200 0000  @#..............
    0000048: 0100 0600 0000 0000 0000 0000 0000 0000  ................
    0000064: 8000 2903 4619 4c4e 4f20 4e41 4d45 2020  ..).F.LNO NAME  
    0000080: 2020 4641 5433 3220 2020 33c9 8ed1 bcf4    FAT32   3.....
    0000096: 7b8e c18e d9bd 007c 884e 028a 5640 b408  {......|.N..V@..
    0000112: cd13 7305 b9ff ff8a f166 0fb6 c640 660f  ..s......f...@f.
    0000128: b6d1 80e2 3ff7 e286 cdc0 ed06 4166 0fb7  ....?.......Af..
    [REMOVED]
    0000416: 0000 0000 0000 0000 0000 0000 0d0a 5265  ..............Re
    0000432: 6d6f 7665 2064 6973 6b73 206f 7220 6f74  move disks or ot
    0000448: 6865 7220 6d65 6469 612e ff0d 0a44 6973  her media....Dis
    0000464: 6b20 6572 726f 72ff 0d0a 5072 6573 7320  k error...Press 
    0000480: 616e 7920 6b65 7920 746f 2072 6573 7461  any key to resta
    0000496: 7274 0d0a 0000 0000 00ac cbd8 0000 55aa  rt............U.

The first line shows us that the OEM name is "MSDOS5.0," which may have been generated by a Windows 2000 or XP system. The data is written in little-endian ordering, so multi-byte numeric fields appear byte-reversed in the dump, while strings appear in their expected order. Bytes 11 to 12 show us that each sector is 512 (0x0200) bytes, and byte 13 shows us that the size of each cluster in the data area is 2 sectors, which is 1,024 bytes. Bytes 14 to 15 show us that there are 38 (0x0026) sectors in the reserved area, so we know that the FAT area will start in sector 38, and byte 16 shows that there are two FAT structures. Bytes 19 to 20 contain the 16-bit file system size value and it is 0, which means that the 32-bit field in bytes 32 to 35 must be used. This field shows us that the size of the file system is 205,632 (0x00032340) sectors. Bytes 28 to 31 show that there are 100,800 (0x000189c0) sectors before the start of this file system, which may have been allocated to a small partition. For example, this could be a dual boot system, or there could be a hibernation partition for a laptop. The partition table should be analyzed for more information.

This image is FAT32, so we need to apply the appropriate data structure from now on. Bytes 36 to 39 show that the size of each FAT structure is 797 (0x0000031d) sectors, and because we know there will be two FAT structures, the total size of the FAT area will be 1,594 sectors. FAT32 has no fixed-size root directory between the FAT area and the data area, so the data area begins in sector 38 + 1,594 = 1,632, and bytes 44 to 47 show that the root directory is in cluster 2, which is the first cluster of the data area. Bytes 48 to 49 show that the FSINFO information is located in sector 1, and bytes 50 to 51 show that the backup copy of the boot sector is in sector 6.

Byte 66 contains the extended boot signature 0x29, so the three values that follow are valid. The volume serial number is located in bytes 67 to 70, and its value is 0x4c194603. The volume label is in bytes 71 to 81 and has the value "NO NAME" (plus four spaces). We will see later that the real label is stored in another location in the file system. The type label is in bytes 82 to 89, and it is "FAT32" (plus three spaces) for this system. Bytes 90 to 509 are not used by the file system, but we can see data here that is used if the system tries to boot from this file system. Bytes 510 and 511 contain the signature, 0x55 followed by 0xAA. The output from running the fsstat tool from TSK on this image was given in Chapter 9.
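Decoding these fields by hand is error-prone, and a parser that also checks the values the tables mark as essential catches a corrupt or deliberately malformed boot sector before it produces a nonsense layout. The following Python is an added example, not code from the book or from TSK. Its input is constructed from the hex dump above: bytes 0 to 95 exactly as shown, zeros in place of the removed boot code, and the signature at bytes 510 to 511. It decodes the common 36 bytes and then the FAT12/16 or FAT32 extension, validates the essential fields, and derives the sector numbers of the FAT area, the root directory, and the data area. The FAT12/16/32 decision uses Microsoft's cluster-count thresholds (4,085 and 65,525) rather than the ASCII type label, which the tables note is not required to be accurate.

```python
import struct

# Constructed input, not a file from the book: bytes 0-95 exactly as in the hex
# dump above, zero-filled through byte 509 (the removed boot code and error
# strings play no part in parsing), then the 0x55 0xAA signature at 510-511.
SAMPLE_BOOT_SECTOR = bytes.fromhex(
    "eb58904d53444f53352e30000202260002000000"
    "00f800003f004000c0890100402303001d030000"
    "0000000002000000010006000000000000000000"
    "000000008000290346194c4e4f204e414d452020"
    "2020464154333220202033c98ed1bcf4"
) + bytes(510 - 96) + b"\x55\xaa"

COMMON_HDR = struct.Struct("<3s8sHBHBHHBHHHII")    # bytes 0-35, Table 10.1
FAT1216_EXT = struct.Struct("<BBBI11s8s")          # bytes 36-61, Table 10.2
FAT32_EXT = struct.Struct("<IHHIHH12sBBBI11s8s")   # bytes 36-89, Table 10.3
ALLOWED_SECTOR_SIZES = (512, 1024, 2048, 4096)
MAX_CLUSTER_BYTES = 32 * 1024


class BootSectorError(ValueError):
    """A value the tables mark as essential is out of range or inconsistent."""


def parse_boot_sector(sector: bytes) -> dict:
    """Decode a FAT boot sector and derive where the FATs, the root directory,
    and the data area start (sector numbers relative to the file system)."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise BootSectorError("short sector or missing 0x55 0xAA signature at bytes 510-511")

    (_jump, oem, bps, spc, reserved, nfats, root_entries, total16, media,
     fat_size16, _spt, _heads, hidden, total32) = COMMON_HDR.unpack_from(sector, 0)

    if (bps not in ALLOWED_SECTOR_SIZES or spc == 0 or spc & (spc - 1)
            or spc * bps > MAX_CLUSTER_BYTES):
        raise BootSectorError(f"bad geometry: {bps} bytes/sector, {spc} sectors/cluster")
    if reserved == 0 or nfats == 0:
        raise BootSectorError("reserved area size and FAT count must be non-zero")
    if (total16 == 0) == (total32 == 0):
        raise BootSectorError("exactly one of the 16-bit and 32-bit sector counts must be 0")
    total = total16 or total32

    # FAT size: the 16-bit field for FAT12/16; FAT32 zeroes it and uses bytes 36-39.
    fat_size = fat_size16 or struct.unpack_from("<I", sector, 36)[0]
    if fat_size == 0:
        raise BootSectorError("FAT size is 0 in both the 16-bit and 32-bit fields")

    # Layout: reserved area, FATs, then (FAT12/16 only) the fixed-size root
    # directory, then the data area, whose first cluster is numbered 2.
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps
    data_start = reserved + nfats * fat_size + root_dir_sectors
    if data_start >= total:
        raise BootSectorError("reserved, FAT, and root directory areas exceed the file system size")
    cluster_count = (total - data_start) // spc

    # Microsoft's rule: the type follows from the cluster count, not from the
    # ASCII type label, which the tables note is not required to be accurate.
    fs_type = "FAT12" if cluster_count < 4085 else "FAT16" if cluster_count < 65525 else "FAT32"

    info = {
        "type": fs_type, "oem": oem.decode("ascii", "replace").rstrip(),
        "bytes_per_sector": bps, "sectors_per_cluster": spc, "media": media,
        "reserved_sectors": reserved, "num_fats": nfats, "fat_size": fat_size,
        "total_sectors": total, "hidden_sectors": hidden, "fat_start": reserved,
        "fat_area_sectors": nfats * fat_size, "data_start": data_start,
        "cluster_count": cluster_count,
    }

    if fs_type == "FAT32":
        if fat_size16 != 0 or root_entries != 0:
            raise BootSectorError("FAT32 requires the 16-bit FAT size and root entry count to be 0")
        (_fs32, ext_flags, version, root_cluster, fsinfo, backup, _res, _drive,
         _unused, ext_sig, serial, label, type_label) = FAT32_EXT.unpack_from(sector, 36)
        if not 2 <= root_cluster < cluster_count + 2:
            raise BootSectorError(f"root directory cluster {root_cluster} is outside the data area")
        info.update({
            "version": version, "root_cluster": root_cluster,
            "root_dir_sector": data_start + (root_cluster - 2) * spc,
            "fsinfo_sector": fsinfo, "backup_sector": backup,
            # Bit 7 set: only the FAT indexed by bits 0-3 is active; otherwise mirrored.
            "active_fat": (ext_flags & 0x0F) if ext_flags & 0x80 else None,
        })
    else:
        (_drive, _unused, ext_sig, serial, label, type_label) = FAT1216_EXT.unpack_from(sector, 36)
        info["root_dir_sector"] = reserved + nfats * fat_size

    # The serial, label, and type label are only valid after a 0x29 boot signature.
    valid = ext_sig == 0x29
    info["serial"] = serial if valid else None
    info["volume_label"] = label.decode("ascii", "replace").rstrip() if valid else None
    info["type_label"] = type_label.decode("ascii", "replace").rstrip() if valid else None
    return info


if __name__ == "__main__":
    for key, value in parse_boot_sector(SAMPLE_BOOT_SECTOR).items():
        print(f"{key:20} {value:#x}" if key == "serial" else f"{key:20} {value}")
```

Run against the sample, the parser reports a FAT32 file system with the FAT area at sector 38, 1,594 sectors of FATs, and the data area and root directory at sector 1,632, matching the hand calculation above. To use it on an image, read 512 bytes at the file system's first sector (for example with dd or blkcat) and pass them in; the derived sector numbers are relative to the file system, so add the partition's starting sector for disk-relative addresses.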

As mentioned in Chapter 9, some versions of Windows will assign the volume serial number using the file system creation date and time values. I found that Windows 98 does this, but that Windows XP does not. The calculation is broken up into the upper 16 bits and the lower 16 bits [Wilson 2003]. With the exception of the year, each field in the date and time is converted to a 1-byte hexadecimal value and placed in its location in the equation. The year gets a 2-byte hexadecimal value. Figure 10.1 shows the process. The upper 16 bits are the result of adding the hours, minutes, and year. The lower 16 bits are the result of adding the month, day, seconds, and hundredths of a second. The sample file system image we looked at is from a Windows XP system and it does not use this calculation.

Figure 10.1. Process for calculating the volume serial number from the creation date and time.
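The calculation, as an added example in Python rather than code from the book or from Wilson's paper, together with the check an investigator actually wants from it: whether an observed serial number is consistent with a candidate format time known only to the second (for example from a timeline). The sub-second field is taken as hundredths of a second, and each 16-bit half is masked to 16 bits as in 16-bit arithmetic; both are assumptions of this example (no valid date and time overflows in practice). The example time and the serial 0x12345678 used below are constructed, not values from the book.

```python
from typing import Optional


def volume_serial(year: int, month: int, day: int, hour: int, minute: int,
                  second: int, hundredths: int) -> int:
    """Serial number derived from the format date and time as described above:
    upper 16 bits = (hour<<8 | minute) + year; lower 16 bits =
    (month<<8 | day) + (second<<8 | hundredths). Each half is masked to 16 bits
    (assumed 16-bit arithmetic; no valid date and time actually overflows)."""
    upper = ((hour << 8) | minute) + year
    lower = ((month << 8) | day) + ((second << 8) | hundredths)
    return ((upper & 0xFFFF) << 16) | (lower & 0xFFFF)


def format_serial(serial: int) -> str:
    """Render as Windows displays it, e.g. 4C19-4603 for the dump above."""
    return f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"


def recover_hundredths(serial: int, year: int, month: int, day: int, hour: int,
                       minute: int, second: int) -> Optional[int]:
    """Test whether a serial is consistent with a format time known only to the
    second. The hundredths field is added into the low 16 bits, so it can be
    solved for directly: return the value 0-99 that reproduces the serial, or
    None if this time cannot have produced it."""
    base = volume_serial(year, month, day, hour, minute, second, 0)
    if (serial >> 16) != (base >> 16):
        return None
    diff = (serial & 0xFFFF) - (base & 0xFFFF)
    return diff if 0 <= diff <= 99 else None


if __name__ == "__main__":
    # Constructed example time, not a value from the book.
    s = volume_serial(2003, 6, 19, 12, 34, 56, 78)
    print("2003-06-19 12:34:56.78 ->", format_serial(s))
    print("hundredths recovered from the serial and the time to the second:",
          recover_hundredths(s, 2003, 6, 19, 12, 34, 56))
```

For the constructed time 2003-06-19 12:34:56.78 the upper half is (12<<8 | 34) + 2003 = 0x0C22 + 0x07D3 = 0x13F5 and the lower half is (6<<8 | 19) + (56<<8 | 78) = 0x0613 + 0x384E = 0x3E61, so the serial is 13F5-3E61. Because the calculation only applies to systems that use it (Windows 98 here, not XP), a non-match rules out that format time only on such a system; a match is corroborating evidence, not proof, since many times map to the same 32-bit value.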


Source: File System Forensic Analysis, Brian Carrier (ISBN 0321268172).