FAT Structure File Allocation Table FAT File Systems

FAT Structure

File Allocation Table (FAT) File Systems • Used with all flavors of Windows • Supported by all Windows and UNIX varieties • Used in flash cards and USB thumb drives

The FAT Family • FAT 12, FAT 16, FAT 32 – 12, 16, and 32 are the number of bits used in the FAT for cluster addresses

Sectors • The sector is minimum data storage unit – A sector is usually 512 bytes – A sector is the minimum size read from, or written to, a disk – A sector is the minimum I/O unit – This is a HW thing

Clusters • Files are allocated space in clusters – A cluster is a fixed number of sectors • Must be a power of 2 (1, 2, …, 64, …) – A cluster is the minimum file allocation unit – This is a SW/OS thing

Cluster sizes for FAT

Slack • Slack is the space allocated to a file, but unused – Space at the end of a sector that remains unused by the file – Sectors allocated to the file that the file hasn’t yet used • Slack space often contains useful evidence – Unused bytes in an allocated sector are less useful – Unused sectors in an allocated cluster retain their original contents and are very useful

Unallocated Clusters • When a file is deleted it’s allocated clusters become unallocated • Many clusters on a modern hard drive are unallocated • Unallocated clusters may have been allocated earlier though – These clusters retain their data until they are reallocated to a new file – Deleted files are still recoverable!

Cluster Allocation Algorithms • First available • Best fit • Next available

Partitions Review • • The drive is partitioned Each extended partition has its own partition table Each non-extended partition is referred to as a volume Each volume has a volume boot record or a boot sector • Recovery tools can often find data even if the disk was repartioned – Sectors ending in 0 x 55 AA

DOS Disk Partition 1 Master Boot Record Including Partition Table & Signature Partition 2

Creating a File System • High-level formatting creates file system data structures – Boot sector – Cluster allocation • File Allocation Table (FAT) • $Bitmap in the Master File Table (MFT) for NTFS – Exact details depend on operating system – Root Directory

FAT Partition Starting LBA from partition table Reserved Area FAT Area Directories and Files VBR Measured in Sectors Measured in Clusters First Cluster of FAT File System FAT 12/16 – Reserved area is one sector, the Boot Sector or Volume Boot Record FAT 32 – Reserved area contains many sectors, VBR, FSINFO sector and a backup VBR

VBR Layout 0– 2 3 – 10 11 – 12 13 – 13 14 – 15 16 – 16 17 – 18 19 – 20 21 – 21 22 – 23 24 – 27 28 – 31 32 – 35 Assembly instruction to jump to boot code OEM in ASCII Bytes/sector (512, 1024, 2048, 4096) Sectors/cluster n where n <= 32 K and is a power of 2 Size in sectors of reserved area Number of FATs Maximum number of files in root dir. FAT 16 typically 512, 0 for FAT 32 Number of sectors in file system. If not big enough set to 0, a 4 byter is coming soon Media type: MS states 0 xf 8 for fixed disks and 0 xf 0 for removable 16 -bit size in sectors for each FAT in FAT 12/16 0 for FAT 32 Number of sectors/track and heads Number of sectors before start of partition Number of sectors in the file system Essential if a boot partition No Yes Yes Yes No No Yes

VBR Layout (cont) FAT 12 and FAT 16 36 – 36 37 – 37 38 – 38 BIOS INT 13 h drive number Not used Extended boot signature to identify if the next three values are valid. Signature is 0 x 29 39 – 42 Volume serial number 43 – 53 Volume label in ASCII 54 – 61 File system label in ASCII, FAT, etc. 62 – 509 Not used 510 – 511 Signature value, 0 x. AA 55 Yes No No No

VBR Layout (cont) FAT 32 36 – 39 40 – 41 42 – 43 44 – 47 48 – 49 50 – 51 32 -bit size in sectors of one FAT. Defines how multiple FAT structures are written to. Major and minor version number. Cluster where roor directory can be found. Sector where FSINFO structure can be found. Sector where backup boot sector can be found (usually 6) 52 – 63 Reserved 64 – 64 BIOS INT 13 h drive number 65 – 65 Not used 66 – 66 Extended boot signature to identify if the next three values are valid. Signature is 0 x 29 67 – 70 Volume serial number 71 – 81 Volume label is ASCII 82 – 89 File system label in ASCII, FAT, etc. 90 – 509 Not used 510 – 511 Signature value, 0 x. AA 55 Yes Yes No No No

Reference http: //www. dewassoc. com/kbase/hard_drives/boot_sector. htm

FAT 32 FSINFO 0– 3 4 – 483 484 – 487 488 – 491 492 – 495 496 – 507 508 – 511 Signature 0 x 41615252. Not Used Signature 0 x 61417272 Number of free clusters Next free cluster Not used Signature 0 x. AA 550000 No No

Start of Data • Cluster address of start of data is 2 • Microsoft mandated no “Cluster 0 or 1” addresses • LBA Address of the first cluster of the data area Start of Partition + Reserved Area + # FATS * FAT Size • LBA of root directory

File Allocation Table FAT Cluster Entry 000 … 001 … 002 000 not allocated 003 004 next cluster 004 072 next cluster … … 072 FFF … … MS says nothing in the first 2 clusters. end of file

Data Area Root Directory Reserved Area FAT Area Directories and Files Data Area

FAT Directories 0– 0 1 – 10 11 – 11 12 – 12 13 – 13 14 – 15 16 – 17 18 – 19 20 – 21 22 – 23 24 – 25 26 – 27 28 – 31 First character of file name in ASCII. 0 x 5 e or 0 x 00 if unallocated Characters 2 – 11 of file name in ASCII. File attributes Reserved Create time (tenths of second) Create time ( hours, minutes, seconds) Create day Access day High 2 bytes of first cluster address (0 for FAT 12/16) Write time (( hours, minutes, seconds) Write day Low 2 bytes of first cluster address from start of data area Size of file (0 for directories) in bytes The period is not included in the short name (fixed format. ) Yes Yes No No No Yes

File Attributes Flag Value Description 0000 0001 = 0 x 01 0000 0010 = 0 x 02 0000 0100 = 0 x 04 0000 1000 = 0 x 08 0000 1111 = 0 x 0 f 0001 0000 = 0 x 10 0000 = 0 x 20 Read only Hidden file System file Volume label Long file name Directory Archive Essential No No No Yes Yes No

FAT Directories 0– 0 1 – 10 11 – 11 12 – 12 13 – 13 14 – 15 16 – 17 18 – 19 20 – 21 22 – 23 24 – 25 26 – 27 28 – 31 First character of file name in ASCII. 0 x 5 e or 0 x 00 if unallocated Characters 2 – 11 of file name in ASCII. File attributes Reserved Create time (tenths of second) Create time ( hours, minutes, seconds) Create day Access day High 2 bytes of first cluster address (0 for FAT 12/16) Write time (( hours, minutes, seconds) Write day Low 2 bytes of first cluster address from start of data area Size of file (0 for directories) in bytes The period is not included in the short name (fixed format. ) Yes Yes No No No Yes

Create Time (bytes 14 & 15) Byte 15 Bit 15 14 13 12 11 10 Data hex Data binary Byte 14 9 8 7 6 5 0 x 53 0 1 Hour Minute Seconds 3 2 1 0 0 1 1 0 0 xf 6 0 0 1 1 1 Minute = = 4 1 1 1 Second 010102 = 0 x 0 a = 10 0111112 = 0 x 1 f = 31 101102 = 0 x 16 = 22 (2 second intervals) 44

FAT Directories 0– 0 1 – 10 11 – 11 12 – 12 13 – 13 14 – 15 16 – 17 18 – 19 20 – 21 22 – 23 24 – 25 26 – 27 28 – 31 First character of file name in ASCII. 0 x 5 e or 0 x 00 if unallocated Characters 2 – 11 of file name in ASCII. File attributes Reserved Create time (tenths of second) Create time ( hours, minutes, seconds) Create day Access day High 2 bytes of first cluster address (0 for FAT 12/16) Write time (( hours, minutes, seconds) Write day Low 2 bytes of first cluster address from start of data area Size of file (0 for directories) in bytes The period is not included in the short name (fixed format. ) Yes Yes No No No Yes

Create Date (bytes 17 & 16) Byte 17 Bit 15 14 13 12 11 10 Data hex Data binary Byte 16 9 8 7 6 5 0 x 32 0 0 1 1 4 3 2 1 0 0 1 0 x 81 0 0 Year (From 1980) 1 0 Month 0 0 Day Year = 00110012 = 0 x 19 = 25 (+ 1980) = 2005 Month = 01002 = 0 x 04 = April Day = 000012 = 0 x 01 = 1

Long File Names 0– 0 1 – 10 11 – 11 12 – 12 13 – 13 14 – 25 26 – 27 28 – 31 Sequence number of the LFN structures Last structure is OR’ed with 0 x 40 Deleted is 0 xe 5 First 5 (Unicode) file name characters. File attributes (0 x 0 f) Reserved Checksum Characters 6 – 11 (Unicode) Reserved Characters 12 – 13 (Unicode) The period is included in the long file name. Yes Yes No Yes

Long File Names http: //www. ntfs. com/fat-filenames. htm

((0 x 3 E + 0 x 20 + 0 x 2*0 x. EDF) + 0 x 2*8)*0 x 200 Root Directory

Deleting a FAT File Deleting rootfile 1. txt 1. Read Fat Boot Sector (sector 0 of the volume) to understand structure and location of Reserved, FAT, and Data areas 2. Locate file 1. txt in the Root Directory to determine its starting cluster 3. Set FAT entries for file 1. txt to 0 4. Change filename to ile 1. txt in root directory – Set first character to 0 x. E 5 or 0 x 00

Directory and FAT Existing File Directory file 2 file 3 file 4 … 000 First cluster used by file 1. txt FAT … 001 … 002 O 2 C … 02 C 0 2 D 02 D 0 2 E 02 E F F F …

Directory and FAT Deleted file Directory FAT … 000 First cluster used by file … 001 … 002 ile 1. txt file 2 file 3 file 4 O 2 C … 02 C 0 02 D 0 02 E 0 0 0 …

Deleted File Recovery All Cluster Pointers in the FAT are gone! • Get the first cluster from the directory entry • Get size from directory entry • Calculate the number of clusters allocated to the file, n. • Option 1 Grab the next n-1 consecutive clusters. Call it the file. May have allocated or unallocated clusters from other files. Win. Hex uses this option. • Option 2 Grab the next n-1 unallocated clusters using the FAT. Call it the file. May have unallocated clusters from other deleted files. En. Case uses this option.