Scribd
Upload
8 views

Windows 026

The document discusses the basics of the FAT filesystem, including its components like the volume boot record, file allocation tables, directory entries, and data clusters. It describes what each component contains and its purpose in the filesystem.

Uploaded by

MotivatioNet
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
8 views

Windows 026

The document discusses the basics of the FAT filesystem, including its components like the volume boot record, file allocation tables, directory entries, and data clusters. It describes what each component contains and its purpose in the filesystem.

Uploaded by

MotivatioNet
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 8

Windows Forensics

Dr. Phil Polstra @ppolstra


PhD, CISSP, CEH http://philpolstra.com
Certifications:
http://www.securitytube-training.com

Pentester Academy: http://www.PentesterAcademy.com


©SecurityTube.net
FAT Filesystem Basics

©SecurityTube.net
FAT Filesystem

Been around since DOS

Three flavors: FAT12, FAT16, & FAT32

Contains File Allocation Tables

De facto standard

Modern versions of Windows won't
install on it
©SecurityTube.net
FAT Layout

Volume Boot Record 1 sector FAT12/16, 32 sectors (usually) FAT32

FAT 1 Primary & backup FAT.


Size = (total clusters) /(FAT Entry size)/512
FAT 2

Root Directory (FAT12/16) FAT32 moved this to data clusters (usually 2)

Files and directories are stored here.


Data Clusters Numbering starts at cluster 2.

©SecurityTube.net
Volume Boot Record

Allows filesystem to tell operating
system about itself

Contains needed and extended
parts

One sector for FAT12/16

Normally 32 sectors for FAT32
©SecurityTube.net
File Allocation Table

Gives status for each cluster
– Available
– Used and file continues to another cluster
– Used and last cluster in a file

First two entries are special

Used to create a cluster chain

Two FAT are normally updated together
©SecurityTube.net
Directory Entries

Contain metadata
– MAC times
– File size

Contains the starting cluster for a
file

Relate file names to cluster chains
©SecurityTube.net
Data Clusters

Where all the files live

All directories (with the possible
exception of root directory) live here
too

The only part of the disk that isn't
overhead

Collection of sectors
©SecurityTube.net

You might also like