HTCIA International Conference, Atlanta, GA. Robert Shullich CPP, CISSP, CISM, CISA, CGEIT, CRISC, GSEC, GCFA. September 20th, 2010.


HTCIA International Conference, September 20-22, 2010, Atlanta, GA
Demystifying the Microsoft Extended File System (exFAT)
Robert Shullich CPP, CISSP, CISM, CISA, CGEIT, CRISC, GSEC, GCFA
September 20th, 2010

Agenda
  About Me
  Why a new file system
  Forensics Relevance
  Features
  Advantages
  Timelines
  Support
  Limits
  Internals

About Me
  I have been in the IT field for 35+ years, and in InfoSec for over 15 years
  I carry many IT and InfoSec certifications
  This research was part of a term project for a forensics class for my master's in Forensic Computing
  I then expanded the term paper into a practical paper for my SANS GCFA certification
  A link to the SANS paper and my blog is at the end of this presentation

Why do we need a new file system?
  Current limits exhausted
    Larger volumes (>2TB)
    Larger file sizes (>4GB)
    Faster I/O (UHS-1: 104 MB/s, UHS-2: 300 MB/s)
  Removable media
  Flexibility
  Extensibility
  NTFS features without the overhead

Relevance to Forensics Study
  Digital evidence extraction
    Finding the evidence, including the hiding places
  Validation
  Daubert expert testimony
    Need to know and understand file organization
  New media (SD cards) will drive exFAT adoption, and the potential for CP investigations

What happens when you have exFAT formatted media and no exFAT support?

Forensics Challenges
  Linux OS support (Tuxera drivers may help)
  Mac OS support
  Open source tools
  Commercial tools: EnCase, FTK
  Documentation

Disclaimer
  The released specification and implementation is Release 1.00 of exFAT
  The specification mentions additional features that were not implemented yet, but may be at a future time
  Some of these are Windows CE holdovers
  Both may be presented today
  Some directory entries will be skipped

Exponents
  10^2 = 10 x 10 = 100
  10^3 = 10 x 10 x 10 = 1000 (1K)
  2^2 = 2 x 2 = 4
  2^9 = 2 x 2 x 2 x 2 x 2 x 2 x 2 x 2 x 2 = 512
  2^10 = 2 x 2 x 2 x 2 x 2 x 2 x 2 x 2 x 2 x 2 = 1024 (1K)
  2^12 = 2 x 2 x 2 x 2 x 2 x 2 x 2 x 2 x 2 x 2 x 2 x 2 = 4096

International System of Units (SI) Table
  File systems are measured in powers of 2; device characteristics in powers of 10
  Shorthand  Longhand   Nth    Bytes
  KiB        Kibibyte   2^10   1024
  MiB        Mebibyte   2^20   1024 KiB
  GiB        Gibibyte   2^30   1024 MiB
  TiB        Tebibyte   2^40   1024 GiB
  PiB        Pebibyte   2^50   1024 TiB
  EiB        Exbibyte   2^60   1024 PiB
  ZiB        Zebibyte   2^70   1024 EiB
  YiB        Yobibyte   2^80   1024 ZiB

Features of exFAT 1.00
  Sector sizes from 512 to 4096 bytes
  Cluster sizes to 32MiB
  Root directory unlimited
  Subdirectories to 256MiB
  Built for speed: less overhead than NTFS, but has some of the NTFS features
  UTC timestamp support
  Vista/Server 2008 SP2+, XP with KB

Features of exFAT 1.00 (cont'd)
  OEM Parameters sector for device dependent parameters
  12 sector VBR, support of larger boot program
  Potential capacity to 64ZiB; current support 128 PiB
  Up to 2,796,202 files per subdirectory
  File names max to 255 characters
  Unicode file names and volume labels

Future Features of exFAT
  TexFAT (to be released later): exists in Windows CE, Transaction Safe exFAT
  ACL (to be released later): exists in Windows CE
  Encryption support? Not announced, but mentioned how easy to add

MBR Partition Limitations
  Microsoft file systems are limited when stored in an MBR partition
  A partition is defined by a Master Boot Record
  An MBR uses a 4 byte value for number of sectors
  To get the maximum volume size, exFAT cannot be created within a partition

Advantages of exFAT
  Handle growing capacities in media, increasing capacity to >32 GB
  >1000 files in a single directory
  Speeds up storage allocation processes
  Breaks the 4 GB file size barrier
  Supports interoperability with future desktop OSs
  Provides an extensible format
  Large cluster sizes

Disadvantages of exFAT
  Not all Windows CE features implemented
  No direct conversion to or from other file systems
    Cannot use CONVERT command to NTFS
  No floppy support
  Mostly a Microsoft desktop and server world
    No support for older MS systems
    No support for non-MS systems
    No XBOX, PS3 or other special devices

Key Dates for exFAT
  September 2006  Windows CE 6.0
  March 2008      Windows Vista Service Pack 1
  January 2009    Announcement at CES of SDXC specification
  January 2009    Windows XP drivers available
  May 2009        Windows Vista Service Pack 2
  August 2009     Tuxera signs file system IP agreement with Microsoft
  March 2009      Pretec releases first SDXC cards
  December 2009   Microsoft (re)announces exFAT license program for third parties
  December 2009   SDXC laptops due soon
  December 2009   DiskInternals releases exFAT recovery utility
  December 2009   EnCase support

More Key Dates for exFAT
  December 2009   Sony, Canon & Sanyo license
  January 2010    Funai license (LCD TV)
  February 2010   Panasonic license
  February 2010   Panasonic 64/48GB SDXC
  February 2010   Sony Memory Stick XC
  February 2010   SanDisk Ultra XC 64GB card, 3.0 spec, $350

More Key Dates
  June 1st 2010   Tuxera releases Linux & Android exFAT drivers
  June 3rd 2010   Kingston releases Class 10 SDXC 64GB card: 60 MB/s read, 35 MB/s write

SD Card Association
  New memory card
  Consumer appliances
  Follows SDHC
  Specification for 2TB capacity


SDXC Storage Capabilities
  From 32GB to 2TB on a card
  Exclusively exFAT file system
  300 MB/s I/O transfer
  Storage: 4,000 RAW images; 100 HD movies or 60 hours of HD recording; 17,000 fine-grade photos in a single directory

Support for exFAT
  Windows XP & Server 2003: KB955704 (requires SP2 or SP3)
  Vista & Server 2008 SP1
  Vista & Server 2008 SP2 (adds UTC timestamp support)
  Windows 7

Reference Standards
  Bits are numbered right to left (7 6 5 4 3 2 1 0)
  Decimal offsets (zero based)
  Little-endian numbers
  Unsigned numbers
  Sectors vs. clusters
  Strings are 16 bit Unicode
  Strings not terminated

Endian
  Numbering order may vary based on processor type, and is determined by the order the data bytes are read from the register
  A 32 bit number is read as 4 8-bit bytes
  If I have the number 0x01 02 03 04
    Big-endian will store it as: 0x 01 02 03 04
    Little-endian will store it as: 0x 04 03 02 01

File System Integrity
  Version verified
  3 checksums: VBR, UP-Case Table, File Set
  Critical directory entries
  Other checks and balances
  File system should NOT mount if failures

exFAT Limits
  Volume size 128PiB (MS said 64ZiB; MS now says 256TiB)
  File size 16 EiB (64 bit number), bigger than volume size
  Subdirectory 256MiB
  Sector 512-4096 bytes (2^9 to 2^12)
  Cluster 32MiB (2^25)
  No floppy support
  No FAT32 minimum cluster (65,525) restriction
  No 8.3 file name support

Data Hide Alert!
  FAT32 max cluster 32KiB
  exFAT max cluster 32MiB
  This is an increase of 1024 fold
  Potential for massive slack space

Volume Space Layout
  The Main Boot Region: contains main VBR
  The Backup Boot Region: contains backup VBR
  The FAT Region: contains FAT table(s)
  The Data Region (Cluster Heap): this is where data resides


VBR (Volume Boot Record)
  Contains 12 sectors
    1 sector main boot sector: jump code (3 bytes), BPB (BIOS Parameter Block), boot strap code
    8 sectors main extended boot sectors
    1 sector OEM parameters
    1 sector reserved
    1 sector VBR checksum

Boot Parameter Block (BPB)
  OEM Label EXFAT
  Volume Length (64-bit) [sector]
  FAT Location & Size [sector]
  Heap Location & Size [sector, cluster]
  Volume Serial Number
  Location of Root Directory [cluster]
  Volume Flags
  Sector and Cluster Sizes [2-shift]
  Percent in use
  File System Revision (0x0010 = 1.00)

Sectors & Clusters
  A 2-shift is a power of 2 (another name for exponent)
  Sector size and sectors per cluster are each stored in 1 byte
  Theoretical maximum is 2^255
  Sector size maximum is 2^12
  Sectors per cluster is derived
  Cluster size maximum is 2^25

Executable Boot Code
  First 3 bytes of Main Boot Sector: jump code 0xEB7690
  Offset 120, size 390: remainder of boot code
  Offset 510: end signature marker 0xAA55 (stored as 55 AA)
  Offset 512: unused if defined

More Bootable Code
  Up to 8 Main Extended Boot Sectors (FAT32 had a 3 sector VBR with 1 MEBS)
  Entire sector can be used for boot code
  Last 8 bytes of sector is marker 0xAA550000 (stored as 00 00 55 AA)
  Larger capacity for boot virus!

VBR Checksum Sector
  The 12th sector of the VBR
  Repeating 4 byte checksum
  Checksum of previous 11 sectors
  Flags and Percent excluded: these are volatile and change often
  Boot sector virus & checksum

VBR Checksum Sector
  Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
  00000000  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ. ÉÐ. ÉÐ. ÉÐ.
  00000010  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ. ÉÐ. ÉÐ. ÉÐ.
  00000020  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ. ÉÐ. ÉÐ. ÉÐ.
  00000030  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ. ÉÐ. ÉÐ. ÉÐ.
  00000040  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ. ÉÐ. ÉÐ. ÉÐ.
  Lines 00000050 through 000001BF repeated
  000001C0  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ. ÉÐ. ÉÐ. ÉÐ.
  000001D0  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ. ÉÐ. ÉÐ. ÉÐ.
  000001E0  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ. ÉÐ. ÉÐ. ÉÐ.
  000001F0  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ. ÉÐ. ÉÐ. ÉÐ.
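An added example (my code, not the deck's or Microsoft's) that computes the VBR checksum described above and checks it against the repeated 4-byte pattern in the 12th sector. The rotate-right-and-add rule and the skipped offsets 106-107 (Volume Flags) and 112 (Percent in Use) come from the exFAT specification rather than this deck, and the 12-sector image is constructed here with placeholder boot code:

```python
import struct

SECTOR_SIZE = 512                   # the deck's samples use 2^9-byte sectors
VBR_SECTORS = 12                    # main boot, 8 extended boot, OEM parameters, reserved, checksum
SKIPPED_OFFSETS = {106, 107, 112}   # VolumeFlags (2 bytes) and PercentInUse: volatile, excluded


def vbr_checksum(first_eleven_sectors):
    """32-bit rotate-right-by-one-then-add over VBR sectors 0-10, skipping the
    volatile bytes (rule and offsets as defined in the exFAT specification)."""
    acc = 0
    for i, b in enumerate(first_eleven_sectors):
        if i in SKIPPED_OFFSETS:
            continue
        acc = ((((acc & 1) << 31) | (acc >> 1)) + b) & 0xFFFFFFFF
    return acc


def build_checksum_sector(checksum, sector_size=SECTOR_SIZE):
    """The 12th sector is the 4-byte little-endian checksum repeated to fill the sector."""
    return struct.pack("<I", checksum) * (sector_size // 4)


def verify_vbr(vbr, sector_size=SECTOR_SIZE):
    """Recompute the checksum of sectors 0-10 and compare with the stored 12th sector.
    Returns (computed_checksum, matches)."""
    if len(vbr) < VBR_SECTORS * sector_size:
        raise ValueError("VBR image is shorter than 12 sectors")
    body = vbr[:11 * sector_size]
    stored = vbr[11 * sector_size:12 * sector_size]
    computed = vbr_checksum(body)
    return computed, stored == build_checksum_sector(computed, sector_size)


def constructed_vbr():
    """A constructed 12-sector VBR image, not a dump from the deck: only the fields this
    example touches are filled in, and the boot code is a placeholder."""
    boot = bytearray(SECTOR_SIZE)
    boot[0:3] = bytes.fromhex("EB7690")          # jump code
    boot[3:11] = b"EXFAT   "                     # OEM label
    boot[106:108] = struct.pack("<H", 0)         # VolumeFlags, excluded from the checksum
    boot[108] = 9                                # BytesPerSectorShift: 2^9 = 512
    boot[109] = 8                                # SectorsPerClusterShift: 2^8 = 256
    boot[112] = 42                               # PercentInUse, excluded from the checksum
    boot[120:130] = b"BOOTCODE.."                # placeholder for the 390 bytes of boot code
    boot[510:512] = bytes.fromhex("55AA")        # end signature marker 0xAA55
    ext = bytearray(SECTOR_SIZE)
    ext[508:512] = bytes.fromhex("000055AA")     # extended boot sector marker 0xAA550000
    oem = bytearray(SECTOR_SIZE)                 # OEM parameters, left empty
    reserved = bytearray(SECTOR_SIZE)
    body = bytes(boot) + bytes(ext) * 8 + bytes(oem) + bytes(reserved)
    return body + build_checksum_sector(vbr_checksum(body))


def run_time_fields_are_ignored(vbr):
    """Flipping VolumeFlags or rewriting PercentInUse must leave the checksum valid."""
    mutated = bytearray(vbr)
    mutated[106] ^= 0x01
    mutated[112] = 99
    return verify_vbr(bytes(mutated))[1]


def boot_code_change_is_detected(vbr):
    """A single changed byte outside the skipped offsets always changes the checksum:
    every rotate-and-add step is a bijection, so two images that diverge at one byte
    never converge again."""
    mutated = bytearray(vbr)
    mutated[121] ^= 0xFF
    return not verify_vbr(bytes(mutated))[1]
```

The C9 D0 18 8B pattern in the dump above is the little-endian value 0x8B18D0C9 repeated 128 times across a 512-byte sector. Because whoever can write the VBR can also rewrite its checksum sector, a match proves consistency, not authenticity; compare the VBR against a known-good image for that.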

FAT (File Allocation Table)
  When it is used, same as legacy FAT
  Not used when file contiguous
  Never used for cluster allocation
  FAT32 has 32 bit cells, uses 28 bits
  exFAT has 32 bit cells, uses 32 bits
  There is no 64 bit FAT
  Maximum clusters is 2^32 - 11
  With TexFAT: 2 FAT tables (2 bitmaps)
  Addressed by pointer in VBR
  Size stored in VBR

Cell Values in FAT Table
  0x00000000             No significant meaning
  0x00000001             Not a valid cell value
  0xFFFFFFF6             Largest value
  0xFFFFFFF7             Bad block
  0xFFFFFFF8             Media descriptor, fixed disk
  0xFFFFFFF9-0xFFFFFFFE  Not defined
  0xFFFFFFFF             End of File (EOF)


FAT Table Example
  Cells 0-4: Media, Reserved, Allocation Bitmap, UP-Case Table, Root Directory
  Offset  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  0000   F8 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
  0010   FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00
  0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0060   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0080   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00A0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00C0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00E0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0100   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Allocation Bitmap
  Keeps track of cluster allocation status
    Zero: free cluster
    One: allocated cluster
  1 byte = tracking of 8 clusters
  Bit zero of byte zero = cluster 2
  Cluster 0 & cluster 1 are not defined
  Addressed by directory entry
  With TexFAT: 2 of these (FAT pairing)

Data Hide Alert!
  The Allocation Bitmap and the UP-Case Table are stored as files, and provide hiding space in the metadata
  These files are static, typically won't move, and have slack space
  Nothing prevents someone from moving these files elsewhere in the cluster heap, and actually making them larger


Directories in exFAT
  Root (VBR pointer): contains certain critical entries; almost unlimited in size
  Subdirectory (by file entry): contains file sets; 256MiB max size
  No physical . or .. entries
  Uses 16 bit Unicode for strings
  Every entry 32 bytes in size
  Entry 0x00 is end of directory
  Has capabilities for user entries

Data Hide Alert!
  Manipulation of the Allocation Bitmap, and creation of user directory entries, provides the capability of hiding a file system within the file system
  It may also be possible to hide data within the directory metadata itself

Entry Type
  Type Field   Offset (bits)  Size (bits)
  In Use       7              1
  Category     6              1
  Importance   5              1
  Code         0              5

Entry Type
  In Use: 0 = not in use, 1 = in use
  Category: 0 = primary, 1 = secondary
  Importance: 0 = critical, 1 = benign
  Code: identifies the entry

Volume Label Directory Entry
  0x83 or 0x03 entry
  Primary entry
  Only resident in root directory
  Contains the volume label, 16 bit Unicode
  0x03 means no volume label

Volume Label Directory Entry
  Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
  00000000  83 0A 65 00 78 00 46 00 41 00 54 00 2D 00 31 00  ƒ.e.x.F.A.T.-.1.
  00000010  32 00 38 00 4B 00 00 00 00 00 00 00 00 00 00 00  2.8.K...........
  Type (83), Volume Name Length (0A = 10), Volume Label (exFAT-128K)

Allocation Bitmap Directory Entry
  0x81 entry
  Primary entry
  Only resident in root directory
  Points to the Allocation Bitmap
  If TexFAT, then 2 of these; flag bits say which FAT/bitmap
  Cluster address of bitmap
  Size of bitmap

Allocation Bitmap Directory Entry
  Offset  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
  0000    81 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0010    00 00 00 00 02 00 00 00 3F 00 00 00 00 00 00 00
  Type (81), Cluster Address (02 00 00 00 = cluster 2), Size (3F 00 00 00 = 63 bytes)

UP-Case Table Directory Entry
  0x82 entry
  Primary entry
  Only resident in root directory
  File names are case insensitive; used to fold file name
  Table has a checksum (32 bits)

UP-Case Table Directory Entry
  Offset  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
  0000    82 00 00 00 0D D3 19 E6 00 00 00 00 00 00 00 00
  0010    00 00 00 00 03 00 00 00 CC 16 00 00 00 00 00 00
  Type (82), Table Checksum (0D D3 19 E6), Cluster Address (03 00 00 00 = cluster 3), Length (CC 16 00 00 = 0x16CC = 5,836)

File Directory Entry Set
  Used to define a file
  May have 3 to 19 entries, or more
  1 primary, many secondary
  Is considered an array
  Must be in order
  Must be contiguous (no gaps)
  Entire set has checksum

File Directory Entry
  0x85 or 0x05 entry
  Primary entry
  Set checksum (16 bits), not modified on file delete
  Secondary count: # secondary entries that follow
  File attributes
  Timestamps

Timestamps & Time Zones
  3 timestamps (MAC)
    32 bit DOS date/time, local machine time
    10ms offset (MC)
    TZ offset (MAC): 15 minute increments, 7 bit signed number, ±16 hours
  Present with UTC support

Timestamp Accuracy
  FAT32: last access date only
  exFAT: last access date/time
  All DOS DATE/TIME: double seconds
  10ms adds 0-1990 ms to time
  10ms only for create/modify

Timestamp Reliability
  Timestamps appear to be updated when the file is created or modified
  Last Accessed timestamp appears to be updated when the file is created or modified
  Last Accessed timestamp appears NOT to be modified on file read
  Forensics implication on MAC time analysis

File Attributes
  Attribute  Offset  Size  Mask
  Reserved2  6       10
  Archive    5       1     0x20
  Directory  4       1     0x10
  Reserved1  3       1
  System     2       1     0x04
  Hidden     1       1     0x02
  Read-Only  0       1     0x01

File Directory Entry
  Offset  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
  0000    85 04 D4 92 20 00 00 00 44 62 86 3B F1 62 BA 3A
  0010    44 62 86 3B A8 00 EC EC EC 00 00 00 00 00 00 00
  Type (85), # Secondary Entries (04), Set Checksum (D4 92 = 0x92D4), Attributes (20 00 = 0x0020 = Archive),
  Create (44 62 86 3B), Modified (F1 62 BA 3A), Accessed (44 62 86 3B),
  10ms Create (A8), 10ms Modified (00), TZ Offset C/M/A (EC EC EC; EC = GMT-5)

Formatted File Directory Entry
  Root Entry Type Read is: 85 Directory Entry Record
  Checksum: 92D4  Calculated Checksum is: 92D4
  Size Directory Set (bytes): 160
  Secondary Count 004
  File Attributes: 0020 Archive
  Create Timestamp: 3B866244 12/06/2009 12:18:08 18
  Last Modified Timestamp: 3ABA62F1 05/26/2009 12:23:34
  Last Accessed Timestamp: 3B866244 12/06/2009 12:18:08
  10 ms Offset Create A8 168
  10 ms Offset Modified 00 0
  Time Zone Create EC 236 Value of tz is: GMT -05:00
  Time Zone Modified EC 236 Value of tz is: GMT -05:00
  Time Zone Last Accessed EC 236 Value of tz is: GMT -05:00
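An added example (my code, not the deck's or any tool's) that decodes the File Directory Entry dumped above: the entry type bit fields, the attribute mask, and the three DOS timestamps with their 10 ms and time-zone extensions. The field offsets inside the 32-byte entry and the 7-bit signed, 15-minute time-zone encoding with bit 7 as a validity flag are taken from the exFAT specification, not from this deck:

```python
import struct
from datetime import datetime, timedelta, timezone

# The 32-byte File Directory Entry (type 0x85) from the deck's hex dump.
FILE_ENTRY = bytes.fromhex(
    "85 04 D4 92 20 00 00 00 44 62 86 3B F1 62 BA 3A "
    "44 62 86 3B A8 00 EC EC EC 00 00 00 00 00 00 00"
)

ATTRIBUTE_MASKS = (("read_only", 0x01), ("hidden", 0x02), ("system", 0x04),
                   ("directory", 0x10), ("archive", 0x20))


def decode_entry_type(type_byte):
    """Split the entry type byte into its four fields."""
    return {
        "in_use": bool(type_byte & 0x80),      # bit 7: 1 = in use, 0 = not in use
        "secondary": bool(type_byte & 0x40),   # bit 6: 0 = primary, 1 = secondary
        "benign": bool(type_byte & 0x20),      # bit 5: 0 = critical, 1 = benign
        "code": type_byte & 0x1F,              # bits 0-4: identifies the entry
    }


def decode_attributes(attributes):
    return [name for name, mask in ATTRIBUTE_MASKS if attributes & mask]


def decode_timestamp(dos_value, ten_ms=0, tz_byte=0):
    """32-bit DOS date/time (2 s resolution) plus the 10 ms increment and the exFAT
    time-zone byte. Returns an aware datetime when the TZ byte is valid, a naive local
    time when it is not (no UTC support), and None for a zeroed or corrupt value."""
    date, time = dos_value >> 16, dos_value & 0xFFFF
    try:
        local = datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                         time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    except ValueError:
        return None
    local += timedelta(milliseconds=10 * ten_ms)   # adds 0-1990 ms
    if not tz_byte & 0x80:                         # bit 7 clear: no offset recorded
        return local
    quarters = tz_byte & 0x7F                      # 7-bit signed count of 15-minute steps
    if quarters & 0x40:
        quarters -= 0x80
    return local.replace(tzinfo=timezone(timedelta(minutes=15 * quarters)))


def parse_file_entry(raw):
    """Decode the primary File Directory Entry (type, counts, attributes, MAC times)."""
    if len(raw) != 32:
        raise ValueError("directory entries are exactly 32 bytes")
    (etype, secondary_count, set_checksum, attributes, _reserved,
     create, modified, accessed, create_10ms, modified_10ms,
     tz_create, tz_modified, tz_accessed) = struct.unpack_from("<BBHHHIIIBBBBB", raw)
    return {
        "type": decode_entry_type(etype),
        "secondary_count": secondary_count,
        "set_checksum": set_checksum,
        "attributes": decode_attributes(attributes),
        "create": decode_timestamp(create, create_10ms, tz_create),
        "modified": decode_timestamp(modified, modified_10ms, tz_modified),
        "accessed": decode_timestamp(accessed, 0, tz_accessed),   # no 10 ms field
    }


def to_utc(timestamp):
    """Normalise an aware timestamp for timeline work; naive or None values pass through."""
    return timestamp.astimezone(timezone.utc) if timestamp and timestamp.tzinfo else timestamp
```

For this entry the 10 ms field moves the create time from 12:18:08 to 12:18:09.68, which the 2-second DOS value alone would hide in a timeline.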

Stream Extension Directory Entry
  0xC0 or 0x40 entry
  Secondary entry
  Length of name
  Length of file (2 of them)
  Cluster address of first data block
  Name search hash value
  Secondary flags: FAT invalid, allocation possible

Stream Extension Directory Entry
  Offset  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
  0000    C0 03 00 28 AD 3C 00 00 1F 46 1D 01 00 00 00 00
  0010    00 00 00 00 05 00 00 00 1F 46 1D 01 00 00 00 00
  Entry Flags (03 = Alloc Possible/FAT Invalid), Length of File Name (0x28 = 40), Name Hash (AD 3C = 0x3CAD),
  Cluster (05 00 00 00 = 5), Data Length (1F 46 1D 01 = 0x011D461F = 18,695,711)

Parameters for Samples
  Bytes per sector: 2 to the 09 power is: 512
  Sectors per cluster: 2 to the 08 power is: 256
  Bytes per cluster: 131072 (128K)

Formatted Stream Extension
  Root Entry Type Read is: C0 Directory Entry Record, Stream Extension
  Secondary Flags: 03
    Flag Bit 0: Allocation Possible
    Flag Bit 1: FAT Chain Invalid
  Length of UniCode Filename is: 40
  Name Hash Value is: AD3C
  Stream Extension First Cluster 5
  Cluster 5 is Allocated
  Stream Extension Data Length 18695711 Bytes   Slack: 83487   Clusters Used: 143
  Stream Extension Valid Data Length 18695711 Bytes   Slack: 83487   Clusters Used: 143

File Name Extension Directory Entry
  0xC1 or 0x41 entry
  Secondary entry
  Secondary flags: allocation not possible, FAT invalid
  15 characters (30 bytes) of name
  Name in 16 bit Unicode
  In order (FAT32 LFN was reversed)
  Up to 17 max, total 255 characters

File Name Extension Directory Entry
  Offset  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
  0000    C1 00 62 00 75 00 73 00 69 00 6E 00 65 00 73 00  Á.b.u.s.i.n.e.s.
  0010    73 00 5F 00 6F 00 66 00 5F 00 73 00 65 00 63 00  s._.o.f._.s.e.c.
  0000    C1 00 75 00 72 00 69 00 74 00 79 00 5F 00 5F 00  Á.u.r.i.t.y._._.
  0010    62 00 75 00 73 00 2D 00 31 00 30 00 35 00 2D 00  b.u.s.-.1.0.5.-.
  0000    C1 00 33 00 32 00 6B 00 62 00 70 00 73 00 2E 00  Á.3.2.k.b.p.s...
  0010    6D 00 70 00 33 00 00 00 00 00 00 00 00 00 00 00  m.p.3...........
  File Name = business_of_security__bus-105-32kbps.mp3
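An added example (my code, not the deck's) that reassembles the complete 160-byte entry set from the File Directory Entry, Stream Extension and File Name Extension dumps above and verifies it the way the deck's formatted output does: the 16-bit set checksum, the name hash over the up-cased name, the in-order name entries, and the cluster accounting at the 128K cluster size of the sample parameters. Both rotate-and-add definitions and the Stream Extension field offsets come from the exFAT specification rather than this deck, and str.upper() stands in for the volume's UP-Case Table, which is only equivalent for ASCII names:

```python
import math
import struct

BYTES_PER_CLUSTER = (1 << 9) * (1 << 8)   # 512-byte sectors, 256 per cluster: 128K

# The complete five-entry set assembled from the deck's dumps: the 0x85 File Directory
# Entry, the 0xC0 Stream Extension and the three 0xC1 File Name Extension entries.
ENTRY_SET = bytes.fromhex(
    "85 04 D4 92 20 00 00 00 44 62 86 3B F1 62 BA 3A 44 62 86 3B A8 00 EC EC EC 00 00 00 00 00 00 00 "
    "C0 03 00 28 AD 3C 00 00 1F 46 1D 01 00 00 00 00 00 00 00 00 05 00 00 00 1F 46 1D 01 00 00 00 00 "
    "C1 00 62 00 75 00 73 00 69 00 6E 00 65 00 73 00 73 00 5F 00 6F 00 66 00 5F 00 73 00 65 00 63 00 "
    "C1 00 75 00 72 00 69 00 74 00 79 00 5F 00 5F 00 62 00 75 00 73 00 2D 00 31 00 30 00 35 00 2D 00 "
    "C1 00 33 00 32 00 6B 00 62 00 70 00 73 00 2E 00 6D 00 70 00 33 00 00 00 00 00 00 00 00 00 00 00"
)


def ror16_add(acc, byte):
    """One step of the 16-bit rotate-right-by-one-then-add shared by both checks."""
    return ((((acc & 1) << 15) | (acc >> 1)) + byte) & 0xFFFF


def entry_set_checksum(entry_set):
    """Set checksum over every byte of the set except bytes 2-3, where it is stored.
    Any single-byte change elsewhere alters the result, since each step is a bijection."""
    acc = 0
    for i, b in enumerate(entry_set):
        if i not in (2, 3):
            acc = ror16_add(acc, b)
    return acc


def name_hash(name):
    """Name hash over the up-cased file name in UTF-16LE. str.upper() stands in for
    the volume's UP-Case Table (assumption; equivalent only for ASCII names)."""
    acc = 0
    for b in name.upper().encode("utf-16-le"):
        acc = ror16_add(acc, b)
    return acc


def parse_entry_set(entry_set, cluster_size=BYTES_PER_CLUSTER):
    """Walk a File Directory Entry Set in order: primary, Stream Extension, then the
    File Name Extension entries. Returns stored and recomputed integrity values."""
    primary = entry_set[:32]
    if (primary[0] & 0x7F) != 0x05:
        raise ValueError("set must start with a File Directory Entry (0x85/0x05)")
    secondary_count = primary[1]
    if len(entry_set) != 32 * (secondary_count + 1):
        raise ValueError("set length does not match the secondary count")
    # Stream Extension layout: type, flags, reserved, name length, name hash,
    # reserved, valid data length, reserved, first cluster, data length
    (stype, flags, _r1, name_length, stored_hash, _r2, valid_data_length,
     _r3, first_cluster, data_length) = struct.unpack_from("<BBBBHHQIIQ", entry_set, 32)
    if (stype & 0x7F) != 0x40:
        raise ValueError("first secondary entry must be the Stream Extension (0xC0/0x40)")
    utf16 = b""
    for off in range(64, len(entry_set), 32):      # name entries in order, 15 chars each
        if (entry_set[off] & 0x7F) != 0x41:
            raise ValueError("expected a File Name Extension entry (0xC1/0x41)")
        utf16 += entry_set[off + 2:off + 32]
    name = utf16.decode("utf-16-le")[:name_length]
    clusters_used = math.ceil(data_length / cluster_size)
    return {
        "name": name,
        "stored_checksum": struct.unpack_from("<H", primary, 2)[0],
        "computed_checksum": entry_set_checksum(entry_set),
        "stored_hash": stored_hash,
        "computed_hash": name_hash(name),
        "allocation_possible": bool(flags & 0x01),
        "fat_chain_invalid": bool(flags & 0x02),   # contiguous file, FAT not consulted
        "first_cluster": first_cluster,
        "data_length": data_length,
        "valid_data_length": valid_data_length,
        "clusters_used": clusters_used,
        "last_cluster_bytes": data_length % cluster_size,
        "slack_bytes": clusters_used * cluster_size - data_length,
    }
```

With 131,072-byte clusters, 18,695,711 bytes occupy 143 clusters and leave 47,585 unused bytes in the last one; the 83,487 that the deck's output labels "Slack" is the data length modulo the cluster size, that is the bytes in use in the final cluster.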

Significance of the Not In Use Flag
  0x05, 0x40 & 0x41 entries
  Not in use may mean deleted files
  May also be reallocated (rename)
  Set checksum not changed when entries marked not in use

Summary
  exFAT is a new generation of the FAT family of Microsoft file systems
  The need for forensics tools will heat up in 2010
  We don't have the right tools yet
  Documentation and support for exFAT is scarce

Q&A

Contact Information
  E-mail: rshullic@earthlink.net
  Blog: rshullic.wordpress.com
  Blog: shullich.blogspot.com

References
  SANS Reading Room: http://www.sans.org/reading_room/whitepapers/forensics/rss/reverse_engineering_the_microsoft_exfat_file_system_33274
  Microsoft Patent 0164440 (June 25, 2009). Quick Filename Lookup Using Name Hash. Pub No. US 2009/0164440 A1. Retrieved December 10, 2009 from http://www.pat2pdf.org/patents/pat20090164440.pdf