Understanding FAT12
Introduction to Computer Forensics
Kessler/Schirling, Fall 2002
© Gary C. Kessler, 2002
EXP 248 Project #3
• You have a floppy disk image file
• Examine the floppy to find an address and a password, and verify the MD5 hash
• Meta-project
  – This project is based on a forensic challenge posted on the Internet, October 2002
  – That problem was to find, examine, and open three files on a floppy disk
Hexadecimal

Dec.  Hex
  0   0x0
  1   0x1
  2   0x2
  3   0x3
  4   0x4
  5   0x5
  6   0x6
  7   0x7
  8   0x8
  9   0x9
 10   0xa
 11   0xb
 12   0xc
 13   0xd
 14   0xe
 15   0xf
 16   0x10

To convert a hex (base 16) number to decimal (base 10), multiply each digit by the appropriate power of 16 and add the products.
E.g., convert 0x1ab5 to decimal:
0x1ab5 = 1·16^3 + 10·16^2 + 11·16^1 + 5·16^0
       = 1·4096 + 10·256 + 11·16 + 5·1
       = 4096 + 2560 + 176 + 5
       = 6837
Disk Geometry Terms
• Byte - Basic unit of storage (8 bits)
• Sector - Organizational grouping of bytes on the media
  – 512 B/sector on a floppy
• Cluster - Smallest read/write unit for efficient operation
  – 1 cluster = 1 sector on a floppy
Basic Disk Layout
• Sector 0 is the Boot Sector
  – The Boot Sector points to FAT1, FAT2, and the Root Directory
• The Boot Sector is followed by FAT1 and FAT2
  – The FATs contain linked lists indicating the clusters assigned to files
• FAT2 is followed by the Root Directory
  – The Root Directory contains the names of files (and directories), starting cluster, and length
  – The starting cluster points to a cluster of data on the medium and to an entry in the FATs
B/S, FAT, Root Directory, & Files (illustration)

Sector 0 is the Boot Sector, which records the FAT type, the FAT size, and the Root Directory size. It is followed by FAT1, FAT2, and the Root Directory; the file data follows the Root Directory and is shown here as clusters 0-7 of a toy volume:

FAT1/FAT2 (entry: value)
0: <unused>
1: <unused>
2: <end>
3: 4
4: 2
5: 6
6: <end>
7: <unused>

Root Directory
tyui.jpg - start cluster = 3, length = 3
mes.doc  - start cluster = 5, length = 2

File tyui.jpg occupies clusters 3, 4, and 2 (follow the FAT: 3 -> 4 -> 2 -> end); it has a physical size of 3 × 512 = 1,536 bytes.
File mes.doc occupies clusters 5 and 6 (5 -> 6 -> end); it has a physical size of 1,024 bytes.
(On a real FAT12 volume entries 0 and 1 are reserved and data clusters are numbered from 2, as the dump of this floppy's FAT shows later; the toy diagram simply marks the first two entries unused.)
Copy Image to Floppy
Note that we see only two files... although we've been told that there are three!
Sector Assignments I

Sector(s)   Address           Function
0           0x0000-0x01ff     Boot Sector
1-?         0x0200-0x????     File Allocation Table (primary)
?           ?                 File Allocation Table (secondary)
?           ?                 Root Directory
?           ?                 File storage space

The basic format of the media is well defined. The Boot Sector is always the first sector (0) and it is followed by the primary FAT. The Boot Sector identifies the file system, the size of the FAT tables, the cluster size, etc., which is what lets us fill in the question marks.
Boot Sector
Boot Sector Interpretation

0000 eb 3c 90 4d 53 44 4f 53 35 2e 30 00 02 01 01 00  ë<.MSDOS5.0.....
0010 02 e0 00 40 0b f0 09 00 12 00 02 00 00 00 00 00  .à.@.ð..........
0020 00 00 00 00 00 00 29 cf cd b1 c4 4e 4f 20 4e 41  ......)ÏͱÄNO NA
0030 4d 45 20 20 20 20 46 41 54 31 32 20 20 20 33 c9  ME    FAT12   3É
0040 8e d1 bc f0 7b 8e d9 b8 00 20 8e c0 fc bd 00 7c  .Ѽð{.Ù¸. .Àü½.|
0050 38 4e 24 7d 24 8b c1 99 e8 3c 01 72 1c 83 eb 3a  8N$}$.Á.è<.r..ë:
0060 66 a1 1c 7c 26 66 3b 07 26 8a 57 fc 75 06 80 ca  f¡.|&f;.&.Wüu..Ê

Fields (offset: meaning); multi-byte values are little-endian, so the bytes appear reversed in the dump:
• 0x03: Name string ("MSDOS5.0")
• 0x0b: Bytes/sector (00 02 = 0x0200 = 512)
• 0x0d: Sectors/cluster (0x01 = 1)
• 0x0e: Reserved sectors before the first FAT (01 00 = 1, i.e. just the Boot Sector)
• 0x10: No. of FATs (0x02 = 2)
• 0x11: Maximum No. of Root Directory Entries (e0 00 = 0x00e0 = 224)
• 0x13: Total sectors (40 0b = 0x0b40 = 2880, or 1.44 MB)
• 0x15: Media Descriptor (0xf0 = 3.5-inch 1.44 MB removable floppy)
• 0x16: No. of Sectors/FAT (09 00 = 0x0009 = 9)
• 0x18: Sectors/track (12 00 = 18); 0x1a: Heads (02 00 = 2)
• 0x26: Extended boot signature (0x29), followed at 0x27 by the volume serial number (cf cd b1 c4)
• 0x2b: Volume Label ("NO NAME    ")
• 0x36: FAT Id. ("FAT12   ")
The boot code begins at 0x3e. Note that the FAT Id string is informational only: the file system type is really determined by the number of clusters in the data area, so the string should be checked against that count rather than trusted.
Capacity of this Medium
• FAT12 allocates 12 bits per FAT entry
  – Limits addressing to 4,096 (2^12) cluster values (the highest few values are reserved for end-of-chain and bad-cluster markers, so slightly fewer are usable)
• This floppy is configured so that:
  – 1 cluster = 1 sector
  – 1 sector = 512 B
• This FAT12 table is therefore limited in capacity to 4,096 × 512 = 2,097,152 bytes (2 MB)
  – The device itself is only 2880 sectors (1.44 MB)
Sector Assignments II

NOTES:
• Boot Sector is 1 sector (0x200 bytes)
• There are two FATs, each 9 sectors (0x1200 bytes)
• The Root Directory can contain 224 entries, each 32 bytes (7168, or 0x1c00, bytes; 14 sectors)
• File storage starts at sector #33 (1 + 9 + 9 + 14), byte #0x4200 (0x200 + 0x1200 + 0x1200 + 0x1c00)

Sector(s)   Address             Function
0           0x0000-0x01ff       Boot Sector
1-9         0x0200-0x13ff       File Allocation Table (primary)
10-18       0x1400-0x25ff       File Allocation Table (secondary)
19-32       0x2600-0x41ff       Root Directory
33-2879     0x4200-0x167fff     File storage space
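The sector table above follows mechanically from the Boot Sector fields. The following Python script is an added example (not part of the original slides) that unpacks those fields from the boot-sector bytes transcribed from the dump on this page and computes the same table; it also derives the FAT type from the cluster count, the way a file system driver does, instead of trusting the "FAT12" string.

```python
"""FAT12 boot-sector (BPB) decoder that derives the sector table above.

Added example, not part of the original slides.  BOOT_SECTOR_HEAD holds the
first 64 bytes of sector 0 as printed in the hex dump on this page; the rest
of the sector (boot code) is not needed to compute the layout."""
import struct

BOOT_SECTOR_HEAD = bytes.fromhex(
    "eb 3c 90 4d 53 44 4f 53 35 2e 30 00 02 01 01 00 "
    "02 e0 00 40 0b f0 09 00 12 00 02 00 00 00 00 00 "
    "00 00 00 00 00 00 29 cf cd b1 c4 4e 4f 20 4e 41 "
    "4d 45 20 20 20 20 46 41 54 31 32 20 20 20 33 c9 "
)


def parse_bpb(sector0: bytes) -> dict:
    """Unpack the BIOS Parameter Block (little-endian fields from offset 0x0b)."""
    (bytes_per_sector, sectors_per_cluster, reserved_sectors, num_fats,
     root_entries, total_sectors_16, media, sectors_per_fat,
     sectors_per_track, heads, hidden_sectors,
     total_sectors_32) = struct.unpack_from("<HBHBHHBHHHII", sector0, 0x0b)
    # Extended boot record: signature 0x29, serial number, label, FS id string.
    boot_sig, volume_id, label, fs_type = struct.unpack_from("<BI11s8s", sector0, 0x26)
    ext = boot_sig == 0x29
    return {
        "oem_name": sector0[3:11].decode("ascii", "replace").rstrip(),
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "reserved_sectors": reserved_sectors,
        "num_fats": num_fats,
        "root_entries": root_entries,
        # The 16-bit count is 0 on media with more than 65535 sectors.
        "total_sectors": total_sectors_16 or total_sectors_32,
        "media": media,
        "sectors_per_fat": sectors_per_fat,
        "sectors_per_track": sectors_per_track,
        "heads": heads,
        "hidden_sectors": hidden_sectors,
        "volume_id": volume_id if ext else None,
        "volume_label": label.decode("ascii", "replace").rstrip() if ext else None,
        "fs_type": fs_type.decode("ascii", "replace").rstrip() if ext else None,
    }


def layout(bpb: dict) -> dict:
    """Compute where the FATs, root directory and data area sit on the medium."""
    bps = bpb["bytes_per_sector"]
    fat1 = bpb["reserved_sectors"]                       # boot sector(s) come first
    root = fat1 + bpb["num_fats"] * bpb["sectors_per_fat"]
    root_sectors = -(-bpb["root_entries"] * 32 // bps)   # ceiling division
    data = root + root_sectors
    clusters = (bpb["total_sectors"] - data) // bpb["sectors_per_cluster"]
    # Microsoft's FAT specification decides the type by cluster count, not by
    # the "FAT12" string in the boot sector.
    if clusters < 4085:
        fat_type = "FAT12"
    elif clusters < 65525:
        fat_type = "FAT16"
    else:
        fat_type = "FAT32"
    return {
        "fat1_sector": fat1, "fat1_byte": fat1 * bps,
        "fat2_sector": fat1 + bpb["sectors_per_fat"] if bpb["num_fats"] > 1 else None,
        "root_dir_sector": root, "root_dir_byte": root * bps,
        "root_dir_sectors": root_sectors,
        "data_start_sector": data, "data_start_byte": data * bps,
        "data_clusters": clusters,
        "fat_type_by_cluster_count": fat_type,
        # What a 12-bit FAT could address with this cluster size vs. the medium.
        "fat12_addressable_bytes": 4096 * bpb["sectors_per_cluster"] * bps,
        "media_bytes": bpb["total_sectors"] * bps,
    }


BPB = parse_bpb(BOOT_SECTOR_HEAD)
LAYOUT = layout(BPB)

if __name__ == "__main__":
    for k, v in {**BPB, **LAYOUT}.items():
        print(f"{k:28} {v} (0x{v:x})" if isinstance(v, int) else f"{k:28} {v!r}")
```

Running it reproduces the table (FAT1 at 0x200, FAT2 at sector 10, Root Directory at sector 19 for 14 sectors, data from sector 33 / byte 0x4200) and reports 2,847 data clusters, which is what makes this volume FAT12 regardless of the label string.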
Root Directory
The Root Directory starts at sector 19, byte offset 0x2600, and is a series of 32-byte entries describing files. On this floppy each file uses three entries: the first two are VFAT long-filename entries (each carries up to 13 characters of the long name and is marked by attribute byte 0x0f) and the last is the short (8.3) entry holding the filename, attributes, timestamps, start cluster, and size. A file whose name already fits the 8.3 form needs only the short entry.
The first byte of an entry is its usage indicator:
• 0x00 - entry has never been used (and no used entries follow it)
• 0xe5 - file has been deleted (the first character of the name is overwritten; the rest of the entry, including start cluster and size, is left intact)
The start cluster in the directory entry points to the first cluster of the data on the medium and also locates the first link of the cluster linked list in the FAT.
Sample Root Directory Entry

26a0 43 4f 56 45 52 50 7e 31 4a 50 47 20 00 6d 4d 46  COVERP~1JPG .mMF
26b0 2b 2d 2b 2d 00 00 da 43 2b 2d a4 01 e1 3c 00 00  +-+-..ÚC+-¤.á<..

(offsets are within the 32-byte entry; multi-byte values are little-endian)
• 0x00: Filename (COVERP~1)
• 0x08: Extension (JPG)
• 0x0b: Attributes (0x20 = Archive bit)
• 0x0d: Creation time, tenths of a second (0x6d); 0x0e: creation time (4d 46 = 0x464d); 0x10: creation date (2b 2d = 0x2d2b); 0x12: last-access date (2b 2d = 0x2d2b); 0x14: high 16 bits of the start cluster (always 00 00 on FAT12)
• 0x16: Time of last write (da 43 = 0x43da = 17,370 = 08:30:52), encoded as hour*2048 + minute*32 + seconds/2
• 0x18: Date of last write (2b 2d = 0x2d2b = 11,563 = 9/11/2002), encoded as (year-1980)*512 + month*32 + day
• 0x1a: Start Cluster (a4 01 = 0x01a4 = 420). Its 12-bit FAT entry occupies bytes 630-631 of the FAT; this presentation quotes the second of those, 0x277 (631), as the "offset into the FAT" where the cluster linked list starts
• 0x1c: File Size (e1 3c 00 00 = 0x00003ce1 = 15,585 bytes)
  15,585 B requires 31 512-byte sectors
Root Directory Summary

File Name       Starting Cluster   Length                 Offset into FAT
?IMMYJ~1.DOC    0x0002 (2)         20,480 (40 sectors)    0x4 (4)
COVERP~1.JPG    0x01a4 (420)       15,585 (31 sectors)    0x277 (631)
SCHEDU~1.EXE    0x0049 (73)        1,000 (2 sectors)      0x6e (110)

Offset into FAT is floor(starting_cluster * 3 / 2) + 1, i.e. the second of the two bytes that hold the 12-bit FAT entry for that cluster. This is where the link to the next cluster in the file is located.
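The decoding rules on the last two slides (usage byte, packed time and date, start cluster, size, FAT offset) are straightforward to automate. The script below is an added example, not code from the original slides: it parses the COVERP~1.JPG entry transcribed from the dump above and, to show the 0xe5 case, a constructed copy of that entry with its first byte overwritten as a deletion would leave it.

```python
"""Decode a 32-byte FAT short (8.3) directory entry.

Added example, not from the original slides.  ENTRY is the COVERP~1.JPG entry
transcribed from the dump above; DELETED_ENTRY is a constructed copy with the
first byte overwritten by 0xe5 to show how a deleted entry is reported."""
import struct

ENTRY = bytes.fromhex(
    "43 4f 56 45 52 50 7e 31 4a 50 47 20 00 6d 4d 46 "
    "2b 2d 2b 2d 00 00 da 43 2b 2d a4 01 e1 3c 00 00 "
)
DELETED_ENTRY = b"\xe5" + ENTRY[1:]   # constructed: the same file after deletion

ATTR_LFN = 0x0f   # attribute value that marks a VFAT long-filename entry


def decode_time(t: int) -> tuple:
    """hour*2048 + minute*32 + seconds/2  ->  (hour, minute, second)."""
    return t >> 11, (t >> 5) & 0x3f, (t & 0x1f) * 2


def decode_date(d: int) -> tuple:
    """(year-1980)*512 + month*32 + day  ->  (year, month, day)."""
    return 1980 + (d >> 9), (d >> 5) & 0x0f, d & 0x1f


def parse_dir_entry(raw: bytes, bytes_per_sector: int = 512) -> dict:
    if len(raw) != 32:
        raise ValueError("directory entries are exactly 32 bytes")
    first = raw[0]
    if first == 0x00:
        return {"status": "never used"}
    if raw[11] == ATTR_LFN:
        return {"status": "long-filename entry"}   # name fragments only, no cluster/size
    (attr, _nt_reserved, ctime_tenths, ctime, cdate, adate, cluster_hi,
     wtime, wdate, cluster_lo, size) = struct.unpack_from("<BBBHHHHHHHI", raw, 11)
    name = raw[0:8].decode("ascii", "replace").rstrip()
    ext = raw[8:11].decode("ascii", "replace").rstrip()
    if first == 0xe5:
        status = "deleted"
        name = "?" + name[1:]          # the first character of the name is lost
    else:
        status = "in use"
    start = (cluster_hi << 16) | cluster_lo   # cluster_hi is always 0 on FAT12
    return {
        "status": status,
        "name": f"{name}.{ext}" if ext else name,
        "attributes": attr,
        "archive": bool(attr & 0x20),
        "created": decode_date(cdate) + decode_time(ctime) + (ctime_tenths,),
        "last_access_date": decode_date(adate),
        "written": decode_date(wdate) + decode_time(wtime),
        "start_cluster": start,
        "size": size,
        "sectors_needed": -(-size // bytes_per_sector),   # ceiling division
        # Byte pair holding this cluster's 12-bit FAT entry; the slides quote
        # the second of the two as the "offset into FAT".
        "fat_entry_bytes": (start + start // 2, start + start // 2 + 1),
    }


if __name__ == "__main__":
    for entry in (ENTRY, DELETED_ENTRY):
        print(parse_dir_entry(entry))
```

Note that the deleted copy still reports start cluster 420 and size 15,585: deletion only marks the entry, which is why the ?IMMYJ~1.DOC row in the summary table still has a usable start cluster and length.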
File Allocation Tables
FAT entries are "packed" so that two 12-bit cluster entries occupy three bytes. Written as hex nibbles, three consecutive bytes hold:

yz Zx XY

where xyz is the entry for an even-numbered cluster (bits 0-7 in the first byte, bits 8-11 in the low nibble of the second byte) and XYZ is the entry for the following odd-numbered cluster (bits 0-3 in the high nibble of the second byte, bits 4-11 in the third byte).
E.g., bytes 0x242-0x244 of the image (offsets 66-68 into the FAT):

2d e0 02

are the entries for clusters 44 and 45 and point to clusters 0x02d (45) and 0x02e (46), two consecutive links in the chain that COVERP~1.JPG turns out to use.
• The primary FAT starts at sector 1, byte 0x200 (shown here)
• The secondary FAT starts at sector 10, byte offset 0x1400, and should be an identical copy; a difference between the two copies is itself worth noting
• The starting cluster in the directory is also a pointer into the FATs, linking to the next cluster in the file
Interpreting the FAT

0260 41 20 04 43 40 04 45 60 04 47 80 04 ff af 04 4b  A .C@.E`.G..ÿ¯.K
0270 c0 04 4d f0 ff 00 00 00 00 00 00 00 00 00 00 00  À.Mðÿ...........

The primary FAT starts at Sector 1, byte #0x0200.
Suppose a file has a starting cluster of 0x49 (73).
• The file starts on the medium at cluster #73
• The 12-bit FAT entry for cluster 73 occupies FAT bytes 109-110; the byte counted here as the entry's offset is floor(73 * 1.5) + 1 = 110 (0x6e)
• Since the FAT starts at 0x0200, that byte is at 0x026e in the image

Example (an odd cluster's entry is the whole byte at its offset plus the high nibble of the preceding byte; an even cluster's entry is the low nibble of the byte at its offset plus the whole preceding byte):
1. 1st cluster is 0x49 (73). Entry: byte 0x026e (04) and high nibble of 0x026d (a) = 0x04a (74)
2. 2nd cluster is 0x4a (74). Entry: low nibble of 0x0270 (0) and byte 0x026f (4b) = 0x04b (75)
3. 3rd cluster is 0x4b (75). Entry: byte 0x0271 (04) and high nibble of 0x0270 (c) = 0x04c (76)
4. 4th cluster is 0x4c (76). Entry: low nibble of 0x0273 (0) and byte 0x0272 (4d) = 0x04d (77)
5. 5th cluster is 0x4d (77). Entry: byte 0x0274 (ff) and high nibble of 0x0273 (f) = 0xfff (end of list)

The physical size of this file is five clusters (2560 bytes); it occupies clusters 73, 74, 75, 76, and 77 on the medium. (It is merely a coincidence that the clusters are contiguous.)
Actually Finding the Data!
• To find the actual location on the medium, the logical cluster number has to be converted to a physical sector number
  – Subtract 2 from the logical cluster number (data clusters are numbered from 2; FAT entries 0 and 1 are reserved)
  – Multiply by the number of sectors per cluster (1)
  – Add the first data sector (33)
• Bottom line: on this floppy, take the cluster number and add 31 to get the physical sector!
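The nibble juggling on the "Interpreting the FAT" slide and the cluster-to-sector rule above are exactly the kind of thing to script once and then check against the hand calculation. The code below is an added example, not code from the original slides: it rebuilds a 9-sector FAT buffer (constructed; every byte the page does not show is left at 0x000, i.e. free) from the FAT bytes printed on this page, follows chains with the FAT12 packing rule, maps clusters to sectors, and cross-checks a directory entry's size against its chain the way an investigator would when looking for tampering.

```python
"""Follow a FAT12 cluster chain and map clusters to sectors.

Added example, not from the original slides.  FAT is a constructed 9-sector
buffer into which the FAT bytes printed on this page are copied at their real
offsets; every byte not shown on the page is left at 0x00 (entry free)."""

FAT_SECTORS, SECTOR = 9, 512
DATA_START_SECTOR, SECTORS_PER_CLUSTER = 33, 1     # from the boot sector
LAST_DATA_CLUSTER = 2 + (2880 - DATA_START_SECTOR) // SECTORS_PER_CLUSTER - 1


def build_fat() -> bytes:
    fat = bytearray(FAT_SECTORS * SECTOR)
    shown = {   # image offset -> bytes, exactly as dumped on this page
        0x200: "f0 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00",
        0x230: "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2b",
        0x240: "c0 02 2d e0 02 2f 00 03 31 20 03 33 40 03 35 60",
        0x250: "03 37 80 03 39 a0 03 3b c0 03 3d e0 03 3f 00 04",
        0x260: "41 20 04 43 40 04 45 60 04 47 80 04 ff af 04 4b",
        0x270: "c0 04 4d f0 ff 00 00 00 00 00 00 00 00 00 00 00",
    }
    for off, hexrow in shown.items():
        row = bytes.fromhex(hexrow)
        fat[off - 0x200:off - 0x200 + len(row)] = row   # FAT1 begins at image byte 0x200
    return bytes(fat)


FAT = build_fat()


def fat12_entry(fat: bytes, n: int) -> int:
    """12-bit entry for cluster n: two entries are packed into three bytes."""
    off = n + n // 2                        # == floor(n * 1.5)
    pair = fat[off] | (fat[off + 1] << 8)   # little-endian 16-bit window
    return (pair >> 4) if n & 1 else (pair & 0x0fff)


def classify(value: int) -> str:
    if value == 0x000:
        return "free"
    if value == 0xff7:
        return "bad"
    if value >= 0xff8:
        return "eof"
    if value >= 0xff0:
        return "reserved"
    return "next"


def follow_chain(fat: bytes, start: int, max_cluster: int = LAST_DATA_CLUSTER) -> tuple:
    """Return (clusters, termination).  'eof' means a well-formed chain; anything
    else ('free', 'bad', 'reserved', 'loop', 'out of range') means the chain is
    broken and the file cannot be reconstructed from the FAT alone."""
    chain, n = [], start
    while True:
        if n < 2 or n > max_cluster or n + n // 2 + 1 >= len(fat):
            return chain, "out of range"
        if n in chain:
            return chain, "loop"
        chain.append(n)
        value = fat12_entry(fat, n)
        kind = classify(value)
        if kind != "next":
            return chain, kind
        n = value


def cluster_to_sector(cluster: int) -> int:
    """Logical cluster -> physical sector: (n - 2) * sectors/cluster + first data sector."""
    return (cluster - 2) * SECTORS_PER_CLUSTER + DATA_START_SECTOR


def audit_entry(name: str, start: int, size: int, fat: bytes = FAT) -> list:
    """Cross-check a directory entry against the FAT; return a list of anomalies."""
    findings = []
    chain, how = follow_chain(fat, start)
    if how != "eof":
        findings.append(f"{name}: chain from cluster {start} ends with '{how}' after {len(chain)} cluster(s)")
    needed = -(-size // (SECTOR * SECTORS_PER_CLUSTER))
    if how == "eof" and needed != len(chain):
        findings.append(f"{name}: size {size} needs {needed} cluster(s) but the chain has {len(chain)}")
    return findings


if __name__ == "__main__":
    for name, start, size in [("?IMMYJ~1.DOC", 2, 20480), ("COVERP~1.JPG", 420, 15585),
                              ("SCHEDU~1.EXE", 73, 1000), ("COVERP~1.JPG (assumed)", 42, 15585)]:
        chain, how = follow_chain(FAT, start)
        print(name, how, [cluster_to_sector(c) for c in chain][:3], "...", len(chain), "clusters")
        print("   ", audit_entry(name, start, size) or "consistent")
```

Run as a script it reports all three anomalies the following slides work through by hand: the deleted file's chain is free, the chain for cluster 420 is free while a 31-cluster chain starts at 42, and SCHEDU~1.EXE's 5-cluster chain disagrees with its 1,000-byte size.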
The Actual Analysis
• We know that there are at least three files on the floppy. How do we get to them?
  – ?IMMYJ~1.DOC
  – COVERP~1.JPG
  – SCHEDU~1.EXE
Recover ?IMMYJ~1.DOC
• We know that the file is deleted because the first byte in the directory entry is 0xe5 (the first character of the name is lost; the rest of the entry, including start cluster 2 and length 20,480, survives)
• Offset into FAT is 0x4
  – Cluster list starts at 0x204
  – These FAT locations are 0x000 (unused): deleting the file released its clusters, so the chain cannot be followed from the FAT
• Need to recover this file using an undelete tool or examination with a hex editor

0200 f0 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00  ðÿÿ.............
Hex Dump of ?IMMYJ~1.DOC
We find the signature of an Office file (the OLE2 compound-document header d0 cf 11 e0 a1 b1 1a e1) at the start of sector 33 (0x4200), and the file's data continues through sector 72 (0x91ff).
This corresponds to the 40 sectors (20,480 bytes) advertised as the length in the directory entry for the deleted file: start cluster 2 maps to sector 2 + 31 = 33, and the clusters have not been overwritten since the deletion.
If we extract those 40 sectors and open the result as a file in Word, we find...
The Incriminating Letter
Examine COVERP~1.JPG
• Starting cluster is given as 0x01a4 (420)
  – The FAT entry at offset 0x277 (631) is empty (0x000), so no chain can be followed from there
  – Note, however, that there is an unexplained chain in the FAT with the value 0x02b (43) in the entry ending at byte 0x0240
  – Byte 0x0240 is an offset of 0x40 (64) bytes into the FAT, which is the entry position for a starting cluster of 0x2a (42), since floor(42 * 1.5) + 1 = 64!! A file starting at cluster 42 would continue at 43, and the chain runs on from there

0230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2b  ...............+
0240 c0 02 2d e0 02 2f 00 03 31 20 03 33 40 03 35 60  À.-à./..1 .3@.5`
0250 03 37 80 03 39 a0 03 3b c0 03 3d e0 03 3f 00 04  .7..9 .;À.=à.?..
0260 41 20 04 43 40 04 45 60 04 47 80 04 ff af 04 4b  A .C@.E`.G..ÿ¯.K
Finding COVERP~1.JPG
• Length given by the DIR command and the directory entry is 15,585 bytes (31 sectors)
• We will assume that
  – The starting cluster value in the directory entry has been altered, and is really 0x2a (42)
  – The cluster linked list starts at 0x0240 (value 0x02b)
  – Following the list, the file occupies 31 contiguous clusters, 0x02a (42) through 0x048 (72), where the entry at 0x026c-0x026d holds the end-of-list marker 0xfff; 31 clusters is exactly the 31 sectors implied by the file size, which supports the assumption
(FAT dump as on the preceding slide)
Hex Dump of COVERP~1.JPG
The file starts at sector 73, as guessed: we calculated the start at cluster 42, and remember to add 31 to get the sector!
Note that the file signature
FF D8 FF E0 00 10 4A 46 49 46 00 01 01
(FF D8 is the JPEG start-of-image marker, FF E0 the APP0 marker, and the string JFIF identifies the JFIF header) is a sign that this is a JPEG file.
The Incriminating Graphic
Examine SCHEDU~1.EXE
• Starting cluster is given as 0x0049 (73); valid FAT entries are found at 0x026e
  – Following the linked list in the FAT shows that this file is located at clusters 0x49 through 0x4d (73-77)
• True location is therefore sectors 104-108 (add 31 to each cluster)
  – The directory entry for this file shows a length of 1000 bytes (2 sectors); the FAT chain says the true length is 5 clusters (2560 bytes). A size field that disagrees with the chain length means the directory entry has been altered (or the file system is damaged) and is a reason to look at the file more closely
(FAT dump as under "Interpreting the FAT")
Hex Dump of SCHEDU~1.EXE
The file starts, as expected, at sector 104.
Note the file signature at the beginning:
50 4B
(the string PK), the local-file-header signature of a ZIP archive.
Note also the file name shown in the header, Scheduled Visits.xls, suggesting that this archive contains an Excel spreadsheet.
But why is there a .EXE extension? Remember that the file extension is not a definitive indicator of file type; identify files by their content signature, not their name.
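The three identifications made on the last few slides (OLE2 header at sector 33, JFIF at sector 73, PK at sector 104), the password flag WinZIP displays, and the slack-space search that follows all reduce to byte-level checks. The script below is an added example, not code from the original slides: it scans a constructed stand-in image (filler byte 0xf6, the three headers placed where the sector table puts them, and a constructed placeholder string planted in file slack that stands in for the real hit, which this page does not reproduce) for known signatures at sector boundaries, reads the ZIP local file header's encryption bit, and computes and searches the slack of a file's last sector.

```python
"""Identify files by content signature, read the ZIP encryption flag, and
search file slack.  Added example, not from the original slides.  IMAGE is a
constructed stand-in for the floppy: filler 0xf6 as on the real disk, the
three headers quoted on this page placed at sectors 33, 73 and 104, and a
placeholder string (not the real hit) planted in COVERP~1.JPG's slack."""
import struct

SECTOR = 512
# Constructed placement of the slack note: 40 bytes into the unused tail of
# sector 103 (COVERP~1.JPG uses only 225 bytes of that sector).
SLACK_NOTE_OFFSET = 103 * SECTOR + 225 + 40

# Signatures quoted on this page, checked at the start of every sector.
SIGNATURES = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file (Word/Excel 97-2003)"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"PK\x03\x04", "ZIP archive (local file header)"),
]


def zip_local_header(data: bytes) -> dict:
    """Parse a 30-byte ZIP local file header plus name.  Bit 0 of the
    general-purpose flags means the entry is encrypted (password protected)."""
    (sig, _ver, flags, method, _mtime, _mdate, crc, csize, usize,
     name_len, _extra_len) = struct.unpack_from("<IHHHHHIIIHH", data, 0)
    if sig != 0x04034b50:                       # "PK\x03\x04" little-endian
        raise ValueError("not a ZIP local file header")
    name = data[30:30 + name_len].decode("cp437")
    return {"name": name, "encrypted": bool(flags & 1), "method": method,
            "compressed_size": csize, "uncompressed_size": usize, "crc32": crc}


def build_image() -> bytes:
    img = bytearray(b"\xf6" * (120 * SECTOR))
    img[33 * SECTOR:33 * SECTOR + 8] = SIGNATURES[0][0]
    img[73 * SECTOR:73 * SECTOR + 13] = bytes.fromhex("ff d8 ff e0 00 10 4a 46 49 46 00 01 01")
    name = b"Scheduled Visits.xls"             # name shown in the header on this page
    hdr = struct.pack("<IHHHHHIIIHH", 0x04034b50, 20, 0x0001, 8, 0, 0, 0, 0, 0, len(name), 0) + name
    img[104 * SECTOR:104 * SECTOR + len(hdr)] = hdr
    note = b"pw=PLACEHOLDER"                   # constructed; stands in for the real hit
    img[SLACK_NOTE_OFFSET:SLACK_NOTE_OFFSET + len(note)] = note
    return bytes(img)


IMAGE = build_image()


def scan_sectors(img: bytes) -> list:
    """Return (sector, label) for every sector that begins with a known signature."""
    hits = []
    for s in range(len(img) // SECTOR):
        head = img[s * SECTOR:s * SECTOR + 8]
        for magic, label in SIGNATURES:
            if head.startswith(magic):
                hits.append((s, label))
                break
    return hits


def slack_range(start_sector: int, size: int):
    """Byte range [start, end) of the unused tail of a file's last sector, or
    None when the file fills its last sector exactly."""
    used_in_last = size % SECTOR
    if used_in_last == 0:
        return None
    last_sector = start_sector + size // SECTOR
    return last_sector * SECTOR + used_in_last, (last_sector + 1) * SECTOR


def find_in_region(img: bytes, region: tuple, needle: bytes) -> list:
    """Offsets of every occurrence of needle inside [start, end)."""
    start, end = region
    hits, pos = [], img.find(needle, start, end)
    while pos != -1:
        hits.append(pos)
        pos = img.find(needle, pos + 1, end)
    return hits


if __name__ == "__main__":
    print(scan_sectors(IMAGE))
    print(zip_local_header(IMAGE[104 * SECTOR:]))
    slack = slack_range(73, 15585)
    print("slack of COVERP~1.JPG:", [hex(x) for x in slack], find_in_region(IMAGE, slack, b"pw"))
```

The slack computation is the general form of the observation on the "Searching for Hidden Text" slide: 15,585 bytes fill 30 sectors plus 225 bytes of sector 103, so bytes 0xcee1-0xcfff of the image belong to no file and are invisible to a normal directory listing, yet they are the first place to look for leftover text.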
Definitely Not Executable...
Opening With WinZIP
Opening with WinZIP shows the name of the compressed file, Scheduled visits.xls... but the "+" indicates that the file is password protected.
The recovered letter alludes to a previously used password:
"I emailed you the schedule... To open it, use the same password that you sent me before with that file."
Searching for Hidden Text
Search for hints or clues to the password.
Looking for meaningful text strings by scrolling through the media is one approach, as are specific text searches.
A search on the keyword password returned nothing, as did the keyword pass.
The string pw, however, had a hit! It is located in unused space in the sector preceding SCHEDU~1.EXE, i.e. in the file slack at the end of sector 103: COVERP~1.JPG uses only 225 bytes of its last sector (15,585 - 30 * 512), leaving 287 bytes that no directory listing will ever show.
Applying the Password
goodtimes
The Incriminating Spreadsheet
Sector Assignments III

Sector(s)   Address               Function
0           0x0000-0x01ff         Boot Sector
1-9         0x0200-0x13ff         File Allocation Table (primary)
10-18       0x1400-0x25ff         File Allocation Table (secondary)
19-32       0x2600-0x41ff         Root Directory
33-72       0x4200-0x91ff         DATA: ?IMMYJ~1.DOC
73-103      0x9200-0xcfff         DATA: COVERP~1.JPG
104-108     0xd000-0xd9ff         DATA: SCHEDU~1.EXE
109-2878    0xda00-0x167dff       DATA: All bytes set to 0xf6
2879        0x167e00-0x167fff     DATA: All bytes set to 0x00
Summary
• Three files found on the medium
  – JIMMYJ~1.DOC (Word file)
    • Deleted
  – COVERP~1.JPG (JPEG graphics file)
    • Starting cluster altered in Root Directory
  – SCHEDU~1.EXE (ZIP archive with Excel file)
    • File extension changed
    • Password-protected
    • File size altered in Root Directory
Conclusion
• In-depth analysis of a floppy can be done manually... just barely
• Analysis of a large hard drive requires automated tools