Files, Partitions & File Systems

BACS 371Computer Forensics

Data Hierarchy

ComputerHard Disk DrivePartitionFile

Physical FileLogical File

ClusterSectorWordByteBit

File

Collection of Information written to a disk

Generally created in an application-specific format

Occupies a fixed number of clusters Each file’s cluster has a pointer to the

next cluster in the file The final cluster contains the End of File

(EOF) marker

Files

Logical File Size Exact size of contents of file in bytes

Physical File Size Amount of space a file occupies on disc in

bytes Disk Slack

Unused space between logical end of file and physical end of a cluster

This is different from RAM slack which we will discuss next

<- Logical File Size -> <- Disk Slack ->

Physical File Size

Disk & Ram Slack Example

File Contents:“Hello world!”12 bytes

2nd Sector

3rd Sector

RAM Slack:512 bytes – 12 bytes = 500 bytes

Disk Slack:4096 Bytes – 512 Bytes = 3584 Bytes

Assumptions:• Sector Size = 512 Bytes• Cluster Size = 4KB = 8 Sectors

1st Sector

Partitions

A partition is a logical volume within a physical volume (i.e., disk).

The Master Boot Record (MBR) of a disk defines the partitions found on the physical disk.

An MBR can define 4 primary partitions (max).

These partitions can be defined as “logical partitions.”

Logical partitions are capable of being further subdivided into smaller logical partitions.

Partition Table• 4 Entries• First Entry Starts at

offset 0x01BE

Master Boot Record (MBR)

MBR “Signature”• 0x55AA

Executable Code• Machine Language Code• Processor Specific• Decodes Partition Table• 446 bytes long

446

Disk Partitions (Physical and extended)

Master Boot Record

1st Partition (physical)

2nd Partition (physical)

PBR

PBR

3rd Partition (Extended)

Unallocated space

PBR PBR PBR

Extended MBR

Logical Partition

#1

Logical Partition

#2

Logical Partition

#3 PBR = Partition Boot Record

1

2

3

4

1

2

3

4

Partition Layout

http://www.microsoft.com/library/media/1033/technet/images/prodtechnol/winxppro/reskit/ch28/f28zs07_big.jpg

Extended Partition Layout

http://www.microsoft.com/library/media/1033/technet/images/prodtechnol/winxppro/reskit/ch28/f28zs07_big.jpg

MBR with Extended Boot Record

446

Extended Boot Record

446

FAT File System

File Systems(See http://www.ntfs.com)

A method for storing and organizing computer files and the data they contain to make it easy to find and access them

File System Types FAT (File Allocation Table)

FAT12 FAT16 FAT32 exFAT

NTFS (New Technology File System) Functions

Manage “free space” Allocate clusters to file Track time (MAC – Modify, Access, Create)

A FAT file system is composed of four different sections.

The Boot Sector (aka Partition Boot Record, BIOS Parameter Block, Drive Parameter Block or Reserved Sector). This is always the first sector of the partition and includes some basic file system information (in particular, its type), pointers to the location of the other sections and the operating system's boot loader code.

The FAT Region. This contains two copies of the File Allocation Table for the sake of redundancy, although the extra copy is rarely used, even by disk repair utilities. These are maps of the partition, indicating how the clusters are allocated.

The Root Directory Region. This is a Directory Table that stores information about the files and directories in the root directory. With FAT32 it can be stored anywhere in the partition, however with earlier versions it is always located immediately after the FAT Region.

The Data Region. This is where the actual file and directory data is stored and takes up most of the partition. The size of files and subdirectories can be increased arbitrarily (as long as there are free clusters) by simply adding more links to the file's chain in the FAT. Note however, that each cluster can be taken only by one file, and so if a 1KB file resides in a 32KB cluster, 31KB are wasted.

FAT File System

Partition Boot Sector

FAT 1 FAT 2 (Duplicate)

Root Directory

Other folders and all files

This is all contained within a partition.

Partition Boot RecordAKA File System Boot Sector

The first physical sector in a logical volume C 0, H 1, S 1 for first partition

Contains Code File System Specification Information

BIOS Parameter Block

Executable Code• Machine Language Code• Processor Specific• Decodes BPB • Searches for OS

PBR “Signature”• 0x55AA

Partition Boot Record (PBR)

Partition Boot Record (FAT32 File

system)

010 - 210 Jump Instruction (3 bytes)

310 - 1010 OEM ID (8 Bytes)

1110 - 8310 BIOS Parameter Block (BPB)

(includes all below plus additional fields)

all offsets in this section are from start of the BPB counting from 0

offset 1110 Bytes Per Sector 2 Bytes

offset 1310 Sectors Per Cluster 1 Byte

offset 2110 Media Descriptor 1 Byte

offset 2410 Sectors Per Track 2 Bytes

offset 2610 Number of Heads 2 Bytes

offset 2810 Hidden Sectors 4 Bytes

offset 3210 Total Sectors 4 Bytes

6210 - 51110 Bootstrap Code (448 Bytes)

Ends with 55 AANOTE: Offsets are from start of Partition, not start of Drive!

Decoding a Partition Boot Record (BIOS Parameter Block – BPB)

Jump Instruction• Offset 0 10

• 3 bytes

OEM Name• Offset 3 10

• 8 bytes• Decode as ASCII• “MSDOS5.0”

Bytes Per Sector• Offset 11 10

• 2 bytes• Decode as Number• (Swap “endian”)• 0x0200 = 512

Sectors Per Cluster• Offset 13 10

• 1 byte• Decode as Number• 0x08 = 8• 8 * 512 = 4096 bytes/cluster

Media Type• Offset 21 10

• 1 byte• Decode from Table• 0xF8 means HD

Sectors per Track• Offset 24 10

• 2 bytes• Decode as Number• (Swap “endian”)• 0x003F = 63

Heads• Offset 26 10

• 2 bytes• Decode as Number• (Swap “endian”)• 0x00FF = 255

Total Sectors• Offset 32 10

• 4 bytes• Decode as Number• (Swap “endian”)• 0x000E37BA = 931,770• 477,066,240 Bytes

FAT Size (Sectors)• Offset 36 10

• 4 bytes• Decode as Number• (Swap “endian”)• 0x0000038D = 909• 465,408 Bytes (*512)• 58,176 Entries (/4)• 238,288,896 bytes addressed (*4096)

File System Type• Offset 82 10

• 8 bytes• Decode as ASCII• “FAT32 ”

Partition Boot Sector Decoded

File Allocation Table

A partition is divided up into identically sized clusters, small blocks of contiguous space. Cluster sizes vary depending on the type of FAT file system being used and the size of the partition, typically cluster sizes lie somewhere between 2KB and 32KB. Each file may occupy one or more of these clusters depending on its size; thus, a file is represented by a chain of these clusters (referred to as a singly linked list). However these chains are not necessarily stored adjacently on the disk's surface but are often instead fragmented throughout the Data Region.

The File Allocation Table (FAT) is a list of entries that map to each cluster on the partition. Each entry records one of five things:

the address of the next cluster in a chain a special end of file (EOF) character that indicates the end of a

chain a special character to mark a bad cluster a special character to mark a reserved cluster a zero to note that that cluster is unused

FAT Content

Database of File names Directory names Date and time stamps (MAC)

Modify Access Create

Starting cluster number Attributes

Archive Hidden System Read Only

Located on outermost track of disk

File Allocation Table (FAT)

Directory table

A directory table is a special type of file that represents a directory (nowadays commonly known as a folder). Each file or directory stored within it is represented by a 32 byte entry in the table. Each entry records the name, extension, attributes (archive, directory, hidden, read-only, system and volume), the date and time of creation, the address of the first cluster of the file/directory's data and finally the size of the file/directory.

Aside from the Root Directory Table in FAT12 and FAT16 file systems which occupies the special Root Directory Region location, all Directory Tables are stored in the Data Region.

Legal characters for DOS file names include the following: Upper case letters A-Z Numbers 0-9 Space (though trailing spaces are considered to be padding

and not a part of the file name)  ! # $ % & ( ) - @ ^ _ ` { } ~ ' Values 128-255

Directory to FAT interaction

Root Directory

FAT32

32-bit Cluster Numbers Only 28 bits actually used Addresses 228 Clusters (~ 268,435,438) Drive sizes ~ 1TB (228 clusters * 4096 Bytes

per cluster ~ 1.1TB) WinXP limited to 32GB using FAT32 Max file size in FAT32 is 232-1 bytes ~ 4GB

Advantages of FAT32 over FAT16

FAT32 offers smaller cluster sizes -> less wasted space

FAT32 systems can reallocate and change the size of the root directory

FAT32 drives can contain a copy of the boot record(s) –> less prone to failure

Allow for long file names

Long File Names “Trick”

Phony entries are added to the Directory Tables

Entries are marked with a volume label attribute

Each phony entry can contain up to 13 UTF-16 characters (26 bytes)

Long File Names Entries

Red entries are short file name entries. Blue are for a long file name. Read the long filename entries from the bottom to the top. Note that first byte in each group of long filenames are 01, 02, 03, 04, 05, and 06 (or’ed with 40 to indicate the last segment). Filename entries have 0F in 12th byte. Directory entries have a 10 in this position (indicating a directory).

Multiple Directory Entries for a file with a “long” filename. There are 4 entries to contain the long file name, and 1 entry to contain the complete set of file information including the “short” file name.

FAT Root Directory

Single Directory Entry for a file with a “short” filename.

Volume ID Directory Entry

Designates Attribute Bits• 0x08 = Volume Label• 0x20 = Archive• 0x0F = Long File Name

File System Comparisons

Criteria NTFS5 NTFS FAT32 FAT16

Operating SystemWindows 2000Windows XPVista, Win 7

Windows NTWindows 2000Windows XP

Windows 98Windows ME

Windows 2000Windows XPVista, Win 7

DOSAll versions of

Microsoft Windows

 

Limitations

Max Volume Size 2TB 2TB 2TB 2GB

Max Files on Volume Nearly Unlimited Nearly Unlimited Nearly Unlimited ~65000

Max File Size Limit Only by Volume Size

Limit Only by Volume Size

4GB 2GB

Max Clusters Number Nearly Unlimited Nearly Unlimited 268435456 65535

Max File Name Length Up to 255 Up to 255 Up to 255 Standard - 8.3Extended - up to 255

Criteria NTFS5 NTFS FAT32 FAT16Unicode File Names Unicode Character Set Unicode Character Set System Character Set System Character Set

System Records Mirror MFT Mirror File MFT Mirror File Second Copy of  FAT Second Copy of  FAT

Boot Sector Location First and Last Sectors First and Last Sectors First Sector First Sector

File Attributes Standard and Custom Standard and Custom Standard Set Standard Set

Alternate Streams Yes Yes No No

Compression Yes Yes No No

Encryption Yes No No No

Object Permissions Yes Yes No No

Disk Quotas Yes No No No

Sparse Files Yes No No No

Reparse Points Yes No No No

Volume Mount Points Yes No No No

File Names 256 Char 256 Char 256 Char 8.3 Names

File System Features

Overall Performance

Built-In Security Yes Yes No No

Recoverability Yes Yes No No

PerformanceLow on small

volumesHigh on Large

Low on small volumes 

High on Large

High on small volumes

Low on large

Highest on small volumes

Low on large

Disk Space Economy

Max Max AverageMinimal on large

volumes

Fault Tolerance Max Max Minimal Average

Criteria NTFS5 NTFS FAT32 FAT16