Fat File Systems
ArthyR3
306 views
10 slides
May 19, 2020
Slide 1 of 10
1
2
3
4
5
6
7
8
9
10
About This Presentation
Cyber Forensics - Unit IV - FAT
Slide Content
DEPARTMENT OF INFORMATION TECHNOLOGY
Subject Code : CS6004 Staff Name : R. Arthy, AP/IT
Subject Name : Cyber Forensics Class : IV IT
FILE ALLOCATION SYSTEM (FAT)
Introduction
FAT x – File Allocation Table – family of file systems for DOS/Windows operating
systems
o FAT table – stores info. on status of all clusters on the disk = ‘table of content’
o x = 12, 16, 32 – number of bits used for cluster identification/numbering
bit-size of each FAT table entry
Example
Subject Code : CS6004 Staff Name : R. Arthy, AP/IT
Subject Name : Cyber Forensics Class : IV IT
FILE ALLOCATION SYSTEM (FAT)
Introduction
FAT x – File Allocation Table – family of file systems for DOS/Windows operating
systems
o FAT table – stores info. on status of all clusters on the disk = ‘table of content’
o x = 12, 16, 32 – number of bits used for cluster identification/numbering
bit-size of each FAT table entry
Example
Example: FAT16 capacity
Can 700 MB disk drive be formatted with a FAT16 file system using 4KB clusters?
FAT16 ⇒ 2
16
= 65536 clusters
2
16
clusters * 4 Kbytes = 2
6
* 2
10
* 4 * 2
10
bytes
max capacity = 64 * 4 MB = 256 MB
In Microsoft file structures, sectors are grouped to form clusters
o Storage allocation units of one or more sectors
Clusters range from 512 bytes up to 32,000 bytes each
Combining sectors minimizes the overhead of writing or reading files to a disk
Clusters are numbered sequentially starting at 0 in NTFS and 2 in FAT
o First sector of all disks contains a system area, the boot record, and a file
structure database
OS assigns these cluster numbers, called logical addresses
Sector numbers are called physical addresses
Clusters and their addresses are specific to a logical disk drive, which is a disk
partition
Major Section
1) Boot Sector – occupies the 1st cluster on the disk
Contains specific information about organization of the file system, including: type
of FAT (12/16/32) system,
o # of bytes per sector,
o # of sectors per track,
o # of sectors per cluster,
o # of read heads,
Can 700 MB disk drive be formatted with a FAT16 file system using 4KB clusters?
FAT16 ⇒ 2
16
= 65536 clusters
2
16
clusters * 4 Kbytes = 2
6
* 2
10
* 4 * 2
10
bytes
max capacity = 64 * 4 MB = 256 MB
In Microsoft file structures, sectors are grouped to form clusters
o Storage allocation units of one or more sectors
Clusters range from 512 bytes up to 32,000 bytes each
Combining sectors minimizes the overhead of writing or reading files to a disk
Clusters are numbered sequentially starting at 0 in NTFS and 2 in FAT
o First sector of all disks contains a system area, the boot record, and a file
structure database
OS assigns these cluster numbers, called logical addresses
Sector numbers are called physical addresses
Clusters and their addresses are specific to a logical disk drive, which is a disk
partition
Major Section
1) Boot Sector – occupies the 1st cluster on the disk
Contains specific information about organization of the file system, including: type
of FAT (12/16/32) system,
o # of bytes per sector,
o # of sectors per track,
o # of sectors per cluster,
o # of read heads,
o # of FAT tables,
o # of clusters per FAT table, etc.
2) FAT Tables
keep track of allocation status of different data clusters
o entry N relates to data cluster N – the actual value is a pointer to another FAT
entry
o set of clusters that constitute one file are defined by a set of linked FAT entries
multiple FATs (FAT1 & FAT2) ensure redundancy in case of data corruption – FAT2
is a backup of FAT 1
o typically used on portable (more vulnerable) media
Example: Use of FAT system
o # of clusters per FAT table, etc.
2) FAT Tables
keep track of allocation status of different data clusters
o entry N relates to data cluster N – the actual value is a pointer to another FAT
entry
o set of clusters that constitute one file are defined by a set of linked FAT entries
multiple FATs (FAT1 & FAT2) ensure redundancy in case of data corruption – FAT2
is a backup of FAT 1
o typically used on portable (more vulnerable) media
Example: Use of FAT system
FAT entry values
3) Root Directory (FAT12/16 only)
stores Directory Table – table of 32-byte long entries for each file & directory created
on the disk
4) Data Area
contains file & directory data – occupies remaining sectors (clusters) on the disk
first cluster of Data Area is numbered 2; though, this is physical sector 33!
3) Root Directory (FAT12/16 only)
stores Directory Table – table of 32-byte long entries for each file & directory created
on the disk
4) Data Area
contains file & directory data – occupies remaining sectors (clusters) on the disk
first cluster of Data Area is numbered 2; though, this is physical sector 33!
Example: (Root) Directory Table entries in bytes
Example: File fragmentation / cluster allocation in FAT
Example: Final Exam 2010
Assume a computer employs the FAT16 file system with components as shown
below:
Example: File fragmentation / cluster allocation in FAT
Example: Final Exam 2010
Assume a computer employs the FAT16 file system with components as shown
below:
o A file, containing a set of numbers, is stored on this computer under the name
YourFile.txt.
o Using the provided information, identify the first six numbers stored in
YourFile.txt.
Disk Partitions
A partition is a logical drive
Windows OSs can have three primary partitions followed by an extended partition
that can contain one or more logical drives
Hidden partitions or voids
o Large unused gaps between partitions on a disk
Partition gap
o Unused space between partitions
YourFile.txt.
o Using the provided information, identify the first six numbers stored in
YourFile.txt.
Disk Partitions
A partition is a logical drive
Windows OSs can have three primary partitions followed by an extended partition
that can contain one or more logical drives
Hidden partitions or voids
o Large unused gaps between partitions on a disk
Partition gap
o Unused space between partitions
The partition table is in the Master Boot Record (MBR)
o Located at sector 0 of the disk drive
MBR stores information about partitions on a disk and their locations, size, and
other important items
In a hexadecimal editor, such as WinHex, you can find the first partition at offset
0x1BE
o The file system’s hexadecimal code is offset 3 bytes from 0x1BE for the
first partition
Examining FAT Disks
File Allocation Table (FAT)
o File structure database that Microsoft originally designed for floppy disks
FAT database is typically written to a disk’s outermost track and contains:
o Filenames, directory names, date and time stamps, the starting cluster
number, and file attributes
o Located at sector 0 of the disk drive
MBR stores information about partitions on a disk and their locations, size, and
other important items
In a hexadecimal editor, such as WinHex, you can find the first partition at offset
0x1BE
o The file system’s hexadecimal code is offset 3 bytes from 0x1BE for the
first partition
Examining FAT Disks
File Allocation Table (FAT)
o File structure database that Microsoft originally designed for floppy disks
FAT database is typically written to a disk’s outermost track and contains:
o Filenames, directory names, date and time stamps, the starting cluster
number, and file attributes
Three current FAT versions
o FAT16, FAT32, and exFAT (used by Xbox game systems)
Cluster sizes vary according to the hard disk size and file system
Microsoft OSs allocate disk space for files by clusters
o Results in drive slack
Unused space in a cluster between the end of an active file and the end of the cluster
Drive slack includes:
o RAM slack and file slack
An unintentional side effect of FAT16 having large clusters was that it reduced
fragmentation
o As cluster size increased
When you run out of room for an allocated cluster
o OS allocates another cluster for your file, which creates more slack space on
the disk
As files grow and require more disk space, assigned clusters are chained together
o The chain can be broken or fragmented
When the OS stores data in a FAT file system, it assigns a starting cluster position to
a file
o FAT16, FAT32, and exFAT (used by Xbox game systems)
Cluster sizes vary according to the hard disk size and file system
Microsoft OSs allocate disk space for files by clusters
o Results in drive slack
Unused space in a cluster between the end of an active file and the end of the cluster
Drive slack includes:
o RAM slack and file slack
An unintentional side effect of FAT16 having large clusters was that it reduced
fragmentation
o As cluster size increased
When you run out of room for an allocated cluster
o OS allocates another cluster for your file, which creates more slack space on
the disk
As files grow and require more disk space, assigned clusters are chained together
o The chain can be broken or fragmented
When the OS stores data in a FAT file system, it assigns a starting cluster position to
a file
Slack Space in FAT
o phenomenon caused by the way how computers store data/files:
files are allocated cluster-sized chunks
regardless of the actual size of data in the file data may not be
big enough to fill (all) segments, i.e. clusters
sector slack - space between EOF and end of last sector that file was written to known
as RAM slack as OS pulls any info available in RAM at that point (memory dump) to
fill this space – e.g. logon IDs, passwords, segments of other files
cluster slack - remaining sectors in cluster known as file slack – contains whatever
was last written by disk in those sectors (e.g. parts of a deleted file)
Data for the file is written to the first sector of the first assigned cluster
When this first assigned cluster is filled and runs out of room
o FAT assigns the next available cluster to the file
If the next available cluster isn’t contiguous to the current cluster
o File becomes fragmented
Deleting FAT Files
In Microsoft OSs, when a file is deleted
o Directory entry is marked as a deleted file
With the HEX E5 character replacing the first letter of the filename
o phenomenon caused by the way how computers store data/files:
files are allocated cluster-sized chunks
regardless of the actual size of data in the file data may not be
big enough to fill (all) segments, i.e. clusters
sector slack - space between EOF and end of last sector that file was written to known
as RAM slack as OS pulls any info available in RAM at that point (memory dump) to
fill this space – e.g. logon IDs, passwords, segments of other files
cluster slack - remaining sectors in cluster known as file slack – contains whatever
was last written by disk in those sectors (e.g. parts of a deleted file)
Data for the file is written to the first sector of the first assigned cluster
When this first assigned cluster is filled and runs out of room
o FAT assigns the next available cluster to the file
If the next available cluster isn’t contiguous to the current cluster
o File becomes fragmented
Deleting FAT Files
In Microsoft OSs, when a file is deleted
o Directory entry is marked as a deleted file
With the HEX E5 character replacing the first letter of the filename
FAT chain for that file is set to 0
Data in the file remains on the disk drive
Area of the disk where the deleted file resides becomes unallocated disk space
o Available to receive new data from newly created files or other files needing
more space
Data in the file remains on the disk drive
Area of the disk where the deleted file resides becomes unallocated disk space
o Available to receive new data from newly created files or other files needing
more space
Categories
GeneralDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 306
- Slides 10
- Age 2021 days
Related Slideshows
22
Pray For The Peace Of Jerusalem and You Will Prosper
RodolfoMoralesMarcuc
30 views
26
Don_t_Waste_Your_Life_God.....powerpoint
chalobrido8
32 views
31
VILLASUR_FACTORS_TO_CONSIDER_IN_PLATING_SALAD_10-13.pdf
JaiJai148317
30 views
14
Fertility awareness methods for women in the society
Isaiah47
29 views
35
Chapter 5 Arithmetic Functions Computer Organisation and Architecture
RitikSharma297999
26 views
5
syakira bhasa inggris (1) (1).pptx.......
ourcommunity56
28 views