Have you ever wondered how File Allocation Table ( FAT ) maintains the file system structure? Many forensic books and certification exams discuss the structure of the file system, but I yet to see discussion on how the file system links the directory structure together. In this post, I wanted to examine and model the links between files and folders.
Many books discuss the concept that we can navigate the file system by running cd . or cd .. to change directory to the current directory or to the parent of the current directory. The . and .. files turned out to be very important to understand how FAT maintains the directory structure.
Each directory maintains its own Directory Entry ( DE ) in a unique cluster where the root DE is considered as the cluster 0. Cluster 1 was never referenced. Referring to the FAT table, we know that FAT signature in FAT16 is F8FF and another FFFF that refers to the DE. Thus, F8FF is cluster reference 0 while FFFF following F8FF should be the reference to cluster 1. Thus, the first usable cluster for files is cluster 2.
I have created test case on a thumb drive using the following structure:
D:\file1.txt
D:\folder1
->file2.txt
->folder1-1
->file3.txt
I have traced the file system structures to their starting and ending sector numbers to find a pattern that lead me to understand how the files are stored.
The chart of sector numbers was used to develop a model of file structure on storage device.
The model can be verified by examining the actual structure of the DEs to establish the links between the DE entries.
A simplified view of relevant cluster number designations shows the repeating pattern of folders pointing to themselves by referring to the cluster number where the DE resides holding the DE entry for the file and the .. file entry is referring to the parent's DE cluster.
In some cases, we can examine the actual data structures on disk to reveal patterns that can be used to understand how technology works. The steps, documentation, and methodology are all crucial skills for any beginning forensic examiner or analyst while forensic technicians would not have to know technology at this level. Only education and hard work can develop a forensic analyst for a higher level of understanding of data structures while training of forensic technicians will never be able to develop professionals capable of this type of skills. I hope, the type of documents will help even technicians understand that there is more to learn about technology than pushing buttons and reading output from invalidated tools.
No comments:
Post a Comment