Escolar Documentos
Profissional Documentos
Cultura Documentos
0704-0188
The public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions,
searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments
regarding this burden estimate or any other aspect of this collection of information, including suggesstions for reducing this burden, to Washington
Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington VA, 22202-4302.
Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to any oenalty for failing to comply with a collection of
information if it does not display a currently valid OMB control number.
PLEASE DO NOT RETURN YOUR FORM TO THE ABOVE ADDRESS.
14. ABSTRACT
This tutorial is intended as in-class laboratory exercise for computer forensics classes at the Polytechnic University
of Puerto Rico. It’s specifically designed to provide basic understanding on the functionalities and capabilities of
the tree most used file systems FAT16, FAT32, and NTFS. This document provides an inside or raw view of the
files systems structure and how it handles data. It first covers the creation of a lab environment using openly
available applications and the use of Hexadecimal Editors or Disk Editors to view and modify data.
16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF 15. NUMBER 19a. NAME OF RESPONSIBLE PERSON
a. REPORT b. ABSTRACT c. THIS PAGE ABSTRACT OF PAGES Alfredo Cruz
UU UU UU UU 19b. TELEPHONE NUMBER
787-622-8000
Standard Form 298 (Rev 8/98)
Prescribed by ANSI Std. Z39.18
Report Title
Computer Forensics TutorialDisk File Systems (FAT16, FAT32, NTFS)
ABSTRACT
This tutorial is intended as in-class laboratory exercise for computer forensics classes at the Polytechnic University of
Puerto Rico. It’s specifically designed to provide basic understanding on the functionalities and capabilities of the
tree most used file systems FAT16, FAT32, and NTFS. This document provides an inside or raw view of the files
systems structure and how it handles data. It first covers the creation of a lab environment using openly available
applications and the use of Hexadecimal Editors or Disk Editors to view and modify data.
Computer Forensics Tutorial
Disk File Systems (FAT16, FAT32, NTFS)
Abstract This tutorial is intended as in-class Oracle Virtual Box: is a general-purpose full
laboratory exercise for computer forensics classes virtualizer for x86 hardware, targeted at server,
at the Polytechnic University of Puerto Rico. It’s desktop and embedded use. Refer to Figure 1.
specifically designed to provide basic
understanding on the functionalities and
capabilities of the tree most used file systems
FAT16, FAT32, and NTFS. This document provides
an inside or raw view of the files systems structure
and how it handles data. It first covers the creation
of a lab environment using openly available
applications and the use of Hexadecimal Editors or
Disk Editors to view and modify data.
Key Terms Electronic Data, Forensics, File Figure 1
Systems, Hex Editor, Storage Device, Tutorial. Oracle Virtual Box
personal computers in a corporate environment. 0x40 Object ID A volume-unique file identifier. Used by the
The NTFS file system also supports data access distributed link tracking service. Not all
files have object identifiers.
control and ownership privileges that are important
0x100 Logged Similar to a data stream, but operations are
for the integrity of critical data. While folders
Utility logged to the NTFS log file just like NTFS
shared on a Windows NT computer are assigned Stream metadata changes. This is used by EFS.
particular permissions, NTFS files and folders can 0xC0 Reparse Used for volume mount points. They are
have permissions assigned whether they are shared
Point also used by Installable File System (IFS) 0x18, 0x1A, and 0x1C match those on FAT16 and
filter drivers to mark certain files as special FAT32 volumes.
to that driver. Table 3
0x90 Index Root Used to implement folders and other BPB and the extended BPB
indexes.
Byte Field
Field Name
0xA0 Index Used to implement folders and other Offset Length
Allocation indexes.
0x0B WORD Bytes Per Sector
0xB0 Bitmap Used to implement folders and other
0x0D BYTE Sectors Per Cluster
indexes.
0x0E WORD Reserved Sectors
0x70 Volume Used only in the $Volume system file.
0x10 3 BYTES always 0
Information Contains the volume version.
0x13 WORD not used by NTFS
0x60 Volume Used only in the $Volume system file.
0x15 BYTE Media Descriptor
Name Contains the volume label.
0x16 WORD always 0
0x18 WORD Sectors Per Track
When a file's attributes can fit within the MFT
0x1A WORD Number Of Heads
file record, they are called resident attributes. For
0x1C DWORD Hidden Sectors
example, information such as filename and time 0x20 DWORD not used by NTFS
stamp is always included in the MFT file record. 0x24 DWORD not used by NTFS
When all of the information for a file is too large to 0x28 LONGLONG Total Sectors
fit in the MFT file record, some of its attributes are 0x30 LONGLONG Logical Cluster Number for the file
nonresident. The nonresident attributes are $MFT
allocated one or more clusters of disk space 0x38 LONGLONG Logical Cluster Number for the file
$MFTMirr
elsewhere in the volume. If all attributes cannot fit
0x40 DWORD Clusters Per File Record Segment
into one MFT record NTFS creates additional
0x44 DWORD Clusters Per Index Block
MFST records and puts the Attribute List attribute 0x48 LONGLONG Volume Serial Number
to the first file's MFT record to describe the 0x50 DWORD Checksum
location of all of the attribute records.
When you format an NTFS volume, the format TFS includes several system files, all of which
program allocates the first 16 sectors for the $Boot are hidden from view on the NTFS volume. A
metadata file. First sector, in fact, is a boot sector system file is one used by the file system to store its
with a "bootstrap" code and the following 15 metadata and to implement the file system. System
sectors are the boot sector's IPL (initial program files are placed on the volume by the Format utility.
loader). To increase file system reliability the very [5].
last sector an NTFS partition contains a spare copy Now that we have a general understanding of
of the boot sector. NTFS file system we can use HxD hex editor to
BIOS parameter block, often shortened to view the raw data of the file system. Figure 7
BPB, is a data structure in the Volume Boot Record illustrates an NTFS partition with the BPB of the
describing the physical layout of a data storage the Boot sector that according with Table 3 are
volume. On partitioned devices, such as hard disks, bytes 0x0B to 0x50.
the BPB describes the volume partition, whereas,
on unpartitioned devices, such as floppy disks, it
describes the entire medium.
The following table (Table 3) describes the
fields in the BPB and the extended BPB on NTFS
volumes. The fields starting at 0x0B, 0x0D, 0x15, Figure 7
BPB of the Boot Sector
Using Table 3 we can find the following:
Sector Size has a value of 0x0200 (512 DEC) =
Sector Size of 512 Bytes.
Sectors per cluster has a value of 0x0004 (04 DEC)
= 4 Sectors per cluster.
$MFT’s location should be in byte 0x30 and
it’s an 8 byte address.
The Hex Value is 0x000000000002AD10 =
175,376. $MFT is located at cluster 175,376.
With the information gathered we can
determine the sector in which $MFT is located:
Location of $MFT = Sectors per cluster * Starting
Cluster of $MFT = 4 * 175,376 = 701,504
$MFT is located at Sector 701,504.
All of this data can be gathered using
automated tools but the point of this exercise is to
look at the raw data of the file system and
understand it.
CONCLUSION
This tutorial should be considered as a good
recourse in the understanding of FAT16, FAT32
and NTFS file systems. Since Digital Forensics is
an evolving field, knowing the inner workings and
structure of the main file systems help a great deal
in the process of data gathering and recovery.
Giving the reader the necessary knowledge to
understand how data is stored and handled by the
different file systems.
REFERENCES
[1] “FAT16 - Computing Knowledgebase”, Retrieved on Oct
19, 2011, http://pc.wikia.com/wiki/FAT16.