HTCIA International Conference, September 20-22, 2010
Atlanta, GA

Demystifying the Microsoft Extended File System (exFAT)
Robert Shullich CPP, CISSP, CISM, CISA, CGEIT, CRISC, GSEC, GCFA
September 20th, 2010 1

Agenda
About Me
Why a new file system
Forensics Relevance
Features
Advantages
Timelines
Support
Limits
Internals

About Me
I have been in the IT field for 35+ years, and in InfoSec for over 15 years.
I carry many IT and InfoSec certifications.
This research was part of a term project for a forensics class for my masters in Forensic Computing.
I then expanded the term paper into a practical paper for my SANS GCFA certification.
A link to the SANS paper and my blog is at the end of this presentation.

Why do we need a new file system?
Current limits exhausted:
  Larger volumes (>2 TB)
  Larger file sizes (>4 GB)
  Faster I/O (UHS-I: 104 MB/s; UHS-II: 300 MB/s)
Removable media
Flexibility
Extensibility
NTFS features without the overhead

Relevance to Forensics Study
Digital evidence extraction
  Finding the evidence, including the hiding places
  Validation
Daubert expert testimony
  Need to know and understand file system organization
New media (SD cards) will drive exFAT adoption, and the potential for CP investigations.

What happens when you have exFAT formatted media and no exFAT support?

Forensics Challenges
Linux OS support
  Tuxera drivers may help
Mac OS support
Open source tools
Commercial tools
  Encase
  FTK
Documentation

Disclaimer
The released specification and implementation is Release 1.00 of exFAT.
The specification mentions additional features that were not implemented yet, but may be at a future time. Some of these are Windows CE holdovers.
Both may be presented today.
Some directory entries will be skipped.

Exponents
10^2 = 10 * 10 = 100
10^3 = 10 * 10 * 10 = 1000 (1K)
2^2 = 2 * 2 = 4
2^9 = 2 * 2 * 2 * 2 * 2 * 2 * 2 * 2 * 2 = 512
2^10 = 2 * 2 * 2 * 2 * 2 * 2 * 2 * 2 * 2 * 2 = 1024 (1K)
2^12 = 2 * 2 * 2 * 2 * 2 * 2 * 2 * 2 * 2 * 2 * 2 * 2 = 4096

International System of Units (SI) Table
File system sizes are expressed in powers of 2; device characteristics are quoted in powers of 10.

Shorthand  Longhand   Nth power of 2  Bytes
KiB        Kibibyte   2^10            1024
MiB        Mebibyte   2^20            1024 KiB
GiB        Gibibyte   2^30            1024 MiB
TiB        Tebibyte   2^40            1024 GiB
PiB        Pebibyte   2^50            1024 TiB
EiB        Exbibyte   2^60            1024 PiB
ZiB        Zebibyte   2^70            1024 EiB
YiB        Yobibyte   2^80            1024 ZiB

Features of exFAT 1.00
Sector sizes from 512 to 4096 bytes
Cluster sizes to 32 MiB
Root directory unlimited
Subdirectories to 256 MiB
Built for speed, less overhead than NTFS, but has some of the NTFS features
UTC timestamp support
  Vista/Server 2008 SP2+, XP with KB

Features of exFAT 1.00 (cont'd)
OEM Parameters sector for device-dependent parameters
12-sector VBR, support of a larger boot program
Potential capacity to 64 ZiB
  Current support is about 128 PiB
Up to 2,796,202 files per subdirectory
File names up to 255 characters
Unicode file names and volume labels

Future Features of exFAT
TexFAT (to be released later)
  Exists in Windows CE
  Transaction-Safe exFAT
ACL (to be released later)
  Exists in Windows CE
Encryption support?
  Not announced, but mentioned as easy to add

MBR Partition Limitations
Microsoft file systems are limited when stored in an MBR partition.
A partition is defined by a Master Boot Record.
An MBR uses a 4-byte value for the number of sectors, so a partition can span at most 2^32 sectors (2 TiB with 512-byte sectors).
To get the maximum volume size, exFAT cannot be created within an MBR partition.

Advantages of exFAT
Handles growing capacities in media, increasing capacity to >32 GB
>1000 files in a single directory
Speeds up storage allocation processes
Breaks the 4 GB file size barrier
Supports interoperability with future desktop OSs
Provides an extensible format
Large cluster sizes

Disadvantages of exFAT
Not all Windows CE features implemented
No direct conversion to or from other file systems
  Cannot use the CONVERT command to go to NTFS
No floppy support
Mostly a Microsoft desktop and server world
  No support for older MS systems
  No support for non-MS systems
  No XBOX, PS3 or other special devices

Key Dates for exFAT
September 2006 – Windows CE 6.0
March 2008 – Windows Vista Service Pack 1
January 2009 – Announcement at CES of SDXC specification
January 2009 – Windows XP drivers available
March 2009 – Pretec releases first SDXC cards
May 2009 – Windows Vista Service Pack 2
August 2009 – Tuxera signs file system IP agreement with Microsoft
December 2009 – Microsoft (re)announces exFAT license program for third parties
December 2009 – SDXC laptops due soon
December 2009 – Diskinternals releases exFAT recovery utility
December 2009 – Encase support

More Key Dates for exFAT
December 2009 – Sony, Canon & Sanyo license
January 2010 – Funai license (LCD TV)
February 2010 – Panasonic license
February 2010 – Panasonic 64/48 GB SDXC
February 2010 – Sony Memory Stick XC
February 2010 – SanDisk Ultra XC 64 GB card, 3.0 spec, $350

More Key Dates
June 1st 2010 – Tuxera releases Linux & Android exFAT drivers
June 3rd 2010 – Kingston releases Class 10 SDXC 64 GB card, 60 MB/s read, 35 MB/s write

SD Card Association
New memory card
Consumer appliances
Follows SDHC
Specification for 2 TB capacity

SDXC Storage Capabilities
From 32 GB to 2 TB on a card
Exclusively exFAT file system
300 MB/s I/O transfer
Storage:
  4,000 RAW images
  100 HD movies, or 60 hours of HD recording
  17,000 fine-grade photos in a single directory

Support for exFAT
Windows XP & Server 2003
  KB955704 (requires SP2 or SP3)
Vista & Server 2008 SP1
Vista & Server 2008 SP2
  (Adds UTC timestamp support)
Windows 7

Reference Standards
Bits are numbered right to left: 7 6 5 4 3 2 1 0
Decimal offsets (zero based)
Little-endian numbers
Unsigned numbers
Sectors vs. clusters
Strings are 16-bit Unicode
Strings are not terminated

Endian
Byte order varies by processor type: it is the order in which the bytes of a multi-byte value are written to and read from memory.
A 32-bit number is stored as 4 8-bit bytes.
If I have the number 0x01020304:
  Big-endian will store it as: 01 02 03 04
  Little-endian will store it as: 04 03 02 01

File System Integrity
Version verified
3 checksums
  VBR
  Up-Case Table
  File Set
Critical directory entries
Other checks and balances
File system should NOT mount if any of these fail

exFAT Limits
Volume size 128 PiB
  MS said 64 ZiB
  MS now says 256 TiB
File size 16 EiB (64-bit number)
  Bigger than volume size
Subdirectory 256 MiB
Sector 512-4096 bytes (2^9 to 2^12)
Cluster 32 MiB (2^25)
No floppy support
No FAT32 minimum cluster count (65,525) restriction
No 8.3 file name support

Data Hide Alert!
FAT32 max cluster 32 KiB
exFAT max cluster 32 MiB
This is an increase of 1024 fold
Potential for massive slack space

Volume Space Layout
The Main Boot Region
  Contains the main VBR
The Backup Boot Region
  Contains the backup VBR
The FAT Region
  Contains the FAT table(s)
The Data Region (Cluster Heap)
  This is where data resides

VBR – Volume Boot Record
Contains 12 sectors:
  1 sector main boot sector
    Jump code (3 bytes)
    BPB (BIOS Parameter Block)
    Boot strap code
  8 sectors main extended boot sectors
  1 sector OEM parameters
  1 sector reserved
  1 sector VBR checksum

Boot Parameter Block (BPB)
OEM label "EXFAT   "
Volume length (64-bit) [sectors]
FAT location & size [sectors]
Heap location & size [sectors, clusters]
Volume serial number
Location of root directory [cluster]
Volume flags
Sector and cluster sizes [2-shift]
Percent in use
File system revision (0x0100 = 1.00; the low byte is the minor version, the high byte the major version)

Sectors & Clusters
A 2-shift is a power of 2
  Another name for exponent
Sector size and sectors per cluster
  Each stored in 1 byte
  Theoretical maximum is 2^255
  Sector size maximum 2^12
Sectors per cluster is derived
  Cluster size maximum is 2^25

Executable Boot Code
First 3 bytes of main boot sector
  Jump code 0xEB7690
Offset 120, size 390
  Remainder of boot code
Offset 510
  End signature marker: bytes 55 AA, read as the little-endian word 0xAA55
Offset 512
  Unused if defined

More Bootable Code
Up to 8 main extended boot sectors
  FAT32 had a 3-sector VBR with 1 MEBS
  Entire sector can be used for boot code
  Last 4 bytes of each sector are the marker: bytes 00 00 55 AA, read as the little-endian value 0xAA550000
Larger capacity for boot virus!

VBR Checksum Sector
The 12th sector of the VBR
Repeating 4-byte checksum
Checksum of the previous 11 sectors
  Volume Flags (offsets 106-107) and Percent in Use (offset 112) excluded
  These are volatile and change often
Boot sector virus & checksum: code patched into the boot sectors breaks the checksum unless the checksum sector is rewritten as well, so a mismatch is a tamper indicator while a match only proves the two were written together

VBR Checksum Sector
Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000000  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹
00000010  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹
00000020  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹
00000030  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹
00000040  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹
Lines 00000050 through 000001BF repeated
000001C0  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹
000001D0  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹
000001E0  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹
000001F0  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹
(Checksum value as a little-endian 32-bit number: 0x8B18D0C9)

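The VBR checksum described on the two slides above, as an added example that is not part of the original presentation. It implements the exFAT boot checksum rule (32-bit rotate-right-by-one then add over the first 11 sectors, skipping bytes 106, 107 and 112 of the main boot sector) and checks the 12th sector against it. The 12-sector VBR it builds is constructed for the demonstration and is not an image of a real volume; the boot-code bytes in it are stand-ins.

```python
import struct

SECTOR = 512
# Main-boot-sector bytes the checksum skips: VolumeFlags (106-107) and
# PercentInUse (112), which change on every mount and allocation.
EXCLUDED = {106, 107, 112}


def boot_checksum(first_11_sectors):
    """BootChecksum: 32-bit rotate-right-by-one-then-add over VBR sectors 0-10."""
    acc = 0
    for i, b in enumerate(first_11_sectors):
        if i in EXCLUDED:
            continue
        acc = ((((acc & 1) << 31) | (acc >> 1)) + b) & 0xFFFFFFFF
    return acc


def checksum_sector(value, sector_size=SECTOR):
    """Sector 11: the checksum repeated, little-endian, until the sector is full."""
    return struct.pack("<I", value) * (sector_size // 4)


def verify_vbr(vbr, sector_size=SECTOR):
    """Check a 12-sector VBR image. Returns (ok, stored, computed)."""
    body = vbr[:11 * sector_size]
    last = vbr[11 * sector_size:12 * sector_size]
    stored = struct.unpack_from("<I", last)[0]
    computed = boot_checksum(body)
    ok = last == checksum_sector(stored, sector_size) and stored == computed
    return ok, stored, computed


def make_sample_vbr(sector_size=SECTOR):
    """Constructed 12-sector VBR for the demonstration (not a real volume image):
    main boot sector with the fields the slides name, eight extended boot
    sectors ending in 00 00 55 AA, OEM parameter sector, reserved sector, checksum."""
    main = bytearray(sector_size)
    main[0:3] = b"\xEB\x76\x90"            # jump code
    main[3:11] = b"EXFAT   "               # FileSystemName
    main[104:106] = b"\x00\x01"            # FileSystemRevision 1.00 (minor, major)
    main[106:108] = b"\x00\x00"            # VolumeFlags (excluded from checksum)
    main[108] = 9                          # BytesPerSectorShift: 512-byte sectors
    main[109] = 8                          # SectorsPerClusterShift: 128 KiB clusters
    main[110] = 1                          # NumberOfFats
    main[112] = 0x23                       # PercentInUse (excluded from checksum)
    main[120:124] = b"\x33\xC9\x8E\xD1"    # stand-in boot code bytes (constructed)
    main[510:512] = b"\x55\xAA"            # boot signature, reads as 0xAA55
    ext = bytearray(sector_size)
    ext[-4:] = b"\x00\x00\x55\xAA"         # extended boot signature, reads as 0xAA550000
    body = bytes(main) + bytes(ext) * 8 + bytes(sector_size) * 2
    return body + checksum_sector(boot_checksum(body), sector_size)


def patch_byte(vbr, offset, value):
    """Copy of vbr with one byte changed; the checksum sector is left alone."""
    out = bytearray(vbr)
    out[offset] = value
    return bytes(out)


def repair_checksum(vbr, sector_size=SECTOR):
    """What a boot-sector virus has to do after patching: rewrite sector 11."""
    body = vbr[:11 * sector_size]
    return body + checksum_sector(boot_checksum(body), sector_size)
```

verify_vbr returns both the stored and the computed value so a tool can report them side by side. Changing the flags or percent-in-use bytes leaves the check intact; changing any other byte of the 11 sectors fails it; and a patch followed by repair_checksum passes again, which is why a valid checksum says nothing about whether the boot code is the original.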
FAT – File Allocation Table
When it is used, same as legacy FAT
Not used when a file is contiguous
Never used for cluster allocation
FAT32 has 32-bit cells, uses 28 bits
exFAT has 32-bit cells, uses 32 bits
There is no 64-bit FAT
Maximum clusters is 2^32 - 11
With TexFAT – 2 FAT tables (2 bitmaps)
Addressed by pointer in VBR
Size stored in VBR

Cell Values in FAT Table
0x00000000 – No significant meaning
0x00000001 – Not a valid cell value
0xFFFFFFF6 – Largest valid cluster value
0xFFFFFFF7 – Bad block
0xFFFFFFF8 – Media descriptor (fixed disk)
0xFFFFFFF9-0xFFFFFFFE – Not defined
0xFFFFFFFF – End of file (EOF)

FAT Table Example
Cells 0-4: Media, Reserved, Allocation Bitmap, Up-Case Table, Root Directory

Offset  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
0000   F8 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0010   FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
(rows 0030 through 0100 are all 00)

Allocation Bitmap
Keeps track of cluster allocation status
  Zero – free cluster
  One – allocated cluster
1 byte = tracking of 8 clusters
Bit zero of byte zero = cluster 2
  Cluster 0 & cluster 1 are not defined
Addressed by directory entry
With TexFAT – 2 of these (FAT pairing)

Data Hide Alert!
The Allocation Bitmap and the Up-Case Table are stored as files, and provide hiding space in the metadata.
These files are static, typically won't move, and have slack space.
Nothing prevents someone from moving these files elsewhere in the cluster heap, and actually making them larger.

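The FAT cell decoding, chain walk and bitmap lookup from the FAT, Cell Values, FAT Table Example and Allocation Bitmap slides, as an added example that is not taken from the presentation. FAT cells 0-4 are the ones shown on the FAT Table Example slide; the fragmented chain at clusters 150-153, the allocation bitmap contents and the 131,072-byte cluster size are assumptions constructed for the demonstration (the cluster size matches the Parameters for Samples slide). The last function is the check behind the Data Hide Alert: clusters the bitmap claims but nothing references.

```python
import struct

BAD_CLUSTER, MEDIA_DESCRIPTOR, END_OF_CHAIN = 0xFFFFFFF7, 0xFFFFFFF8, 0xFFFFFFFF
LAST_VALID_CLUSTER = 0xFFFFFFF6
BYTES_PER_CLUSTER = 131072   # 128 KiB, as on the "Parameters for Samples" slide

# FAT cells 0-4 as shown on the slide: media descriptor, reserved, then the
# single-cluster chains of the Allocation Bitmap, Up-Case Table and root directory.
SAMPLE_FAT = bytes.fromhex("F8 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF")
# Constructed for this example: cells 5-149 stay zero (the mp3 on the slides is
# contiguous, so its clusters are never written to the FAT), then a fragmented
# chain 150 -> 151 -> 153 with cluster 152 marked bad.
SAMPLE_FAT += bytes(4 * 145) + struct.pack("<4I", 151, 153, BAD_CLUSTER, END_OF_CHAIN)
# Constructed Allocation Bitmap (63 bytes = 504 clusters, the size from the
# bitmap directory entry slide): clusters 2-147 and 150-153 marked allocated.
SAMPLE_BITMAP = b"\xFF" * 18 + b"\xF3" + bytes(44)


def fat_cell(fat, n):
    """32-bit little-endian cell n of the FAT region."""
    return struct.unpack_from("<I", fat, 4 * n)[0]


def describe_cell(value):
    """Meaning of an exFAT FAT cell (the 'Cell Values in FAT Table' slide)."""
    if value == 0:
        return "free / no meaning"
    if value == 1:
        return "invalid"
    if value <= LAST_VALID_CLUSTER:
        return "next cluster %d" % value
    if value == BAD_CLUSTER:
        return "bad cluster"
    if value == MEDIA_DESCRIPTOR:
        return "media descriptor (cell 0)"
    if value == END_OF_CHAIN:
        return "end of chain"
    return "undefined"


def walk_chain(fat, first_cluster, no_fat_chain=False, data_length=0):
    """Clusters of a file, in order. With the stream extension's NoFatChain flag
    set the file is contiguous and the FAT is not consulted at all: the count
    comes from DataLength. Otherwise follow the FAT to end-of-chain, refusing
    loops and values that are not cluster numbers."""
    if no_fat_chain:
        count = -(-data_length // BYTES_PER_CLUSTER)      # ceiling division
        return list(range(first_cluster, first_cluster + count))
    chain, cur = [], first_cluster
    while cur != END_OF_CHAIN:
        if cur < 2 or cur > LAST_VALID_CLUSTER or cur in chain:
            raise ValueError("broken FAT chain at %#x" % cur)
        chain.append(cur)
        cur = fat_cell(fat, cur)
    return chain


def chain_is_valid(fat, first_cluster):
    """True when the FAT chain starting at first_cluster ends cleanly."""
    try:
        walk_chain(fat, first_cluster)
        return True
    except ValueError:
        return False


def bitmap_allocated(bitmap, cluster):
    """Allocation Bitmap lookup: bit 0 of byte 0 is cluster 2 (0 and 1 do not exist)."""
    i = cluster - 2
    return bool((bitmap[i >> 3] >> (i & 7)) & 1)


def allocated_but_unreferenced(bitmap, cluster_count, referenced):
    """Clusters the bitmap says are in use but that no directory entry or FAT
    chain accounts for: bad clusters, orphans, or a hiding place worth carving."""
    return [c for c in range(2, cluster_count + 2)
            if bitmap_allocated(bitmap, c) and c not in referenced]
```

A contiguous file's clusters are zero in the FAT (the FAT is only authoritative for fragmented files), so walking the FAT from the first cluster of a NoFatChain file fails immediately; the bitmap, not the FAT, says whether those clusters are in use.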
Directories in exFAT
Root (VBR pointer)
  Contains certain critical entries
  Almost unlimited in size
Subdirectory (by file entry)
  Contains file sets
  256 MiB max size
  No physical "." or ".." entries
Uses 16-bit Unicode for strings
Every entry is 32 bytes in size
Entry type 0x00 is end of directory
Has capabilities for user entries

Data Hide Alert!
Manipulation of the Allocation Bitmap, and creation of user directory entries, provides the capability of hiding a file system within the file system.
It may also be possible to hide data within the directory metadata itself.

Entry Type
Field       Offset (bits)  Size (bits)
In Use      7              1
Category    6              1
Importance  5              1
Code        0              5

Entry Type
In Use: 0 – not in use, 1 – in use
Category: 0 – primary, 1 – secondary
Importance: 0 – critical, 1 – benign
Code: identifies the entry

Volume Label Directory Entry
0x83 or 0x03 entry
Primary entry
Only resident in root directory
Contains the volume label
16-bit Unicode
0x03 means no volume label

Volume Label Directory Entry
Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000000  83 0A 65 00 78 00 46 00 41 00 54 00 2D 00 31 00  ƒ.e.x.F.A.T.-.1.
00000010  32 00 38 00 4B 00 00 00 00 00 00 00 00 00 00 00  2.8.K...........
Byte 0: type (0x83); byte 1: volume label length in characters (10); bytes 2-23: volume label field (exFAT-128K)

Allocation Bitmap Directory Entry
0x81 entry
Primary entry
Only resident in root directory
Points to the Allocation Bitmap
  If TexFAT, then 2 of these
  Flag bit says which FAT/bitmap
Cluster address of bitmap
Size of bitmap

Allocation Bitmap Directory Entry
Offset  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0000   81 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0010   00 00 00 00 02 00 00 00 3F 00 00 00 00 00 00 00
Byte 0: type (0x81); bytes 20-23: cluster address (cluster 2); bytes 24-31: size (0x3F = 63 bytes, tracking 504 clusters)

Up-Case Table Directory Entry
0x82 entry
Primary entry
Only resident in root directory
File names are case insensitive
Used to fold (up-case) file names
Table has a checksum (32 bits)

Up-Case Table Directory Entry
Offset  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0000   82 00 00 00 0D D3 19 E6 00 00 00 00 00 00 00 00
0010   00 00 00 00 03 00 00 00 CC 16 00 00 00 00 00 00
Byte 0: type (0x82); bytes 4-7: table checksum (0xE619D30D); bytes 20-23: cluster address (3); bytes 24-31: length (0x16CC = 5,836)

File Directory Entry Set
Used to define a file
May have 3 to 19 entries, or more
1 primary, many secondary
Is considered an array
  Must be in order
  Must be contiguous (no gaps)
Entire set has a checksum

File Directory Entry
0x85 or 0x05 entry
Primary entry
Set checksum (16 bits)
  Not modified on file delete
Secondary count
  Number of secondary entries that follow
File attributes
Timestamps

Timestamps & Time Zones
3 timestamps (MAC)
  32-bit DOS date/time
  Local machine time
10 ms offset (MC)
TZ offset (MAC)
  15-minute increments
  7-bit signed number
  ±16 hours
  Present with UTC support

Timestamp Accuracy
FAT32 – last access – date only
exFAT – last access – date/time
All DOS date/time values have 2-second resolution
10 ms field adds 0-1990 ms to the time
10 ms field only for create/modify

Timestamp Reliability
Timestamps appear to be updated when the file is created or modified.
Last accessed timestamp appears to be updated when the file is created or modified.
Last accessed timestamp appears NOT to be modified on file read.
Forensics implication for MAC time analysis.

File Attributes
Attribute  Offset (bit)  Size (bits)  Mask
Reserved2  6             10
Archive    5             1            0x20
Directory  4             1            0x10
Reserved1  3             1
System     2             1            0x04
Hidden     1             1            0x02
Read-Only  0             1            0x01

File Directory Entry
Offset  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0000   85 04 D4 92 20 00 00 00 44 62 86 3B F1 62 BA 3A
0010   44 62 86 3B A8 00 EC EC EC 00 00 00 00 00 00 00
Byte 0: type (0x85); byte 1: number of secondary entries (4); bytes 2-3: set checksum (0x92D4); bytes 4-5: attributes (0x0020 = Archive)
Bytes 8-11: create; bytes 12-15: modified; bytes 16-19: accessed
Byte 20: create 10 ms; byte 21: modified 10 ms
Bytes 22-24: TZ offset for create, modified, accessed (0xEC = GMT-5)

Formatted File Directory Entry
Root Entry Type Read is: 85 Directory Entry Record
Checksum: 92D4
Calculated Checksum is: 92D4
Size Directory Set (bytes): 160
Secondary Count 004
File Attributes: 0020 Archive
Create Timestamp: 3B866244 12/06/2009 12:18:08
Last Modified Timestamp: 3ABA62F1 05/26/2009 12:23:34
Last Accessed Timestamp: 3B866244 12/06/2009 12:18:08
10 ms Offset Create A8 168
10 ms Offset Modified 00 0
Time Zone Create EC 236 Value of tz is: GMT -05:00
Time Zone Modified EC 236 Value of tz is: GMT -05:00
Time Zone Last Accessed EC 236 Value of tz is: GMT -05:00

Stream Extension Directory Entry
0xC0 or 0x40 entry
Secondary entry
Length of name
Length of file (2 of them: valid data length and data length)
Cluster address of first data block
Name search hash value
Secondary flags
  FAT invalid
  Allocation possible

Stream Extension Directory Entry
Offset  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0000   C0 03 00 28 AD 3C 00 00 1F 46 1D 01 00 00 00 00
0010   00 00 00 00 05 00 00 00 1F 46 1D 01 00 00 00 00
Byte 0: type (0xC0); byte 1: entry flags (0x03 = allocation possible / FAT invalid); byte 3: length of file name (0x28 = 40); bytes 4-5: name hash (0x3CAD)
Bytes 8-15: valid data length; bytes 20-23: first cluster (5); bytes 24-31: data length (0x011D461F = 18,695,711)

Parameters for Samples
Bytes Per Sector: 2 to the 09 power is: 512
Sectors Per Cluster: 2 to the 08 power is: 256
Bytes per Cluster: 131072 (128K)

Formatted Stream Extension
Root Entry Type Read is: C0 Directory Entry Record, Stream Extension
Secondary Flags: 03
  Flag Bit 0: Allocation Possible
  Flag Bit 1: FAT Chain Invalid
Length of UniCode Filename is: 40
Name Hash Value is: AD3C
Stream Extension First Cluster 5
Cluster 5 is Allocated
Stream Extension Data Length 18695711 Bytes Slack: 83487 Clusters Used: 143
Stream Extension Valid Data Length 18695711 Bytes Slack: 83487 Clusters Used: 143
Note: 83,487 is the remainder of 18,695,711 divided by the 131,072-byte cluster, i.e. the bytes the file occupies in its last cluster; the file slack is 131,072 - 83,487 = 47,585 bytes.

File Name Extension Directory Entry
0xC1 or 0x41 entry
Secondary entry
Secondary flags
  Allocation not possible
  FAT invalid
15 characters (30 bytes) of name per entry
Name in 16-bit Unicode
In order (FAT32 LFN was reversed)
Up to 17 entries max, total 255 characters

File Name Extension Directory Entry
Offset  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0000   C1 00 62 00 75 00 73 00 69 00 6E 00 65 00 73 00  Á.b.u.s.i.n.e.s.
0010   73 00 5F 00 6F 00 66 00 5F 00 73 00 65 00 63 00  s._.o.f._.s.e.c.

0000   C1 00 75 00 72 00 69 00 74 00 79 00 5F 00 5F 00  Á.u.r.i.t.y._._.
0010   62 00 75 00 73 00 2D 00 31 00 30 00 35 00 2D 00  b.u.s.-.1.0.5.-.

0000   C1 00 33 00 32 00 6B 00 62 00 70 00 73 00 2E 00  Á.3.2.k.b.p.s...
0010   6D 00 70 00 33 00 00 00 00 00 00 00 00 00 00 00  m.p.3...........

File Name = business_of_security__bus-105-32kbps.mp3

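A parser for the File, Stream Extension and File Name directory entries described on the preceding slides (entry type bits, set checksum, timestamps with 10 ms and time-zone fields, stream flags, name hash), as an added example that is not part of the original presentation. It runs on the 160-byte entry set whose hex the slides show for business_of_security__bus-105-32kbps.mp3 and reproduces the set checksum 0x92D4, the name hash 0x3CAD, the decoded timestamps and the cluster count. Assumptions: plain ASCII up-casing stands in for the volume's Up-Case Table when computing the name hash, and the cluster size is the 131,072 bytes from the Parameters for Samples slide.

```python
import struct
from datetime import datetime, timedelta, timezone

BYTES_PER_CLUSTER = 131072  # 2^9 bytes/sector * 2^8 sectors/cluster ("Parameters for Samples")

# The five 32-byte entries shown on the slides: File (0x85), Stream Extension (0xC0)
# and three File Name (0xC1) entries for business_of_security__bus-105-32kbps.mp3.
SAMPLE_SET = bytes.fromhex(
    "85 04 D4 92 20 00 00 00 44 62 86 3B F1 62 BA 3A"
    "44 62 86 3B A8 00 EC EC EC 00 00 00 00 00 00 00"
    "C0 03 00 28 AD 3C 00 00 1F 46 1D 01 00 00 00 00"
    "00 00 00 00 05 00 00 00 1F 46 1D 01 00 00 00 00"
    "C1 00 62 00 75 00 73 00 69 00 6E 00 65 00 73 00"
    "73 00 5F 00 6F 00 66 00 5F 00 73 00 65 00 63 00"
    "C1 00 75 00 72 00 69 00 74 00 79 00 5F 00 5F 00"
    "62 00 75 00 73 00 2D 00 31 00 30 00 35 00 2D 00"
    "C1 00 33 00 32 00 6B 00 62 00 70 00 73 00 2E 00"
    "6D 00 70 00 33 00 00 00 00 00 00 00 00 00 00 00"
)


def ror16_add(acc, byte):
    """One step of the 16-bit rotate-right-by-one-then-add used by exFAT."""
    return ((((acc & 1) << 15) | (acc >> 1)) + byte) & 0xFFFF


def entry_set_checksum(entries):
    """SetChecksum over every byte of the set except bytes 2-3 of the first
    entry, which hold the checksum itself."""
    acc = 0
    for i, b in enumerate(entries):
        if i not in (2, 3):
            acc = ror16_add(acc, b)
    return acc


def name_hash(name):
    """NameHash: the same rotate-add over the UTF-16LE bytes of the up-cased name.
    Assumption: ASCII up-casing stands in for the volume's Up-Case Table."""
    acc = 0
    for b in name.upper().encode("utf-16-le"):
        acc = ror16_add(acc, b)
    return acc


def decode_entry_type(t):
    """Split the EntryType byte: bit 7 in-use, bit 6 category, bit 5 importance, bits 0-4 code."""
    return {"in_use": bool(t & 0x80), "secondary": bool(t & 0x40),
            "benign": bool(t & 0x20), "code": t & 0x1F}


def decode_timestamp(dos, ms10, tz):
    """32-bit DOS date/time (2 s resolution, local time) plus the 10 ms increment
    and the UTC-offset byte (bit 7 = offset valid, low 7 bits = signed count of
    15-minute steps). Returns (datetime, utc_offset or None)."""
    date, time = dos >> 16, dos & 0xFFFF
    local = datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                     time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    local += timedelta(milliseconds=10 * ms10)
    if not tz & 0x80:
        return local, None          # volume written without UTC support: no offset
    steps = tz & 0x7F
    if steps >= 64:                 # 7-bit two's complement
        steps -= 128
    offset = timedelta(minutes=15 * steps)
    return local.replace(tzinfo=timezone(offset)), offset


def parse_file_entry_set(data):
    """Decode a File entry plus its Stream Extension and File Name entries."""
    if data[0] & 0x7F != 0x05 or len(data) != 32 * (data[1] + 1):
        raise ValueError("not a complete file directory entry set")
    stored = struct.unpack_from("<H", data, 2)[0]
    attrs = struct.unpack_from("<H", data, 4)[0]
    c_dos, m_dos, a_dos = struct.unpack_from("<III", data, 8)
    c_10, m_10, c_tz, m_tz, a_tz = data[20:25]
    stream = data[32:64]            # first secondary entry must be the Stream Extension
    if stream[0] & 0x7F != 0x40:
        raise ValueError("missing stream extension")
    name_len = stream[3]
    stored_hash = struct.unpack_from("<H", stream, 4)[0]
    valid_len = struct.unpack_from("<Q", stream, 8)[0]
    first_cluster = struct.unpack_from("<I", stream, 20)[0]
    data_len = struct.unpack_from("<Q", stream, 24)[0]
    # File Name entries carry 15 UTF-16 characters each, in order (unlike FAT32 LFN)
    raw = b"".join(data[o + 2:o + 32] for o in range(64, len(data), 32)
                   if data[o] & 0x7F == 0x41)
    name = raw.decode("utf-16-le")[:name_len]
    clusters = -(-data_len // BYTES_PER_CLUSTER)   # ceiling division
    return {
        "checksum_ok": entry_set_checksum(data) == stored,
        "stored_checksum": stored,
        "secondary_count": data[1],
        "attributes": attrs,
        "created": decode_timestamp(c_dos, c_10, c_tz),
        "modified": decode_timestamp(m_dos, m_10, m_tz),
        "accessed": decode_timestamp(a_dos, 0, a_tz),   # no 10 ms field for access
        "allocation_possible": bool(stream[1] & 0x01),
        "no_fat_chain": bool(stream[1] & 0x02),
        "name": name,
        "name_hash_ok": name_hash(name) == stored_hash,
        "first_cluster": first_cluster,
        "valid_data_length": valid_len,
        "data_length": data_len,
        "clusters_used": clusters,
        "slack_bytes": clusters * BYTES_PER_CLUSTER - data_len,
    }


if __name__ == "__main__":
    for key, value in parse_file_entry_set(SAMPLE_SET).items():
        print(f"{key:>20}: {value}")
```

Because the set checksum skips only its own two bytes, the same function verifies a set whose first byte has been cleared to "not in use" (0x05) by a delete: the stored checksum still matches, which is the observation behind the "Significance of the not in use flag" slide, and a mismatch on a live set points to a hand-edited directory.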
Significance of the "not in use" flag
0x05, 0x40 & 0x41 entries
"Not in use" may mean deleted files
May also be a reallocated or renamed entry
Set checksum is not changed when entries are marked "not in use"

Summary
exFAT is a new generation of the FAT family of Microsoft file systems
The need for forensics tools will heat up in 2010
We don't have the right tools yet
Documentation and support for exFAT is scarce

Q&A

Contact Information
E-mail: [email protected]
Blog: rshullic.wordpress.com
Blog: shullich.blogspot.com

References
SANS Reading Room: http://www.sans.org/reading_room/whitepapers/forensics/rss/reverse_engineering_the_microsoft_exfat_file_system_33274
Microsoft Patent 0164440 (June 25, 2009). Quick Filename Lookup Using Name Hash. Pub. No. US 2009/0164440 A1. Retrieved December 10, 2009 from http://www.pat2pdf.org/patents/pat20090164440.pdf