
CFOR 101

Computer Forensics I

Lab Package # 3

Understanding File Systems - FAT

Part I

CFOR 101 1 Fall 2010


Objective:

1. To examine physical and logical format of the disk structure.


2. To analyze how and what information is stored in the boot record, file
allocation tables (FAT), directory and file structures.

Materials Needed:

Student Hard drive


Floppy Disk – Loaded in VM Ware

Introduction:

A good understanding of disk technology is important in order to function
effectively in the world of computer forensics. Computer disks and hard drives
can be viewed from two perspectives: as having a physical structure or as
having a logical structure.

In the lab, we will examine the physical and logical structure of the disk in detail.
The physical structure deals with the geometry of the disk. The logical structure
deals with how data is stored, where the data is stored, and how to retrieve the
data.

It is very important for a computer forensic analyst to examine boot record, file
allocation tables, directory structures and data area for evidence.

There are various file systems such as FAT 12, FAT 16, FAT 32, NTFS, and
EXT 3.

The File Allocation Table (FAT) file system is one of the simplest file systems
found in common operating systems. FAT is the primary file system of the
Microsoft DOS and Windows 9x operating systems. FAT is frequently found in
compact flash cards for digital cameras and USB “thumb drives”.

This lab focuses on the FAT12 file system, which is predominantly found on
floppy diskettes. You will be using the Norton Diskedit (DOS) program to
examine the physical and logical disk structure.

Procedures:

Part I Examining Floppy Disk Physical Structure


1. Turn on your PC. Open the “VMWare Server console” icon on the desktop.
When the VMware Server console opens up, select “Local Host” and
choose OK.



2. Start the “Virtual Machine”. The guest operating system, DOS, will boot up
and display the C: prompt.

3. Go to the Norton Diskedit program:

   C:\> cd Norton          Press “Enter”
   C:\norton> diskedit     Press “Enter”

4. Select alt and “O” (Object) and select “Drive” and press “enter”.
Select drive “___” and press “enter” again.



6. Select alt and “O” (Object) and select "Boot Record" from the pull
down menu and press “enter”.

7. The “Boot Record” displays the physical structure or geometry of the
disk. Examine the information and answer the following questions.

How many bytes per sector?                                512
How many sectors per track?                               63
What is the volume label?                                 MS-Dos_6
What is the file system ID?                               Fat16
In which sector is the boot record information stored?    0
How many disk sides?                                      255

Table 1

8. The “system area” of the disk is divided into the boot record, the file
allocation tables, and the directory structure.

The layout of the File Allocation Table (FAT) file system has three
physical sections to it, which can be seen in the table below. The first
section is the “reserved area”, and it includes data in the “file system”
category. In FAT 12 and FAT 16 the reserved area is typically only 1
sector in size, but the size is defined in the boot sector. The second
section is the FAT area, and it contains the primary (Fat 1) and
backup (Fat 2) FAT tables.
The File Allocation Table (FAT) starts in the sector following the
reserved area. The size of the FAT table is displayed in the boot
record. The third section is the “data area”, and it contains the clusters
that will be allocated to store file and directory content.

Table 2

One of the first things you need to know when analyzing a FAT file system
is the location of the three physical layout areas. The “reserved area”
starts in sector “0” of the file system and its size is given in the boot
sector. For “FAT 12” (typically a floppy disk) the reserved area is typically
only “1” sector, but in “FAT 16/32” the reserved area typically spans
many sectors.

The FAT file system contains two File Allocation Tables (Fat 1 and Fat 2),
and the first File Allocation Table (FAT1) begins in the sector after the
reserved area.

Answer the following questions by viewing the boot record information in
Norton Diskedit.

How many sectors are reserved for the boot record?    1
How many sectors are reserved for the FAT?            256
How many sectors per cluster?                         64

Table 3

9. Locating the “Data Area”:

The basic concept of the FAT file system is that each file and directory is
allocated a “data structure”, called a “directory entry”, that contains the
file name, size, starting address of the file content, and other metadata.

File and directory content is stored in data units called “clusters”. If a
file or directory has been allocated more than one cluster, the other
clusters are found on the disk by using the File Allocation Table (FAT).
The File Allocation Table (FAT) entry for a cluster identifies the next
cluster of the file where data is stored on the disk.



Examine the “root directory” structure on the disk, by selecting alt + “O”
and choose “directory”. Select the “___:” drive and press “enter”. The
information displayed will reveal all the information that you may need for
analyzing the disk. Enter the following information found on the Diskedit
display screen:

Root Directory Content


What is the starting sector number of the root directory?    513

Name              Size    Date      Time      Starting   Attributes
(Volume/dir/file)                             Cluster
IO.SYS            40774   5-31-94   6:22pm    3          R/O,SYS,Hid
MSDOS.SYS         38138   5-31-94   6:22pm    5          R/O,SYS,Hid
MS-DOS_6          0       1-16-08   12:39pm   0          Arc,Vol
DOS               0       1-16-08   12:39pm   2          Dir

Table 4
10. Finding the Metadata of directories and files:

Finding the location of the first cluster, which is “Cluster 2”, is harder than
it sounds because it is not at the beginning of the file system; it is in the
“data area”. You can be certain of this because the “reserved” and “FAT”
areas, which occur before the data area, do not use cluster addresses.

With a FAT12 and FAT16 file system, the first sectors of the “data area”
are for the “root directory” (created during the “format” command), which
is allocated when the file system is created and has a fixed size. After the
root directory entry, “Cluster 2” starts in the next sector.
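The layout rules in steps 8 and 10 can be checked arithmetically from the boot record alone. The following Python example is added for this lab and is not part of the Norton Diskedit program or the original handout. It builds a constructed FAT12 boot sector with the BIOS Parameter Block values of a standard 1.44 MB floppy (an assumption; the lab disk's own values are the ones you recorded in Tables 1 and 3), then computes where the reserved area, FAT1, FAT2, the root directory and the data area begin and end, and which sector holds “Cluster 2”.

```python
import struct

# Constructed FAT12 boot sector for a standard 1.44 MB floppy. The BPB values
# are assumed for this example (not read from the lab's disk): 512 bytes per
# sector, 1 sector per cluster, 1 reserved sector, 2 FATs of 9 sectors each,
# 224 root directory entries, 2880 sectors, 18 sectors per track, 2 sides.
BPB_FORMAT = "<HBHBHHBHHHII"   # BIOS Parameter Block, bytes 11..35 of sector 0
BPB_OFFSET = 11


def build_boot_sector():
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x3C\x90"              # jump to boot code
    bs[3:11] = b"MSDOS5.0"                 # OEM name
    struct.pack_into(BPB_FORMAT, bs, BPB_OFFSET,
                     512,    # bytes per sector
                     1,      # sectors per cluster
                     1,      # reserved sectors (boot record only)
                     2,      # number of FATs (FAT1 and FAT2)
                     224,    # root directory entries
                     2880,   # total sectors (16-bit field)
                     0xF0,   # media descriptor (3.5" floppy)
                     9,      # sectors per FAT
                     18,     # sectors per track
                     2,      # number of heads (disk sides)
                     0,      # hidden sectors
                     0)      # total sectors (32-bit field, unused here)
    bs[43:54] = b"MS-DOS_6   "             # 11-byte volume label
    bs[54:62] = b"FAT12   "                # informational file system type string
    bs[510:512] = b"\x55\xAA"              # boot sector signature
    return bytes(bs)


def parse_layout(bs):
    """Compute the reserved / FAT / root directory / data area boundaries."""
    if bs[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot sector signature")
    (bps, spc, reserved, nfats, root_entries, total16, _media,
     spf, spt, heads, _hidden, total32) = struct.unpack_from(BPB_FORMAT, bs, BPB_OFFSET)
    total = total16 if total16 else total32
    root_sectors = (root_entries * 32 + bps - 1) // bps   # 224 * 32 / 512 = 14 sectors
    fat_start = reserved                                  # FAT1 follows the reserved area
    root_start = fat_start + nfats * spf                   # root dir follows the FATs
    data_start = root_start + root_sectors                 # cluster 2 starts here
    cluster_count = (total - data_start) // spc
    # The FAT type is decided by the number of data clusters, not by the
    # "FAT12"/"FAT16" string in the boot sector, which is informational only.
    if cluster_count < 4085:
        fat_type = "FAT12"
    elif cluster_count < 65525:
        fat_type = "FAT16"
    else:
        fat_type = "FAT32"
    fats = [(fat_start + i * spf, fat_start + (i + 1) * spf - 1) for i in range(nfats)]
    return {
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "sectors_per_track": spt,
        "sides": heads,
        "volume_label": bs[43:54].decode("ascii").rstrip(),
        "reserved": (0, reserved - 1),
        "fats": fats,
        "root_dir": (root_start, root_start + root_sectors - 1),
        "data": (data_start, total - 1),
        "cluster_count": cluster_count,
        "fat_type": fat_type,
    }


def cluster_to_sector(layout, cluster):
    """Translate a cluster number (2 = first data cluster) to its first sector."""
    if cluster < 2 or cluster >= layout["cluster_count"] + 2:
        raise ValueError(f"cluster {cluster} is outside the data area")
    return layout["data"][0] + (cluster - 2) * layout["sectors_per_cluster"]


if __name__ == "__main__":
    layout = parse_layout(build_boot_sector())
    for area in ("reserved", "fats", "root_dir", "data"):
        print(f"{area:10s} sectors {layout[area]}")
    print("cluster 2 begins in sector", cluster_to_sector(layout, 2))
```

For the assumed floppy geometry the script reports sector 0 as reserved, sectors 1-9 and 10-18 for the two FATs, 19-32 for the root directory and 33-2879 for the data area, so cluster 2 begins in sector 33. Substituting the values from your own boot record gives the equivalent boundaries for the lab disk.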

Next, you will examine the disk’s “directory structure” and “data area”.

Highlight “Lab3” directory and press “enter”.

When a new directory is created, a cluster is allocated to it and filled with
zeros (0). The size field in the directory entry is not used, and should
always be “0”. The only way to determine the size of the directory is to use
the starting cluster from the directory entry and follow the “cluster chain”
in the FAT structure until the end of file marker (EOF) is found.

The first two directory entries in a directory are for the dot “.” and double
dot “..” directories. The dot, “.”, name is used to address the current
directory in which you are working (i.e. “you are here”), and the double
dot, “..”, is used to address the parent directory (i.e. “this is where you
came from”; in most instances the root directory).
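The directory entry fields that Diskedit shows in Tables 4 and 5 (name, size, date, time, starting cluster, attributes) are packed into 32 bytes. The following Python example is added for this lab and is not code from the handout or from Diskedit; it builds constructed sample entries, including the “.” and “..” entries of an assumed “Lab3” sub-directory placed in cluster 7, and decodes them the way Diskedit displays them. The attribute display order copies Table 4; the date and time encodings are the standard FAT bit layouts.

```python
import struct

ENTRY_SIZE = 32
# Attribute bits; the display order below mimics the order used in Table 4.
ATTR_FLAGS = [(0x01, "R/O"), (0x04, "SYS"), (0x02, "Hid"),
              (0x20, "Arc"), (0x08, "Vol"), (0x10, "Dir")]
ATTR_VOLUME = 0x08
ATTR_DIR = 0x10


def encode_date(year, month, day):
    return ((year - 1980) << 9) | (month << 5) | day


def encode_time(hour, minute, second=0):
    return (hour << 11) | (minute << 5) | (second // 2)


def build_entry(name, ext, attrs, date, time, cluster, size):
    """Build one 32-byte 8.3 directory entry (constructed sample data)."""
    e = bytearray(ENTRY_SIZE)
    e[0:8] = name.ljust(8).encode("ascii")
    e[8:11] = ext.ljust(3).encode("ascii")
    e[11] = attrs
    struct.pack_into("<H", e, 22, time)      # last-write time
    struct.pack_into("<H", e, 24, date)      # last-write date
    struct.pack_into("<H", e, 26, cluster)   # starting cluster
    struct.pack_into("<I", e, 28, size)      # file size in bytes
    return bytes(e)


def parse_entry(e):
    """Decode the fields Diskedit shows: name, size, date, time, cluster, attributes."""
    if e[0] == 0x00:
        return None                           # end of directory, nothing follows
    deleted = e[0] == 0xE5                    # first byte overwritten; the rest of the metadata remains
    raw_name = e[0:8].decode("ascii", "replace")
    raw_ext = e[8:11].decode("ascii", "replace")
    attrs = e[11]
    if attrs & ATTR_VOLUME:
        name = (raw_name + raw_ext).rstrip()  # a volume label spans all 11 name bytes
    else:
        name = raw_name.rstrip()
        if raw_ext.strip():
            name += "." + raw_ext.rstrip()
    if deleted:
        name = "?" + name[1:]                 # first character of a deleted name is lost
    time, date, cluster, size = struct.unpack_from("<HHHI", e, 22)
    hour, minute = time >> 11, (time >> 5) & 0x3F
    year, month, day = 1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F
    return {
        "name": name,
        "size": size,                          # always 0 for a directory entry
        "date": f"{month}-{day}-{year % 100:02d}",
        "time": f"{hour % 12 or 12}:{minute:02d}{'pm' if hour >= 12 else 'am'}",
        "cluster": cluster,                    # 0 in ".." means the parent is the root directory
        "attrs": ",".join(label for bit, label in ATTR_FLAGS if attrs & bit),
        "is_dir": bool(attrs & ATTR_DIR),
        "deleted": deleted,
    }


def parse_directory(data):
    """Walk a directory's raw bytes entry by entry until the terminating zero entry."""
    entries = []
    for off in range(0, len(data), ENTRY_SIZE):
        entry = parse_entry(data[off:off + ENTRY_SIZE])
        if entry is None:
            break
        entries.append(entry)
    return entries


# Constructed sample: the IO.SYS entry from Table 4, and a "Lab3" sub-directory
# assumed to live in cluster 7 with the root directory as its parent.
IO_SYS = build_entry("IO", "SYS", 0x01 | 0x02 | 0x04,
                     encode_date(1994, 5, 31), encode_time(18, 22), 3, 40774)
LAB3_DIR = (build_entry(".", "", ATTR_DIR, encode_date(2008, 1, 16), encode_time(12, 39), 7, 0)
            + build_entry("..", "", ATTR_DIR, encode_date(2008, 1, 16), encode_time(12, 39), 0, 0)
            + build_entry("HELLO", "TXT", 0x20, encode_date(2008, 1, 16), encode_time(12, 40), 8, 13)
            + bytes(ENTRY_SIZE))   # an all-zero entry marks the end of the directory

if __name__ == "__main__":
    print(parse_entry(IO_SYS))
    for entry in parse_directory(LAB3_DIR):
        print(entry["name"], entry["size"], entry["date"], entry["time"],
              entry["cluster"], entry["attrs"])
```

Decoding IO.SYS reproduces the Table 4 row (size 40774, 5-31-94, 6:22pm, cluster 3, R/O,SYS,Hid). In the constructed “Lab3” directory the “.” entry points at the directory's own cluster (7) and the “..” entry holds cluster 0, which is how a FAT directory records that its parent is the root directory. Note also that a directory entry whose first byte is 0xE5 has been deleted but keeps its size, dates and starting cluster, which is why directory listings in a forensic tool still reveal deleted file names with the first character missing.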



“Lab3” Directory Content

Dir/File Name    Ext    Size    Date    Time    Starting    Attributes
                                                Cluster

Table 5

In the “Lab3” directory what do dot “.” and double dot “..” indicate?

11. Examining the File Allocation Table (FAT) Structure:

The directory entry contains the “starting cluster” of each file, and the File
Allocation Table (FAT) is the structure the computer operating system uses
to find the remaining clusters for each file.
The “non-zero” entries in the File Allocation Table (FAT) contain:

a. the address of the “next” cluster in the file containing data related to
the selected file “contents”;

b. an “end of file” marker (EOF) which tells the computer that it is not
required to search for any more data to complete the file;

c. or a value to show that the cluster has bad sectors.

To find the next cluster in a file, you will need to look at the cluster’s entry
in the FAT and determine if it is the last cluster in the file (EOF), or if
another cluster exists in the file in which data related to the file is located.

For example, consider a file “file1.txt” that is located in clusters 50, 51, 52
and 53:



Table 6
Source: Brian Carrier
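The chain-following rule in step 11 and the “contiguous or non-contiguous” questions that follow (Part I steps 15-16 and Part II steps 2-3, 6-7 and 10-11) can be worked through on a FAT12 table in code. The following Python example is added for this lab and is not part of the handout or of Diskedit. It packs and unpacks the 12-bit FAT entries (two entries share every three bytes), then builds a constructed one-FAT image containing the “file1.txt” chain from Table 6 (50, 51, 52, 53, EOF), a fragmented chain, a starting cluster marked bad and a looping chain, and follows each chain to its end marker. The cluster numbers are sample values chosen for the example.

```python
FAT12_EOF_MIN = 0xFF8     # 0xFF8-0xFFF: end-of-file marker
FAT12_BAD = 0xFF7         # cluster contains bad sectors
FAT12_MASK = 0x0FFF


def fat12_get(fat, n):
    """Read the 12-bit entry for cluster n (entries are packed two per three bytes)."""
    off = n + n // 2
    v = fat[off] | (fat[off + 1] << 8)
    return (v >> 4) if n & 1 else (v & FAT12_MASK)


def fat12_set(fat, n, value):
    """Write the 12-bit entry for cluster n without disturbing its neighbour."""
    off = n + n // 2
    v = fat[off] | (fat[off + 1] << 8)
    if n & 1:
        v = (v & 0x000F) | ((value & FAT12_MASK) << 4)
    else:
        v = (v & 0xF000) | (value & FAT12_MASK)
    fat[off], fat[off + 1] = v & 0xFF, v >> 8


def follow_chain(fat, start, cluster_count):
    """Return (clusters, status); status is EOF, BAD, FREE, LOOP or OUT_OF_RANGE."""
    chain, seen, cur = [], set(), start
    while True:
        if cur < 2 or cur >= cluster_count + 2:
            return chain, "OUT_OF_RANGE"       # entry points outside the data area
        if cur in seen:
            return chain, "LOOP"               # corrupted FAT: chain never reaches EOF
        seen.add(cur)
        chain.append(cur)
        nxt = fat12_get(fat, cur)
        if nxt >= FAT12_EOF_MIN:
            return chain, "EOF"                # last cluster of the file
        if nxt == FAT12_BAD:
            return chain, "BAD"                # cluster is marked as having bad sectors
        if nxt == 0:
            return chain, "FREE"               # allocated file pointing at a free cluster
        cur = nxt


def is_contiguous(chain):
    """True when every cluster in the chain immediately follows the previous one."""
    return all(b == a + 1 for a, b in zip(chain, chain[1:]))


def clusters_needed(size, bytes_per_cluster):
    """Number of clusters a file of `size` bytes occupies (Tables 7, 10, 12, 14, 15)."""
    return (size + bytes_per_cluster - 1) // bytes_per_cluster


def build_sample_fat():
    """Constructed 9-sector FAT12 table (one FAT of a 1.44 MB floppy) with sample chains."""
    fat = bytearray(9 * 512)
    fat12_set(fat, 0, 0xFF0)                    # media descriptor entry
    fat12_set(fat, 1, 0xFFF)                    # reserved entry
    for c, nxt in ((50, 51), (51, 52), (52, 53), (53, 0xFFF)):   # file1.txt, contiguous
        fat12_set(fat, c, nxt)
    for c, nxt in ((60, 61), (61, 70), (70, 0xFFF)):             # fragmented file
        fat12_set(fat, c, nxt)
    fat12_set(fat, 80, FAT12_BAD)                                # starting cluster marked bad
    fat12_set(fat, 100, 101)                                     # corrupted chain that loops
    fat12_set(fat, 101, 100)
    return fat


if __name__ == "__main__":
    fat = build_sample_fat()
    for start in (50, 60, 80, 100):
        chain, status = follow_chain(fat, start, 2847)
        print(start, chain, status, "contiguous" if is_contiguous(chain) else "non-contiguous")
```

Running it shows the Table 6 chain 50 -> 51 -> 52 -> 53 ending in EOF and reported as contiguous, while the 60 -> 61 -> 70 chain is non-contiguous because its third cluster does not follow the second. The loop and range guards matter when the FAT has been damaged: without them a chain that never reaches an EOF marker would be followed forever. For a 512-byte cluster the helper also confirms that a 40,774-byte file such as IO.SYS occupies 80 clusters.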

12. Examine and analyze the File Allocation Table (FAT) structure and
“cluster chains” by viewing different files in the disk directory.

Examine the “hello.txt” file and analyze the file information. Use Table 5
to get the data.

What is the size of the file?
What is the starting cluster number?
How many clusters does this file occupy?

Table 7

Select alt + “O” and select “1st FAT” and press “enter”. The program
displays the content of the “1st FAT”. The bottom right side of the
program shows the cluster number, and the bottom left side of the program
display shows the drive and “file” name. Move the cursor to the right (use
the Tab key) so that the starting cluster number of the file is displayed at the
bottom right side of the program. Note: Your display values may be
different from the diagram below.



Table 8

In the “1st FAT” view of the File Allocation Table (FAT), what value or data
is stored at the “starting” cluster of hello.txt? Explain.

13. Press alt + “O” and select “directory” and press “enter”. Select the “___:\”
drive, then highlight “lab 3” and press “enter”. Highlight “hello.txt” and
press “enter”. The program displays the contents of the “hello.txt” file in
both the “hexadecimal” format and the “ASCII” (alphanumeric) character
format.

Table 9



What is the starting cluster number (displayed at the bottom right corner of
the program) and the sector number (displayed at the top left side of the
program)?

14. Examine the “car.jpg” file and analyze the file information. Select alt and
“O” and choose “drive”. Select “____:” drive and press “enter”.
Choose the “Lab3” directory and press “enter”. Select “car.jpg”.

Write the following information, using the Table 5 information.

What is the size of the file?
What is the starting cluster number?
How many clusters does this file occupy?

Table 10

15. Select alt + “O” and select "1st FAT". Move the cursor to the starting
cluster number of the “car.jpg” file. As soon as you move the cursor to
the starting cluster of the file, part of the FAT table will turn “red”, showing
all of the clusters that are used by the “car.jpg” file.

View the diagram below. Verify that the highlighted clusters for the
“car.jpg” file are correct using Table 11 below.

Write down all the cluster numbers occupied by the “car.jpg” file
beginning with the “starting” cluster number.



Table 11

16. By viewing the “1st FAT” table, explain whether the “car.jpg” file content
is stored on the disk “contiguously” or “non-contiguously”.

17. Press alt + “O”, select “directory”, then highlight the “___:” drive and
“Lab3” and press “enter”. Highlight the “car.jpg” file and press “enter”.
The Diskedit program displays the contents of the “car.jpg” file in
hexadecimal and ASCII format beginning with the starting cluster number.

Press the “PgDn” key to view the rest of the contents of the “car.jpg” file, its
related cluster numbers and location. Compare the cluster numbers for the
“car.jpg” file displayed in the “1st FAT” table shown in Part I, Procedure
15 above with the cluster numbers that you are now viewing using the
Diskedit program. Explain any differences or similarities:

Part II Analyzing the Forensic.txt, Solar.jpg and Galileo.txt Files

1. Examine the “forensic.txt” file and analyze the file information. To
examine the “forensic.txt” file, select alt + “O”, then select the “___:” drive,
select “Lab3” and press “enter”. Select the “forensic.txt” file. Write the
following file information.

What is the size of the file?
What is the starting cluster number?
How many clusters does this file occupy?

Table 12

2. To examine the File Allocation Table (FAT) of the “forensic.txt” file,
select alt + “O” and select "1st FAT". Move the cursor (using the “Tab”
key) to the “starting” cluster number of the “forensic.txt” file. As soon
as you move the cursor to the “starting” cluster of the file, part of the FAT
table contents will turn “red” showing all of the clusters that are being
used by the “forensic.txt” file as shown in the Table 13 diagram below.

Write down all of the cluster numbers occupied by the “forensic.txt” file
beginning with the “starting” cluster number.

Table 13

3. Using the “1st FAT” table view, explain whether the “forensic.txt” file
content is stored “contiguously” or “non-contiguously” on the disk?



4. Press alt + “O”, select “directory”, select the “____:” drive, highlight “Lab3”
and press “enter”. Highlight the “forensic.txt” file and press “enter”.
The Diskedit program displays the contents of the “forensic.txt” file in
hexadecimal and ASCII format beginning with the “starting” cluster
number.

Press the “PgDn” key to view the rest of the “forensic.txt” file contents, its
related cluster numbers and location. Compare the cluster numbers for
the “car.jpg” file displayed in the “1st FAT” table shown in Part II.
Procedure 2 above with the cluster numbers that you are now viewing
using the Diskedit program. Explain any differences or similarities:

5. Examine the “solar.jpg” file and analyze the file information. To examine
the “solar.jpg” file, select alt + “O”, then select the “___:” drive, select
“Lab3” and press “enter”. Select the “solar.jpg” file. Write the following
file information.

What is the size of the file?
What is the starting cluster number?
How many clusters does this file occupy?

Table 14

6. To examine the File Allocation Table (FAT) of the “solar.jpg” file, select
alt + “O” and select "1st FAT". Move the cursor (using the “Tab” key) to
the “starting” cluster number of the “solar.jpg” file. As soon as you
move the cursor to the “starting” cluster of the file, part of the FAT table
contents will turn “red” showing all of the clusters that are being used by
the “solar.jpg” file.

Write down all of the cluster numbers occupied by the “solar.jpg” file
beginning with the “starting” cluster number.

7. Using the “1st FAT” table view, explain whether the “solar.jpg” file
content is stored “contiguously” or “non-contiguously” on the disk?

8. Press alt + “O”, select “directory”, select the “___:” drive, highlight “Lab3”
and press “enter”. Highlight the “solar.jpg” file and press “enter”. The
Diskedit program displays the contents of the “solar.jpg” file in
hexadecimal and ASCII format beginning with the “starting” cluster number.

Press the “PgDn” key to view the rest of the “solar.jpg” file contents, its
related cluster numbers and location. Compare the cluster numbers for
the “solar.jpg” file displayed in the “1st FAT” table shown and recorded
in Part II, Procedure 6 above with the cluster numbers that you are now
viewing using the Diskedit program. Explain any differences or
similarities:

9. Examine the “Galileo.txt” file and analyze the file information. To examine
the “Galileo.txt” file, select alt + “O”, then select the “__:” drive, select
“Lab3” and press “enter”. Select the “Galileo.txt” file.
Write the following file information.

What is the size of the file?
What is the starting cluster number?
How many clusters does this file occupy?

Table 15

10. To examine the File Allocation Table (FAT) of the “Galileo.txt” file, select
alt + “O” and select "1st FAT". Move the cursor (using the “Tab” key) to
the “starting” cluster number of the “Galileo.txt” file. As soon as you
move the cursor to the “starting” cluster of the file, part of the FAT table
contents will turn “red” showing all of the clusters that are being used by
the “Galileo.txt” file.

Write down all of the cluster numbers occupied by the “Galileo.txt” file
beginning with the “starting” cluster number.

11. Using the “1st FAT” table view, explain whether the “Galileo.txt” file
content is stored “contiguously” or “non-contiguously” on the disk?

12. Press alt + “O”, select “directory”, select the “___:” drive, highlight “Lab3”
and press “enter”. Highlight the “Galileo.txt” file and press “enter”.
The Diskedit program displays the contents of the “Galileo.txt” file in
hexadecimal and ASCII format beginning with the “starting” cluster
number.



Press the “PgDn” key to view the rest of the “Galileo.txt” file contents, its
related cluster numbers and location. Compare the cluster numbers for
the “Galileo.txt” file displayed in the “1st FAT” table and recorded in
Part II, Procedure 10 above with the cluster numbers that you are now
viewing using the Diskedit program. Explain any differences or
similarities:

13. Use the “___:” drive to complete the following information.

Hint: Select alt + “O”, then select "sector" to get the “sector” information
for the floppy disk:

Sectors/Clusters       System area / Data area content
S0
S1-S9
S10-18
S19-32
S33/Cluster 2879

Table 16

14. Press alt + “O”, then select “x” for “exit”.

15. Remove the floppy disk and give it to your instructor.

16. Shut down the guest operating system (OS) and exit from VMWare Server
Console.

PART III Clean up

1. Power down the system.

2. Ensure your area is returned to normal conditions for the next class.

3. Return any materials to the instructor.

  Obtain your instructor’s signature: ____________________



Lab 3
Vocabulary Terms

Write a brief explanation of the following Terms:

1. File System

2. File Allocation Table (FAT)

FAT1-

FAT2-

3. Meta-data of a file

4. Sector(s)

5. Root Directory

6. Tracks

7. Cluster(s)

8. FAT 12 - File System

9. End of File (EOF) marker



Explain it to the Jury Questions

Explain the following computer forensics terms and concepts in simple everyday
language, using helpful analogies when necessary.

1. What is a cluster?

2. How does a cluster differ from a “sector”?

3. What are the differences between the FAT1 and FAT2?

4. What is a track and what significance does a “track” have with regard to sectors
on a disk?

5. What is “meta data” and what is its significance in a computer forensics
examination?

6. Explain what is meant by the term “file system” when referring to computer
forensics?
