Reconstructing FAT File System Structures

Question 1

Photographic documentation must be used to…

Answer 1

Place material and to avoid claims of mistaken identity or mis-configuration

Question 2

Storage comes in arbitrary forms:

Answer 2

• Tiny USB mass storage devices
• Gaming consoles
• Smart watches
• Phones
• Digital photo frames
• Local surveillance camera storage
• Photo frames
• Backup media

Question 3

Forensic Duplication:

Answer 3

The ability to produce an identical byte stream from the duplicate as from the original

Question 4

A forensic duplicate as a file (or artefact) containing…

Answer 4

Every bit of information from the source, typically in a raw format

Question 5

A qualified duplicate provides…

Answer 5

The same information as a forensic duplicate, but contains further embedded meta-data or employs certain kinds of compression

Question 6

A restored image is a…

Answer 6

Forensic or qualified forensic duplicate restored to another storage medium

Question 7

A mirror image provides a…

Answer 7

Bit-wise copy from one medium to another

Question 8

Device must ensure that no write occurs on the original device but…

Answer 8

Recall that even during the read-only operation, the device may alter its internal state

Question 9

Imaging device must…

Answer 9

Perform sector-by-sector copying

Question 10

Error conditions must be…

Answer 10

Identified clearly, detailed logging

Question 11

Integrity of duplicated data must be…

Answer 11

Traceable, typically using cryptographic hash information

Question 12

Creating Forensic Duplicates - Addition information which should be recorded:

Answer 12

• Time and location of duplication session

* Diagnostic information from device

Question 13

Any mechanism providing imaging or write blocking must provide assurance of maintaining the objectives:

Answer 13

• Manufacturers may need to provide expert testimony when challenged
• Forensic laboratories may provide test results
• The NIST CFTT provides detailed test plans for imaging and write blocking devices
• Hardware-based systems are simple to implement and particularly to validate

Question 14

Volume systems may be used to…

Answer 14

Combine multiple sub-volumes into a single volume

Question 15

All components required for duplication must be…

Answer 15

Identified and recorded clearly

Question 16

In the case of files, disks and partitions may contain un-allocated as well as slack space, can be used by…

Answer 16

Arbitrary file systems and must be analysed separately

Question 17

Reconstruction of on-disk data depends on a number of factors including:

Answer 17

• Has the medium been used in some way after the incident
• Has any deletion occurred
• Is the use of wiping tools suspected
• Is the presence of anti-forensic or malware components suspected
• Is the file system complete
• Is knowledge of file content or file format available
• Is sought-after information replicated

Question 18

Establishing that a volume holds a FAT file system:

Answer 18

• Finding the 0x55AA boot sector signature or in the reserved area is quickest approach
• Even for file systems, the structure of FAT can often be hypothesised

Question 19

Identify the first cluster:

Answer 19

Easy only if the exact FAT type and cluster size is known

Question 20

Knowledge of the OS version which created or used the file system is important which means…

Answer 20

Cluster allocation strategy may vary

Question 21

Once a directory entry has been located, the base entry must be identified:

Answer 21

• For long file names, multiple entries may exist
• Recall that the allocation status is set by the first byte of the base entry
• The base directory entry will also hold the starting cluster of the file
• On creating a new directory, the OS will generally zero/wipe the cluster, the first two entries are for “.” and “..” entries

Question 22

The FAT structure will contain a chained list of entries for all data clusters and the last block will contain…

Answer 22

An End-of-File (EOF) marker

Question 23

Deleted/De-allocated files will result in…

Answer 23

Deletion of first byte of directory entry

Question 24

Deletion of first byte of directory entry can cause…

Answer 24

Ambiguity in file names

Question 25

Long file name entries can be used to…

Answer 25

Reconstruct original file name

Question 26

If a directory entry is zeroed out…

Answer 26

Files are now orphaned

Question 27

Recovery requires use of heuristics for file or directory structures:

Answer 27

• This may sometimes find files of earlier generations

* Time values in entries are not always reliable, but can provide circumstantial evidence

Question 28

Processes for reconstructing files are similar as for directories:

Answer 28

• Where cluster information is available, simply following the chain is straightforward
• Otherwise content-specific heuristics may be needed

Question 29

As data is allocated on a cluster basis, on average half of the last cluster will be un-used, but for re-sed clusters…

Answer 29

This means that data in this slack space may remain for some time until its overwritten