This was a presentation on the exFAT file system given back in September 2010 at the HTCIA conference in Atlanta Ga. This presentation is effectively superseded by a new presentation deck that was uploaded to slideshare on June 6, 2014.
61. File Directory Entry September 20th, 2010 Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 0000 85 04 D4 92 20 00 00 00 44 62 86 3B F1 62 BA 3A 0010 44 62 86 3B A8 00 EC EC EC 00 00 00 00 00 00 00 Type # Secondary Entries Set Checksum (0x92D4) Attributes (0x0020 = Archive) Create Modified TZ Offset CMA EC = GMT-5 Accessed Create 10ms Modified 10ms
62. Formatted File Directory Entry September 20th, 2010 Root Entry Type Read is: 85 Directory Entry Record Checksum: 92D4 Calculated Checksum is: 92D4 Size Directory Set (bytes): 160 Secondary Count 004 File Attributes: 0020 Archive Create Timestamp: 3B866244 12/06/2009 12:18:08 Last Modified Timestamp: 3ABA62F1 05/26/2009 12:23:34 Last Accessed Timestamp: 3B866244 12/06/2009 12:18:08 10 ms Offset Create A8 168 10 ms Offset Modified 00 0 Time Zone Create EC 236 Value of tz is: GMT -05:00 Time Zone Modified EC 236 Value of tz is: GMT -05:00 Time Zone Last Accessed EC 236 Value of tz is: GMT -05:00
63.
64. Stream Extension Directory Entry September 20th, 2010 Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 0000 C0 03 00 28 AD 3C 00 00 1F 46 1D 01 00 00 00 00 0010 00 00 00 00 05 00 00 00 1F 46 1D 01 00 00 00 00 Entry Flags (Alloc Possible/Fat Invalid) Length of File Name (0x28= 40) Name Hash (0x3CAD) Cluster (5) Data Length 0x011d461f = 18,695,711
65. Parameters for Samples September 20th, 2010 Bytes Per Sector: 2 to the 09 power is: 512 Sectors Per Cluster: 2 to the 08 power is: 256 Bytes per Cluster: 131072 (128K)
66. Formatted Stream Extension September 20th, 2010 Root Entry Type Read is: C0 Directory Entry Record, Stream Extension Secondary Flags: 03 Flag Bit 0: Allocation Possible Flag Bit 1: FAT Chain Invalid Length of UniCode Filename is: 40 Name Hash Value is: AD3C Stream Extension First Cluster 5 Cluster 5 is Allocated Stream Extension Data Length 18695711 Bytes Slack: 83487 Clusters Used: 143 Stream Extension Valid Data Length 18695711 Bytes Slack: 83487 Clusters Used: 143
exFAT is specifically designed for Removable media, but can be used for fixed media as well. NTFS is not recommended for removable media, especially because of the lazy write problem. Faster I/O through less file system overhead
You need to be able to locate the evidence, just in general You also need to know the hiding places where it can be hidden You need to validate what you found is correct, in order, and complete.
If the OS can’t recognize the file system, then it thinks the media is not formatted.
Little to nothing available in these areas Exception: Tuxera is the first independent software vendor to sign an exFAT development agreement with Microsoft. Linux and Open Source is used a lot Commercial tools are lacking Encase 6.14.3 in Dec 2009 started logical support, some issues reported FTK 3.2 – Maybe? Little documentation or publications on exFAT internals.
Microsoft published a patent that included the exFAT 1.00 specification. This presentation and the paper attempt to stick to the terminology used in the patent/specification as close as possible. Links to the patent and my paper will be on a later slide, and references to the paper will also be on my blog.
In some cases you might see ZB or ZIB, technically they are really different, but are close.
You never really see another sector size other than 512 bytes, but everyone just assumes that it is only 512 The 4096 size is special to support a device that is used for paging and supports 4K pages. But with the standard format, you can’t adjust sector size Clusters (or blocks) are 32K max in FAT32 Potential capacity, but the FAT can’t support 64Zib in its current configuration The volume label and file names are all 16 bit unicode Filenames to a maximum of 255 characters
Microsoft in the KB for Windows XP support indicated a capacity to 64ZiB and a file size maximum to 64ZiB. In reality, the file system can only support up to 128PiB, and the file size up to 16EiB. The volume size is limited by a 32-bit FAT and a 25-bit cluster size giving a 57-bit addressable volume size The file size is limited by the 8-byte (64-bit) number that holds the filesize.
With TexFAT there will be 2 FATS and 2 BITMAPS, with exFAT 1.0 – which does not have TexFAT (Transactional FAT) support, there is ony 1 FAT and 1 BITMAP, where previous FAT versions had 2 FATs.
Any FS is limited, even FAT32 and NTFS. This is Windows only, we are not talking GUID Partition Table (GPT) Although a MBR uses a 4 byte sector count, remember that the FS can be larger is you make the sectors larger (512 vs. 4096) and this causes a lot of confusion on how big a FS fits.
Windows would not format FAT32 beyond 32GB, it required using a FAT32 format on a different OS Some Windows utilities did not work properly with volume spaces GT 32GB, but you can mount a device that was GT 32GB Limitations of FAT32 File System: http://support.microsoft.com/kb/184006 SDXC predecessor (SDHC) had a max spec of 32GB. SDXC picks up from 32GB. SD 4.0 Specification – 300MB/s I/O speeds http://www.flashmemorysummit.com/English/Collaterals/Proceedings/2009/20090813_S204_Lin_Yee.pdf Starting at 104 mega bytes per second, and later to 300 mega bytes per second http://www.letsgodigital.org/en/20985/sdxc-cards/
The SDXC media will not be backward compatible Cameras and other devices have been announced, but I haven’t actually seen any devices yet, so it sounds like media is being announced and shipped with nothing that can read them.
New Devices may accept SDHC, but older devices will not.
With Sony adopting the XC memory stick to exFAT, plus the SD market, is almost 90% of the market today.
There are discussions of creation of exFAT on a Vista or Windows 7 machine that can’t be seen on Vista. This is usually a case of creating the media on a machine with exFAT support and then trying to read the media on a different machine without exFAT support. The common mistake is creation of the file system on removable media with a Vista SP1 (or higher machine) and trying to read it on a machine with Vista RTM.
exFAT uses 16 bit Unicode strings
It is important to note that Pentium processers use the little-endian format, so numbers stored in the file system are stored in little-endian. This can be significant because you need to change the order of the bytes in order to read the values from a hex dump.
Currently use exFAT 1.00, but if a later version of exFAT is in use, it will check the version # and not mount the FS unless it can suppoort it Checksums protect against corruption and viruses If there is a problem with critical directory entries, the FS should not mount.
FAT32 required a minimum of 65,525 clusters. exFAT does not have this restriction.
4 Regions defined on the volume The FAT tables reside outside the cluster heap
Details follow in the next slides
If there was no restriction, then the size of a cluster could be 4 255
If the sector size is > 512 bytes, all space on the first sector of the VBR )Main Boot Sector) is not used.
Unlike the first sector, the other 8 bot sectors can use the entire sector and the signature marker is moved to the last 8 bytes of the sector
Repeats over and over again, 4 bytes = 32 bit checksum Can be used to determine if the VBR was modified 3 bytes in the VBR are not calculated in the checksum This sector does not have a signture
The BITMAP is used to track cluster allocation, and the FAT is only required for re-assembling the original file. If the original file is contiguous, then the FAT isn’t needed for THAT file. We will see later that a flag in the directory record is used to tell the FS whether the FAT should be used or ignored.
Because there is no floppy support, there is only one possible media descriptor value Cluster 0 and 1 are not defined, so 0 & 1 are not significant(Same as legacy FAT) Since the FAT is no longer used for cluster allocation, 0 (zero) is no longer significant (used to be unused)
The 3 main critical records: Allocation Bitmap, UP-Case Table, and Root Directory will use FAT chains. The Root Directory can grow and since it is dynamic in its growth, most likely will fragment. The UP-CASE Table and Allocation bitmap should be static and not grow or change, although theoretically they could probably be relocated and moved somewhere else on the volume. The locations (cluster addresses) of the 3 special metadata files may change, this is based on one formatting and in reality these files could eventually end up in any cluster.
If there are 2 FATs in a TexFAT Transactional Safe exFAT environment, then each FAT is paired with a allocation bitmap The allocation BITMAP is pointed to by a 0x81 entry.
This is an eye chart, but the idea is to show how to get to the bitmap. You start at the VBR (BPB), go to the root directory, look up the 0x81 entry to get the cluster address, and then go into the BITMAP table.
We will see details of the directory entry construction later, including what we mean by an entry type.
The first byte of every directory entry is the “entry type” and describes the directory entry.
When a file set is not in use, it is usually (but not always) a deleted file When a volume label is not in use, it means no volume label Only files have secondary entries so far Missing Benign entries usually won’t prevent the file system from being mounted. 0x80 is not defined.
Primary and Critical
Since we use 16 bit unicode without string termination, we need the length of the volume label – in unicode characters.
Primary and Critical. If the FS can’t find the BITMAP table, it can’t mount the FS
This was a small volume. 63 bytes can support maximum of 63x8 = 504 clusters.
Filenames are stored case insensitive, so when a search is done, the filenames are converted to upper case (folded). The UP-CASE table is used to convert the filename to all uppercase.
The UP-Case table is less than 6K – imagine if it was in a 32K cluster, now imagine if it was in a 32MB cluster, the amount of available slack space.
File Entry Set would have a File, Stream Extensions, and up to 17 File Name Extension for a total of 19. Later, when a new exFAT version comes out, the ACL will be another secondary entry bringing this up to 20. As more file secondary entries are added, let’s say one for encryption, this increases to a max of 255 secondaries.
Attributes and Timestamps in later slides Checksum is across the Primary and all secondaries in the set.
Modified, Access, and Create. Timestamps are NOT stored in this order, but MAC is a common acronym in the literature. Timestamps are not one single field like NTFS which uses a 64 bit value. exFAT combines pieces to make a UTC value. TZ offset is absent in Vista SP1, and does not appear in the exFAT 1.00 spec.
The standard DOS Date/Time, also used in the previous FAT versions, does not count to the second, but double seconds. To get seconds, a 33 bit number would have been needed.
FAT and exFAT timestamp behavior varies, but is just not reliable as far as last accessed.
These are pretty much the same as previous FAT versions. Since we have a separate volume label entry, there is no attribute for it, and since we don’t have 8.3 support, there is no LFN (Long File Name) attribute either.
The update behavior on the 10ms Modified is also not predictable, sometimes it is just set to zero. Note that the create time is really 3B866244 (reversed because of little-endian)
In order to validate the analysis in reverse engineering the FS, I had to write a C program to format the directory entries. This is an example of the output. All the timestamps are even because of the double seconds. But since the create is 168, this means that the create time was really 12:18:09.68 Secondary count is 4, meaning that this file set is 5 entries, 1 File, 1 Stream, and 3 filename.
There is 2 file lengths, one is supposed to be te file length and the other the amount of data actually written into the file so far. Length of name is needed because there is no string termination, but the file name (max 255) may require multiple directory entries (we will see later). This is where the FS indicates whether the FAT is used, if the FAT Invalid flag is set, then the FAT is ignored.
Since these values can vary based on the format parameters, for reference this is what the samples in this presentation is using.
Another output from the C program. Allocation possible indicates that the directory entry specifies a cluster address field FAT invalid indicates that this file does not use the FAT This file is 18MB and required 143 clusters to store the file. As we said before, there are 3 filename entries (each holds 15 characters of the filename), and as we see above, the filename is 40 characters in length.
Allocation not possible indicates that there is no cluster address in the entry. FAT Invalid has no meaning
Filename is 40 characters (80 bytes) and takes 3 entries to store it.
When the entries are not in use, some may be overwritten, and some ma not. This means that a complete set may not exist.
I need followers
My paper on exFAT and the Microsoft Patent that exposes the specification
![HTCIA International Conference September 20-22, 2010 Atlanta, GA ,[object Object],September 20th, 2010 Robert Shullich CPP, CISSP, CISM, CISA, CGEIT, CRISC, GSEC, GCFA](https://image.slidesharecdn.com/htcia-demystifyingthemicrosoftextendedfilesystemexfatv1-00-100924191858-phpapp01/85/Demystifying-the-Microsoft-Extended-FAT-File-System-exFAT-1-320.jpg)
![Agenda ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],September 20th, 2010](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)