1 / 64

The Computer Forensics Show Conference April 19-20, 2010 New York, NY

This conference will explore the features, advantages, and limits of the Microsoft exFAT file system, as well as its relevance and challenges in digital forensics. Learn about future features, advantages, and support for exFAT.

awendt
Download Presentation

The Computer Forensics Show Conference April 19-20, 2010 New York, NY

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Computer Forensics ShowConferenceApril 19-20, 2010New York, NY Demystifying the Microsoft Extended File System (exFAT) Robert Shullich CPP, CISSP, CISM, CISA, CGEIT, GSEC, GCFA The Computer Forensics Show This information is provided for your review only and is not for any distribution. Any reproduction, modification, distribution, transmission, display or republication of the content is strictly prohibited

  2. Agenda • Why a new file system • Forensics Relevance • Features • Advantages • Timelines • Support • Limits • Internals The Computer Forensics Show

  3. Why do we need a new file system? • Current Limits Exhausted • Larger volumes (>2TB) • Larger files sizes (>4GB) • Faster I/O (300MB/s) • Removable Media • Flexibility • Extensibility • NTFS Features without the overhead The Computer Forensics Show

  4. Relevance to Forensics Study • Digital Evidence Extraction • Finding the evidence • Including the hiding places • Validation • Daubert Expert Testimony • Need to know and understand file org • New Media (SD Cards) will drive exFAT adoption, and the potential for CP investigations. The Computer Forensics Show

  5. What happens when you have exFAT formatted media and no exFAT support? The Computer Forensics Show

  6. Forensics Challenges • Linux OS Support • Open Source Tools • Commercial Tools • Encase • FTK • Documentation The Computer Forensics Show

  7. Disclaimer • The released specification and implementation is Release 1.00 of exFAT • The specification mentions additional features that were not implemented yet, but may at a future time/ Some of these are Windows CE holdovers • Both may be presented today • Some directory entries will be skipped The Computer Forensics Show

  8. International System of Units (SI) Table • File System in powers of 2 • Device characteristics in power of 10 The Computer Forensics Show

  9. Features of exFAT 1.00 • Sector sizes from 512 to 4096 bytes • Clusters sizes to 32MiB • Subdirectories to 256MiB • Built for speed, less overhead than NTFS but has some of the NTFS features • UTC Timestamp Support • OEM Parameters Sector for device dependent parameters • 12 sector VBR, support of larger boot program • Potential capacity to 64ZiB • Up to 2,796,202 files per subdirectory The Computer Forensics Show

  10. Future Features of exFAT • TexFAT (To be released later) • Exists in Windows CE • Transaction Safe exFAT • ACL (To be released later) • Exists in Windows CE • Encryption Support? • Not announced, but mentioned how easy to add The Computer Forensics Show

  11. MBR Partition Limitations • Microsoft File Systems are limited when stored in a MBR partition • A partition is defined by a Master Boot Record • A MBR uses a 4 byte value for number of sectors • To get the maximum volume size, exFAT cannot be created within a partition The Computer Forensics Show

  12. Advantages of exFAT • Handle growing capacities in media, increasing capacity to >32 GB. • > 1000 files in a single directory. • Speeds up storage allocation processes. • Breaks file size 4 GB barrier. • Supports interoperability with future desktop OSs. • Provides an extensible format. The Computer Forensics Show

  13. Key Dates for exFAT • September 2006 – Windows CE 6.0 • March 2008 – Windows Vista Service Pack 1 • January 2009 – Announcement at CES of SDXC specification • January 2009 – Windows XP Drivers Available • May 2009 – Windows Vista Service Pack 2 • August 2009 – Tuxera Signs File System IP Agreement with Microsoft • March 2009 – Pretec Releases first SDXC Cards • December 2009 – Microsoft (re)announces exFAT license program for third-parties • December 2009 – SDXC laptops due soon • December 2009 – Diskinternals releases exFAT recovery utility • December 2009 – Encase support The Computer Forensics Show

  14. More Key Dates for exFAT • December 2009 Sony, Canon & Sanyo License • January 2010 Funai License (LCD TV) • February 2010 Panasonic License • February 2010 Panasonic 64/48GB SDXC • February 2010 Sony Memory Stick XC • February 2010 Sandisk Ultra XC 64GB Card 3.0 Spec $350 The Computer Forensics Show

  15. SD Card Association • New Memory Card • Consumer Appliances • Follows SDHC • Specification for 2TB Capacity The Computer Forensics Show

  16. SDXC Storage Capabilities • From 32GB to 2TB on a card • Exclusively exFAT File System • 300 MB/s I/O Transfer • Storage • 4,000 RAW images • 100 HD movies • or 60 hours of HD recording • 17,000 fine-grade photos • in a single directory The Computer Forensics Show

  17. Support for exFAT • Windows XP & Server 2003 • KB955704 • Vista & Server 2008 SP1 • Vista & Server 2008 SP2 • (Adds UTC timestamp support) • Windows 7 The Computer Forensics Show

  18. Reference Standards • Bits are numbered right to left • 76543210 • Decimal Offsets • Little-Endian numbers • Unsigned numbers • Sectors vs. Clusters • Strings not Terminated The Computer Forensics Show

  19. File System Integrity • Version Verified • 3 Checksums • VBR • UP-Case Table • File Set • Critical Directory Entries • Other Checks and Balances • File System should NOT mount if failures The Computer Forensics Show

  20. exFAT Limits • Volume size 128PiB • MS said 64ZiB • MS now says 256TiB • File Size 16 EiB (64 bit number) • Bigger than volume size • Subdirectory 256MiB • Sector 512-4096 bytes (29-212) • Cluster 32MiB (225) • No floppy support • No FAT32 minimum cluster restriction • No 8.3 file name support The Computer Forensics Show

  21. Data Hide Alert! • FAT32 max cluster 32KiB • exFAT max cluster 32MiB • Potential for massive slack space The Computer Forensics Show

  22. Volume Space Layout • The Main Boot Region • Contains main VBR • The Backup Boot Region • Contains backup VBR • The FAT Region • Contains FAT Table(s) • The Data Region (Cluster Heap) • This is where data resides The Computer Forensics Show

  23. VBR – Volume Boot Record • Contains 12 sectors • 1 sector main boot sector • Jump Code (3 bytes) • BPB (BIOS Parameter Block) • Boot Strap Code • 8 sectors main extended boot sectors • 1 sector OEM parms • 1 sector reserved • 1 sector VBR Checksum The Computer Forensics Show

  24. Boot Parameter Block (BPB) • OEM Label “EXFAT ” • Volume Length (64-bit) [sector] • FAT Location & Size [sector] • Heap Location & Size [sector, cluster] • Volume Serial Number • Location of Root Directory [cluster] • Volume Flags • Sector and Cluster Sizes [2-shift] • Percent in use • File System Revision (0x0010=1.00) The Computer Forensics Show

  25. Sectors & Clusters • A 2-Shift is a power of 2 • Sector size and sectors per cluster • Each stored in 1 byte • Theoretical maximum is 2255 • Sector Size Maximum 212 • Sectors per cluster is derived • Cluster Size Maximum is 225 The Computer Forensics Show

  26. Executable Boot Code • First 3 bytes of Main Boot Sector • Jump Code • 0xEB7690 • Offset 120 size 390 • Remainder of boot code • Offset 510 • End signature marker • 0xAA55 = “55AA” • Offset 512 • Unused if defined The Computer Forensics Show

  27. More Bootable Code • Up to 8 Main Extended Boot Sectors • FAT32 had 3 sector VBR with 1 MEBS • Entire sector can be used for boot code • Last 8 bytes of sector is marker • 0xAA550000 = “000055AA” • Larger capacity for boot virus! The Computer Forensics Show

  28. VBR Checksum Sector • The 12th sector of the VBR • Repeating 4 byte checksum • Checksum of previous 11 sectors • Flags and Percent excluded • These are volatile and change often • Boot Sector Virus & Checksum The Computer Forensics Show

  29. VBR Checksum Sector • Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F • 00000000 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹ • 00000010 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹ • 00000020 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹ • 00000030 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹ • 00000040 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹ • Lines 00000050 through 01BF repeated • 000001C0 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹ • 000001D0 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹ • 000001E0 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹ • 000001F0 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹ The Computer Forensics Show

  30. FAT – File Allocation Table • When it is used, same as legacy FAT • Not used when file contiguous • Never used for cluster allocation • FAT 32 has 32 bit cells, uses 28 bits • exFAT has 32 bit cells, uses 32 bits • There is no 64 bit FAT • Maximum clusters is 232-11 • With TexFAT – 2 FAT Tables (2 Bitmaps) • Addressed by pointer in VBR • Size stored in VBR The Computer Forensics Show

  31. Cell Values in FAT Table • 0x00000000 – No significant meaning • 0x00000001 – Not a valid cell value • 0xFFFFFFF6 – Largest Value • 0xFFFFFFF7 – Bad Block • 0xFFFFFFF8 – Media Descriptor • Fixed Disk • 0xFFFFFFF9-0xFFFFFFFE – Not Defined • 0xFFFFFFFF – End of File (EOF) The Computer Forensics Show

  32. FAT Table Example UP-Case Table Allocation Bit Map Media Reserved Root Directory Offset 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0000 F8 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 0010 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 The Computer Forensics Show

  33. Allocation Bitmap • Keeps track of cluster allocation status • Zero – Free Cluster • One – Allocated Cluster • 1 Byte = Tracking of 8 Clusters • Bit Zero – Byte Zero = Cluster 2 • Cluster 0 & Cluster 1 are not defined • Addressed by Directory Entry • With TexFAT – 2 of these (FAT Pairing) The Computer Forensics Show

  34. Data Hide Alert! • The Allocation Bitmap and the UP-Case Table are stored as files, and provide hiding space in the metadata • These files are static, typically won’t move, and have slack space. • Nothing prevents someone from moving these files elsewhere in the cluster heap, and actually making them larger The Computer Forensics Show

  35. The Computer Forensics Show

  36. Directories in exFAT • Root (VBR Pointer) • Contains certain critical entries • Almost unlimited in size • Subdirectory (by File Entry) • Contains file sets • 256MiB Max size • No physical “.” or “..” entries • Uses 16 Bit Unicode for strings • Every Entry 32 bytes in size • Entry 0x00 is end of directory • Has capabilities for user entries The Computer Forensics Show

  37. Data Hide Alert! • Manipulation of the Allocation Bitmap, and creation of user directory entries provides the capability of hiding a file system within the file system • It may also be possible to hide data within the directory metadata itself The Computer Forensics Show

  38. Entry Type The Computer Forensics Show

  39. Entry Type • In Use: 0 – Not in Use, 1- In Use • Category: 0 – Primary, 1 – Secondary • Importance: 0 – Critical, 1 – Benign • Code: Identifies the entry The Computer Forensics Show

  40. Volume Label Directory Entry • 0x83 or 0x03 Entry • Primary Entry • Only resident in Root Directory • Contains the Volume Label • 16 bit Unicode • 0x03 means no volume label The Computer Forensics Show

  41. Volume Label Directory Entry Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 00000000 83 0A 65 00 78 00 46 00 41 00 54 00 2D 00 31 00 ƒ.e.x.F.A.T.-.1. 00000010 32 00 38 00 4B 00 00 00 00 00 00 00 00 00 00 00 2.8.K........... Type Volume Name Length (10) Volume Label (exFAT-128K) The Computer Forensics Show

  42. Allocation Bitmap Directory Entry • 0x81 Entry • Primary Entry • Only resident in Root Directory • Points to the Allocation Bitmap • If TexFAT, then 2 of these • Flag bits says which FAT/Bitmap • Cluster Address of Bitmap • Size of Bitmap The Computer Forensics Show

  43. Allocation Bitmap Directory Entry Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 0000 81 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0010 00 00 00 00 02 00 00 00 3F 00 00 00 00 00 00 00 Type Size (63 bytes) Cluster Address (Cluster 2) The Computer Forensics Show

  44. UP-Case Table Directory Entry • 0x82 Entry • Primary Entry • Only resident in Root Directory • File names are case insensitive • Used to fold file name • Table has a checksum (32 bits) The Computer Forensics Show

  45. UP-Case Table Directory Entry Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 0000 82 00 00 00 0D D3 19 E6 00 00 00 00 00 00 00 00 0010 00 00 00 00 03 00 00 00 CC 16 00 00 00 00 00 00 Type Cluster Address (3) Length (0x16CC = 5,836) Table Checksum The Computer Forensics Show

  46. File Directory Entry Set • Used to define a file • May have 3 to 19 entries, or more • 1 Primary, many Secondary • Is considered an array • Must be in order • Must be contiguous (no gaps) • Entire Set has Checksum The Computer Forensics Show

  47. File Directory Entry • 0x85 or 0x05 Entry • Primary Entry • Set Checksum (16 bits) • Not modified on file delete • Secondary Count • # Secondary entries that follow • File Attributes • Timestamps The Computer Forensics Show

  48. Timestamps & Time Zones • 3 Timestamps (MAC) • 32 bit DOS Date/Time • Local Machine Time • 10ms Offset (MC) • TZ Offset (MAC) • 15 minute increments • 7 bit signed number • ±16 hours • Present with UTC support The Computer Forensics Show

  49. Timestamp Accuracy • FAT32 – Last Access – Date only • exFAT – Last Access – Date/Time • All DOS DATE/TIME Double Seconds • 10ms adds 0-1990 ms to time • 10ms only for Create/Modify The Computer Forensics Show

  50. Timestamp Reliability • Timestamps appear to be updated when the file is created or modified. • Last Accessed Timestamp appear to be updated when file is created or modified. • Last Accessed Timestamp appear NOT modified on file read. • Forensics Implication on MAC time analysis The Computer Forensics Show

More Related