Difference between revisions of "ExFAT Implementation Notes"

From SleuthKitWiki
Jump to: navigation, search
(Adding fsstat)
(Adding timestamp and mmls sections)
Line 10: Line 10:
  
 
Again, exFAT shares the same problems discussed in [[FAT_Implementation_Notes#Metadata_Addressing]], and the same solution is used. Note that normal exFAT files have at least three directory entry structures (more the longer the filename is), so the metadata addresses will increase by three or more for files in the same directory.
 
Again, exFAT shares the same problems discussed in [[FAT_Implementation_Notes#Metadata_Addressing]], and the same solution is used. Note that normal exFAT files have at least three directory entry structures (more the longer the filename is), so the metadata addresses will increase by three or more for files in the same directory.
 +
 +
= mmls and Partition Codes =
 +
 +
ExFAT shares the same partition code as NTFS<ref>http://www.win.tue.nl/~aeb/partitions/partition_types-1.html</ref>, so the string displayed by [[mmls]] for type 0x07 is now "NTFS / exFAT (0x07)".
  
 
= fsstat and FAT Chains =
 
= fsstat and FAT Chains =
  
 
Like FAT, exFAT does have FAT chains. However, they are only used to keep track of clusters for fragmented files. Printing a list of FAT Chains in fsstat could give the incorrect impression that those were the only allocated sectors, so it was decided that this part of the output should be hidden for exFAT.
 
Like FAT, exFAT does have FAT chains. However, they are only used to keep track of clusters for fragmented files. Printing a list of FAT Chains in fsstat could give the incorrect impression that those were the only allocated sectors, so it was decided that this part of the output should be hidden for exFAT.
 +
 +
= Time Information =
 +
 +
ExFAT stores the local time in its timestamp fields, so the notes in [[FAT_Implementation_Notes#Notes_on_Timezones]] also apply here. However, exFAT does add some additional issues.
 +
 +
== Timezones ==
 +
 +
See <ref>http://www.sans.org/reading-room/whitepapers/forensics/reverse-engineering-microsoft-exfat-file-system-33274</ref>
 +
 +
== Mac OS differences ==
 +
 +
Through analysis, it was found that exFAT images created on Mac OS store time information differently than the Windows versions.
 +
 +
<references/>

Revision as of 06:03, 2 January 2014

Note: Need to add links to this, and probably some exFAT stuff in general to the wiki when this page is done.

Introduction

Disk Unit Addressing

Like FAT, exFAT saves file content in clusters, which are groupings of consecutive sectors (512-bytes each). It has the same problems as FAT in using these clusters as the addressable units, so like FAT the solution is to use sectors as the addressable unit instead. See FAT_Implementation_Notes#Disk_Unit_Addressing for more information.

Metadata Addressing

Again, exFAT shares the same problems discussed in FAT_Implementation_Notes#Metadata_Addressing, and the same solution is used. Note that normal exFAT files have at least three directory entry structures (more the longer the filename is), so the metadata addresses will increase by three or more for files in the same directory.

mmls and Partition Codes

ExFAT shares the same partition code as NTFS<ref>http://www.win.tue.nl/~aeb/partitions/partition_types-1.html</ref>, so the string displayed by mmls for type 0x07 is now "NTFS / exFAT (0x07)".

fsstat and FAT Chains

Like FAT, exFAT does have FAT chains. However, they are only used to keep track of clusters for fragmented files. Printing a list of FAT Chains in fsstat could give the incorrect impression that those were the only allocated sectors, so it was decided that this part of the output should be hidden for exFAT.

Time Information

ExFAT stores the local time in its timestamp fields, so the notes in FAT_Implementation_Notes#Notes_on_Timezones also apply here. However, exFAT does add some additional issues.

Timezones

See <ref>http://www.sans.org/reading-room/whitepapers/forensics/reverse-engineering-microsoft-exfat-file-system-33274</ref>

Mac OS differences

Through analysis, it was found that exFAT images created on Mac OS store time information differently than the Windows versions.

<references/>