In my class we are discussing the FAT file system's boot sector and the BIOS Parameter Block (BPB). For our introduction to it we had to manually process the BPB (and the MBR) and determine a few things, such as the number of bytes per sector, how many sectors per cluster, and whether the file system is FAT12, FAT16, or FAT32.
While this is not a difficult thing to do with forensic tools, there may be instances where portions of the FAT or its boot sector are corrupted and a manual decode becomes necessary. For our purposes, we were given the data structure, which listed the byte position, length, and meaning of each field. In practice, however, counting each byte group and keeping track of your position is quite bothersome. To alleviate this problem I turned each position in bytes into its hex offset (0x0D, for example). I did this because the hex editor we are using is GHex for Linux, and it displays the offset of the byte(s) you have selected, so the offset column can be matched directly against the editor. I wanted to share this with you, and hope it helps.
The following table was taken from "File System Forensic Analysis" by Brian Carrier (Addison-Wesley), chapter 10. My contribution is the hex offset column; the rest belongs to the author. Multi-byte fields are stored little-endian, so read them lowest byte first.
Byte Range | Hex Offset | Description | Essential (Y/N) |
---|---|---|---|
0 – 2 | 0x00 – 0x02 | Assembly instruction to jump to boot code. | No (unless it is a bootable file system) |
3 – 10 | 0x03 – 0x0A | OEM Name in ASCII. | No |
11 – 12 | 0x0B – 0x0C | Bytes per sector. Allowed values include 512, 1024, 2048, and 4096. | Yes |
13 | 0x0D | Sectors per cluster (data unit). Allowed values are powers of 2, but the cluster size must be 32 KB or smaller. | Yes |
14 – 15 | 0x0E – 0x0F | Size in sectors of the reserved area. | Yes |
16 | 0x10 | Number of FATs. Typically two for redundancy, but according to Microsoft it can be one for some small storage devices. | Yes |
17 – 18 | 0x11 – 0x12 | Maximum number of files in the root directory for FAT12 and FAT16. This is 0 for FAT32 and typically 512 for FAT16. | Yes |
19 – 20 | 0x13 – 0x14 | 16-bit value of number of sectors in file system. If the number of sectors is larger than can be represented in this 2-byte value, a 4-byte value exists later in the data structure and this should be 0. | Yes |
21 | 0x15 | Media type. According to the Microsoft documentation, 0xf8 should be used for fixed disks and 0xf0 for removable. | No |
22 – 23 | 0x16 – 0x17 | 16-bit size in sectors of each FAT for FAT12 and FAT16. For FAT32, this field is 0. | Yes |
24 – 25 | 0x18 – 0x19 | Sectors per track of storage device. | No |
26 – 27 | 0x1A – 0x1B | Number of heads in storage device. | No |
28 – 31 | 0x1C – 0x1F | Number of sectors before the start of partition.[1] | No |
32 – 35 | 0x20 – 0x23 | 32-bit value of number of sectors in file system. Either this value or the 16-bit value above must be 0. | Yes |
Book author’s note:
[1] My testing has shown that for file systems in an extended partition, Windows sets this value based on the beginning of the extended partition, not the beginning of the disk.
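As an added example (not from the book or from this post), here is a Python decoder that slices the BPB out of a boot sector using the hex offsets in the table, checks the essential fields against the allowed values listed there, computes where the FAT, root directory and data area begin, and decides FAT12/FAT16/FAT32 from the cluster count, which is how the Microsoft FAT specification defines the type (a 0 in the 16-bit root entry and FAT size fields is only a hint). It goes slightly beyond the table: the 32-bit FAT size at offset 0x24 and the 0x55AA signature at 0x1FE come from the FAT32 extension of the BPB, and the two boot sectors it parses are constructed inside the script rather than taken from a real image.

```python
"""Decode a FAT boot sector / BPB by hex offset.

Added example with constructed sample data; not the book's or the post
author's code. Offsets 0x00-0x23 follow the table above; 0x24 (32-bit FAT
size) and the 0x55AA signature at 0x1FE are from the FAT32 BPB extension.
"""

# name -> (hex offset, length in bytes); multi-byte fields are little-endian
BPB_FIELDS = {
    "jump":                (0x00, 3),
    "oem_name":            (0x03, 8),
    "bytes_per_sector":    (0x0B, 2),
    "sectors_per_cluster": (0x0D, 1),
    "reserved_sectors":    (0x0E, 2),
    "num_fats":            (0x10, 1),
    "root_entries":        (0x11, 2),
    "total_sectors_16":    (0x13, 2),
    "media_type":          (0x15, 1),
    "fat_size_16":         (0x16, 2),
    "sectors_per_track":   (0x18, 2),
    "num_heads":           (0x1A, 2),
    "hidden_sectors":      (0x1C, 4),
    "total_sectors_32":    (0x20, 4),
    "fat_size_32":         (0x24, 4),   # FAT32 only; not in the page's table
}

VALID_SECTOR_SIZES = {512, 1024, 2048, 4096}


def parse_bpb(sector: bytes) -> dict:
    """Slice each field out of the boot sector using the offsets above."""
    if len(sector) < 0x28:
        raise ValueError("boot sector too short to hold the BPB")
    fields = {}
    for name, (off, length) in BPB_FIELDS.items():
        raw = sector[off:off + length]
        if name == "jump":
            fields[name] = raw.hex()
        elif name == "oem_name":
            fields[name] = raw.decode("ascii", "replace").rstrip()
        else:
            fields[name] = int.from_bytes(raw, "little")
    return fields


def sanity_check(f: dict) -> list:
    """Return a list of problems with the essential fields (empty = plausible)."""
    problems = []
    bps, spc = f["bytes_per_sector"], f["sectors_per_cluster"]
    if bps not in VALID_SECTOR_SIZES:
        problems.append(f"bytes per sector {bps} not in {sorted(VALID_SECTOR_SIZES)}")
    if spc == 0 or spc & (spc - 1):
        problems.append(f"sectors per cluster {spc} is not a power of 2")
    elif bps * spc > 32 * 1024:
        problems.append(f"cluster size {bps * spc} bytes exceeds 32 KiB")
    if f["reserved_sectors"] == 0:
        problems.append("reserved area must hold at least the boot sector")
    if f["num_fats"] == 0:
        problems.append("number of FATs is 0")
    if (f["total_sectors_16"] == 0) == (f["total_sectors_32"] == 0):
        problems.append("exactly one of the 16-bit and 32-bit sector counts must be non-zero")
    return problems


def layout(f: dict) -> dict:
    """Sector numbers where the FAT(s), root directory and data area start,
    plus the number of clusters in the data area."""
    bps = f["bytes_per_sector"]
    total = f["total_sectors_16"] or f["total_sectors_32"]
    fat_size = f["fat_size_16"] or f["fat_size_32"]
    root_dir_sectors = (f["root_entries"] * 32 + bps - 1) // bps   # 32-byte entries
    fat_start = f["reserved_sectors"]
    root_start = fat_start + f["num_fats"] * fat_size
    data_start = root_start + root_dir_sectors   # FAT32: root dir is inside the data area
    clusters = (total - data_start) // f["sectors_per_cluster"]
    return {"fat_start": fat_start, "root_dir_start": root_start,
            "data_start": data_start, "cluster_count": clusters}


def fat_type(f: dict) -> str:
    """Microsoft's rule: the type follows from the cluster count."""
    clusters = layout(f)["cluster_count"]
    if clusters < 4085:
        return "FAT12"
    if clusters < 65525:
        return "FAT16"
    return "FAT32"


def build_boot_sector(**values) -> bytes:
    """Assemble a constructed 512-byte boot sector for exercising the decoder."""
    sector = bytearray(512)
    sector[0x00:0x03] = b"\xEB\x3C\x90"       # jump over the BPB to boot code
    sector[0x03:0x0B] = b"MSDOS5.0"           # OEM name
    sector[0x1FE:0x200] = b"\x55\xAA"         # boot sector signature
    for name, value in values.items():
        off, length = BPB_FIELDS[name]
        sector[off:off + length] = value.to_bytes(length, "little")
    return bytes(sector)


# Constructed samples: a 16 MiB FAT16 volume and a 1 GiB FAT32 volume.
FAT16_SAMPLE = build_boot_sector(bytes_per_sector=512, sectors_per_cluster=2,
    reserved_sectors=1, num_fats=2, root_entries=512, total_sectors_16=32768,
    media_type=0xF8, fat_size_16=64, sectors_per_track=63, num_heads=255)
FAT32_SAMPLE = build_boot_sector(bytes_per_sector=512, sectors_per_cluster=8,
    reserved_sectors=32, num_fats=2, media_type=0xF8, total_sectors_32=2097152,
    fat_size_32=2048, sectors_per_track=63, num_heads=255, hidden_sectors=2048)

if __name__ == "__main__":
    for sample in (FAT16_SAMPLE, FAT32_SAMPLE):
        f = parse_bpb(sample)
        print(fat_type(f), layout(f), sanity_check(f) or "BPB looks sane")
```

To use it on a real image, read the first 512 bytes of the partition (the boot sector at the start of the volume, not of the disk) and pass them to `parse_bpb`; the hex offsets in `BPB_FIELDS` are the same numbers GHex shows when you click on a byte. If `sanity_check` reports problems, the BPB is the corrupted part and the values will have to be recovered from the backup boot sector (FAT32) or estimated from the FAT and directory data instead.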