
Demystifying the Microsoft Extended File System (exFAT)

Learn about the features, advantages, and limitations of the Microsoft Extended File System (exFAT) and its relevance in digital investigations. Discover the tools and support available for exFAT formatted media and understand the challenges in forensic analysis. Explore future features and the potential of exFAT in CP investigations.


Presentation Transcript


  1. Techno Security and Digital Investigations Conference, June 6-9, 2010, Myrtle Beach, SC. Demystifying the Microsoft Extended File System (exFAT). Robert Shullich CPP, CISSP, CISM, CISA, CGEIT, GSEC, GCFA

  2. Agenda • Why a new file system • Forensics Relevance • Features • Advantages • Timelines • Support • Limits • Internals

  3. Why do we need a new file system? • Current Limits Exhausted • Larger volumes (>2TB) • Larger file sizes (>4GB) • Faster I/O • (UHS-I: 104 MB/s, UHS-II: 300 MB/s) • Removable Media • Flexibility • Extensibility • NTFS Features without the overhead

  4. Relevance to Forensics Study • Digital Evidence Extraction • Finding the evidence • Including the hiding places • Validation • Daubert Expert Testimony • Need to know and understand file org • New Media (SD Cards) will drive exFAT adoption, and the potential for CP investigations.

  5. What happens when you have exFAT formatted media and no exFAT support?

  6. Forensics Challenges • Linux OS Support • Tuxera drivers may help • Mac OS Support • Open Source Tools • Commercial Tools • EnCase • FTK • Documentation

  7. Disclaimer • The released specification and implementation is Release 1.00 of exFAT • The specification mentions additional features that were not implemented yet, but may be at a future time. Some of these are Windows CE holdovers • Both may be presented today • Some directory entries will be skipped

  8. International System of Units (SI) Table • File System in powers of 2 • Device characteristics in power of 10

  9. Features of exFAT 1.00 • Sector sizes from 512 to 4096 bytes • Clusters sizes to 32MiB • Subdirectories to 256MiB • Built for speed, less overhead than NTFS but has some of the NTFS features • UTC Timestamp Support • Vista/Server 2008 SP2+, XP with KB

  10. Features of exFAT 1.00 (cont’d) • OEM Parameters Sector for device dependent parameters • 12 sector VBR, support of larger boot program • Potential capacity to 64ZiB • Current support ≈ 128 PiB • Up to 2,796,202 files per subdirectory • File Names max to 255 Characters • Unicode File Names and Volume Labels

  11. Future Features of exFAT • TexFAT (To be released later) • Exists in Windows CE • Transaction Safe exFAT • ACL (To be released later) • Exists in Windows CE • Encryption Support? • Not announced, but mentioned how easy to add

  12. MBR Partition Limitations • Microsoft File Systems are limited when stored in a MBR partition • A partition is defined by a Master Boot Record • A MBR uses a 4 byte value for number of sectors • With 512 byte sectors that caps a partition at 2^32 × 512 bytes = 2 TiB • To get the maximum volume size, exFAT cannot be created within a MBR partition

  13. Advantages of exFAT • Handle growing capacities in media, increasing capacity to >32 GB. • > 1000 files in a single directory. • Speeds up storage allocation processes. • Breaks file size 4 GB barrier. • Supports interoperability with future desktop OSs. • Provides an extensible format.

  14. Key Dates for exFAT • September 2006 – Windows CE 6.0 • March 2008 – Windows Vista Service Pack 1 • January 2009 – Announcement at CES of SDXC specification • January 2009 – Windows XP Drivers Available • March 2009 – Pretec Releases first SDXC Cards • May 2009 – Windows Vista Service Pack 2 • August 2009 – Tuxera Signs File System IP Agreement with Microsoft • December 2009 – Microsoft (re)announces exFAT license program for third-parties • December 2009 – SDXC laptops due soon • December 2009 – Diskinternals releases exFAT recovery utility • December 2009 – EnCase support

  15. More Key Dates for exFAT • December 2009 Sony, Canon & Sanyo License • January 2010 Funai License (LCD TV) • February 2010 Panasonic License • February 2010 Panasonic 64/48GB SDXC • February 2010 Sony Memory Stick XC • February 2010 Sandisk Ultra XC 64GB Card 3.0 Spec $350

  16. More Key Dates • June 1st 2010 Tuxera Releases Linux & Android exFAT drivers • June 3rd 2010 Kingston Releases Class 10 SDXC 64GB Card 60 MB/s read, 35 MB/s write.

  17. SD Card Association • New Memory Card • Consumer Appliances • Follows SDHC • Specification for 2TB Capacity

  18. SDXC Storage Capabilities • From 32GB to 2TB on a card • Exclusively exFAT File System • 300 MB/s I/O Transfer • Storage • 4,000 RAW images • 100 HD movies • or 60 hours of HD recording • 17,000 fine-grade photos • in a single directory

  19. Support for exFAT • Windows XP & Server 2003 • KB955704 • Vista & Server 2008 SP1 • Vista & Server 2008 SP2 • (Adds UTC timestamp support) • Windows 7

  20. Reference Standards • Bits are numbered right to left • 76543210 • Decimal Offsets • Little-Endian numbers • Unsigned numbers • Sectors vs. Clusters • Strings are 16 bit Unicode • Strings not Terminated

  21. File System Integrity • Version Verified • 3 Checksums • VBR • UP-Case Table • File Set • Critical Directory Entries • Other Checks and Balances • File System should NOT mount if failures

  22. exFAT Limits • Volume size 128 PiB (2^32 − 11 clusters × 32 MiB) • MS said 64 ZiB (64-bit sector count) • MS now says 256 TiB • File Size 16 EiB (64 bit number) • Bigger than volume size • Subdirectory 256 MiB • Sector 512-4096 bytes (2^9 to 2^12) • Cluster 32 MiB (2^25) • No floppy support • No FAT32 minimum cluster (65,525) restriction • No 8.3 file name support

  23. Data Hide Alert! • FAT32 max cluster 32KiB • exFAT max cluster 32MiB • Potential for massive slack space

  24. Volume Space Layout • The Main Boot Region • Contains main VBR • The Backup Boot Region • Contains backup VBR • The FAT Region • Contains FAT Table(s) • The Data Region (Cluster Heap) • This is where data resides

  25. VBR – Volume Boot Record • Contains 12 sectors • 1 sector main boot sector • Jump Code (3 bytes) • BPB (BIOS Parameter Block) • Boot Strap Code • 8 sectors main extended boot sectors • 1 sector OEM parameters • 1 sector reserved • 1 sector VBR Checksum

  26. Boot Parameter Block (BPB) • OEM Label “EXFAT   ” (8 bytes, space padded) • Volume Length (64-bit) [sector] • FAT Location & Size [sector] • Heap Location & Size [sector, cluster] • Volume Serial Number • Location of Root Directory [cluster] • Volume Flags • Sector and Cluster Sizes [2-shift] • Percent in use • File System Revision (0x0100 = 1.00, stored on disk as bytes 00 01)

  27. Sectors & Clusters • A 2-Shift is a power of 2 • Sector size and sectors per cluster • Each stored in 1 byte • Theoretical maximum is 2^255 • Sector Size Maximum 2^12 • Sectors per cluster is derived from its shift value • Cluster Size Maximum is 2^25

  28. Executable Boot Code • First 3 bytes of Main Boot Sector • Jump Code • 0xEB7690 (short jump to offset 0x78 = 120, followed by NOP) • Offset 120, size 390 bytes • Remainder of boot code • Offset 510 • End signature marker • 0xAA55, stored little-endian as bytes 55 AA • Offset 512 onward • Excess space, ignored when the sector is larger than 512 bytes

  29. More Bootable Code • Up to 8 Main Extended Boot Sectors • FAT32 had 3 sector VBR with 1 MEBS • Entire sector can be used for boot code • Last 4 bytes of each sector is the marker • 0xAA550000, stored little-endian as bytes 00 00 55 AA • Larger capacity for boot virus!

  30. VBR Checksum Sector • The 12th sector of the VBR • Repeating 4 byte checksum, filling the whole sector • Checksum of previous 11 sectors • VolumeFlags (offsets 106-107) and PercentInUse (offset 112) excluded • These are volatile and change often • Boot Sector Virus & Checksum: patched boot code no longer matches the stored checksum unless sector 12 is rewritten too

  31. VBR Checksum Sector • Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F • 00000000 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹ • 00000010 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹ • 00000020 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹ • 00000030 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹ • 00000040 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹ • Lines 00000050 through 01BF repeated • 000001C0 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹ • 000001D0 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹ • 000001E0 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹ • 000001F0 C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹
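Worked example (added here; this is not code from the presentation): a Python script that builds a constructed 12-sector VBR with the layout slides 25 to 30 describe, parses the boot-sector fields, and recomputes the repeating checksum in sector 12 so that a patched boot sector can be told from an untouched one. The field offsets (jump code at 0, "EXFAT   " at 3, VolumeLength at 72 through PercentInUse at 112, boot code at 120, signature at 510, extended boot signature in the last 4 bytes of each extended sector) follow the published exFAT specification; the volume geometry, serial number and NOP-filled boot code are sample values, not taken from any real volume.

```python
"""exFAT Volume Boot Region (12 sectors): build a constructed VBR, parse the
main boot sector fields, and verify the repeating checksum in sector 12.
Field offsets follow the published exFAT main boot sector layout."""
import struct

BOOT_SIGNATURE = b"\x55\xAA"              # 0xAA55 stored little-endian at offset 510
EXT_BOOT_SIGNATURE = b"\x00\x00\x55\xAA"  # 0xAA550000, last 4 bytes of each extended boot sector
BPB_FORMAT = "<QIIIIIIHHBBBBB"            # VolumeLength .. PercentInUse, offsets 72-112


def boot_checksum(region: bytes) -> int:
    """32-bit rotate-right-and-add checksum over the first 11 VBR sectors.
    VolumeFlags (bytes 106-107) and PercentInUse (byte 112) are skipped because
    the driver rewrites them on every mount without recomputing the checksum."""
    checksum = 0
    for index, byte in enumerate(region):
        if index in (106, 107, 112):
            continue
        checksum = ((0x80000000 if checksum & 1 else 0) + (checksum >> 1) + byte) & 0xFFFFFFFF
    return checksum


def parse_main_boot_sector(sector: bytes) -> dict:
    """Decode the BPB-equivalent fields from the main boot sector."""
    if sector[3:11] != b"EXFAT   " or sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("not an exFAT main boot sector")
    (volume_length, fat_offset, fat_length, heap_offset, cluster_count, root_cluster,
     serial, revision, flags, sector_shift, cluster_shift, number_of_fats,
     _drive_select, percent_in_use) = struct.unpack_from(BPB_FORMAT, sector, 72)
    return {
        "jump_boot": sector[0:3].hex().upper(),
        "volume_length_sectors": volume_length,
        "fat_offset": fat_offset, "fat_length": fat_length,
        "cluster_heap_offset": heap_offset, "cluster_count": cluster_count,
        "root_directory_cluster": root_cluster,
        "serial": f"{serial:08X}",
        "revision": f"{revision >> 8}.{revision & 0xFF:02d}",   # 0x0100 -> "1.00"
        "volume_flags": flags, "number_of_fats": number_of_fats,
        "bytes_per_sector": 1 << sector_shift,                  # both sizes are 2-shift values
        "cluster_size": 1 << (sector_shift + cluster_shift),
        "percent_in_use": percent_in_use,
    }


def build_vbr(sector_shift: int = 9, cluster_shift: int = 3) -> bytes:
    """Constructed 12-sector VBR: main boot sector, 8 extended boot sectors,
    OEM parameters sector, reserved sector, checksum sector. Sample geometry only."""
    sector_size = 1 << sector_shift
    main = bytearray(sector_size)
    main[0:3] = b"\xEB\x76\x90"                  # jump over the BPB into the boot code
    main[3:11] = b"EXFAT   "
    struct.pack_into(BPB_FORMAT, main, 72,
                     0x100000, 24, 8192, 8216, 0x3FBC0, 5,   # volume length, FAT, heap, root (sample)
                     0x1234ABCD, 0x0100, 0x0000, sector_shift, cluster_shift, 1, 0x80, 42)
    main[120:510] = b"\x90" * 390                # placeholder boot code (390 bytes of NOP)
    main[510:512] = BOOT_SIGNATURE
    extended = bytearray(sector_size)
    extended[-4:] = EXT_BOOT_SIGNATURE
    region = bytes(main) + bytes(extended) * 8 + bytes(sector_size) * 2   # OEM + reserved left zero
    checksum_sector = struct.pack("<I", boot_checksum(region)) * (sector_size // 4)
    return region + checksum_sector


def verify_vbr(vbr: bytes) -> bool:
    """Check the extended boot signatures and that sector 12 repeats the checksum of sectors 1-11."""
    sector_size = 1 << vbr[108]
    if len(vbr) < 12 * sector_size:
        return False
    for n in range(1, 9):
        if vbr[(n + 1) * sector_size - 4:(n + 1) * sector_size] != EXT_BOOT_SIGNATURE:
            return False
    expected = struct.pack("<I", boot_checksum(vbr[:11 * sector_size])) * (sector_size // 4)
    return vbr[11 * sector_size:12 * sector_size] == expected


if __name__ == "__main__":
    vbr = build_vbr()
    print(parse_main_boot_sector(vbr[:512]))
    print("intact:", verify_vbr(vbr))
    patched = bytearray(vbr)
    patched[200] ^= 0xFF                          # modify boot code: checksum no longer matches
    print("boot code patched:", verify_vbr(bytes(patched)))
    patched = bytearray(vbr)
    patched[106] |= 0x02                          # set VolumeDirty: excluded field, still matches
    print("VolumeFlags changed:", verify_vbr(bytes(patched)))
```

The two tamper cases at the end are the practical point: a byte changed in the boot code invalidates sector 12, while a change to VolumeFlags does not, so a checksum match says nothing about those two fields. On a real image, run verify_vbr over both the main and the backup boot region (sectors 12 to 23) and compare the two.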

  32. FAT – File Allocation Table • When it is used, same as legacy FAT • Not used when file contiguous (NoFatChain flag set in the stream entry) • Never used for cluster allocation (the Allocation Bitmap does that) • FAT32 has 32 bit cells, uses 28 bits • exFAT has 32 bit cells, uses 32 bits • There is no 64 bit FAT • Maximum clusters is 2^32 − 11 • With TexFAT – 2 FAT Tables (2 Bitmaps) • Addressed by pointer in VBR • Size stored in VBR

  33. Cell Values in FAT Table • 0x00000000 – No significant meaning • 0x00000001 – Not a valid cell value • 0xFFFFFFF6 – Largest Value • 0xFFFFFFF7 – Bad Block • 0xFFFFFFF8 – Media Descriptor • Fixed Disk • 0xFFFFFFF9-0xFFFFFFFE – Not Defined • 0xFFFFFFFF – End of File (EOF)

  34. FAT Table Example (start of the FAT region; each cell is a little-endian 32-bit value, cell index = cluster number)
  Offset  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  0000   F8 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
  0010   FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00
  0020 through 0100: all 00
  Cell 0 (0xFFFFFFF8) = Media descriptor • Cell 1 (0xFFFFFFFF) = Reserved • Cell 2 (0xFFFFFFFF) = Allocation Bit Map, single cluster, EOF • Cell 3 (0xFFFFFFFF) = UP-Case Table, EOF • Cell 4 (0xFFFFFFFF) = Root Directory, EOF

  35. Allocation Bitmap • Keeps track of cluster allocation status • Zero – Free Cluster • One – Allocated Cluster • 1 Byte = Tracking of 8 Clusters • Bit Zero – Byte Zero = Cluster 2 • Cluster 0 & Cluster 1 are not defined • Addressed by Directory Entry • With TexFAT – 2 of these (FAT Pairing)

  36. Data Hide Alert! • The Allocation Bitmap and the UP-Case Table are stored as files, and provide hiding space in the metadata • These files are static, typically won’t move, and have slack space. • Nothing prevents someone from moving these files elsewhere in the cluster heap, and actually making them larger

  37. Directories in exFAT • Root (VBR Pointer) • Contains certain critical entries • Almost unlimited in size • Subdirectory (by File Entry) • Contains file sets • 256MiB Max size • No physical “.” or “..” entries • Uses 16 Bit Unicode for strings • Every Entry 32 bytes in size • Entry 0x00 is end of directory • Has capabilities for user entries

  38. Data Hide Alert! • Manipulation of the Allocation Bitmap, and creation of user directory entries provides the capability of hiding a file system within the file system • It may also be possible to hide data within the directory metadata itself
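Worked example (added here; not code from the presentation): Python that classifies FAT cells the way slide 33 lists them, walks a cluster chain, reads the allocation bitmap bit by bit as slide 35 describes, and then performs the check a forensic examiner wants after slides 36 and 38: which clusters does the bitmap mark allocated that no directory entry or FAT chain reaches? The FAT bytes are the first 20 bytes of slide 34's dump; the fragmented file at clusters 5 to 7, the contiguous (NoFatChain) file at clusters 8 to 9, the 128 KiB cluster size and the bitmap bytes are constructed sample data.

```python
"""exFAT FAT and allocation bitmap: classify FAT cells, walk a cluster chain,
read bitmap bits, and flag clusters the bitmap marks allocated that no
directory entry or chain references (the hiding place slides 36 and 38 warn about)."""
import math
import struct

FAT_BAD, FAT_MEDIA, FAT_EOF = 0xFFFFFFF7, 0xFFFFFFF8, 0xFFFFFFFF
FAT_MAX_CLUSTER = 0xFFFFFFF6              # largest value that still names a cluster

# First 20 bytes of the FAT dump on slide 34 (media descriptor, reserved, then EOF cells
# for the bitmap, up-case table and root directory); the rest of the region is zero.
SLIDE_FAT = bytes.fromhex("F8FFFFFF" "FFFFFFFF" "FFFFFFFF" "FFFFFFFF" "FFFFFFFF") + bytes(0x110 - 20)
CLUSTER_SIZE = 128 * 1024                 # assumed, matching the "exFAT-128K" label on slide 42


def fat_cells(fat_region: bytes) -> list:
    """Split the FAT region into little-endian 32-bit cells; cell index = cluster number."""
    return list(struct.unpack(f"<{len(fat_region) // 4}I", fat_region))


def classify_cell(value: int, index: int) -> str:
    if index == 0:
        return "media descriptor" if value == FAT_MEDIA else "invalid media descriptor"
    if index == 1:
        return "reserved"
    if value == 0:
        return "no chain information"    # free, or allocated with NoFatChain set
    if value == 1:
        return "invalid"
    if value <= FAT_MAX_CLUSTER:
        return f"next cluster {value}"
    if value == FAT_BAD:
        return "bad cluster"
    if value == FAT_EOF:
        return "end of chain"
    return "undefined"                   # 0xFFFFFFF8-0xFFFFFFFE outside cell 0


def walk_chain(cells: list, first_cluster: int) -> list:
    """Follow a FAT chain to EOF; refuse loops and links that are not cluster numbers."""
    chain, seen, cluster = [], set(), first_cluster
    while True:
        if cluster < 2 or cluster >= len(cells) or cluster in seen:
            raise ValueError(f"broken chain at cluster {cluster}")
        chain.append(cluster)
        seen.add(cluster)
        value = cells[cluster]
        if value == FAT_EOF:
            return chain
        if not 2 <= value <= FAT_MAX_CLUSTER:
            raise ValueError(f"cell {cluster} holds 0x{value:08X}, not a cluster number")
        cluster = value


def contiguous_extent(first_cluster: int, data_length: int, cluster_size: int) -> list:
    """Clusters of a NoFatChain (contiguous) file: the FAT is never consulted."""
    return list(range(first_cluster, first_cluster + math.ceil(data_length / cluster_size)))


def allocated_clusters(bitmap: bytes, cluster_count: int) -> set:
    """Bit 0 of byte 0 is cluster 2; each byte tracks eight clusters."""
    return {n for n in range(2, cluster_count + 2) if (bitmap[(n - 2) >> 3] >> ((n - 2) & 7)) & 1}


def unreferenced_allocated(bitmap: bytes, cluster_count: int, referenced: set) -> list:
    """Allocated in the bitmap but reachable from nothing: candidates for hidden data."""
    return sorted(allocated_clusters(bitmap, cluster_count) - referenced)


def find_hidden_in_slide_example() -> list:
    """Slide 34's FAT plus constructed extras: a fragmented file at clusters 5-7 (FAT chain),
    a NoFatChain file at clusters 8-9, and a bitmap that also marks cluster 12 allocated."""
    cells = fat_cells(SLIDE_FAT)
    cells[5], cells[6], cells[7] = 6, 7, FAT_EOF                     # constructed chain 5 -> 6 -> 7
    referenced = set()
    for first in (2, 3, 4, 5):                                       # bitmap, up-case, root, fragmented file
        referenced |= set(walk_chain(cells, first))
    referenced |= set(contiguous_extent(8, 2 * CLUSTER_SIZE - 1, CLUSTER_SIZE))   # constructed file 8-9
    bitmap = bytes([0xFF, 0x04])                                     # constructed: clusters 2-9 and 12 allocated
    return unreferenced_allocated(bitmap, 16, referenced)


if __name__ == "__main__":
    for index, value in enumerate(fat_cells(SLIDE_FAT)[:6]):
        print(f"cell {index}: 0x{value:08X} {classify_cell(value, index)}")
    print("allocated but unreferenced clusters:", find_hidden_in_slide_example())
```

On a real image the referenced set is built by walking every directory (root first, then each 0x85 file set, using the FAT chain or the contiguous extent depending on the NoFatChain flag); whatever the bitmap still marks allocated after that is either a dirty shutdown leftover or exactly the "file system within the file system" slide 38 describes, and deserves a look with a hex viewer.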

  39. Entry Type • Every 32-byte directory entry begins with a one byte entry type split into four bit fields (layout figure not reproduced)

  40. Entry Type • Bit 7 – In Use: 0 – Not in Use, 1 – In Use • Bit 6 – Category: 0 – Primary, 1 – Secondary • Bit 5 – Importance: 0 – Critical, 1 – Benign • Bits 0-4 – Code: Identifies the entry

  41. Volume Label Directory Entry • 0x83 or 0x03 Entry • Primary Entry • Only resident in Root Directory • Contains the Volume Label • 16 bit Unicode • 0x03 means no volume label

  42. Volume Label Directory Entry
  Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
  00000000  83 0A 65 00 78 00 46 00 41 00 54 00 2D 00 31 00  ƒ.e.x.F.A.T.-.1.
  00000010  32 00 38 00 4B 00 00 00 00 00 00 00 00 00 00 00  2.8.K...........
  Byte 0: Type (0x83) • Byte 1: Volume Name Length (10 characters) • Bytes 2-21: Volume Label in 16-bit Unicode ("exFAT-128K")

  43. Allocation Bitmap Directory Entry • 0x81 Entry • Primary Entry • Only resident in Root Directory • Points to the Allocation Bitmap • If TexFAT, then 2 of these • Flag bits says which FAT/Bitmap • Cluster Address of Bitmap • Size of Bitmap

  44. Allocation Bitmap Directory Entry
  Offset  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
  0000   81 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0010   00 00 00 00 02 00 00 00 3F 00 00 00 00 00 00 00
  Byte 0: Type (0x81) • Bytes 20-23: Cluster Address (Cluster 2) • Bytes 24-31: Size (63 bytes, room for 504 cluster bits)

  45. UP-Case Table Directory Entry • 0x82 Entry • Primary Entry • Only resident in Root Directory • File names are case insensitive • Used to fold file name • Table has a checksum (32 bits)

  46. UP-Case Table Directory Entry
  Offset  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
  0000   82 00 00 00 0D D3 19 E6 00 00 00 00 00 00 00 00
  0010   00 00 00 00 03 00 00 00 CC 16 00 00 00 00 00 00
  Byte 0: Type (0x82) • Bytes 4-7: Table Checksum (0xE619D30D, little-endian) • Bytes 20-23: Cluster Address (Cluster 3) • Bytes 24-31: Length (0x16CC = 5,836 bytes)

  47. File Directory Entry Set • Used to define a file • May have 3 to 19 entries, or more • 1 Primary, many Secondary • Is considered an array • Must be in order • Must be contiguous (no gaps) • Entire Set has Checksum

  48. File Directory Entry • 0x85 or 0x05 Entry • Primary Entry • Set Checksum (16 bits) • Not modified on file delete • Secondary Count • # Secondary entries that follow • File Attributes • Timestamps

  49. Timestamps & Time Zones • 3 Timestamps (M, A, C: modified, accessed, created) • 32 bit DOS Date/Time (2 second resolution) • Local Machine Time • 10 ms Increment (M and C only, 0-199) • TZ Offset (M, A, C) • 15 minute increments • 7 bit signed number • ±16 hours • Bit 7 marks the offset as valid; present with UTC support
