Learn about the features, advantages, and limitations of the Microsoft Extended File System (exFAT) and its relevance in digital investigations. Discover the tools and support available for exFAT formatted media and understand the challenges in forensic analysis. Explore future features and the potential of exFAT in CP investigations.
Techno Security and Digital Investigations Conference, June 6-9, 2010, Myrtle Beach, SC. Demystifying the Microsoft Extended File System (exFAT). Robert Shullich CPP, CISSP, CISM, CISA, CGEIT, GSEC, GCFA
Agenda • Why a new file system • Forensics Relevance • Features • Advantages • Timelines • Support • Limits • Internals
Why do we need a new file system? • Current Limits Exhausted • Larger volumes (>2TB) • Larger file sizes (>4GB) • Faster I/O • (UHS-1: 104 MB/s - UHS-2: 300 MB/s) • Removable Media • Flexibility • Extensibility • NTFS Features without the overhead
Relevance to Forensics Study • Digital Evidence Extraction • Finding the evidence • Including the hiding places • Validation • Daubert Expert Testimony • Need to know and understand file org • New Media (SD Cards) will drive exFAT adoption, and the potential for CP investigations.
What happens when you have exFAT formatted media and no exFAT support?
Forensics Challenges • Linux OS Support • Tuxera drivers may help • Mac OS Support • Open Source Tools • Commercial Tools • Encase • FTK • Documentation
Disclaimer • The released specification and implementation is Release 1.00 of exFAT • The specification mentions additional features that were not implemented yet, but may be at a future time. Some of these are Windows CE holdovers • Both may be presented today • Some directory entries will be skipped
International System of Units (SI) Table • File System in powers of 2 • Device characteristics in power of 10
Features of exFAT 1.00 • Sector sizes from 512 to 4096 bytes • Cluster sizes to 32MiB • Subdirectories to 256MiB • Built for speed, less overhead than NTFS but has some of the NTFS features • UTC Timestamp Support • Vista/Server 2008 SP2+, XP with KB
Features of exFAT 1.00 (cont’d) • OEM Parameters Sector for device dependent parameters • 12 sector VBR, support of larger boot program • Potential capacity to 64ZiB • Current support ≈ 128 PiB • Up to 2,796,202 files per subdirectory • File Names max to 255 Characters • Unicode File Names and Volume Labels
Future Features of exFAT • TexFAT (To be released later) • Exists in Windows CE • Transaction Safe exFAT • ACL (To be released later) • Exists in Windows CE • Encryption Support? • Not announced, but mentioned how easy to add
MBR Partition Limitations • Microsoft File Systems are limited when stored in a MBR partition • A partition is defined by a Master Boot Record • A MBR uses a 4 byte value for number of sectors, so a partition can span at most 2^32 sectors: 2 TiB with 512-byte sectors • To get the maximum volume size, exFAT cannot be created within an MBR partition (the 64-bit Volume Length in the exFAT BPB is not the limiting factor)
Advantages of exFAT • Handle growing capacities in media, increasing capacity to >32 GB. • > 1000 files in a single directory. • Speeds up storage allocation processes. • Breaks file size 4 GB barrier. • Supports interoperability with future desktop OSs. • Provides an extensible format.
Key Dates for exFAT • September 2006 – Windows CE 6.0 • March 2008 – Windows Vista Service Pack 1 • January 2009 – Announcement at CES of SDXC specification • January 2009 – Windows XP Drivers Available • March 2009 – Pretec Releases first SDXC Cards • May 2009 – Windows Vista Service Pack 2 • August 2009 – Tuxera Signs File System IP Agreement with Microsoft • December 2009 – Microsoft (re)announces exFAT license program for third-parties • December 2009 – SDXC laptops due soon • December 2009 – DiskInternals releases exFAT recovery utility • December 2009 – EnCase support
More Key Dates for exFAT • December 2009 Sony, Canon & Sanyo License • January 2010 Funai License (LCD TV) • February 2010 Panasonic License • February 2010 Panasonic 64/48GB SDXC • February 2010 Sony Memory Stick XC • February 2010 Sandisk Ultra XC 64GB Card 3.0 Spec $350
More Key Dates • June 1st 2010 Tuxera Releases Linux & Android exFAT drivers • June 3rd 2010 Kingston Releases Class 10 SDXC 64GB Card 60 MB/s read, 35 MB/s write.
SD Card Association • New Memory Card • Consumer Appliances • Follows SDHC • Specification for 2TB Capacity
SDXC Storage Capabilities • From 32GB to 2TB on a card • Exclusively exFAT File System • 300 MB/s I/O Transfer • Storage • 4,000 RAW images • 100 HD movies • or 60 hours of HD recording • 17,000 fine-grade photos • in a single directory
Support for exFAT • Windows XP & Server 2003 • KB955704 • Vista & Server 2008 SP1 • Vista & Server 2008 SP2 • (Adds UTC timestamp support) • Windows 7
Reference Standards • Bits are numbered right to left • 76543210 • Decimal Offsets • Little-Endian numbers • Unsigned numbers • Sectors vs. Clusters • Strings are 16 bit Unicode • Strings not Terminated
File System Integrity • Version Verified • 3 Checksums • VBR • UP-Case Table • File Set • Critical Directory Entries • Other Checks and Balances • File System should NOT mount if failures
exFAT Limits • Volume size 128PiB • MS said 64ZiB • MS now says 256TiB • File Size 16 EiB (64 bit number) • Bigger than volume size • Subdirectory 256MiB • Sector 512-4096 bytes (2^9 to 2^12) • Cluster 32MiB (2^25) • No floppy support • No FAT32 minimum cluster (65,525) restriction • No 8.3 file name support
Data Hide Alert! • FAT32 max cluster 32KiB • exFAT max cluster 32MiB • Potential for massive slack space
Volume Space Layout • The Main Boot Region • Contains main VBR • The Backup Boot Region • Contains backup VBR • The FAT Region • Contains FAT Table(s) • The Data Region (Cluster Heap) • This is where data resides
VBR – Volume Boot Record • Contains 12 sectors • 1 sector main boot sector • Jump Code (3 bytes) • BPB (BIOS Parameter Block) • Boot Strap Code • 8 sectors main extended boot sectors • 1 sector OEM parms • 1 sector reserved • 1 sector VBR Checksum
Boot Parameter Block (BPB) • OEM Label “EXFAT   ” (8 bytes, space padded) • Volume Length (64-bit) [sector] • FAT Location & Size [sector] • Heap Location & Size [sector, cluster] • Volume Serial Number • Location of Root Directory [cluster] • Volume Flags • Sector and Cluster Sizes [2-shift] • Percent in use • File System Revision (bytes 104-105 = 00 01, read little-endian as 0x0100 = 1.00)
Sectors & Clusters • A 2-Shift is a power of 2 • Sector size and sectors per cluster • Each stored as a 1 byte shift value in the BPB • Theoretical maximum is 2^255 • Sector Size Maximum 2^12 (shift 9 to 12) • Cluster size is derived: 2^(BytesPerSectorShift + SectorsPerClusterShift) • Cluster Size Maximum is 2^25, so the two shifts sum to at most 25
Executable Boot Code • First 3 bytes of Main Boot Sector • Jump Code • 0xEB7690 (short jump over the BPB to the boot code at offset 120) • Offset 120, size 390 • Remainder of boot code • Offset 510 • End signature marker • 0xAA55, stored little-endian as bytes 55 AA • Offset 512 onward • Excess space, present only when the sector is larger than 512 bytes; unused
More Bootable Code • Up to 8 Main Extended Boot Sectors • FAT32 had 3 sector VBR with 1 MEBS • Entire sector can be used for boot code • Last 4 bytes of each sector is the marker • 0xAA550000, stored little-endian as bytes 00 00 55 AA • Larger capacity for boot virus!
VBR Checksum Sector • The 12th sector of the VBR • Repeating 4 byte checksum • Checksum of previous 11 sectors • Flags and Percent excluded • These are volatile and change often • Boot Sector Virus & Checksum: a virus that patches any of the first 11 sectors must also rewrite the checksum sector, or a conforming driver refuses to mount the volume; recomputing the checksum and comparing it with the stored sector detects a patched VBR
VBR Checksum Sector (hex dump of a 512-byte sector; the 4-byte checksum 0x8B18D0C9 is stored little-endian and repeated 128 times)
Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000000  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹
00000010  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹
00000020  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹
(lines 00000030 through 000001E0 repeat the same 16 bytes)
000001F0  C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B C9 D0 18 8B  ÉÐ.‹ÉÐ.‹ÉÐ.‹ÉÐ.‹
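The VBR, BPB and checksum slides above describe a structure that is easy to check by hand. The following is an added example, not code from the presentation: it builds a constructed 12-sector exFAT VBR (the geometry, serial number and 128 KiB cluster size are made up), computes the Release 1.00 boot checksum that the 12th sector must repeat, verifies a stored checksum sector the way a driver would before mounting, and parses the BPB fields listed above. Field offsets are those of the exFAT main boot sector.

```python
"""Added example (not from the slides): build a constructed 12-sector exFAT
VBR, compute the Release 1.00 boot checksum the checksum sector must hold,
and parse the BPB fields the slides list.  Field offsets follow the exFAT
main boot sector layout; the volume geometry is made up."""
import struct

SECTOR = 512
VBR_SECTORS = 12           # main boot, 8 extended boot, OEM parameters, reserved, checksum
SKIPPED = {106, 107, 112}  # VolumeFlags (2 bytes) and PercentInUse: volatile, not checksummed


def boot_checksum(vbr: bytes, bytes_per_sector: int = SECTOR) -> int:
    """32-bit rotate-right-then-add over the first 11 VBR sectors."""
    checksum = 0
    for i in range(11 * bytes_per_sector):
        if i in SKIPPED:
            continue
        checksum = ((0x80000000 if checksum & 1 else 0) + (checksum >> 1) + vbr[i]) & 0xFFFFFFFF
    return checksum


def checksum_sector(vbr: bytes, bytes_per_sector: int = SECTOR) -> bytes:
    """Sector 11 (the 12th): the checksum repeated as little-endian DWORDs."""
    return struct.pack("<I", boot_checksum(vbr, bytes_per_sector)) * (bytes_per_sector // 4)


def checksum_from_sector(sector: bytes) -> int:
    """Read a stored checksum sector; every DWORD must repeat the same value."""
    words = struct.unpack("<%dI" % (len(sector) // 4), sector)
    if len(set(words)) != 1:
        raise ValueError("checksum sector is not a single repeated DWORD")
    return words[0]


def verify_vbr(vbr: bytes, bytes_per_sector: int = SECTOR) -> bool:
    """True when the stored checksum sector matches sectors 0-10."""
    stored = vbr[11 * bytes_per_sector:12 * bytes_per_sector]
    return checksum_from_sector(stored) == boot_checksum(vbr, bytes_per_sector)


BPB_FORMAT = "<QQIIIIIIBBHBBBBB"   # offsets 64..112 of the main boot sector


def parse_bpb(sector0: bytes) -> dict:
    """Decode the BPB fields named in the slides (little-endian, unsigned)."""
    if sector0[0:3] != b"\xEB\x76\x90" or sector0[3:11] != b"EXFAT   ":
        raise ValueError("not an exFAT main boot sector")
    if sector0[510:512] != b"\x55\xAA":
        raise ValueError("missing 0xAA55 boot signature")
    (_partition_offset, volume_length, fat_offset, fat_length, heap_offset,
     cluster_count, root_cluster, serial, minor, major, flags,
     bps_shift, spc_shift, num_fats, _drive_select, percent) = struct.unpack_from(BPB_FORMAT, sector0, 64)
    bytes_per_sector = 1 << bps_shift            # 2-shift: 9..12 -> 512..4096
    return {
        "volume_length_sectors": volume_length,
        "fat_offset": fat_offset, "fat_length": fat_length,
        "cluster_heap_offset": heap_offset, "cluster_count": cluster_count,
        "root_directory_cluster": root_cluster,
        "serial": f"{serial:08X}",
        "revision": f"{major}.{minor:02d}",      # bytes 104/105 = 00 01 -> 1.00
        "volume_flags": flags,
        "bytes_per_sector": bytes_per_sector,
        "bytes_per_cluster": bytes_per_sector << spc_shift,  # max 2^25 = 32 MiB
        "number_of_fats": num_fats,
        "percent_in_use": percent,
    }


def build_sample_vbr() -> bytes:
    """Constructed VBR: 512-byte sectors, 128 KiB clusters (shift 9 + 8), 1024 clusters."""
    vbr = bytearray(VBR_SECTORS * SECTOR)
    vbr[0:3] = b"\xEB\x76\x90"
    vbr[3:11] = b"EXFAT   "
    struct.pack_into(BPB_FORMAT, vbr, 64,
                     0, 256 + 1024 * 256, 24, 9, 256, 1024, 4, 0xDEADBEEF,
                     0, 1, 0, 9, 8, 1, 0x80, 5)
    vbr[510:512] = b"\x55\xAA"
    for s in range(1, 9):  # extended boot sectors end in 0xAA550000
        struct.pack_into("<I", vbr, (s + 1) * SECTOR - 4, 0xAA550000)
    vbr[11 * SECTOR:] = checksum_sector(bytes(vbr))
    return bytes(vbr)
```

Because each step of the checksum is a bijection on the running value (a rotate followed by an addition), any single-byte change to the 11 checksummed sectors always produces a different result, while an edit to the Volume Flags or Percent In Use bytes leaves it unchanged; the dump above decodes with checksum_from_sector to 0x8B18D0C9.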
FAT – File Allocation Table • When it is used, same as legacy FAT • Not used when file contiguous • Never used for cluster allocation • FAT 32 has 32 bit cells, uses 28 bits • exFAT has 32 bit cells, uses 32 bits • There is no 64 bit FAT • Maximum clusters is 2^32 - 11 • With TexFAT – 2 FAT Tables (2 Bitmaps) • Addressed by pointer in VBR • Size stored in VBR
Cell Values in FAT Table • 0x00000000 – No significant meaning • 0x00000001 – Not a valid cell value • 0xFFFFFFF6 – Largest Value • 0xFFFFFFF7 – Bad Block • 0xFFFFFFF8 – Media Descriptor • Fixed Disk • 0xFFFFFFF9-0xFFFFFFFE – Not Defined • 0xFFFFFFFF – End of File (EOF)
FAT Table Example (first FAT sector of the "exFAT-128K" volume; each cell is a 32-bit little-endian value)
Offset  0  1  2  3  4  5  6  7  8  9  10 11 12 13 14 15
0000    F8 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0010    FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00
0020 onward: all zero
• Cell 0 (offset 0): 0xFFFFFFF8 Media descriptor • Cell 1 (offset 4): 0xFFFFFFFF Reserved • Cell 2 (offset 8): 0xFFFFFFFF, EOF for the Allocation Bit Map (cluster 2) • Cell 3 (offset 12): 0xFFFFFFFF, EOF for the UP-Case Table (cluster 3) • Cell 4 (offset 16): 0xFFFFFFFF, EOF for the Root Directory (cluster 4) • Each of the three occupies a single cluster, so its chain is one EOF cell
Allocation Bitmap • Keeps track of cluster allocation status • Zero – Free Cluster • One – Allocated Cluster • 1 Byte = Tracking of 8 Clusters • Bit Zero – Byte Zero = Cluster 2 • Cluster 0 & Cluster 1 are not defined • Addressed by Directory Entry • With TexFAT – 2 of these (FAT Pairing)
Data Hide Alert! • The Allocation Bitmap and the UP-Case Table are stored as files, and provide hiding space in the metadata • These files are static, typically won’t move, and have slack space. • Nothing prevents someone from moving these files elsewhere in the cluster heap, and actually making them larger
Directories in exFAT • Root (VBR Pointer) • Contains certain critical entries • Almost unlimited in size • Subdirectory (by File Entry) • Contains file sets • 256MiB Max size • No physical “.” or “..” entries • Uses 16 Bit Unicode for strings • Every Entry 32 bytes in size • Entry 0x00 is end of directory • Has capabilities for user entries
Data Hide Alert! • Manipulation of the Allocation Bitmap, and creation of user directory entries provides the capability of hiding a file system within the file system • It may also be possible to hide data within the directory metadata itself
Entry Type (1 byte) • Bit 7 In Use: 0 – Not in Use, 1 – In Use • Bit 6 Category: 0 – Primary, 1 – Secondary • Bit 5 Importance: 0 – Critical, 1 – Benign • Bits 0-4 Code: Identifies the entry • Example: 0x85 = in use, primary, critical, code 5 (File); 0x05 is the same entry marked not in use (deleted)
Volume Label Directory Entry • 0x83 or 0x03 Entry • Primary Entry • Only resident in Root Directory • Contains the Volume Label • 16 bit Unicode • 0x03 means no volume label
Volume Label Directory Entry (32 bytes)
Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000000  83 0A 65 00 78 00 46 00 41 00 54 00 2D 00 31 00  ƒ.e.x.F.A.T.-.1.
00000010  32 00 38 00 4B 00 00 00 00 00 00 00 00 00 00 00  2.8.K...........
• Byte 0: Type 0x83 • Byte 1: Volume Name Length 0x0A (10 characters) • Bytes 2-21: Volume Label "exFAT-128K" in 16-bit Unicode
Allocation Bitmap Directory Entry • 0x81 Entry • Primary Entry • Only resident in Root Directory • Points to the Allocation Bitmap • If TexFAT, then 2 of these • Flag bits says which FAT/Bitmap • Cluster Address of Bitmap • Size of Bitmap
Allocation Bitmap Directory Entry (32 bytes)
Offset  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0000    81 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0010    00 00 00 00 02 00 00 00 3F 00 00 00 00 00 00 00
• Byte 0: Type 0x81 • Bytes 20-23: Cluster Address 0x00000002 (Cluster 2) • Bytes 24-31: Size 0x3F (63 bytes)
UP-Case Table Directory Entry • 0x82 Entry • Primary Entry • Only resident in Root Directory • File names are case insensitive • Used to fold file name • Table has a checksum (32 bits)
UP-Case Table Directory Entry (32 bytes)
Offset  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0000    82 00 00 00 0D D3 19 E6 00 00 00 00 00 00 00 00
0010    00 00 00 00 03 00 00 00 CC 16 00 00 00 00 00 00
• Byte 0: Type 0x82 • Bytes 4-7: Table Checksum 0xE619D30D • Bytes 20-23: Cluster Address 3 • Bytes 24-31: Length 0x16CC (5,836 bytes)
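The entry type bit fields, the Allocation Bitmap slide and the three root-directory dumps above can be exercised together. The following is an added example, not code from the presentation: it decodes the Entry Type byte, parses the volume label (0x83), allocation bitmap (0x81) and up-case table (0x82) entries using the 32-byte dumps from the slides as test vectors, walks a directory until the 0x00 end entry, and looks up a cluster's bit in the allocation bitmap. The padding that closes the sample root directory is constructed, not from the slides.

```python
"""Added example (not from the slides): decode the exFAT EntryType byte, the
three critical primary root-directory entries the slides dump (volume label
0x83, allocation bitmap 0x81, up-case table 0x82), and the bitmap bit for a
cluster.  The 32-byte vectors are the slide dumps; the directory layout
around them is constructed."""
import struct
from dataclasses import dataclass

ENTRY_SIZE = 32


@dataclass(frozen=True)
class EntryType:
    in_use: bool     # bit 7: 0 = not in use, 1 = in use
    secondary: bool  # bit 6: 0 = primary, 1 = secondary
    benign: bool     # bit 5: 0 = critical, 1 = benign
    code: int        # bits 0-4: type code

    @classmethod
    def decode(cls, byte: int) -> "EntryType":
        return cls(bool(byte & 0x80), bool(byte & 0x40), bool(byte & 0x20), byte & 0x1F)


def parse_root_entry(entry: bytes) -> dict:
    """Parse one 32-byte entry of the critical primary kinds found in the root directory."""
    if len(entry) != ENTRY_SIZE:
        raise ValueError("directory entries are exactly 32 bytes")
    t = EntryType.decode(entry[0])
    info = {"type": t, "raw_type": f"0x{entry[0]:02X}", "kind": "other"}
    if t.secondary or t.benign:
        return info
    if t.code == 3:                                 # 0x83 in use, 0x03 = no label
        count = entry[1]                            # CharacterCount, UTF-16 code units
        info["kind"] = "volume label"
        info["label"] = entry[2:2 + 2 * count].decode("utf-16-le") if t.in_use else None
    elif t.code == 1:                               # 0x81 allocation bitmap
        info["kind"] = "allocation bitmap"
        info["bitmap_flags"] = entry[1] & 1         # bit 0 selects the FAT/bitmap pair (TexFAT)
        info["first_cluster"], info["data_length"] = struct.unpack_from("<IQ", entry, 20)
    elif t.code == 2:                               # 0x82 up-case table
        info["kind"] = "up-case table"
        info["table_checksum"] = struct.unpack_from("<I", entry, 4)[0]
        info["first_cluster"], info["data_length"] = struct.unpack_from("<IQ", entry, 20)
    return info


def walk_directory(data: bytes):
    """Yield 32-byte entries until the 0x00 end-of-directory entry or the data runs out."""
    for off in range(0, len(data) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = data[off:off + ENTRY_SIZE]
        if entry[0] == 0x00:
            return
        yield entry


def parse_root_directory(data: bytes) -> list:
    return [parse_root_entry(e) for e in walk_directory(data)]


def cluster_allocated(bitmap: bytes, cluster: int) -> bool:
    """Allocation bitmap lookup: bit 0 of byte 0 is cluster 2; clusters 0 and 1 do not exist."""
    if cluster < 2:
        raise ValueError("cluster numbers start at 2")
    idx = cluster - 2
    return bool((bitmap[idx >> 3] >> (idx & 7)) & 1)


# Slide dumps (volume "exFAT-128K") used as test vectors; bytes.fromhex ignores the spaces.
VOLUME_LABEL_ENTRY = bytes.fromhex("83 0A 65 00 78 00 46 00 41 00 54 00 2D 00 31 00 "
                                   "32 00 38 00 4B 00 00 00 00 00 00 00 00 00 00 00")
BITMAP_ENTRY = bytes.fromhex("81 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
                             "00 00 00 00 02 00 00 00 3F 00 00 00 00 00 00 00")
UPCASE_ENTRY = bytes.fromhex("82 00 00 00 0D D3 19 E6 00 00 00 00 00 00 00 00 "
                             "00 00 00 00 03 00 00 00 CC 16 00 00 00 00 00 00")
# Constructed root directory: the three slide entries followed by an end-of-directory entry.
SAMPLE_ROOT = VOLUME_LABEL_ENTRY + BITMAP_ENTRY + UPCASE_ENTRY + bytes(ENTRY_SIZE)
```

The bitmap entry's 63-byte length covers 504 clusters, which is why manipulating the bitmap (marking clusters allocated that no directory entry references) is the hiding technique the following slides warn about: nothing in the FAT or the directory has to change.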
File Directory Entry Set • Used to define a file • May have 3 to 19 entries, or more • 1 Primary, many Secondary • Is considered an array • Must be in order • Must be contiguous (no gaps) • Entire Set has Checksum
File Directory Entry • 0x85 or 0x05 Entry • Primary Entry • Set Checksum (16 bits) • Not modified on file delete • Secondary Count • # Secondary entries that follow • File Attributes • Timestamps
Timestamps & Time Zones • 3 Timestamps (Modified, Accessed, Created) • 32 bit DOS Date/Time (2 second resolution) • Local Machine Time • 10ms Offset (Modified and Created only) • TZ Offset (all three) • 15 minute increments • 7 bit signed number • -16:00 to +15:45 • Present only with UTC support (Vista/Server 2008 SP2+, Windows 7); bit 7 of the offset byte marks it valid, otherwise the timestamp is local time of unknown zone
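The file set checksum and timestamp slides describe two decoding steps an examiner has to get right before a timeline can be trusted. The following is an added example, not code from the presentation: it constructs a minimal three-entry file set (File 0x85, Stream Extension 0xC0, File Name 0xC1), computes the 16-bit set checksum that skips its own field, and decodes the DOS date/time, 10 ms increment and UTC offset bytes. Field offsets follow the exFAT directory entry layout; the file name, size and times are made up, and the stream entry's NameHash is left zero because no up-case table is modelled.

```python
"""Added example (not from the slides): construct a minimal exFAT File
directory entry set (File 0x85 + Stream Extension 0xC0 + File Name 0xC1),
compute the 16-bit EntrySetChecksum, and decode the three timestamps with
their 10 ms increments and UTC offsets.  Name, size and times are made up;
NameHash is left zero because no up-case table is modelled here."""
import struct
from datetime import datetime, timedelta, timezone

ENTRY = 32


def entry_set_checksum(entries: bytes) -> int:
    """16-bit rotate-right-then-add over the whole set, skipping the checksum field (bytes 2-3)."""
    checksum = 0
    for i, b in enumerate(entries):
        if i in (2, 3):
            continue
        checksum = ((0x8000 if checksum & 1 else 0) + (checksum >> 1) + b) & 0xFFFF
    return checksum


def decode_timestamp(dos: int, ten_ms: int = 0, utc_offset: int = 0) -> datetime:
    """DOS date/time (bits: sec/2 0-4, min 5-10, hour 11-15, day 16-20, month 21-24,
    year-1980 25-31) plus 10 ms increment and UtcOffset (bit 7 valid, bits 0-6 signed
    quarter hours).  Without a valid offset the result is naive local machine time."""
    ts = datetime(1980 + (dos >> 25), (dos >> 21) & 0x0F, (dos >> 16) & 0x1F,
                  (dos >> 11) & 0x1F, (dos >> 5) & 0x3F, (dos & 0x1F) * 2)
    ts += timedelta(milliseconds=10 * ten_ms)
    if utc_offset & 0x80:
        quarters = utc_offset & 0x7F
        if quarters & 0x40:              # sign-extend the 7-bit field
            quarters -= 0x80
        ts = ts.replace(tzinfo=timezone(timedelta(minutes=15 * quarters)))
    return ts


def encode_timestamp(ts: datetime) -> tuple:
    """Inverse of decode_timestamp: returns (dos, ten_ms, utc_offset)."""
    dos = ((ts.year - 1980) << 25) | (ts.month << 21) | (ts.day << 16) \
        | (ts.hour << 11) | (ts.minute << 5) | (ts.second // 2)
    ten_ms = (ts.second % 2) * 100 + ts.microsecond // 10000
    utc = 0
    if ts.utcoffset() is not None:
        utc = 0x80 | ((int(ts.utcoffset().total_seconds()) // 900) & 0x7F)
    return dos, ten_ms, utc


def build_file_set(name: str, size: int, first_cluster: int, created: datetime) -> bytes:
    """Constructed three-entry set (one File Name entry holds up to 15 UTF-16 characters)."""
    if len(name) > 15:
        raise ValueError("example supports a single File Name entry")
    dos, ten_ms, utc = encode_timestamp(created)
    file_entry = bytearray(ENTRY)
    # type, SecondaryCount, SetChecksum (filled below), FileAttributes (ARCHIVE), reserved, C/M/A times
    struct.pack_into("<BBHHHIII", file_entry, 0, 0x85, 2, 0, 0x20, 0, dos, dos, dos)
    struct.pack_into("<BBBBB", file_entry, 20, ten_ms, ten_ms, utc, utc, utc)
    stream = bytearray(ENTRY)
    # type, GeneralSecondaryFlags (AllocationPossible | NoFatChain), reserved, NameLength, NameHash
    struct.pack_into("<BBBBH", stream, 0, 0xC0, 0x03, 0, len(name), 0)
    struct.pack_into("<QIIQ", stream, 8, size, 0, first_cluster, size)  # ValidDataLength, rsvd, FirstCluster, DataLength
    name_entry = bytearray(ENTRY)
    name_entry[0] = 0xC1
    name_entry[2:2 + 2 * len(name)] = name.encode("utf-16-le")
    struct.pack_into("<H", file_entry, 2, entry_set_checksum(bytes(file_entry + stream + name_entry)))
    return bytes(file_entry + stream + name_entry)


def parse_file_set(entries: bytes) -> dict:
    """Decode a File entry set and verify its set checksum."""
    count = entries[1]
    if entries[0] != 0x85 or len(entries) < (count + 1) * ENTRY:
        raise ValueError("not a complete in-use File entry set")
    entries = entries[:(count + 1) * ENTRY]
    created, modified, accessed = struct.unpack_from("<III", entries, 8)
    c10, m10, cutc, mutc, autc = struct.unpack_from("<BBBBB", entries, 20)
    result = {"checksum_ok": struct.unpack_from("<H", entries, 2)[0] == entry_set_checksum(entries),
              "attributes": struct.unpack_from("<H", entries, 4)[0],
              "created": decode_timestamp(created, c10, cutc),
              "modified": decode_timestamp(modified, m10, mutc),
              "accessed": decode_timestamp(accessed, 0, autc),   # no 10 ms field for access
              "name": ""}
    for i in range(1, count + 1):
        e = entries[i * ENTRY:(i + 1) * ENTRY]
        if e[0] == 0xC0:
            result["name_length"] = e[3]
            result["first_cluster"], result["data_length"] = struct.unpack_from("<IQ", e, 20)
        elif e[0] == 0xC1:
            result["name"] += e[2:].decode("utf-16-le")
    result["name"] = result["name"][:result.get("name_length", len(result["name"]))]
    return result
```

Two details matter for evidence: the odd second of a timestamp lives only in the 10 ms increment byte (a 09:30:45 creation time is stored as 09:30:44 plus 100 increments), and the last-accessed time has no 10 ms field at all, so it can never be more precise than two seconds. The checksum covers the whole set, including the zero padding at the end of the name entry, so data tucked into that padding is detected unless the attacker also recomputes the checksum.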