Since Microsoft released exFAT there has been no public document describing the exFAT file system, and this FS is also protected by Microsoft patents. In the Android space, so far only Samsung supports exFAT, in its newer Galaxy models, in the form of a Linux kernel module; because it is integrated as a kernel file system it is much more efficient than the open-source FUSE approach (https://code.google.com/p/exfat/). This is a document found online that reverse-engineers exFAT v1.0, roughly 80-odd pages, and it can help everyone understand the exFAT file system structure and on-disk layout.
SANS Institute InfoSec Reading Room
This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.
Reverse Engineering the Microsoft exFAT File System
The Extended FAT File System (exFAT) is a new and not yet widely used file system. It has been out for a few years and it will gain acceptance and momentum with the release of storage devices that will support the new SDXC standard. Forensics investigators and the makers of forensics tools need to be ready and prepared for an influx of acquired evidence that requires analysis of this new file structure.
Copyright SANS Institute
Author Retains Full Rights
© 2010 The SANS Institute As part of the Information Security Reading Room Author retains full rights.!
Reverse Engineering the Microsoft Extended FAT File System (exFAT)
GIAC (GCFA) Gold Certification
Author: Robert Shullich, rshullic@earthlink.net
Advisor: Aman Hardikar
Accepted: 12/01/2009
ABSTRACT
As technology pushes the limits of removable media, so grows the need for a new file system to support the larger capacities and faster access speeds being designed. Microsoft's answer to this need is the new Extended FAT File System (exFAT), which has been made available on its newer operating systems and which will be supported on the new Secure Digital Extended Capacity (SDXC) storage media. This new file system is proprietary and requires licensing from Microsoft, and little has been published about exFAT's internals. Yet in order to perform a full and proper digital forensics examination of the media, the file system layout and organization must be known. This paper takes a look under the hood of exFAT and demystifies the file system structure in order to aid the performance of a digital investigation.
1 Introduction
In the US DOJ Special Report released in April 2004, Forensic Examination of
Digital Evidence: A Guide for Law Enforcement (US Department Of Justice (2004)) one
of the steps for evidence examination under Application and File Analysis is:
“Examining the users’ default storage location(s) for applications and the file
structure of the drive to determine if files have been stored in their default or an
alternate location(s)”
How does the forensics examiner accomplish such a feat when the file system is
unknown or not documented? This task becomes a real challenge when having to do an
analysis on proprietary systems such as embedded systems. But now, with the drive
towards storage media with larger capacities, the limits on many of the existing file
systems will be reached during the newest wave of storage technology.
To accommodate these advances, a new file system was developed by Microsoft a few years ago. It is called the Extended FAT File System, abbreviated as exFAT, and some are nicknaming it FAT64. Microsoft is licensing this technology, so in order to implement an exFAT file system a license will be required from Microsoft. In January 2009 a new Secure Digital Extended Capacity (SDXC) specification was announced (Hissink, 2009), with capacities that could reach up to 2 TB, and it will use this new exFAT file system. This new file system may actually fly and gain momentum in 2010 when device support reaches the market.
But today, there is no real Linux support, very few tools support this new file system,
and even the commercial forensics tools are behind in support. There are very few, if any,
open source tools that understand the file organization, and just recently the
specifications of the exFAT file system got released with one of Microsoft’s patent
applications (Microsoft Patent 0164440 (June 25, 2009)).
How does the forensic examiner “examine the file structure of the drive” when the
tools don’t know, and there is no how-to book to help him? This paper is intended to
provide basic insight to the file system structure to allow the forensics examiner to make
sense of the structure beyond just a blob of bytes.
2 Definitions
Steps in Processing Digital Evidence – Assessment, Acquisition, Examination,
Analysis, Documenting and Reporting. (US Department Of Justice, 2004)
Digital Evidence – Any data stored or transmitted using a computer that supports or refutes a theory of how an offense occurred, or that addresses critical elements of the offense such as intent or alibi. (Casey, 2004)
Digital Forensics – Digital forensics involves the identification, collection,
preservation, examination, and analysis of digital evidence. It is a technical, computer-
related field involved in the collection and examination of evidence from computers,
including audio, video, and graphical images. (http://www.ncfs.org/digital_evd.html)
Forensic Examiner – Conducts the examination process to extract and analyze digital
evidence. Extraction refers to the recovery of data from its media. (US Department Of
Justice, 2004)
File Fragmentation – for the purposes of this paper, a file is considered fragmented if
the clusters that the file is stored in either are not in order or there are gaps in the physical
cluster layout, or both. A file is considered not fragmented when the file is physically
stored in order within contiguous clusters.
Removable Media – is storage media that can be removed from its reader and stored
or transported to another location, possibly to be used on a different machine. Examples
of removable storage media are floppy disks, magnetic and paper tape, flash drives, flash
cards, CD/DVD, and ZIP/JAZ. This paper will address removable media that is random
access, which eliminates purely sequential devices such as magnetic and paper tape.
Superfloppy – a configuration where the entire storage media is a single file system
and there is no partitioning. There is no MBR record and when the media is booted the
VBR is loaded by the BIOS. Not all BIOS firmware will support a superfloppy. The
concept of the superfloppy was introduced when media such as 3M’s LS-120 and
Iomega’s Zip disks surpassed the conventional 1.44MB capacities.
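Two of the definitions above are directly checkable on a raw image: whether media is a superfloppy (exFAT VBR at LBA 0) or carries an MBR, and whether a file's cluster chain is fragmented. The following is an added example written for this page, not code from the paper; it assumes the published exFAT boot-sector layout (the 8-byte file-system name "EXFAT   " at offset 3 and the 0x55AA signature at offset 510), and the sample sectors are constructed inline.

```python
import struct

BOOT_SIGNATURE = b"\x55\xAA"      # trailing signature shared by MBR and VBR
EXFAT_FS_NAME = b"EXFAT   "       # file-system name field at VBR offset 3 (assumed layout)


def is_exfat_vbr(sector: bytes) -> bool:
    """True if a 512-byte sector looks like an exFAT Volume Boot Record."""
    return (len(sector) >= 512 and sector[3:11] == EXFAT_FS_NAME
            and sector[510:512] == BOOT_SIGNATURE)


def classify_media(sector0: bytes) -> dict:
    """Classify LBA 0 as a superfloppy exFAT VBR, an MBR, or unknown.

    Superfloppy (paper's definition): no MBR, the VBR itself sits at LBA 0.
    Otherwise a 0x55AA signature plus the 4x16-byte partition table at offset
    446 is treated as an MBR; each used entry gives the LBA where a VBR may be.
    """
    if is_exfat_vbr(sector0):
        return {"layout": "superfloppy", "vbr_lba": 0}
    if len(sector0) >= 512 and sector0[510:512] == BOOT_SIGNATURE:
        partitions = []
        for i in range(4):
            entry = sector0[446 + 16 * i: 446 + 16 * (i + 1)]
            ptype = entry[4]
            lba_start, sectors = struct.unpack_from("<II", entry, 8)
            if ptype != 0 and sectors != 0:
                partitions.append({"type": ptype, "lba_start": lba_start, "sectors": sectors})
        return {"layout": "mbr", "partitions": partitions}
    return {"layout": "unknown"}


def is_fragmented(clusters) -> bool:
    """Paper's definition: fragmented if clusters are out of order or have gaps."""
    return any(b != a + 1 for a, b in zip(clusters, clusters[1:]))


# Constructed sample sectors (not taken from real media).
SUPERFLOPPY_SECTOR = bytearray(512)
SUPERFLOPPY_SECTOR[0:3] = b"\xEB\x76\x90"      # jump instruction
SUPERFLOPPY_SECTOR[3:11] = EXFAT_FS_NAME
SUPERFLOPPY_SECTOR[510:512] = BOOT_SIGNATURE
SUPERFLOPPY_SECTOR = bytes(SUPERFLOPPY_SECTOR)

MBR_SECTOR = bytearray(512)
# one partition entry: bootable flag 0, CHS fields zeroed, type 0x07, LBA 2048, 1,000,000 sectors
MBR_SECTOR[446:462] = b"\x00" + b"\x00" * 3 + b"\x07" + b"\x00" * 3 + struct.pack("<II", 2048, 1_000_000)
MBR_SECTOR[510:512] = BOOT_SIGNATURE
MBR_SECTOR = bytes(MBR_SECTOR)
```

On a partitioned image the examiner would next read the sector at `lba_start` and apply `is_exfat_vbr` to it.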
3 Prior Work
There does not appear to be much research released at this time. The exFAT file
system has been in the market since 2006 with its introduction in Windows CE 6.0, but
exFAT didn’t hit the desktop/server market until the release of Vista SP 1 in March 2008.
The support has effectively existed on the desktop for almost 2 years.
At the Techno Forensics Conference that was held at NIST in Oct 2009
(http://www.thetrainingco.com/html/TechnoForensics2009.html) Jeff Hamm from
Paradigm Solutions gave a presentation on the internals of the exFAT file system. He
provided a presentation and paper on the topic, which provided a good foundation for the
work being presented here. His work is based on a forensic class he teaches that includes
exFAT internals.
4 Setting a Foundation
4.1 Purpose, Disclaimer and Scope
4.1.1 Purpose
The purpose of this paper is to describe the format and layout of the Microsoft
exFAT file system as currently released in the Microsoft desktop and server platforms.
The intent is to aid in the forensic examination of storage media that is formatted with the
exFAT file system. This document can be used as a guide for the forensics examiner in
order to provide a starting point in the search for electronic digital evidence that may be
stored or hidden within this file system.
4.1.2 Disclaimer
The exFAT file system is proprietary property of Microsoft, and an
implementation of the exFAT file system requires a Microsoft license to the
specifications. Licensing may be found at the Microsoft Intellectual Property Licensing
for exFAT page. The research in this paper provides an analysis of the exFAT file system
including its structure and organization. It is not meant to implement the exFAT file
system or any part of it. A static examination is performed of the contents of storage
media, and does not attempt to perform any dynamic analysis by direct non-standard