!
© 2010 The SANS Institute As part of the Information Security Reading Room Author retains full rights.!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
Key!fingerprint!=!AF19!FA27!2F94!998D!FDB5!DE3D!F8B5!06E4!A169!4E46!
Reverse Engineering the Microsoft Extended FAT File System (exFAT)
2
Ǥ
1 Introduction
In the US DOJ Special Report released in April 2004, Forensic Examination of
Digital Evidence: A Guide for Law Enforcement (US Department Of Justice (2004)) one
of the steps for evidence examination under Application and File Analysis is:
“Examining the users’ default storage location(s) for applications and the file
structure of the drive to determine if files have been stored in their default or an
alternate location(s)”
How does the forensics examiner accomplish such a feat when the file system is
unknown or not documented? This task becomes a real challenge when having to do an
analysis on proprietary systems such as embedded systems. But now, with the drive
towards storage media with larger capacities, the limits on many of the existing file
systems will be reached during the newest wave of storage technology.
To accommodate these advances, a new file system has been developed by Microsoft
a few years ago, and it is called the Extended FAT File System, abbreviated as exFAT,
and what some are nicknaming as FAT64. Microsoft is licensing this technology, so in
order to implement an exFAT file system a license will be required from Microsoft. In
January 2009 a new Secure Digital Extended Capacity (SDXC) specification was
announced (Hissink, 2009), with capacities that could reach up to 2 TB, and will use this
new exFAT file system. This new file system may actually fly and gain momentum in
2010 when device support reaches the market.
But today, there is no real Linux support, very few tools support this new file system,
and even the commercial forensics tools are behind in support. There are very few, if any,
open source tools that understand the file organization, and just recently the
specifications of the exFAT file system got released with one of Microsoft’s patent
applications (Microsoft Patent 0164440 (June 25, 2009)).
How does the forensic examiner “examine the file structure of the drive” when the
tools don’t know, and there is no how-to book to help him? This paper is intended to
provide basic insight to the file system structure to allow the forensics examiner to make
sense of the structure beyond just a blob of bytes.
