Demonstrate your understanding of the FAT file system and how to recover a file
Question
Demonstrate your understanding of the FAT file system and how to recover a file manually.
Tools:
Using any Linux or Windows
xxd, dd, and 4860.2.2015.dd (sha1 = 315fc97827005d4d34d27891388a7c295b2ea2b5)
Use the associated image 4860.2.2015.dd and answer the questions below:
https://www.dropbox.com/s/15n5qsmz4s1h7up/4860.2.2015.dd?dl=0
1. What type of file system is on the image?
2. What is the EXACT image size?
3. At what hex offset does the first FAT start?
4. At what hex offset does the second FAT start?
5. Why are there two FATs?
6. At what offset does the root directory start?
7. How many bytes does each root directory entry comprise per file?
8. According to the root directory, how many files are in allocated space? List their names here:
9. According to the root directory, how many files are in unallocated space? List their names here:
10. Why are there 0s from x200 to x390?
11. What’s the difference between line x2600 and line x2620 (that is, explain what they represent)?
12. Why are some entries represented as “FILE ….” and others “f.i.l.e. ….”?
IF YOU'RE ABLE TO DO THIS PART BELOW (Not Required, but it will help me)... YOU'RE THE BOMB & CHEGG YOU'LL BE AMAZING!!!
Manually Recovering Files
Complete the table below for ALL files. I’ve provided info for one of the files.
Next, use the information in the table to recover ALL files in unallocated space. You can copy and paste the commands you used below the second table.
Note: Not all rows will be used. Use the root directory to identify the number of files.
| File name | Deleted? (Y/N) | File Size (hex) | File Size (decimal) | Start sector (hex) as displayed in root d. | Byte swapped start sector (hex) | Start sector (decimal) | Start BYTE (dec) |
|---|---|---|---|---|---|---|---|
| File2.png | N | 2538F | 152463 | 1301 | 113 | 306 | 156672 |
| File name | Type of file | Sha1 hash |
|---|---|---|
| File2.png | Portable Network Graphics (png) | 74fde2180dfb04b16c31e9e85dd0dd41f38b97fe |
Below show the commands you used to recover each file (you may copy and paste from your VM).
1.
2.
3.
4.
5.
6.
Hints:
- Examples of how to calculate values for file5.txt:
- In the root directory the file starting cluster is given as 6902.
- We must byte swap to get actual (hex) starting cluster: x6902 -> x269
- Change that to decimal: x269->617. Use your programmer’s calculator to do this.
- Now we need to add 31 as the indicated starting cluster doesn’t count the 31 reserved sectors, so 617+31 = 648. That’s the actual number of 512 byte clusters.
- Each cluster is 512 bytes, so multiply 648 by 512: 548x512= 331776. That’s your ‘skip’ number.
- Now convert that to hex: 331776 -> x51000 (only need this if you’d like to find the start of the file in xxd)
- The file size is given as x1700 000. Byte swapping that only gives us x17.
- Convert x17 to decimal: x17->23. That’s your count.
Explanation / Answer
1. ext4
2. 1.5MB
3. 0x000
4. 0x0000
5. In order to provide redundancy in case of data corruption, two FATs, FAT1 and FAT2, are stored in the file system. FAT2 is typically a duplicate of FAT1. However, FAT mirroring can be disabled on a FAT32 drive, thus enabling any of the FATs to become the Primary FAT.
6. 0xF6
7. 32 bytes
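
The skip and count arithmetic from the question's hints, as an added example that is not part of the original question or answer: it decodes 32-byte root directory entries and builds the matching dd command. The directory bytes are constructed sample data using the page's values for File2.png and file5.txt; the 512-byte sector size and the +31 offset come from the hints, and marking file5.txt as deleted is an assumption made for illustration.

```python
import struct

SECTOR = 512       # bytes per sector (one sector per cluster), per the hints
DATA_OFFSET = 31   # sectors added to the stored cluster number, per the hints
IMAGE = "4860.2.2015.dd"

def make_entry(name, ext, cluster, size, attr=0x20, deleted=False):
    """Build a constructed 32-byte short-name entry (sample data, not from the image)."""
    raw = bytearray(name.ljust(8).encode() + ext.ljust(3).encode())
    if deleted:
        raw[0] = 0xE5                    # deletion marker replaces the first character
    raw += bytes([attr]) + bytes(14)     # attribute byte, then zeroed time/date fields
    raw += struct.pack("<HI", cluster, size)  # little-endian: 0x0269 is stored as 69 02
    return bytes(raw)

def parse_entry(raw):
    """Decode one 32-byte slot; None for unused slots and long-file-name slots."""
    if len(raw) != 32 or raw[0] == 0x00 or raw[11] == 0x0F:
        return None
    deleted = raw[0] == 0xE5
    stem = ("_" if deleted else chr(raw[0])) + raw[1:8].decode("ascii", "replace")
    ext = raw[8:11].decode("ascii", "replace").strip()
    cluster, size = struct.unpack_from("<HI", raw, 26)   # bytes 26-27 and 28-31
    return {"name": stem.strip() + ("." + ext if ext else ""), "deleted": deleted,
            "cluster": cluster, "size": size,
            "start_byte": (cluster + DATA_OFFSET) * SECTOR}

def dd_command(entry):
    """dd invocation that carves the file, assuming its clusters are contiguous."""
    return (f"dd if={IMAGE} of={entry['name']} bs=1 "
            f"skip={entry['start_byte']} count={entry['size']}")

def walk(directory):
    """Parse every 32-byte slot of a root-directory byte string."""
    slots = (directory[i:i + 32] for i in range(0, len(directory), 32))
    return [e for e in map(parse_entry, slots) if e]

# Constructed root directory: one long-file-name slot, two files, one unused slot.
SAMPLE = (b"\x41" + bytes(10) + b"\x0f" + bytes(20)
          + make_entry("FILE2", "PNG", 0x113, 0x2538F)
          + make_entry("FILE5", "TXT", 0x269, 0x17, deleted=True)
          + bytes(32))

if __name__ == "__main__":
    for e in walk(SAMPLE):
        print(e, dd_command(e) if e["deleted"] else "")
```

With `bs=1`, `skip` and `count` are byte values, which matches the hints' use of 331776 as the skip number and 23 as the count.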