
Demonstrate your understanding of the FAT file system and how to recover a file


Question

Demonstrate your understanding of the FAT file system and how to recover a file manually.

Tools:

Using any Linux or Windows

xxd, dd, and 4860.2.2015.dd (sha1 = 315fc97827005d4d34d27891388a7c295b2ea2b5)

Use the associated image 4860.2.2015.dd and answer the questions below:

https://www.dropbox.com/s/15n5qsmz4s1h7up/4860.2.2015.dd?dl=0

The link below has the same content as the link above; the only difference is that I've extracted the .dd file, just in case:

https://www.dropbox.com/s/zuh37kjcs8angq8/files.zip?dl=0

1. What type of file system is on the image?

2. What is the EXACT image size?

3. At what hex offset does the first FAT start?

4. At what hex offset does the second FAT start?

5. Why are there two FATs?

6. At what offset does the root directory start?

7. How many bytes does each root directory entry comprise per file?

8. According to the root directory, how many files are in allocated space? List their names here:

9. According to the root directory, how many files are in unallocated space? List their names here:

10. Why are there 0s from x200 to x390?

11. What’s the difference between line x2600 and line x2620 (that is, explain what they represent)?

12. Why are some entries represented as “FILE ….” and others “f.i.l.e. ….”?

Explanation / Answer

Hi,

Below are the solutions to your questions. A detailed explanation of how I obtained these values is underneath the solutions. Please refer to it.

1. File system type of the image is FAT32

2. File size = 152463

Use the ls -ltr command on the file to get this value.

Example: ls -ltr /home/Desktop/file2.img

Output: -rw-r--r--r 1 bhojas bhojas 152463 .................

3. Hex offset for the first FAT: 0x10

Explanation: use

Command: hexedit <file name>

Output: Will give a view of the file in hexadecimal or ASCII

We know that the number of FATs is stored at offset 0x10.

4. Hex offset value of the second FAT: 0x20

Use the same procedure as above, but note down the second hex value from the first line.

5. Why there are 2 FATs: For redundancy in case of data corruption.

6. At what offset the root directory starts: 0xE201

Explanation:

The root directory appears immediately after the last copy of the FAT. So what we need to find out is the size of the FAT, and how many copies there are. We also need to know the size of anything else that appears before the FAT(s); there is just the single block of the boot block. So, the number of blocks that appear before the root directory is given by:

All we need to do, then, is discover these values. First, we know that the number of FATs is stored at offset 0x10; this tells us that there is just one FAT.

Next, we need to know the size of a FAT; this is at offsets 0x16 and 0x17, where we find 0x00 and 0xE2 respectively. Remember that these two bytes together make up a 16 bit value, with the least significant byte stored first; in other words, the value is 0xE200. So, the total number of blocks that precede the root directory is given by:

7. How many bytes does each root directory entry comprise per file: 32 bytes

Explanation:

The root directory contains an entry for each file whose name appears at the root (the top level) of the file system. Other directories can appear within the root directory; they are called subdirectories. The main difference between the two is that space for the root directory is allocated statically, when the disk is formatted; there is thus a finite upper limit on the number of files that can appear in the root directory.

Subdirectories are just files with special data in them, so they can be as large or small as desired.

The format of all directories is the same. Each entry is 32 bytes (0x20) in size, so a single block can contain 16 of them. The following table shows a summary of a single directory entry; note that the offset is merely from the start of that particular entry, not from the start of the block.


8. According to the root directory, how many files are in allocated space? List their names here: I couldn't figure this out.

9. I couldn't figure it out.

10. Why are there 0s from x200 to x390?

Explanation: They are reserved.

Follow these steps yourself in case you want to experiment with this question.

1. Download the file onto your Linux OS and then issue this command:

2. Once this is done, you can go into the /mnt directory to issue all your cd, ls commands to list out the file system type, size, etc.

3. Use

Hope that helps...HAPPY ANSWERING!!!!!!!!!

| Offset | Length | Description |
| --- | --- | --- |
| 0x00 | 8 bytes | Filename |
| 0x08 | 3 bytes | Filename extension |
| 0x0b | 1 byte | File attributes |
| 0x0c | 10 bytes | Reserved |
| 0x16 | 2 bytes | Time created or last updated |
| 0x18 | 2 bytes | Date created or last updated |
| 0x1a | 2 bytes | Starting cluster number for file |
| 0x1c | 4 bytes | File size in bytes |
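An added example, not part of the original question or answer: a Python parser that reads the boot sector fields mentioned above (FAT count at 0x10, FAT size at 0x16) together with the reserved-sector and root-entry fields, computes where each FAT copy and the root directory start, and then walks the 32-byte entries from the table to separate allocated files, deleted files (first name byte 0xE5) and long-file-name slots (attribute 0x0F). The function names `fat_layout`, `list_root` and `build_sample` are hypothetical, and the sample image is constructed with standard 1.44 MB floppy geometry; it does not reproduce the values of 4860.2.2015.dd. The layout math assumes FAT12/16, since on FAT32 the 16-bit FAT size at 0x16 is zero and the root directory is a cluster chain.

```python
import struct

def fat_layout(boot):
    """Byte offsets of each FAT copy, the root directory and the data area."""
    bps, spc, reserved, nfats, root_entries = struct.unpack_from("<HBHBH", boot, 0x0B)
    (fat_sectors,) = struct.unpack_from("<H", boot, 0x16)    # sectors per FAT
    fat_bytes = fat_sectors * bps
    fats = [reserved * bps + i * fat_bytes for i in range(nfats)]
    root = reserved * bps + nfats * fat_bytes                # right after the last FAT
    return {"fats": fats, "root": root, "root_entries": root_entries,
            "data": root + root_entries * 32}

def list_root(image, layout):
    """Classify each 32-byte root entry as lfn, allocated or deleted."""
    found = []
    for i in range(layout["root_entries"]):
        off = layout["root"] + i * 32
        entry = image[off:off + 32]
        if len(entry) < 32 or entry[0] == 0x00:   # 0x00: no entries beyond this one
            break
        name, attr, _, _, _, cluster, size = struct.unpack("<11sB10sHHHI", entry)
        if attr == 0x0F:   # long-name slot, UTF-16LE (only its first 5 chars decoded)
            found.append(("lfn", entry[1:11].decode("utf-16-le"), off))
            continue
        deleted = entry[0] == 0xE5                # first name byte replaced on delete
        raw = b"?" + name[1:] if deleted else name
        base = raw[:8].decode("ascii", "replace").rstrip()
        ext = raw[8:].decode("ascii", "replace").rstrip()
        state = "deleted" if deleted else "allocated"
        found.append((state, f"{base}.{ext}" if ext else base, off, cluster, size))
    return found

def build_sample():
    """Constructed image: 512-byte sectors, 1 reserved, 2 FATs of 9 sectors, 224 root entries."""
    image = bytearray(0x4200)
    struct.pack_into("<HBHBH", image, 0x0B, 512, 1, 1, 2, 224)
    struct.pack_into("<H", image, 0x16, 9)
    short = lambda n, c, s: struct.pack("<11sB10sHHHI", n, 0x20, bytes(10), 0, 0, c, s)
    entries = (b"\x41" + "file1".encode("utf-16-le") + b"\x0f" + bytes(20)
               + short(b"FILE1   TXT", 2, 1200)
               + short(b"\xe5ILE2   JPG", 5, 3000))
    image[0x2600:0x2600 + len(entries)] = entries
    return bytes(image)

if __name__ == "__main__":
    img = build_sample()
    lay = fat_layout(img[:512])
    print([hex(o) for o in lay["fats"]], hex(lay["root"]), hex(lay["data"]))
    for e in list_root(img, lay):
        print(e)
```

On a real image, read it opened read-only and confirm the SHA-1 given in the question before parsing; the starting cluster and size of a deleted entry are what a manual dd carve would start from.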
