WEBVTT

00:00.650 --> 00:02.420
Understanding the file systems.

00:02.660 --> 00:09.360
A hard drive can have multiple partitions on it, and in each partition there will be a file system.

00:09.380 --> 00:14.600
There might be hundreds of thousands to millions of files contained within a partition.

00:14.750 --> 00:22.160
So the file system tracks where every file is and how much space is available within the partition boundaries.

00:22.430 --> 00:29.570
We discussed sectors earlier in the hard drive and solid state drive section of this course, and they

00:29.570 --> 00:32.720
are the smallest units that are available to store data.

00:32.750 --> 00:35.960
The file system stores data based on clusters.

00:35.990 --> 00:44.570
Clusters are one or more sectors, so a cluster is the smallest allocation unit that the file system can

00:44.570 --> 00:45.800
write to.

00:45.830 --> 00:52.010
So now there are many file systems available and some are restricted to specific operating systems.

00:52.040 --> 00:57.890
Unless the user enables drivers that will allow the operating system to read the file system.

00:58.340 --> 01:04.890
So we will look now at some of the common file systems you may encounter.

01:04.910 --> 01:09.550
So the FAT file system, file allocation table.

01:09.560 --> 01:16.760
So the file allocation table file system has been around since the early days of home computing.

01:16.760 --> 01:22.880
And it's one of the five file systems that nearly all operating systems can read.

01:22.970 --> 01:27.140
So it's a de facto standard file system for removable devices.

01:27.830 --> 01:30.410
As time has gone by.

01:30.440 --> 01:33.860
The FAT file system has gone through numerous changes.

01:33.860 --> 01:37.250
So the first FAT file system is FAT 12.

01:37.280 --> 01:49.100
So this was created in 77 and used 12 bits, hence the FAT 12 designation, to address available clusters.

01:49.100 --> 01:52.310
So it is 12 bits to address available clusters.

01:52.310 --> 01:54.770
So but this is limited.

01:55.160 --> 02:02.840
It could only be used on storage devices that contain 4069 clusters.

02:02.840 --> 02:08.690
So it's rarely seen nowadays, but you might find it on a floppy disk.

02:08.690 --> 02:13.130
So then we have FAT 16.

02:13.850 --> 02:24.500
This was created in 84, and FAT 16 used 16 bits to address available clusters.

02:24.500 --> 02:32.430
So it had the same uses as FAT 12, as it could not be scaled to be used with larger capacity devices.

02:32.430 --> 02:40.680
So it's incompatible with FAT 16 and FAT 12; it's not compatible with large capacity devices.

02:40.680 --> 02:42.470
And then we have VFAT.

02:42.480 --> 02:51.480
So this was introduced with Windows 95 and added the virtual file allocation table.

02:51.480 --> 02:59.610
So it added long file names (LFN) and additional timestamps here.

02:59.610 --> 03:15.360
So then lastly, we have FAT 32, so FAT 32 uses 28 bits to address available clusters, theoretically

03:15.360 --> 03:21.390
allowing for a maximum volume size of 2.2TB.

03:22.030 --> 03:31.690
So Microsoft implemented restrictions that limited the file system size to 32GB with a maximum file

03:31.690 --> 03:34.710
size of four gigabytes.

03:35.860 --> 03:36.760
So.

03:38.010 --> 03:44.250
It is still in use today and can be found on most removable devices.

03:44.760 --> 03:51.270
We will discuss the FAT32 file system for the remainder of this lecture and the FAT file system.

03:51.270 --> 03:53.970
So the FAT file system here.

03:54.750 --> 03:58.680
Um, actually, let's make it a little right here.

03:58.680 --> 04:00.540
So the FAT file system.

04:01.690 --> 04:04.510
Uh, is laid out in two areas.

04:05.410 --> 04:06.700
As you can see here.

04:06.730 --> 04:09.640
System area and data area.

04:09.850 --> 04:14.560
So the system area, actually, let me write that down.

04:18.640 --> 04:20.130
Actually don't feel it.

04:22.060 --> 04:22.690
So.

04:25.020 --> 04:25.890
System area.

04:26.040 --> 04:29.640
So the system area stores.

04:31.790 --> 04:32.750
Uh, the volume.

04:32.960 --> 04:33.470
Volume.

04:33.470 --> 04:34.400
Boot data.

04:34.430 --> 04:35.780
Boot record, actually.

04:35.810 --> 04:37.160
Boot record.

04:37.160 --> 04:39.380
And FAT tables.

04:47.600 --> 04:48.200
Actually.

04:49.970 --> 04:50.720
So.

04:50.720 --> 04:52.640
But the data area here.

04:55.870 --> 05:00.730
Uh, this data area stores the root directory.

05:01.810 --> 05:03.490
Directory and files.

05:17.220 --> 05:18.060
So.

05:23.990 --> 05:31.300
As you can see here, we have boot record, FAT one and FAT two engaged with the system area, and root

05:31.310 --> 05:31.910
DA.

05:32.120 --> 05:35.780
The root directory and files are engaged with the data area.

05:36.620 --> 05:42.850
So these are the volume records and these are the root directory and files.

05:42.860 --> 05:48.650
So now let's get into the next topic in this lecture.

05:48.650 --> 05:50.660
So this is the boot record.

05:50.660 --> 06:00.470
So in the system area we have the volume boot record (VBR), so we can find it in logical sector

06:00.500 --> 06:06.920
LS 0, which is the first sector within the partition boundaries.

06:10.970 --> 06:14.820
So the boot process here creates the VBR.

06:14.840 --> 06:22.250
When the partition is formatted and contains information about the volume and boot code to contain the

06:22.250 --> 06:24.230
boot process for the operating system.

06:24.470 --> 06:26.450
If it is a primary partition,

06:26.450 --> 06:33.290
The VBR will consist of several sectors, typically sector zero, sector one and sector two, with the

06:33.290 --> 06:38.270
backup in sectors six, seven and eight.

06:38.450 --> 06:48.860
The VBR and backups are stored in a reserved area, which is typically 32 sectors before the first

06:48.860 --> 06:51.320
file allocation table begins.

06:52.040 --> 06:55.160
So this is the sector here.

07:12.300 --> 07:18.780
Now we will find these directly in these hex codes here.

07:18.780 --> 07:25.980
We can see a volume boot record which helps to decipher the information like.

07:26.940 --> 07:31.200
So actually, let me write that down here in the left side of this.

07:33.050 --> 07:34.280
Screenshot here.

07:41.030 --> 07:41.390
Here.

07:45.300 --> 07:46.110
Okay.

07:49.030 --> 07:49.360
So.

07:50.960 --> 07:53.360
We have 0x00.

07:53.360 --> 07:54.710
This is the hex part here.

07:54.740 --> 07:58.640
So in this X here.

08:01.350 --> 08:04.050
We will find the jump instructions.

08:06.250 --> 08:08.800
Uh, jump instructions.

08:12.080 --> 08:13.880
Um, for the system.

08:15.050 --> 08:16.550
Two contributing.

08:22.040 --> 08:24.380
And 0x03.

08:24.380 --> 08:34.310
Here we have the, um, ID, uh, this is the ID of which operating system was used to format the device.

08:36.870 --> 08:41.700
So this is the bytes per sector.

08:41.820 --> 08:44.160
Here, actually, let me open it.

08:44.820 --> 08:46.290
Bytes.

08:47.420 --> 08:48.680
Per sector.

08:50.500 --> 08:54.490
We also have 0x0E here.

08:55.480 --> 08:57.670
This is the reserved sectors.

09:03.910 --> 09:07.440
So this is actually not the entire reserved sector.

09:07.450 --> 09:12.850
This just shows the number of reserved sectors in our.

09:15.440 --> 09:22.490
So in our here and we have here zero.

09:24.730 --> 09:27.370
It's actually 0x10, right?

09:28.790 --> 09:29.570
Yes.

09:29.990 --> 09:30.920
This is the extent.

09:31.010 --> 09:34.340
This is the number of FATs.

09:35.810 --> 09:39.620
Uh, actually, in this case, it's usually.

09:40.870 --> 09:41.560
Two.

09:42.800 --> 09:44.930
So we have 0x11.

09:47.250 --> 09:50.730
So this is the unused root entries.

09:55.290 --> 09:58.170
So there is a trick for that.

09:58.170 --> 10:08.700
So if you're using FAT32, this should be zero because the root directory is in the data area, as

10:08.700 --> 10:11.130
we discussed earlier.

10:11.130 --> 10:18.960
So as you can see here, the root directory is in the data area, so if you are using FAT32, in

10:18.960 --> 10:21.420
your case it will be zero for you.

10:21.630 --> 10:24.450
So we have 0x13.

10:24.960 --> 10:27.870
So this is number of sectors.

10:31.490 --> 10:32.810
We have 0x15.

10:33.780 --> 10:36.480
This is the media descriptor.

10:44.450 --> 10:52.160
We have 0x16 here and then we will have 0x18.

10:52.550 --> 10:53.450
0x16.

10:55.300 --> 10:57.040
This is the number.

10:58.170 --> 11:01.800
Number of sectors per FAT.

11:02.400 --> 11:12.990
And now if you are using FAT32, this should be zero in your case here.

11:15.510 --> 11:18.240
And this is the number of sectors per track.

11:20.270 --> 11:22.910
Sectors per track.

11:23.880 --> 11:24.390
Um.

11:27.210 --> 11:30.610
So this is the total sectors for the volume.

11:31.550 --> 11:32.730
You have

11:33.670 --> 11:35.560
0x20 here.

11:35.770 --> 11:37.390
This is the logic.

11:37.600 --> 11:39.070
Logical sectors.

11:40.440 --> 11:41.100
Perfect.

11:46.440 --> 11:49.590
And then we will have extended flags.

11:53.430 --> 11:59.310
So actually, these are the pretty advanced topics in digital forensics here.

12:00.210 --> 12:00.410
Um.

12:02.100 --> 12:07.500
We will cover these advanced topics in the next lectures of our course.

12:07.680 --> 12:08.910
So.

12:12.050 --> 12:17.450
Next, we will look at the file allocation table in the next lecture.

12:17.740 --> 12:21.890
Here, actually, at the end of this

12:23.610 --> 12:29.690
section of our course, there will be a practice test, which I'm sure you can do.

12:29.700 --> 12:32.460
So I'm waiting for you in the next lecture.
