WEBVTT

0:00:02.920000 --> 0:00:07.700000
In this video, we will create a FAT32 file system and add some files and

0:00:07.700000 --> 0:00:10.760000
directories to understand exactly how it works.

0:00:10.760000 --> 0:00:14.500000
Let's start off by creating a simple FAT32 file system.

0:00:14.500000 --> 0:00:18.680000
This here is the virtual disk that we created for our testing environment.

0:00:18.680000 --> 0:00:23.640000
Let's right-click it, select New Simple Volume, and click the Next button.

0:00:23.640000 --> 0:00:26.700000
We'll leave the settings here as is and click Next again.

0:00:26.700000 --> 0:00:32.240000
In the drop-down here, let's change it to Drive Letter A and click Next.

0:00:32.240000 --> 0:00:36.600000
Now on this screen, let's change the file system to FAT32.

0:00:36.600000 --> 0:00:40.240000
Leave the allocation unit size as default and update the text field for

0:00:40.240000 --> 0:00:42.680000
volume label to "testing FAT".

0:00:42.680000 --> 0:00:49.020000
We'll uncheck the box here so it does not perform a quick format and instead

0:00:49.020000 --> 0:00:50.800000
zeroes out everything.

0:00:50.800000 --> 0:00:57.820000
Now click Next and let's finish.

0:00:57.820000 --> 0:00:59.980000
Our file system is now ready.

0:00:59.980000 --> 0:01:02.460000
Let's start off by adding a couple of files.

0:01:02.460000 --> 0:01:06.400000
Let's name this directory A.

0:01:06.400000 --> 0:01:12.400000
Let's create another directory and we'll call it D-I-R-B, or directory

0:01:12.400000 --> 0:01:15.780000
B. There's a reason why I made the first directory with uppercase

0:01:15.780000 --> 0:01:17.780000
letters and the second in lowercase.

0:01:17.780000 --> 0:01:20.800000
You'll see why in a few minutes.

0:01:20.800000 --> 0:01:27.000000
Next, let's create a simple file and name it file1.

0:01:27.000000 --> 0:01:29.640000
In the document, let's type some text.

0:01:29.640000 --> 0:01:31.580000
This is just a dummy file.

0:01:31.580000 --> 0:01:33.640000
And now we can close it.

0:01:33.640000 --> 0:01:37.020000
Let's create another file.

0:01:37.020000 --> 0:01:40.800000
This one we'll call "This is a file with a long file name".

0:01:40.800000 --> 0:01:48.480000
Let's also add some text:

0:01:48.480000 --> 0:01:55.400000
"This is a file with a long file name", and close the file.

0:01:55.400000 --> 0:01:57.580000
So now we have two files.

0:01:57.580000 --> 0:02:01.200000
The reason why I have directory B and a file in lowercase is that they

0:02:01.200000 --> 0:02:04.040000
will only hold a single FAT directory entry,

0:02:04.040000 --> 0:02:07.720000
while these two, directory A and the long file name, will have two directory

0:02:07.720000 --> 0:02:12.300000
entries. Let's create another one just to show that even though the name

0:02:12.300000 --> 0:02:15.820000
length is using the 8.3 scheme, or in other words, the file name has less

0:02:15.820000 --> 0:02:19.460000
than or equal to eight characters, like we mentioned in the course, and

0:02:19.460000 --> 0:02:20.960000
it has at least a single uppercase,

0:02:20.960000 --> 0:02:22.780000
if we have a file with an uppercase character, then it will use a long

0:02:22.780000 --> 0:02:27.980000
file name. Also, as we saw in the slides, if we have a file with an uppercase

0:02:27.980000 --> 0:02:31.300000
character, it will be holding two directory entries.

0:02:31.300000 --> 0:02:34.980000
Now that it's created, we can go ahead and start analyzing.

0:02:34.980000 --> 0:02:39.280000
Before we do that though, let's take a forensic image of this file system.

0:02:39.280000 --> 0:02:46.020000
Let's go ahead and click Yes and then go to File, Create Disk Image, select

0:02:46.020000 --> 0:02:48.680000
Logical Drive, and click Next again.

0:02:48.680000 --> 0:02:52.560000
We'll leave the source drive selection as it is and click Finish.

0:02:52.560000 --> 0:02:56.180000
Next, click Add, we'll leave it as Raw, and click Next.

0:02:56.180000 --> 0:02:58.260000
We won't be adding anything here.

0:02:58.260000 --> 0:03:01.520000
Now, let's select where we want to store this.

0:03:01.520000 --> 0:03:03.680000
Let's select Desktop.

0:03:03.680000 --> 0:03:07.060000
Let's name the file Fat32Test.

0:03:07.060000 --> 0:03:12.360000
Let's also change the image fragment size to zero, as we don't want to

0:03:12.360000 --> 0:03:16.020000
split the file. Now let's click Finish.

0:03:16.020000 --> 0:03:19.160000
We can now start the process.

0:03:19.160000 --> 0:03:28.540000
FTK Imager has finished creating the forensic image.

0:03:28.540000 --> 0:03:33.420000
Let's take the image and copy it to my host system, because I don't have

0:03:33.420000 --> 0:03:35.940000
WinHex running on my virtual machine.

0:03:35.940000 --> 0:03:46.020000
But you don't have to do that if your system is running WinHex.

0:03:46.020000 --> 0:03:52.240000
So now, using WinHex, let's open our file system image, Fat32Test.

0:03:52.240000 --> 0:03:59.040000
Here, we see that it starts with these characters and then MSDOS5.0.

0:03:59.040000 --> 0:04:02.840000
This is a good indicator that it's for a FAT32 file system.

0:04:02.840000 --> 0:04:06.460000
This here also indicates that we have a FAT32 file system.

0:04:06.460000 --> 0:04:15.540000
Let's now go to Specialist and select Interpret Image File As Disk.

0:04:15.540000 --> 0:04:18.540000
Let's go ahead and analyze the boot sector by selecting the boot sector

0:04:18.540000 --> 0:04:21.860000
and then go to View and select Template Manager.

0:04:21.860000 --> 0:04:24.740000
Here we can apply the Boot Sector FAT32 template.

0:04:24.740000 --> 0:04:32.360000
Here we can see the byte codes for the jump instruction, EB 58,

0:04:32.360000 --> 0:04:37.760000
just a short jump, and 90 is just a NOP, or no operation, in byte codes.

0:04:37.760000 --> 0:04:42.780000
For OEM, we have MSDOS5.0.

0:04:42.780000 --> 0:04:48.500000
Just below, we have bytes per sector, which is 512, and 4 sectors per cluster,

0:04:48.500000 --> 0:04:52.400000
which means we have a cluster size of 2048.

0:04:52.400000 --> 0:04:54.640000
Reserved sectors are next.

0:04:54.640000 --> 0:05:00.000000
We have 6246 reserved sectors, which means our first FAT will be at this

0:05:00.000000 --> 0:05:06.400000
location. Next is number of FATs, which is 2, meaning that we have FAT1

0:05:06.400000 --> 0:05:12.140000
and FAT2. The root entries field is unused and set to 0, meaning there are currently no

0:05:12.140000 --> 0:05:13.860000
root entries used.

0:05:13.860000 --> 0:05:18.140000
Next, we have sectors on small disk, and then below that media descriptor,

0:05:18.140000 --> 0:05:22.100000
which is F8, which means that it is for a disk.

0:05:22.100000 --> 0:05:27.760000
We have 63 sectors per track, 16 heads, and 128 hidden sectors,

0:05:27.760000 --> 0:05:33.780000
and then on the volume, we have 505,856 sectors.

0:05:33.780000 --> 0:05:38.760000
Further down, we have sectors per FAT, which is 973, meaning that both

0:05:38.760000 --> 0:05:41.880000
FAT1 and FAT2 are 973 sectors.

0:05:41.880000 --> 0:05:47.560000
Mirroring is not disabled.

0:05:47.560000 --> 0:05:51.200000
The root directory's first cluster is at cluster number 2, as you may recall

0:05:51.200000 --> 0:05:55.680000
from earlier: Microsoft reserves 0 and 1.

0:05:55.680000 --> 0:05:58.860000
The file system information sector is found in sector number 1, and the

0:05:58.860000 --> 0:06:02.380000
backup boot sector is in sector number 6.

0:06:02.380000 --> 0:06:06.880000
Down here, we have the volume label and the file system, and lastly, we have

0:06:06.880000 --> 0:06:13.880000
the signature. Now, let's go to sector 1 and sector 6.

0:06:13.880000 --> 0:06:19.540000
Let's go to these two.

0:06:19.540000 --> 0:06:24.520000
Let's go to the Go To Offset icon, and let's type 1 as the new position.

0:06:24.520000 --> 0:06:28.620000
Then select Beginning, and click OK.

0:06:28.620000 --> 0:06:32.160000
This is where the 512 bytes start.

0:06:32.160000 --> 0:06:36.780000
The RRaA here is the signature for the file system information sector.

0:06:36.780000 --> 0:06:41.960000
Now, if we go to sector 6, this will take us to the backup of the boot

0:06:41.960000 --> 0:06:46.340000
sector. Let's copy this.

0:06:46.340000 --> 0:06:52.160000
Now let's go to Edit, select Copy Block, and then Hex Values.

0:06:52.160000 --> 0:06:56.900000
Let's go back to Edit, select Clipboard Data, and then Paste Into New

0:06:56.900000 --> 0:07:02.100000
File. Now, let's go to View and then Template Manager, select Boot Sector

0:07:02.100000 --> 0:07:04.460000
FAT32, and apply.

0:07:04.460000 --> 0:07:07.340000
This is alright, go ahead and click OK.

0:07:07.340000 --> 0:07:11.080000
This will give us the exact data we saw before.

0:07:11.080000 --> 0:07:13.860000
This here is the backup for the boot sector.

0:07:13.860000 --> 0:07:18.880000
We don't need this one, so we can close it, and we also don't need to save

0:07:18.880000 --> 0:07:22.860000
it. Here's the root directory.

0:07:22.860000 --> 0:07:27.220000
What we need to do now is understand how these entries are actually interpreted.

0:07:27.220000 --> 0:07:32.940000
If we check the DIRB directory, it's found right here.

0:07:32.940000 --> 0:07:35.500000
Here's the entry for directory B.

0:07:35.500000 --> 0:07:38.940000
Since this is the only one using lowercase letters, it will have only

0:07:38.940000 --> 0:07:40.660000
one single entry.

0:07:40.660000 --> 0:07:45.780000
Let's put our cursor here, and then go to View, Template Manager, and

0:07:45.780000 --> 0:07:48.940000
this time we'll select FAT Directory Entry (normal or short entry format),

0:07:48.940000 --> 0:07:50.760000
because we have a simple entry.

0:07:50.760000 --> 0:07:52.760000
Now click Apply.

0:07:52.760000 --> 0:07:57.600000
As you can see here, this is the name of the file.

0:07:57.600000 --> 0:08:01.380000
We don't have an extension, so it's padded with zeros, and as you can

0:08:01.380000 --> 0:08:06.240000
see from the bits, this bit is for the directory, which is found here.

0:08:06.240000 --> 0:08:09.980000
Here's the creation date and the creation time, the access date and the

0:08:09.980000 --> 0:08:14.020000
access time, and here's the update date and update time.

0:08:14.020000 --> 0:08:17.540000
Just below, we can see the cluster number for this file.

0:08:17.540000 --> 0:08:21.840000
And we can also see the size for it, which is zero because it is a directory,

0:08:21.840000 --> 0:08:25.140000
as we can see here.

0:08:25.140000 --> 0:08:30.560000
The cluster number is cluster number eight.

0:08:30.560000 --> 0:08:35.240000
Let's go here to directory B, right-click, and select Navigation, and

0:08:35.240000 --> 0:08:36.760000
then List Clusters.

0:08:36.760000 --> 0:08:39.300000
It also shows us we have eight clusters.

0:08:39.300000 --> 0:08:41.780000
Okay, let's go back to the root directory.

0:08:41.780000 --> 0:08:44.360000
Let me explain the first entry.

0:08:44.360000 --> 0:08:50.120000
The first entry, "testing FAT", is for the volume label.

0:08:50.120000 --> 0:08:54.680000
If we go to View, Template Manager, we'll leave it selected as FAT Directory

0:08:54.680000 --> 0:08:59.340000
Entry for normal or short entry format and click Apply.

0:08:59.340000 --> 0:09:04.120000
This is set for the volume label.

0:09:04.120000 --> 0:09:09.980000
Let's look at this entry, directory A.

0:09:09.980000 --> 0:09:13.300000
Since this directory is using more than eight characters, it will be using

0:09:13.300000 --> 0:09:17.120000
two or more entries, that is, a long file name is used.

0:09:17.120000 --> 0:09:21.640000
Let's first analyze this entry, which is direct one, two, three, four,

0:09:21.640000 --> 0:09:25.400000
five, six, seven, and eight, which represents the short file name.

0:09:25.400000 --> 0:09:30.060000
Let's go to View and Template Manager and apply.

0:09:30.060000 --> 0:09:38.820000
Here we see the name, and there is no extension, so it will be padded.

0:09:38.820000 --> 0:09:42.700000
Here we have 10 because it's a directory.

0:09:42.700000 --> 0:09:45.920000
And here at the bottom is the cluster number.

0:09:45.920000 --> 0:09:49.000000
Above, we can also see more details.

0:09:49.000000 --> 0:09:54.960000
Since this is not eight characters long, it will have more than one entry.

0:09:54.960000 --> 0:09:59.020000
The entry for this is found here.

0:09:59.020000 --> 0:10:02.620000
Let's select this and go to View and select Template Manager.

0:10:02.620000 --> 0:10:06.400000
Here, we'll select the FAT Directory Entry for long entry format and

0:10:06.400000 --> 0:10:08.600000
then click Apply.

0:10:08.600000 --> 0:10:11.620000
Here we can see that the sequence number is 41.

0:10:11.620000 --> 0:10:15.560000
Four means that it ends here, and one means that we only have one additional

0:10:15.560000 --> 0:10:20.860000
entry. Here we have the first five characters, which are represented in

0:10:20.860000 --> 0:10:25.640000
Unicode. Below that, we have the other six characters.

0:10:25.640000 --> 0:10:32.840000
So here we have D-I-R-E-C, and again just below, T-O-R-Y-A.

0:10:32.840000 --> 0:10:37.180000
And here are the final two characters, but since we don't have other characters,

0:10:37.180000 --> 0:10:39.240000
it's padded with zeros.

0:10:39.240000 --> 0:10:43.700000
Since this is a long file name entry, it will have 0F in it.

0:10:43.700000 --> 0:10:45.840000
The checksum is 6F.

0:10:45.840000 --> 0:10:48.920000
This was calculated based on the actual file name.

0:10:48.920000 --> 0:10:52.800000
Let's go ahead and close this and look at another file.

0:10:52.800000 --> 0:10:56.860000
Let's look at this one, the one called "This is a file with a long file

0:10:56.860000 --> 0:11:01.280000
name". We can go through this list and try to figure out which entry it

0:11:01.280000 --> 0:11:05.700000
corresponds with, or we can right-click on it and select Navigation, then

0:11:05.700000 --> 0:11:07.380000
Seek Directory Entry.

0:11:07.380000 --> 0:11:12.740000
Here's the directory entry for this file.

0:11:12.740000 --> 0:11:16.500000
If we go to View and Template Manager and apply the short entry format

0:11:16.500000 --> 0:11:20.500000
here, we can see that these represent eight characters.

0:11:20.500000 --> 0:11:23.440000
Just below, we have the extension.

0:11:23.440000 --> 0:11:27.780000
Then we have the attributes for this file.

0:11:27.780000 --> 0:11:31.900000
Below, we have the creation date and time, access date and time, and additional

0:11:31.900000 --> 0:11:38.540000
details. We have the cluster, which is where the file is located, which

0:11:38.540000 --> 0:11:40.420000
is cluster number 10.

0:11:40.420000 --> 0:11:43.100000
We'll go back to this later.

0:11:43.100000 --> 0:11:46.620000
And here's the file size, which is 36 bytes for this file.

0:11:46.620000 --> 0:11:53.880000
Now let's analyze its other entries, which can be found starting here.

0:11:53.880000 --> 0:11:57.280000
Now let's go to View again and Template Manager, and we'll apply the long

0:11:57.280000 --> 0:12:00.500000
format this time and then click Apply.

0:12:00.500000 --> 0:12:04.580000
This here is the first in our sequence because it is 01.

0:12:04.580000 --> 0:12:10.320000
We have the first "This " here, as it is five characters including the space.

0:12:10.320000 --> 0:12:17.340000
Below, we see the next six characters in the name.

0:12:17.340000 --> 0:12:20.900000
And the next two characters are i and l.

0:12:20.900000 --> 0:12:24.200000
We have 0F because this is a long file name.

0:12:24.200000 --> 0:12:27.080000
At the bottom, the checksum is 43.

0:12:27.080000 --> 0:12:30.340000
This must be seen in all other entries we go through.

0:12:30.340000 --> 0:12:32.020000
Let's go backwards from here.

0:12:32.020000 --> 0:12:35.020000
We can do that by clicking on this arrow button at the top.

0:12:35.020000 --> 0:12:38.800000
Now, under the sequence number, 02 appears.

0:12:38.800000 --> 0:12:47.140000
We can also see that more of the file name appears too.

0:12:47.140000 --> 0:12:51.800000
Again, we have 0F because it's a long file name entry and 43 as the

0:12:51.800000 --> 0:12:55.660000
checksum. This was for sequence 02.

0:12:55.660000 --> 0:12:58.160000
Let's go back again.

0:12:58.160000 --> 0:13:12.160000
We now have sequence 03 and more of the file name appears.

0:13:12.160000 --> 0:13:17.220000
Here again, 0F indicating that it's a long file name entry.

0:13:17.220000 --> 0:13:20.480000
And here too is the checksum, which is 43.

0:13:20.480000 --> 0:13:22.920000
Let's go back one more time.

0:13:22.920000 --> 0:13:25.240000
Here our sequence number is 44.

0:13:25.240000 --> 0:13:28.280000
The first four indicates that it is the ending of our long file name entry,

0:13:28.280000 --> 0:13:32.020000
and the second four is the fourth entry for this file.

0:13:32.020000 --> 0:13:36.000000
For file name, we have the last of the file name here, which is the last

0:13:36.000000 --> 0:13:39.060000
"t" in the file name and is the extension.

0:13:39.060000 --> 0:13:42.180000
We can see that here on the left under the name column.

0:13:42.180000 --> 0:13:46.060000
For the remaining file name boxes, the rest are padded to 0.

0:13:46.060000 --> 0:13:49.980000
Again, we see 0F because it's a long file name entry.

0:13:49.980000 --> 0:13:53.380000
And as we saw before, 43 for the checksum.

0:13:53.380000 --> 0:13:58.440000
We were able to easily interpret and analyze a file on a FAT32 file system

0:13:58.440000 --> 0:14:00.620000
using WinHex and its entries.

0:14:00.620000 --> 0:14:03.880000
We can right-click the file name to check the cluster number, and the cluster

0:14:03.880000 --> 0:14:08.260000
is 10, holds 36 bytes, and has only one fragment.

0:14:08.260000 --> 0:14:14.720000
If we select all of this, at the bottom right we can see that it's 24

0:14:14.720000 --> 0:14:19.140000
in hex, and if we right-click, we can see that it's 36 decimal bytes, which

0:14:19.140000 --> 0:14:21.160000
represents the file size.

0:14:21.160000 --> 0:14:27.620000
In this video, we analyzed a FAT32 disk using WinHex.

0:14:27.620000 --> 0:14:31.860000
We discussed the difference between uppercase and lowercase file names, as well

0:14:31.860000 --> 0:14:36.560000
as what happens when you have a file with more than 8.3, which is 8 characters

0:14:36.560000 --> 0:14:40.500000
for the name and 3 characters for the extension, and how that's represented

0:14:40.500000 --> 0:14:44.220000
and stored in a FAT32 file system.

0:14:44.220000 --> 0:14:50.520000
This concludes our video lesson on how to analyze FAT file systems.

0:14:50.520000 --> 0:14:51.400000
Thank you for joining us.