FOR421 - FAT12/16/32 and exFAT File Systems

This seminar presents the complete details of the FAT file systems. Learn how files are stored, and how to recover some deleted files.

Level: Intermediate
Audience:

Cyber forensics investigators
Topics:
  • What is FAT?
    • Features
    • Compromises
  • History of FAT
    • FAT12
    • FAT16
    • FAT32
    • exFAT
  • Disk layout: FAT12/16/32
    • Boot sector and the BIOS parameter block
    • Clusters
    • File Allocation Table
    • File names
    • File attributes
    • Additional FATs
    • Root directory
    • Data region
  • Disk layout: exFAT
    • exFAT features
    • Boot sector and the BIOS parameter block
    • File Allocation Table
    • Secondary FAT
    • Named streams
  • "Undeleting" files
    • Finding the FAT entry
    • Editing the FAT
Prerequisites:

FOR201: Windows Internals Overview, or FOR205: Windows Internals for Forensics, or equivalent Windows experience; and FOR220: Windows Storage Systems Overview
Operating systems supported: Windows NT through current Windows versions
Durations and formats: 1 day with labs