You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Please add the ability for the Sleuth Kit to find orphaned FAT directories, even if there is no boot sector.
Currently, The Sleuth Kit can only find orphaned files on a FAT file system if there is a boot sector. However, orphaned FAT directories don't require a boot sector to be found. FAT directories can be identified by their "." and ".." entries at the beginning.
If the FAT boot sector was overwritten, the cluster size is unknown. It's a vicious cycle: The Sleuth Kit needs a boot sector to be able to look for orphaned directories, but one needs to find orphaned directories to get an estimate of the cluster size.
One way to break this vicious cycle is by identifying orphaned FAT directories by searching a disk or disk image for "." and ".." entries, and then find at least one file using both file carving (using sigfind or photorec) and orphaned FAT directories.
Orphaned FAT directories contain metadata such as file name, at which cluster (not byte) the beginning of the file is located, and date and time information.
File carving can only locate the beginning of the file and the byte offset of the file by searching for the file signature, such as FFD8 for JPEG. The lowest common denominator here is the beginning of the file.
For the sake of simplicity, let's call this imaginary file example.jpg.
If we then divide the byte offset (found using file carving) of example.jpg by the cluster count in the orphaned directory, we get a rough estimate of the cluster size in bytes.
Cluster sizes are powers of two starting at the sector size of 512 (meaning 512, 1024, 2048, etc.), so all that needs to be done to know the cluster size is then finding the closest power of two below the result.
For example, if example.jpg starts at byte 205824 (found using file carving) and cluster 100 (found using orphaned directories), the cluster size is very likely 2048 bytes, since that is the highest power of two below 2058.24.
And we even get a nice bonus! We can also find out the offset of the original beinning of the entire FAT file system, in other words the original location of the boot sector of the file system, using a simple modulu operation! Using (starting byte of example.jpg) mod (presumed cluster size), we can locate where the FAT boot sector must have been before it was overwritten.
In this example, 205824 mod 2048 = 1024. So this FAT file system must have started at 1024 bytes, meaning sector 2. To get the sector count (or "block address"), just divide the result by 512. This presumes that there was only one partition and it starts near the beginning, which is almost always the case since that is storage manufacturers' default.
Therefore, please add the ability to find orphaned FAT directories to sleuth kit.
IsoBuster already has the ability to find orphaned FAT directories.
The same should later also be implemented for exFAT, but I realize that orphaned exFAT directories will be more difficult to detect due to the lack of the . and .. entries.
The text was updated successfully, but these errors were encountered:
Please add the ability for the Sleuth Kit to find orphaned FAT directories, even if there is no boot sector.
Currently, The Sleuth Kit can only find orphaned files on a FAT file system if there is a boot sector. However, orphaned FAT directories don't require a boot sector to be found. FAT directories can be identified by their "." and ".." entries at the beginning.
If the FAT boot sector was overwritten, the cluster size is unknown. It's a vicious cycle: The Sleuth Kit needs a boot sector to be able to look for orphaned directories, but one needs to find orphaned directories to get an estimate of the cluster size.
One way to break this vicious cycle is by identifying orphaned FAT directories by searching a disk or disk image for "." and ".." entries, and then find at least one file using both file carving (using
sigfindorphotorec) and orphaned FAT directories.Orphaned FAT directories contain metadata such as file name, at which cluster (not byte) the beginning of the file is located, and date and time information.
File carving can only locate the beginning of the file and the byte offset of the file by searching for the file signature, such as
FFD8for JPEG. The lowest common denominator here is the beginning of the file.For the sake of simplicity, let's call this imaginary file
example.jpg.If we then divide the byte offset (found using file carving) of
example.jpgby the cluster count in the orphaned directory, we get a rough estimate of the cluster size in bytes.Cluster sizes are powers of two starting at the sector size of 512 (meaning 512, 1024, 2048, etc.), so all that needs to be done to know the cluster size is then finding the closest power of two below the result.
For example, if
example.jpgstarts at byte205824(found using file carving) and cluster100(found using orphaned directories), the cluster size is very likely 2048 bytes, since that is the highest power of two below2058.24.And we even get a nice bonus! We can also find out the offset of the original beinning of the entire FAT file system, in other words the original location of the boot sector of the file system, using a simple modulu operation! Using
(starting byte of example.jpg) mod (presumed cluster size), we can locate where the FAT boot sector must have been before it was overwritten.In this example,
205824 mod 2048=1024. So this FAT file system must have started at 1024 bytes, meaning sector 2. To get the sector count (or "block address"), just divide the result by 512. This presumes that there was only one partition and it starts near the beginning, which is almost always the case since that is storage manufacturers' default.Therefore, please add the ability to find orphaned FAT directories to sleuth kit.
IsoBuster already has the ability to find orphaned FAT directories.
The same should later also be implemented for exFAT, but I realize that orphaned exFAT directories will be more difficult to detect due to the lack of the
.and..entries.The text was updated successfully, but these errors were encountered: