1 00:00:00,650 --> 00:00:02,420 Understanding the file systems.
2 00:00:02,660 --> 00:00:09,360 A hard drive can have multiple partitions on it, and in each partition there will be a file system.
3 00:00:09,380 --> 00:00:14,600 There might be hundreds of thousands to millions of files contained within a partition.
4 00:00:14,750 --> 00:00:22,160 So the file system tracks where every file is and how much space is available within the partition boundaries.
5 00:00:22,430 --> 00:00:29,570 We discussed sectors earlier, in the hard drive and solid state drive section of this course, and they
6 00:00:29,570 --> 00:00:32,720 are the smallest units that are available to store data.
7 00:00:32,750 --> 00:00:35,960 The file system stores data based on clusters.
8 00:00:35,990 --> 00:00:44,570 Clusters are one or more sectors, so a cluster is the smallest allocation unit that the file system can
9 00:00:44,570 --> 00:00:45,800 write to.
10 00:00:45,830 --> 00:00:52,010 So now, there are many file systems available, and some are restricted to specific operating systems,
11 00:00:52,040 --> 00:00:57,890 unless the user enables drivers that will allow the operating system to read the file system.
12 00:00:58,340 --> 00:01:04,890 So we will look now at some of the common file systems you may encounter.
13 00:01:04,910 --> 00:01:09,550 So the FAT file system: File Allocation Table.
14 00:01:09,560 --> 00:01:16,760 So the File Allocation Table file system has been around since the early days of home computing.
15 00:01:16,760 --> 00:01:22,880 And it's one of the few file systems that nearly all operating systems can read.
16 00:01:22,970 --> 00:01:27,140 So it's the de facto standard file system for removable devices.
17 00:01:27,830 --> 00:01:30,410 As time has gone by,
18 00:01:30,440 --> 00:01:33,860 the FAT file system has gone through numerous changes.
19 00:01:33,860 --> 00:01:37,250 So the first FAT file system is FAT 12.
20 00:01:37,280 --> 00:01:49,100 So this was created in '77 and used 12 bits, hence the FAT 12 designation, to address available clusters.
21 00:01:49,100 --> 00:01:52,310 So it is 12 bits to address available clusters.
22 00:01:52,310 --> 00:01:54,770 But this is limited.
23 00:01:55,160 --> 00:02:02,840 It could only be used on storage devices that contained 4069 clusters.
24 00:02:02,840 --> 00:02:08,690 So it's rarely seen nowadays, but you might find it on a floppy disk.
25 00:02:08,690 --> 00:02:13,130 So then we have FAT 16.
26 00:02:13,850 --> 00:02:24,500 This was created in '84, and FAT 16 used 16 bits to address available clusters.
27 00:02:24,500 --> 00:02:32,430 So it had the same uses as FAT 12, as it could not be scaled to be used with larger-capacity devices.
28 00:02:32,430 --> 00:02:40,680 So, like FAT 12, it's not compatible with large-capacity devices.
29 00:02:40,680 --> 00:02:42,470 And then we have VFAT.
30 00:02:42,480 --> 00:02:51,480 So this was introduced with Windows 95 and added the Virtual File Allocation Table.
31 00:02:51,480 --> 00:02:59,610 So it added long file names (LFN) and additional timestamps here.
32 00:02:59,610 --> 00:03:15,360 So then lastly, we have FAT 32. So FAT 32 uses 28 bits to address available clusters, theoretically
33 00:03:15,360 --> 00:03:21,390 allowing for a maximum volume size of 2.2 TB.
34 00:03:22,030 --> 00:03:31,690 So Microsoft implemented restrictions that limited the file system size to 32 GB, with a maximum file
35 00:03:31,690 --> 00:03:34,710 size of four gigabytes.
36 00:03:35,860 --> 00:03:36,760 So.
37 00:03:38,010 --> 00:03:44,250 It is still in use today and can be found on most removable devices.
38 00:03:44,760 --> 00:03:51,270 We will discuss the FAT32 file system for the remainder of this lecture, and the FAT file system.
39 00:03:51,270 --> 00:03:53,970 So the FAT file system here.
40 00:03:54,750 --> 00:03:58,680 Um, actually, let's write it a little right here.
41 00:03:58,680 --> 00:04:00,540 So the FAT file system.
42 00:04:01,690 --> 00:04:04,510 Uh, is laid out in two areas.
43 00:04:05,410 --> 00:04:06,700 As you can see here.
44 00:04:06,730 --> 00:04:09,640 System area and data area.
45 00:04:09,850 --> 00:04:14,560 So the system area, actually, let me write that down.
46 00:04:18,640 --> 00:04:20,130 Actually, don't fill it.
47 00:04:22,060 --> 00:04:22,690 So.
48 00:04:25,020 --> 00:04:25,890 System area.
49 00:04:26,040 --> 00:04:29,640 So the system area stores
50 00:04:31,790 --> 00:04:32,750 uh, the volume.
51 00:04:32,960 --> 00:04:33,470 Volume.
52 00:04:33,470 --> 00:04:34,400 Boot data.
53 00:04:34,430 --> 00:04:35,780 Boot record, actually.
54 00:04:35,810 --> 00:04:37,160 Boot record.
55 00:04:37,160 --> 00:04:39,380 And FAT tables.
56 00:04:47,600 --> 00:04:48,200 Actually.
57 00:04:49,970 --> 00:04:50,720 So.
58 00:04:50,720 --> 00:04:52,640 But the data area here.
59 00:04:55,870 --> 00:05:00,730 Uh, this data area stores the root directory.
60 00:05:01,810 --> 00:05:03,490 Directory and files.
61 00:05:17,220 --> 00:05:18,060 So.
62 00:05:23,990 --> 00:05:31,300 As you can see here, we have the boot record, FAT 1 and FAT 2 in the system area, and the root
63 00:05:31,310 --> 00:05:31,910 directory.
64 00:05:32,120 --> 00:05:35,780 The root directory and files are in the data area.
65 00:05:36,620 --> 00:05:42,850 So these are the volume records, and these are the root directory and files.
66 00:05:42,860 --> 00:05:48,650 So now let's get into the next topic in this lecture.
67 00:05:48,650 --> 00:05:50,660 So this is the boot record.
68 00:05:50,660 --> 00:06:00,470 So in the system area we have the volume boot record, VBR, and we can find it in logical sector
69 00:06:00,500 --> 00:06:06,920 LS zero, which is the first sector within the partition boundaries.
70 00:06:10,970 --> 00:06:14,820 So the boot process here creates the VBR.
71 00:06:14,840 --> 00:06:22,250 When the partition is formatted, it contains information about the volume and boot code to continue the
72 00:06:22,250 --> 00:06:24,230 boot process for the operating system.
73 00:06:24,470 --> 00:06:26,450 If it is a primary partition,
74 00:06:26,450 --> 00:06:33,290 the VBR will consist of several sectors, typically sector zero, sector one and sector two, with the
75 00:06:33,290 --> 00:06:38,270 backup in sectors six, seven and eight.
76 00:06:38,450 --> 00:06:48,860 The VBR and backups are stored in a reserved area, which is typically 32 sectors before the first
77 00:06:48,860 --> 00:06:51,320 file allocation table begins.
78 00:06:52,040 --> 00:06:55,160 So this is the sector here.
79 00:07:12,300 --> 00:07:18,780 Now we will find these directly in these hex codes here.
80 00:07:18,780 --> 00:07:25,980 We can see a volume boot record, which helps to decipher information like...
81 00:07:26,940 --> 00:07:31,200 So actually, let me write that down here on the left side of this
82 00:07:33,050 --> 00:07:34,280 screenshot here.
83 00:07:41,030 --> 00:07:41,390 Here.
84 00:07:45,300 --> 00:07:46,110 Okay.
85 00:07:49,030 --> 00:07:49,360 So.
86 00:07:50,960 --> 00:07:53,360 We have 0x00.
87 00:07:53,360 --> 00:07:54,710 This is the hex part here.
88 00:07:54,740 --> 00:07:58,640 So in this 0x00 here,
89 00:08:01,350 --> 00:08:04,050 we will find the jump instructions.
90 00:08:06,250 --> 00:08:08,800 Uh, jump instructions.
91 00:08:12,080 --> 00:08:13,880 Um, for the system.
92 00:08:15,050 --> 00:08:16,550 To continue.
93 00:08:22,040 --> 00:08:24,380 And 0x03.
94 00:08:24,380 --> 00:08:34,310 Here we will have the ID, uh, this is the ID of the operating system that was used to format the device.
95 00:08:36,870 --> 00:08:41,700 So this is the bytes per sector.
96 00:08:41,820 --> 00:08:44,160 Here, actually, let me open it.
97 00:08:44,820 --> 00:08:46,290 Bytes.
98 00:08:47,420 --> 00:08:48,680 Per sector.
99 00:08:50,500 --> 00:08:54,490 We also have 0x0E here.
100 00:08:55,480 --> 00:08:57,670 This is the reserved sectors.
101 00:09:03,910 --> 00:09:07,440 So this is actually not the entire reserved area.
102 00:09:07,450 --> 00:09:12,850 This just shows the number of reserved sectors in our...
103 00:09:15,440 --> 00:09:22,490 So in ours here, and we have here zero.
104 00:09:24,730 --> 00:09:27,370 It's actually 0x10, right?
105 00:09:28,790 --> 00:09:29,570 Yes.
106 00:09:29,990 --> 00:09:30,920 This is 0x10.
107 00:09:31,010 --> 00:09:34,340 This is the number of FATs.
108 00:09:35,810 --> 00:09:39,620 Uh, actually, in this case, it's usually
109 00:09:40,870 --> 00:09:41,560 two.
110 00:09:42,800 --> 00:09:44,930 So we have 0x11.
111 00:09:47,250 --> 00:09:50,730 So this is the unused root entries.
112 00:09:55,290 --> 00:09:58,170 So there is a trick for that.
113 00:09:58,170 --> 00:10:08,700 So if you're using FAT32, this should be zero, because the root directory is in the data area, as
114 00:10:08,700 --> 00:10:11,130 we discussed earlier.
115 00:10:11,130 --> 00:10:18,960 So as you can see here, the root directory is in the data area, which means that if you are using FAT32, in
116 00:10:18,960 --> 00:10:21,420 your case it will be zero for you.
117 00:10:21,630 --> 00:10:24,450 So we have 0x13.
118 00:10:24,960 --> 00:10:27,870 So this is the number of sectors.
119 00:10:31,490 --> 00:10:32,810 We have 0x15.
120 00:10:33,780 --> 00:10:36,480 This is the media descriptor.
121 00:10:44,450 --> 00:10:52,160 We have 0x16 here, and then we will have 0x18.
122 00:10:52,550 --> 00:10:53,450 0x16.
123 00:10:55,300 --> 00:10:57,040 This is the number,
124 00:10:58,170 --> 00:11:01,800 number of sectors per FAT.
125 00:11:02,400 --> 00:11:12,990 And now, if you are using FAT32, this should be zero in your case here.
126 00:11:15,510 --> 00:11:18,240 And this is the number of sectors per track.
127 00:11:20,270 --> 00:11:22,910 Sectors per track.
128 00:11:23,880 --> 00:11:24,390 Um.
129 00:11:27,210 --> 00:11:30,610 So this is the total sectors for the volume.
130 00:11:31,550 --> 00:11:32,730 You have 0x
131 00:11:33,670 --> 00:11:35,560 20 here.
132 00:11:35,770 --> 00:11:37,390 This is the logic...
133 00:11:37,600 --> 00:11:39,070 Logical sectors.
134 00:11:40,440 --> 00:11:41,100 Perfect.
135 00:11:46,440 --> 00:11:49,590 And then we will have the extended flags.
136 00:11:53,430 --> 00:11:59,310 So actually, these are pretty advanced topics in digital forensics here.
137 00:12:00,210 --> 00:12:00,410 Um.
138 00:12:02,100 --> 00:12:07,500 We will cover these advanced topics in the next lectures of our course.
139 00:12:07,680 --> 00:12:08,910 So.
140 00:12:12,050 --> 00:12:17,450 Next, we will look at the file allocation table in the next lecture.
141 00:12:17,740 --> 00:12:21,890 Here, actually, at the end of this
142 00:12:23,610 --> 00:12:29,690 section of our course, there will be a practice test, which I'm sure you can do.
143 00:12:29,700 --> 00:12:32,460 So I'm waiting for you in the next lecture.