DetailsofFAT32Introduction Directory and File AttributesFile Operations-Read files- Write files-Deletefiles-Recoverdeletedfiles11
Details of FAT32 • Introduction • Directory and File Attributes • File Operations – Read files – Write files – Delete files – Recover deleted files 11
Directory Traversalc:>dirc:windowsStep(1)Readthedirectoryfileoftheroot....directorystartingfromCluster#206/13/20122,033,216explorer.exe08/04/2015169,120notepad.exe......"c:lwindows"startsfromCluster#123.c:1>How does this work?Cluster#2FilenameAttributesCluster#Checkthisoutbyyourself??WhetherthosetwoAdirectorydirectoryentriesexistorentrynot.123windowsBootRootFAT1FAT2FSINFOSectorDirectory12
Directory Traversal 12 Root Directory FAT1 FAT2 Boot Sector FSINFO Cluster #2 Filename Attributes Cluster # . . ? . . ? . . . windows . 123 A directory entry c:\> dir c:\windows . 06/13/2012 2,033,216 explorer.exe 08/04/2015 169,120 notepad.exe . c:\> _ How does this work? Check this out by yourself. Whether those two directory entries exist or not. Step (1) Read the directory file of the root directory starting from Cluster #2. “C:\windows” starts from Cluster #123
Directory Traversalc:>dirc:windowsStep(2)Readthedirectoryfileofthe"C:lwindows"startingfromCluster#12306/13/20122.033.216explorer.exe08/04/2015169,120notepad.exec:↓>How does this work?Cluster#123FilenameAttributesCluster#?But,wherearethe?information,e.g.,filesizemodificationtime.etc?456notepad.exeRootBootFAT1FAT2FSINFOSectorDirectory13
Directory Traversal 13 Root Directory FAT1 FAT2 Boot Sector FSINFO Cluster #123 Filename Attributes Cluster # . . ? . . ? . . . notepad.exe . 456 c:\> dir c:\windows . 06/13/2012 2,033,216 explorer.exe 08/04/2015 169,120 notepad.exe . c:\> _ How does this work? Step (2) Read the directory file of the “C:\windows” starting from Cluster #123. But, where are the information, e.g., file size, modification time, etc?
Directoryentry. Directory entry is just a structure.FilenameCluster#Attributeswhat?BytesDescription32explorer.exe1st character of the filenameHow?0-0(Ox00orOxe5meansunallocated)1-107+3 charactersoffilename + extension.70epoXe11-11File attributes (e.g.,read only,hidden)815eeX........16230000..........12-12Reserved.2431200000C4OF0013-19CreationandaccesstimeinformationHigh2bytes of thefirstclusteraddress20-21Note.This isthe8+3namingconvention(OforFAT16andFAT12).22-25Writtentimeinformation8 charactersfor name+3characters forfileextension26-27Low2bvtesoffirstclusteraddress28-31File size14
Directory entry 14 Bytes Description 0-0 1 st character of the filename (0x00 or 0xe5 means unallocated) 1-10 7+3 characters of filename + extension. 11-11 File attributes (e.g., read only, hidden) 12-12 Reserved. 13-19 Creation and access time information. 20-21 High 2 bytes of the first cluster address (0 for FAT16 and FAT12). 22-25 Written time information. 26-27 Low 2 bytes of first cluster address. 28-31 File size. How? what? e x p l o r e r e x e . . . . . . . . . 00 00 . . . . 20 00 00 C4 0F 00 0 7 8 15 16 23 24 31 Note. This is the 8+3 naming convention. 8 characters for name + 3 characters for file extension Filename Attributes Cluster # explorer.exe . 32 • Directory entry is just a structure
Directoryentry Directory entry is just a structure.FilenameCluster#Attributeswhat?BytesDescription32explorer.exe1st character of the filenameHow?0-0(Ox00orOxe5meansunallocated)1-107+3charactersoffilename+extension.70工xepOne11-11File attributes (e.g.,read only,hidden)815eXe1.16002300...S212-12Reserved.2431200000C4OF0013-19CreationandaccesstimeinformationHigh2bytesofthefirstclusteraddress20-21(OforFAT16andFAT12)Howtocalculatethefirst22-25Writtentimeinformationclusteraddress?26-27Low2bvtesoffirstclusteraddress28-31File size15
Directory entry 15 • Directory entry is just a structure. Bytes Description 0-0 1 st character of the filename (0x00 or 0xe5 means unallocated) 1-10 7+3 characters of filename + extension. 11-11 File attributes (e.g., read only, hidden) 12-12 Reserved. 13-19 Creation and access time information. 20-21 High 2 bytes of the first cluster address (0 for FAT16 and FAT12). 22-25 Written time information. 26-27 Low 2 bytes of first cluster address. 28-31 File size. Filename Attributes Cluster # explorer.exe . 32 How? e x p l o r e r e x e . . . . . . . . . 00 00 . . . . 20 00 00 C4 0F 00 0 7 8 15 16 23 24 31 what? How to calculate the first cluster address?