Overview
The output of many TSK tools is relatively easy to understand because each tool has a specific focus. For example, the output of fls is a list of file names and their corresponding inode addresses. Two tools, fsstat and istat, produce a lot of information, and the type of information varies by file system. They provide the details of a file system or of a single metadata structure, respectively.
This article covers the output of the fsstat command when run on a FAT file system. The fsstat command gives the general information about a file system. This information is typically located in the boot sector or superblock of a file system and does not apply to any specific file or directory. Examples of the information in these data structures are the size of the data units, the number of data units in the file system, and the number of metadata structures. When using Autopsy, this information is shown under the Image Details tab. The fsstat output is broken up into sections and each file system type has a different number of sections. The FAT output has four sections and the first three are based on the file system, content, and metadata categories of the basic file system model that I use. The last section of the output contains a graphical representation of the file allocation table.
FAT Basics
Before we look at the fsstat output, we will briefly cover some of the basics of the FAT file system. This is not an extensive description of FAT and is intended only as a review. For more details, refer to the FAT specification [1] (or wait until File System Forensic Analysis [2] is released in March :) ).
The first sector of a FAT file system contains the boot sector data structure, where the basic administrative information can be found. This data structure describes the layout of the file system: the sector and cluster sizes, the number of reserved sectors, the number and size of the file allocation tables, and the size of the root directory. Following the reserved sectors is the first file allocation table structure (FAT). The FAT is used to determine the next cluster in a file and to determine which clusters are not being used. In FAT12/16 there is typically only one reserved sector, so the FAT immediately follows the boot sector, but in FAT32 there are typically several reserved sectors in between. A backup FAT typically follows the first FAT.
After the last FAT is the start of the Data Area, which is where the directory and file contents are stored. The layout of the Data Area is different for FAT12/16 and FAT32. With FAT12/16, the sector after the last FAT is the beginning of the root directory, which has a fixed size that is given in the boot sector. After the root directory is the first cluster, which is given an address of 2 (there are no clusters 0 and 1). With FAT32, cluster 2 starts in the sector following the last FAT. The FAT32 root directory is an ordinary cluster chain and can start anywhere in the Data Area; its starting cluster is recorded in the boot sector. The Data Area extends until the end of the file system.
File and directory content are stored in clusters, which are groups of consecutive sectors. As I previously stated, the first cluster is located dozens or hundreds of sectors into the file system, after the boot sector and FATs. TSK does not use cluster addresses in its output because doing so would be confusing. If TSK were to use clusters, then it would need two different addressing schemes. If you wanted to examine the data in the FAT, you would need to use its sector address. If you wanted to examine the data in a file's contents, you would need to use a cluster address. TSK simplifies this by showing and using only sector addresses (even if the file system stores the address as a cluster address).
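The layout described above, and the cluster-to-sector conversion TSK performs, can be reproduced from the boot sector fields alone. The following is an added example written for this article; it is not TSK code and does not reproduce fsstat's exact output. It builds two constructed boot sectors (one FAT16, one FAT32; no real image is used), decodes the BIOS Parameter Block, locates the FATs, root directory and cluster 2, determines the FAT type from the cluster count as the specification [1] requires, and maps cluster addresses to the sector addresses that TSK prints. The function and field names are my own.

```python
"""Added example (not part of TSK): derive the FAT layout that fsstat
reports from the boot sector, and map cluster addresses to sector addresses."""
import struct
from dataclasses import dataclass

# Fields at offset 11 of the boot sector, in order: bytes/sector, sectors/cluster,
# reserved sectors, number of FATs, root entries, total sectors (16-bit), media,
# sectors/FAT (16-bit), sectors/track, heads, hidden sectors, total sectors (32-bit).
_BPB = "<HBHBHHBHHHII"


def build_boot_sector(bps, spc, reserved, nfats, root_entries, total, spf,
                      fat32=False, root_cluster=2):
    """Construct a minimal boot sector. Constructed test data, not a real image."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x3C\x90"              # jump instruction
    bs[3:11] = b"EXAMPLE "                 # OEM name
    tot16 = total if (total < 65536 and not fat32) else 0
    struct.pack_into(_BPB, bs, 11, bps, spc, reserved, nfats,
                     0 if fat32 else root_entries, tot16, 0xF8,
                     0 if fat32 else spf, 63, 255, 0, 0 if tot16 else total)
    if fat32:
        # sectors/FAT (32-bit), ext flags, version, root directory cluster
        struct.pack_into("<IHHI", bs, 36, spf, 0, 0, root_cluster)
    bs[510:512] = b"\x55\xAA"              # boot sector signature
    return bytes(bs)


@dataclass
class FatLayout:
    fat_type: str
    bytes_per_sector: int
    sectors_per_cluster: int
    total_sectors: int
    fat_start: int        # sector of the first FAT
    fat_size: int         # sectors per FAT
    num_fats: int
    root_dir_start: int   # sector where the root directory begins
    cluster2_start: int   # sector where cluster 2 (the first cluster) begins
    cluster_count: int

    def cluster_to_sector(self, cluster):
        """Sector address TSK shows for a cluster address stored in the file system."""
        if cluster < 2 or cluster >= self.cluster_count + 2:
            raise ValueError(f"cluster {cluster} is outside the Data Area")
        return self.cluster2_start + (cluster - 2) * self.sectors_per_cluster

    def sector_to_cluster(self, sector):
        """Inverse mapping; None for sectors that have no cluster address
        (boot sector, reserved area, FATs, FAT12/16 root directory)."""
        if sector < self.cluster2_start or sector >= self.total_sectors:
            return None
        return 2 + (sector - self.cluster2_start) // self.sectors_per_cluster


def parse_fat_layout(bs):
    """Decode the boot sector and compute the layout fsstat reports."""
    if len(bs) < 512 or bs[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot sector signature")
    (bps, spc, reserved, nfats, root_entries, tot16, _media, spf16,
     _spt, _heads, _hidden, tot32) = struct.unpack_from(_BPB, bs, 11)
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or nfats == 0:
        raise ValueError("implausible BPB values")
    total = tot16 or tot32                       # 16-bit field wins when nonzero
    spf = spf16 or struct.unpack_from("<I", bs, 36)[0]   # FAT32 keeps it at 36
    if total == 0 or spf == 0:
        raise ValueError("zero sector count or FAT size")
    # FAT12/16 root directory has a fixed size; for FAT32 root_entries is 0
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps
    after_fats = reserved + nfats * spf
    cluster2 = after_fats + root_dir_sectors
    if cluster2 >= total:
        raise ValueError("FATs and root directory exceed the volume")
    cluster_count = (total - cluster2) // spc
    # Per the specification the type follows from the cluster count alone,
    # not from the type string in the boot sector.
    if cluster_count < 4085:
        fat_type = "FAT12"
    elif cluster_count < 65525:
        fat_type = "FAT16"
    else:
        fat_type = "FAT32"
    if fat_type == "FAT32":
        root_cluster = struct.unpack_from("<I", bs, 44)[0]
        root_dir_start = cluster2 + (root_cluster - 2) * spc
    else:
        root_dir_start = after_fats
    return FatLayout(fat_type, bps, spc, total, reserved, spf, nfats,
                     root_dir_start, cluster2, cluster_count)


# Constructed samples: a 32 MiB FAT16 volume and a 512 MiB FAT32 volume.
SAMPLE_FAT16 = build_boot_sector(512, 4, 1, 2, 512, 65536, 64)
SAMPLE_FAT32 = build_boot_sector(512, 8, 32, 2, 0, 1048576, 1024, fat32=True)

if __name__ == "__main__":
    for sample in (SAMPLE_FAT16, SAMPLE_FAT32):
        lay = parse_fat_layout(sample)
        print(f"{lay.fat_type}: FAT 0 at sector {lay.fat_start}, "
              f"root dir at {lay.root_dir_start}, cluster 2 at {lay.cluster2_start}, "
              f"cluster 10 -> sector {lay.cluster_to_sector(10)}")
```

The FAT16 sample places the root directory at sector 129 (directly after two 64-sector FATs) and cluster 2 at sector 161, so a file whose directory entry says it starts in cluster 10 is shown by TSK at sector 193. In the FAT32 sample the root directory is itself cluster 2, so both begin at sector 2080. The `sector_to_cluster` check is the point the article makes: a sector inside the FAT has no cluster address at all, which is why TSK sticks to sectors.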