ExFAT version 2


mcman
Senior Member
 

ExFAT version 2

Post Posted: Jan 21, 14 21:16

Has anyone run into the ExFAT ver. 2 filesystem? EnCase and FTK can parse version 1 no problem but won't handle version 2 as far as I've tested. Looking at the raw data in the VBR, all the information seems to be there and there is a file structure but it doesn't look like any of my tools can successfully parse it out properly.

I also cannot find any documentation online about it. This came from a Windows Phone 7 image that I did not acquire. Formatting a USB stick in Windows 8.1 still gives version 1.0 so I'm not sure where I can get additional data to compare. Apparently X-Ways can successfully analyze it but I don't have it here in the office.

Any help would be appreciated.

Jamie  
 
  

jhup
Senior Member
 

Re: ExFAT version 2

Post Posted: Jan 22, 14 01:32

How did you conclude that this is "ver. 2"?  
 
  

mcman
Senior Member
 

Re: ExFAT version 2

Post Posted: Jan 22, 14 01:41

- jhup
How did you conclude that this is "ver. 2"?


The revision number at 0x68 of the VBR has the value 00 02. Every other ExFAT image I can get my hands on has 00 01.  
 
  

twjolson
Senior Member
 

Re: ExFAT version 2

Post Posted: Jan 22, 14 20:50

Offset 0x68 has both major and minor version numbers in the form of MM.mm. Is the version 2 in the major or minor version number?

To my knowledge, version 2 doesn't exist. However, version 1.02 is the same as version 1, with the exception that it adds journaling (TexFAT). I THINK the only major difference is that TexFAT contains two File Allocation Tables.

I did the research for Lock and Code's Reference Guide. However, at the time I couldn't generate a version 1.02 file system. So, I am not making promises on the above.

Hope this helps.

Terry  
 
  

sam305754
Member
 

Re: ExFAT version 2

Post Posted: Jan 22, 14 22:25

Try Autopsy/TSK.
 
  

mcman
Senior Member
 

Re: ExFAT version 2

Post Posted: Jan 22, 14 22:34

Thanks Terry,

It definitely sounds similar to what I'm seeing. Definitely looks to be transactional and after reading up on TexFAT, it's looking more and more likely. I'll take a look for a second FAT to confirm but it's also worth noting that the directory records appear to be padded with a header of A1 followed by a block of zeros. Not sure if that is for future use or what but that seems to be the reason why my tools are having a hard time parsing it because the rest of the filesystem seems to be straightforward.

Here's an excerpt from the VBR to give you a better idea (note the 00 02 value for the revision number, as far as I see it, this looks like a major value in little endian, hence why I thought it was revision 2).

Code:
EB769045584641542020200000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
0000000000000000803FC90000000000
20000000A00C00006019000031490600
020000004300C7070002100009050280
FF000000000000000000000000000000
00000000000000000000000000000000
...
00000000000000000000000000000000
000000000000000000000000000055AA
 
 
  

jaclaz
Senior Member
 

Re: ExFAT version 2

Post Posted: Jan 23, 14 00:14

- mcman
I'll take a look for a second FAT to confirm but it's also worth noting that the directory records appear to be padded with a header of A1 followed by a block of zeros.

Then it is very likely a TexFAT:
www.ntfs.com/exfat-tex...adding.htm

Still the version seems like a "Major" 2.0, is it possible that Windows Phone 7 (on some specific device or "generally") has introduced a new version (and no one or very few noticed)?

For further confirmation:
www.active-undelete.co...volume.htm
(the 02 at 0x6E is TexFAT only)

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
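
The fields discussed in the posts above (the revision at 0x68 and the FAT count at 0x6E) can be decoded straight from the posted VBR excerpt. This is an added example, not part of any poster's message and not code from any tool named in the thread; field names and offsets follow the published exFAT specification, and the function names are hypothetical.

```python
import struct

# First 0x80 bytes of the VBR excerpt posted in the thread above.
VBR_HEX = """
EB769045584641542020200000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
0000000000000000803FC90000000000
20000000A00C00006019000031490600
020000004300C7070002100009050280
FF000000000000000000000000000000
"""

# Main boot sector fields at 0x40..0x70, named as in the exFAT specification.
FIELDS = ("PartitionOffset", "VolumeLength", "FatOffset", "FatLength",
          "ClusterHeapOffset", "ClusterCount", "FirstClusterOfRootDirectory",
          "VolumeSerialNumber", "FileSystemRevision", "VolumeFlags",
          "BytesPerSectorShift", "SectorsPerClusterShift", "NumberOfFats",
          "DriveSelect", "PercentInUse")
LAYOUT = struct.Struct("<2Q6I2H5B")  # little endian, unpadded, 49 bytes

def parse_vbr(raw):
    """Decode the geometry fields; raises ValueError if this is not exFAT."""
    if len(raw) < 0x40 + LAYOUT.size:
        raise ValueError("need at least 0x71 bytes of the boot sector")
    if raw[3:11] != b"EXFAT   ":
        raise ValueError("FileSystemName is not 'EXFAT   '")
    vbr = dict(zip(FIELDS, LAYOUT.unpack_from(raw, 0x40)))
    rev = vbr["FileSystemRevision"]
    vbr["Revision"] = (rev >> 8, rev & 0xFF)  # (major, minor)
    return vbr

def layout_findings(vbr):
    """Cross-check the region sizes (all in sectors) against each other."""
    out = []
    fat_end = vbr["FatOffset"] + vbr["NumberOfFats"] * vbr["FatLength"]
    if fat_end > vbr["ClusterHeapOffset"]:
        out.append("FAT region overlaps the cluster heap")
    heap = vbr["ClusterCount"] << vbr["SectorsPerClusterShift"]
    if vbr["ClusterHeapOffset"] + heap > vbr["VolumeLength"]:
        out.append("cluster heap runs past VolumeLength")
    if vbr["NumberOfFats"] == 2:
        out.append("two FATs present (TexFAT layout)")
    return out

if __name__ == "__main__":
    vbr = parse_vbr(bytes.fromhex("".join(VBR_HEX.split())))
    print("revision %d.%02d" % vbr["Revision"], layout_findings(vbr))
```

On the posted bytes the revision decodes as 2.00, and FatOffset plus two FatLength regions ends exactly at ClusterHeapOffset, so the geometry leaves room for a second FAT of the same size.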
 
