ExFAT version 2

(@mcman)
Topic starter

Has anyone run into the ExFAT ver. 2 filesystem? EnCase and FTK can parse version 1 no problem but won't handle version 2 as far as I've tested. Looking at the raw data in the VBR, all the information seems to be there and there is a file structure but it doesn't look like any of my tools can successfully parse it out properly.

I also cannot find any documentation online about it. This came from a Windows Phone 7 image that I did not acquire. Formatting a USB stick in Windows 8.1 still gives version 1.0 so I'm not sure where I can get additional data to compare. Apparently X-Ways can successfully analyze it but I don't have it here in the office.

Any help would be appreciated.

Jamie

 
Posted : 21/01/2014 8:16 pm
(@jhup)

How did you conclude that this is "ver. 2"?

 
Posted : 22/01/2014 12:32 am
(@mcman)
Topic starter

How did you conclude that this is "ver. 2"?

The revision number at 0x68 of the VBR has the value 00 02. Every other ExFAT image I can get my hands on has 00 01.

 
Posted : 22/01/2014 12:41 am
(@twjolson)

Offset 0x68 has both major and minor version numbers in the form of MM.mm. Is the version 2 in the major or minor version number?

To my knowledge, version 2 doesn't exist. However, version 1.02 is the same as version 1, with the exception that it adds journaling (TexFAT). I THINK the only major difference is that TexFAT contains two File Allocation Tables.

I did the research for Lock and Code's Reference Guide. However, at the time I couldn't generate a version 1.02 file system. So, I am not making promises on the above.

Hope this helps.

Terry

 
Posted : 22/01/2014 7:50 pm
(@sam305754)

try Autopsy/ TSK

 
Posted : 22/01/2014 9:25 pm
(@mcman)
Topic starter

Thanks Terry,

It definitely sounds similar to what I'm seeing. Definitely looks to be transactional and after reading up on TexFAT, it's looking more and more likely. I'll take a look for a second FAT to confirm but it's also worth noting that the directory records appear to be padded with a header of A1 followed by a block of zeros. Not sure if that is for future use or what but that seems to be the reason why my tools are having a hard time parsing it because the rest of the filesystem seems to be straightforward.

Here's an excerpt from the VBR to give you a better idea (note the 00 02 value for the revision number; as far as I see it, this looks like a major value in little endian, hence why I thought it was revision 2):


EB769045584641542020200000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
0000000000000000803FC90000000000
20000000A00C00006019000031490600
020000004300C7070002100009050280
FF000000000000000000000000000000
00000000000000000000000000000000
...
00000000000000000000000000000000
000000000000000000000000000055AA

 
Posted : 22/01/2014 9:34 pm
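The VBR excerpt above can be decoded mechanically. The following parser is an added example written for this thread, not code from the original post or from any of the tools mentioned. It rebuilds the sector from the posted hex (the first 128 bytes are copied verbatim; the elided boot-code region in the middle is assumed to be zero, and the sector ends with the posted 55 AA signature), unpacks the exFAT boot-sector fields by offset, and runs the consistency checks a practitioner would want before trusting the geometry: the FileSystemRevision bytes at 0x68 are minor then major, so 00 02 reads as 2.00; NumberOfFats at 0x6E is 2; and FatOffset + 2 * FatLength lands exactly on ClusterHeapOffset, which is what a second FAT (TexFAT) looks like.

```python
"""Parse an exFAT Volume Boot Record (VBR) and sanity-check its geometry."""
import struct

# Constructed from the hex excerpt posted in the thread: bytes 0x00-0x7F are
# copied from the post, the elided middle (boot code) is ASSUMED to be zero,
# and the sector ends with the posted 55 AA boot signature.
VBR_HEAD = bytes.fromhex(
    "EB769045584641542020200000000000"
    "00000000000000000000000000000000"
    "00000000000000000000000000000000"
    "00000000000000000000000000000000"
    "0000000000000000803FC90000000000"
    "20000000A00C00006019000031490600"
    "020000004300C7070002100009050280"
    "FF000000000000000000000000000000"
)
SAMPLE_VBR = VBR_HEAD + bytes(510 - len(VBR_HEAD)) + b"\x55\xAA"

# exFAT boot sector, offsets 0x00..0x77, all little-endian.
_FIELDS = (
    "jump_boot", "fs_name", "must_be_zero",            # 0x00, 0x03, 0x0B
    "partition_offset", "volume_length",               # 0x40, 0x48 (sectors)
    "fat_offset", "fat_length",                        # 0x50, 0x54 (sectors)
    "cluster_heap_offset", "cluster_count",            # 0x58, 0x5C
    "root_dir_first_cluster", "volume_serial",         # 0x60, 0x64
    "revision_minor", "revision_major",                # 0x68, 0x69
    "volume_flags",                                    # 0x6A
    "bytes_per_sector_shift", "sectors_per_cluster_shift",  # 0x6C, 0x6D
    "number_of_fats", "drive_select", "percent_in_use",     # 0x6E, 0x6F, 0x70
    "reserved",                                        # 0x71 (7 bytes)
)
_LAYOUT = "<3s8s53sQQIIIIIIBBHBBBBB7s"   # 120 bytes


def parse_exfat_vbr(sector):
    """Unpack the boot sector into a dict and add derived sizes."""
    if len(sector) < 512:
        raise ValueError("need at least one 512-byte sector")
    v = dict(zip(_FIELDS, struct.unpack_from(_LAYOUT, sector, 0)))
    v["boot_signature"] = sector[0x1FE:0x200]
    # Minor byte precedes major byte, so 00 02 is revision 2.00, not 0.02.
    v["revision"] = f"{v['revision_major']}.{v['revision_minor']:02d}"
    v["bytes_per_sector"] = 1 << v["bytes_per_sector_shift"]
    v["sectors_per_cluster"] = 1 << v["sectors_per_cluster_shift"]
    v["cluster_bytes"] = v["bytes_per_sector"] * v["sectors_per_cluster"]
    v["volume_bytes"] = v["volume_length"] * v["bytes_per_sector"]
    return v


def check_exfat_vbr(v):
    """Return (check_name, passed) pairs for the structural invariants."""
    fat_bytes_needed = (v["cluster_count"] + 2) * 4   # 32-bit FAT entries
    fat_region_end = v["fat_offset"] + v["number_of_fats"] * v["fat_length"]
    heap_end = v["cluster_heap_offset"] + v["cluster_count"] * v["sectors_per_cluster"]
    return [
        ("fs_name_is_EXFAT", v["fs_name"] == b"EXFAT   "),
        ("must_be_zero_region_clear", not any(v["must_be_zero"])),
        ("boot_signature_55AA", v["boot_signature"] == b"\x55\xAA"),
        ("sector_shift_in_range", 9 <= v["bytes_per_sector_shift"] <= 12),
        ("cluster_size_at_most_32MiB",
         v["bytes_per_sector_shift"] + v["sectors_per_cluster_shift"] <= 25),
        ("number_of_fats_1_or_2", v["number_of_fats"] in (1, 2)),
        ("fat_large_enough", v["fat_length"] * v["bytes_per_sector"] >= fat_bytes_needed),
        ("fats_fit_before_cluster_heap", fat_region_end <= v["cluster_heap_offset"]),
        ("cluster_heap_fits_in_volume", heap_end <= v["volume_length"]),
        ("root_dir_cluster_valid",
         2 <= v["root_dir_first_cluster"] <= v["cluster_count"] + 1),
    ]


def describe(v):
    """Human-readable summary of the fields a forensic examiner cares about."""
    lines = [
        f"revision        : {v['revision']} (raw bytes at 0x68: "
        f"{v['revision_minor']:02X} {v['revision_major']:02X})",
        f"volume serial   : {v['volume_serial']:08X}",
        f"volume flags    : 0x{v['volume_flags']:04X}",
        f"sector/cluster  : {v['bytes_per_sector']} B / {v['cluster_bytes']} B",
        f"FAT offset/len  : {v['fat_offset']} / {v['fat_length']} sectors, "
        f"{v['number_of_fats']} FAT(s)",
        f"cluster heap    : starts sector {v['cluster_heap_offset']}, "
        f"{v['cluster_count']} clusters",
        f"volume size     : {v['volume_bytes']} bytes",
        f"two FATs present: {v['number_of_fats'] == 2} (consistent with TexFAT)",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    vbr = parse_exfat_vbr(SAMPLE_VBR)
    print(describe(vbr))
    for name, ok in check_exfat_vbr(vbr):
        print(f"[{'OK' if ok else 'FAIL'}] {name}")
```

On the posted bytes every check passes: the two FATs of 3232 sectors starting at sector 32 end exactly at ClusterHeapOffset 6496, and 6496 + 411953 clusters of 32 sectors equals the stated VolumeLength. A parser that expects exactly one FAT, or that rejects any major revision other than 1, would fail this volume even though its geometry is internally consistent.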
(@jaclaz)

I'll take a look for a second FAT to confirm but it's also worth noting that the directory records appear to be padded with a header of A1 followed by a block of zeros.

Then it is very likely a TexFAT
http://www.ntfs.com/exfat-textFAT-padding.htm

Still the version seems like a "Major" 2.0, is it possible that Windows Phone 7 (on some specific device or "generally") has introduced a new version (and no one or very few noticed)?

For further confirmation
http://www.active-undelete.com/xfat_volume.htm
(the 02 at 0x6E is TexFAT only)

jaclaz

 
Posted : 22/01/2014 11:14 pm
(@mcman)
Topic starter

I'd agree, the first link outlines exactly what we're seeing and the second one confirms it. The revision number is the only thing that was throwing me off.

Thanks Terry, jaclaz and everyone for the help, it's appreciated.

Jamie

 
Posted : 22/01/2014 11:36 pm
(@passmark)

mcman,

Would there be any chance of getting a copy of the image file to check if our tools work on it (or fix them up so that they do work if they don't)?

 
Posted : 23/01/2014 3:20 am
(@twjolson)

mcman,

Would there be any chance of getting a copy of the image file to check if our tools work on it (or fix them up so that they do work if they don't)?

I would be interested in that as well. If version 2 did come out, I'd like to update the Reference Guide.

The 0xA1 directory entry is throwing me off. For GUID directory entries, that starts with 0xA0. And typically if an entry is deleted, it gets a 0xX1. So, a regular directory entry goes from 0x80 to 0x81. I haven't heard of a deleted GUID entry though.

 
Posted : 23/01/2014 7:41 pm
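The 0xA0 versus 0xA1 question comes down to the bit layout of the exFAT EntryType byte, so here is an added example (written for this thread, not code from any poster or tool) that decodes it and walks a directory cluster. In exFAT, bit 7 of the type byte is the InUse flag, bit 6 selects primary (0) or secondary (1), bit 5 selects critical (0) or benign (1), and bits 0-4 are the TypeCode. Deleting an entry clears bit 7, so a deleted File entry (0x85) reads 0x05 and a deleted Volume GUID (0xA0) would read 0x20; 0xA1 is a live benign primary entry with TypeCode 1, which the specification reserves for TexFAT padding. The directory data below is constructed for the example, not taken from the Windows Phone image.

```python
"""Decode exFAT directory EntryType bytes and walk a directory cluster."""

ENTRY_SIZE = 32
END_OF_DIRECTORY = 0x00

# (TypeCategory, TypeImportance, TypeCode) -> entry name, per the exFAT
# specification. The hex value each tuple corresponds to is noted alongside.
KNOWN_TYPES = {
    (0, 0, 1): "Allocation Bitmap",                 # 0x81
    (0, 0, 2): "Up-case Table",                     # 0x82
    (0, 0, 3): "Volume Label",                      # 0x83
    (0, 0, 5): "File",                              # 0x85
    (0, 1, 0): "Volume GUID",                       # 0xA0
    (0, 1, 1): "TexFAT Padding",                    # 0xA1
    (0, 1, 2): "Windows CE Access Control Table",   # 0xA2
    (1, 0, 0): "Stream Extension",                  # 0xC0
    (1, 0, 1): "File Name",                         # 0xC1
    (1, 1, 0): "Vendor Extension",                  # 0xE0
    (1, 1, 1): "Vendor Allocation",                 # 0xE1
}


def decode_entry_type(t):
    """Split an EntryType byte into its fields; InUse is bit 7, not bit 0."""
    category = (t >> 6) & 1
    importance = (t >> 5) & 1
    code = t & 0x1F
    return {
        "raw": t,
        "in_use": bool(t & 0x80),
        "category": "secondary" if category else "primary",
        "importance": "benign" if importance else "critical",
        "code": code,
        "name": KNOWN_TYPES.get((category, importance, code), "Unknown"),
    }


def make_entry(entry_type, body=b""):
    """Build one 32-byte directory entry (constructed test data only)."""
    return bytes([entry_type]) + body.ljust(ENTRY_SIZE - 1, b"\x00")


def walk_directory(data):
    """Classify each entry, grouping a File entry with its secondary set."""
    results = []
    i = 0
    while i + ENTRY_SIZE <= len(data):
        entry = data[i:i + ENTRY_SIZE]
        if entry[0] == END_OF_DIRECTORY:
            break
        info = decode_entry_type(entry[0])
        info["offset"] = i
        if info["name"] == "File":
            # Byte 1 of a File entry is SecondaryCount: how many secondary
            # entries (Stream Extension, File Name, ...) follow it.
            count = entry[1]
            members = []
            for k in range(1, count + 1):
                pos = i + ENTRY_SIZE * k
                if pos < len(data):
                    members.append(decode_entry_type(data[pos])["name"])
            info["secondaries"] = members
            i += ENTRY_SIZE * count
        results.append(info)
        i += ENTRY_SIZE
    return results


def summarize(results):
    """Counts a parser needs: padding to skip, live files, deleted files."""
    return {
        "live_files": sum(1 for r in results if r["name"] == "File" and r["in_use"]),
        "deleted_files": sum(1 for r in results if r["name"] == "File" and not r["in_use"]),
        "texfat_padding": sum(1 for r in results if r["name"] == "TexFAT Padding" and r["in_use"]),
    }


# Constructed directory cluster: label, GUID, two TexFAT padding entries,
# one live file set, one deleted file set, then end-of-directory.
SAMPLE_DIR = b"".join([
    make_entry(0x83, bytes([4]) + "DATA".encode("utf-16-le")),
    make_entry(0xA0),
    make_entry(0xA1), make_entry(0xA1),
    make_entry(0x85, bytes([2])), make_entry(0xC0),
    make_entry(0xC1, bytes([0]) + "a.txt".encode("utf-16-le")),
    make_entry(0x05, bytes([2])), make_entry(0x40), make_entry(0x41),
    make_entry(0x00),
])

if __name__ == "__main__":
    for r in walk_directory(SAMPLE_DIR):
        flag = "live" if r["in_use"] else "deleted"
        print(f"0x{r['offset']:04X} 0x{r['raw']:02X} {flag:7} {r['name']}",
              r.get("secondaries", ""))
    print(summarize(walk_directory(SAMPLE_DIR)))
```

A parser that treats the low bit as a "deleted" marker would misread every 0xA1 padding entry as a deleted GUID, and would miss genuinely deleted files, which carry 0x05 rather than 0x81. Handling 0xA1 as a benign entry to skip is enough to get past the padding the original poster describes.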
Page 1 / 2
Share: