ExFAT version 2


mcman
Senior Member
 

Re: ExFAT version 2

Post Posted: Jan 23, 14 00:36

I'd agree, the first link outlines exactly what we're seeing and the second one confirms it. The revision number is the only thing that was throwing me off.

Thanks Terry, jaclaz and everyone for the help, it's appreciated.

Jamie  
 
  

Passmark
Senior Member
 

Re: ExFAT version 2

Post Posted: Jan 23, 14 04:20

mcman,

Would there be any chance of getting a copy of the image file to check if our tools work on it (or fix them up so that they do work if they don't)?  
 
  

twjolson
Senior Member
 

Re: ExFAT version 2

Post Posted: Jan 23, 14 20:41

- Passmark
mcman,

Would there be any chance of getting a copy of the image file to check if our tools work on it (or fix them up so that they do work if they don't)?


I would be interested in that as well. If version 2 did come out, I'd like to update the Reference Guide.

The 0xA1 directory entry is throwing me off. For GUID directory entries, that starts with 0xA0. And typically if an entry is deleted, it gets a 0xX1. So, a regular directory entry goes from 0x80 to 0x81. I haven't heard of a deleted GUID entry though.  
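
The two fields discussed in the posts above, the boot-sector revision number and the directory entry type byte, decoded per Microsoft's published exFAT specification. This is an added example, not code from any poster or tool in this thread; the function names and the constructed boot sector (revision 2.00) are assumptions for illustration.

```python
import struct

# Entry type values (with the InUse bit set) from Microsoft's exFAT specification.
KNOWN_TYPES = {
    0x81: "Allocation Bitmap", 0x82: "Up-case Table", 0x83: "Volume Label",
    0x85: "File", 0xA0: "Volume GUID", 0xA1: "TexFAT Padding",
    0xA2: "Windows CE Access Control Table",
    0xC0: "Stream Extension", 0xC1: "File Name",
}

def fs_revision(boot_sector: bytes) -> tuple:
    """Return (major, minor) from FileSystemRevision at offset 104."""
    if len(boot_sector) < 512 or boot_sector[3:11] != b"EXFAT   ":
        raise ValueError("not an exFAT main boot sector")
    if boot_sector[510:512] != b"\x55\xaa":
        raise ValueError("missing boot signature")
    # Low-order byte is the minor revision, high-order byte the major.
    minor, major = struct.unpack_from("<BB", boot_sector, 104)
    return major, minor

def decode_entry_type(b: int) -> dict:
    """Split the first byte of a 32-byte directory entry into its bit fields."""
    if b == 0x00:
        return {"raw": 0, "name": "End of directory"}
    return {
        "raw": b,
        "in_use": bool(b & 0x80),                            # bit 7
        "category": "secondary" if b & 0x40 else "primary",  # bit 6
        "importance": "benign" if b & 0x20 else "critical",  # bit 5
        "type_code": b & 0x1F,                               # bits 0-4
        # Look the type up as if InUse were set, so cleared entries resolve too.
        "name": KNOWN_TYPES.get(b | 0x80, "unknown"),
    }

def make_boot_sector(major: int, minor: int) -> bytes:
    """Constructed sample: only the fields checked above are populated."""
    bs = bytearray(512)
    bs[0:3] = b"\xeb\x76\x90"        # JumpBoot
    bs[3:11] = b"EXFAT   "           # FileSystemName
    bs[104], bs[105] = minor, major  # FileSystemRevision
    bs[510:512] = b"\x55\xaa"        # BootSignature
    return bytes(bs)

if __name__ == "__main__":
    print("revision %d.%02d" % fs_revision(make_boot_sector(2, 0)))
    for value in (0x85, 0x05, 0xA0, 0xA1, 0x21):
        print(hex(value), decode_entry_type(value))
```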
 
  

carrier
Member
 

Re: ExFAT version 2

Post Posted: Jan 23, 14 21:22

I'd also be interested in seeing the image or at least the results of whether The Sleuth Kit works on it. We just incorporated ExFAT support, but it is not officially released (the source is up on github though). I can send you a compiled version though.  
 
  

jaclaz
Senior Member
 

Re: ExFAT version 2

Post Posted: Jan 24, 14 01:43

Also, we would need to "rebuild the history".

AFAIK:
  • exFAT (1.00) was born in 2008 and is NOT transactional
  • TexFAT (1.02) was introduced by Windows Embedded CE 6.0 (circa 2010)
See:
msdn.microsoft.com/en-...d.60).aspx

The not so trifling difference between the two above is that though not very popular for a few years, the exFAT is "available" on *all* MS systems since XP (with a specific KB update), on Macs and in Linux, while the TexFAT was "confined" to Windows Embedded CE.

The "paradigm shift" in common use of it has been IMHO the Windows/Mac compatibility and the licensing to third parties such as RIM, Panasonic, etc. (lately even BMW), while TexFAT is nowhere to be found.

Now, in the meantime we had (after Windows Embedded CE 6.0), based on the same "core":
  • Windows Embedded Compact 7
  • Windows Phone 7 <- this one went up to 7.8 with a "main" intermediate step at 7.5
Later releases, such as:
  • Windows Phone 8
  • Windows 8 RT
should have a different "core" or "base".

So it is possible that *anything* 8 does not have the TexFAT at all, and that the known 1.02 version is (was) only on Windows Embedded CE 6.0.
What remains to be understood is if this version 2.00 is "limited" to Windows Phone 7, if it is also on Embedded Compact 7 and if it is "still" in Windows Phone 7.5 and more generally in Windows Phone 7.x or (say) only in Windows Phone 7.8.

The OP source is a Windows 7 (generically) Phone, it would be IMHO "strange" that no one came across this, since though possibly with a limited diffusion, it's some time that such phones are around:
Windows Phone 7 -> November 8, 2010
Windows Phone 7.5 -> September 27, 2011
Windows Phone 7.5 "Tango update" -> Summer 2012
Windows Phone 7.8 -> January 30, 2013

It would be interesting to link these versions to one (or more) specific releases or to specific phone Manufacturer/models.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

mcman
Senior Member
 

Re: ExFAT version 2

Post Posted: Jan 24, 14 02:58

The image definitely has customer data on it so I'm not too sure how much I can share without a lot of sanitizing. I'll definitely run it against an up to date version of TSK and see what I get.

I'll check back with the customer to get some additional details on the source of the image file which can hopefully address a few of the questions that jaclaz brings up. I recall the mention of a Lumia 710 but the TexFAT was only a single partition from a bigger image that I wasn't given (maybe an SD card).

I'll report back what I can find.  
 
  

CyberGonzo
Senior Member
 

Re: ExFAT version 2

Post Posted: Feb 17, 14 09:56

I'm chiming in for the sake of an email notification when a new post is added to this thread.

And I'm interested in checking an image file as well.  
 
