Is it possible to change a directory entry record in exFAT?


Skywalker
Senior Member
 

Is it possible to change a directory entry record in exFAT?

Posted: Sep 05, 19 01:28

Hi everybody,

I'm studying a case in which it is possible that a directory entry has been modified (manipulated). I know there is a checksum in every directory entry; could it be possible to manipulate the checksum too? How could I prove the record was manipulated?

Thanks and regards.  
 
  

Passmark
Senior Member
 

Re: Is it possible to change a directory entry record in exFAT?

Posted: Sep 05, 19 02:09

Every time you create a file, or modify a file, the directory entry gets modified.
So yes it is possible, the file system wouldn't work if it wasn't.

But I am guessing you are suggesting it was modified by a hex editor (or similar). In which case anything is possible. The possibility of detecting this depends on how good the tool was (or how much knowledge the person had) and how good your own knowledge is. But to be honest not many people have the knowledge to directly edit the file system in hex.

I haven't checked but I would have thought chkdsk would pick up a bad checksum.  
 
  

athulin
Senior Member
 

Re: Is it possible to change a directory entry record in exFAT?

Posted: Sep 05, 19 06:26

- Skywalker
I'm studying a case in which it is possible that a directory entry has been modified (manipulated).


A reasonably quick TLDR can be found here: community.spiceworks.c...ny-cartoon . Only 'human error' applies everywhere for you: the user of the exFAT volume, to whoever reverse-engineered exFAT for the information you seem to rely on, and to yourself and other analysts working on it. Then think about how you use the word 'prove'.

Long version:

Please define/describe 'manipulation', why some form of manipulation is the only explanation to what you have found, and perhaps more details as to what exactly the manipulation is thought to have been done, and what resources would be required to do them successfully. Getting those details down helps in avoiding investigation drift, as well as weeding out blatant absurdities.

Modification happens all the time, both in the course of normal user access, normal program access, and unusual but correct access. And as you have a software environment, changes can also be due to unusual circumstances that are not adequately handled by that or other software ... that is, bugs. You can get some pretty odd results by a fair amount of 'luck' if you pull the power from a system, for example, and if a RAM chip fails unexpectedly, you can also get some outlandish results.

With things such as exFAT, intended to be used on external media, you also have to take different implementations into account. Last I heard (though things may have changed) exFAT support was something you had to license from Microsoft. Reverse-engineered implementations will thus run the risk of doing things differently, especially in unusual circumstances, as well as being incomplete for some scenarios, and the effect of those two factors (non-standard implementation, unusual circumstances) may produce effects that can be taken for hostile and intentional.

I know there is a checksum in every directory entry, could it be possible to manipulate the checksum too?


This is why you need an idea of how the modification/manipulation was performed. I believe you could easily use a hex editor such as HxD or WinHex or ... that allows you to edit every single bit on the media that the platform allows you to see. I have used HxD to 'tweak' timestamps in NTFS images; I don't expect it to be much more difficult to tweak bytes in an exFAT image. All I think I needed was very good knowledge of the file system, local admin privileges to access the raw 'disk', the hex editor, and sufficient amounts of good luck or backup to ensure that any mistake I made would not cause a total failure. (External volumes are somewhat easier in that last respect.)

Also ... as exFAT specifications are proprietary and licensed (?), you may also consider whether your knowledge about exFAT is reliable. You are not basing your ideas about manipulation on reverse-engineered information from outdated versions or incompletely done analysis, are you? (Me ... I would stay away from trying too hard to interpret file system artifacts if the file system does not have an up-to-date public specification -- which means that anything involving FAT, last defined in 2000 I believe, is one of those areas where the term 'as far as I know' would feature very prominently. And if you have to use that phrase, 'proof' is probably not the correct term for what you are doing.)

(Checksums can be tricky: some specifications allow them to be explicitly undefined. If exFAT allows that, you had better know the exact circumstances. And it's not at all unusual for specifications to get checksum algorithms wrong, or for software to implement them wrong. If you know of any such implementation, such checksums might be indicators that that particular implementation has been used, for example.)

Again, define 'manipulation'. State what actions ('change checksum', 'alter file size', 'remap sectors', ...) you believe have been performed, and then look at each of those individually (that is, what does it take technically to make such a change), together, as well as in the context of Real World. If the 'manipulation' requires, say, an hour to perform, but the external medium has not been out of sight for an hour, you clearly have to look for alternative explanations.

To prove manipulation, you probably have to prove user-controlled action, directly or indirectly (i.e. it could not have been a bug, or a glitch, or some other malfunction), as well as intent.

If you have not thought about proving those in a computer environment, it's time to do so now. Me, if I had to ask, I would not even try, unless I had much more than just an exFAT volume. Just about everything I once might have put down to malice aforethought turned out to be bugs, uninformed users (who happily did what equally clueless people on the Internet recommended them to do in order to speed up their computers), failed hardware, and people blindly following official instructions that actually were not valid for the particular equipment.

And that's Dave, in different incarnations. See TLDR link above.  
 
  

Skywalker
Senior Member
 

Re: Is it possible to change a directory entry record in exFAT?

Posted: Sep 05, 19 18:50

- athulin
- Skywalker
I'm studying a case in which it is possible that a directory entry has been modified (manipulated).


A reasonably quick TLDR can be found here: community.spiceworks.c...ny-cartoon . Only 'human error' applies everywhere for you: the user of the exFAT volume, to whoever reverse-engineered exFAT for the information you seem to rely on, and to yourself and other analysts working on it. Then think about how you use the word 'prove'.

[...]


Hi,

Firstly, thank you for your wide explanation.

When I say "manipulation", I mean hex editing. Of course, if the directory entry checksum/hash function has not been made public by Microsoft, it wouldn't be possible to calculate it unless I could recreate the scenario and check whether both checksums match, which is very, very, very hard work.

Is the checksum algorithm public? If not, is there any tool which checks it?

Thanks!!  
 
  

Passmark
Senior Member
 

Re: Is it possible to change a directory entry record in exFAT?

Posted: Sep 06, 19 01:01

Microsoft has published the exFAT spec with a view to having it included in Linux.

See,
www.phoronix.com/scan....cification
and
www.extremetech.com/co...linux-devs

So the information is public.  
 
  

athulin
Senior Member
 

Re: Is it possible to change a directory entry record in exFAT?

Posted: Sep 06, 19 05:32

- Passmark
Microsoft has published the exFAT spec with a view to having it included in Linux.


You seem to be right: apparently it happened just a couple of weeks ago: docs.microsoft.com/en-...cification

(I have not read it in detail, so I can't say yet if it is complete. But it's the source to use now.)

I hope someone does compare this specification with whatever reverse-engineered attempts exist, and identifies the areas of difference that are of direct forensic interest.
 
  

Passmark
Senior Member
 

Re: Is it possible to change a directory entry record in exFAT?

Posted: Sep 06, 19 06:45

And here is the checksum code (EntrySetChecksum, as given in the published specification; the include and the two typedefs are added so that it compiles as-is).

Code:
#include <stdint.h>

typedef uint16_t UInt16;
typedef uint8_t  UCHAR;

UInt16 EntrySetChecksum
(
    UCHAR * Entries,        // points to an in-memory copy of the directory entry set
    UCHAR   SecondaryCount  // from byte 1 of the primary (0x85) entry
)
{
    UInt16 NumberOfBytes = ((UInt16)SecondaryCount + 1) * 32;  // 32 bytes per entry
    UInt16 Checksum = 0;
    UInt16 Index;

    for (Index = 0; Index < NumberOfBytes; Index++)
    {
        if ((Index == 2) || (Index == 3))   // skip the SetChecksum field itself
        {
            continue;
        }
        // rotate the 16-bit accumulator right by one bit, then add the next byte
        Checksum = ((Checksum & 1) ? 0x8000 : 0) + (Checksum >> 1) + (UInt16)Entries[Index];
    }

    return Checksum;
}
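An added example, not code from this thread or from Microsoft: a Python port of the checksum above, applied to a constructed directory entry set, showing the two cases the thread argues about. A hex edit that backdates a timestamp and leaves bytes 2-3 alone produces a set whose stored and computed checksums disagree (the inconsistency a consistency check such as chkdsk can flag); the same edit followed by a recomputed checksum passes again, so the checksum on its own cannot tell that edit from a legitimate write. The entry layout (File 0x85, Stream Extension 0xC0, File Name 0xC1) follows the published specification; the file name, sizes, cluster number and timestamps are made up for the demonstration, and str.upper() stands in for the volume's up-case table when computing NameHash.

```python
import struct

ENTRY_SIZE = 32
FILE_ENTRY, STREAM_EXT, FILE_NAME = 0x85, 0xC0, 0xC1   # entry type bytes


def rotate_add(acc: int, byte: int) -> int:
    """One step of the spec's fold: rotate the 16-bit accumulator right by one, add the byte."""
    return ((0x8000 if acc & 1 else 0) + (acc >> 1) + byte) & 0xFFFF


def entry_set_checksum(entries: bytes) -> int:
    """Port of EntrySetChecksum: every byte of the set except offsets 2-3 (the field itself)."""
    acc = 0
    for index, byte in enumerate(entries):
        if index not in (2, 3):
            acc = rotate_add(acc, byte)
    return acc


def name_hash(name: str) -> int:
    """NameHash over the up-cased UTF-16LE name; str.upper() stands in for the up-case table."""
    acc = 0
    for byte in name.upper().encode("utf-16-le"):
        acc = rotate_add(acc, byte)
    return acc


def exfat_timestamp(year: int, month: int, day: int, hour: int, minute: int, second: int) -> int:
    """DOS-style packed timestamp used by the Create/LastModified/LastAccessed fields."""
    return (year - 1980) << 25 | month << 21 | day << 16 | hour << 11 | minute << 5 | second // 2


def stored_checksum(entries: bytes) -> int:
    return struct.unpack_from("<H", entries, 2)[0]


def recompute_checksum(entries: bytearray) -> int:
    """What a spec-aware editor does after touching any byte of the set."""
    struct.pack_into("<H", entries, 2, entry_set_checksum(entries))
    return stored_checksum(entries)


def checksum_is_valid(entries: bytes) -> bool:
    return stored_checksum(entries) == entry_set_checksum(entries)


def build_entry_set(name: str, length: int, first_cluster: int, stamp: int) -> bytearray:
    """Constructed File + Stream Extension + File Name entry set (sample data, not from a real volume)."""
    utf16 = name.encode("utf-16-le")
    name_entries = (len(name) + 14) // 15                  # 15 UTF-16 units per 0xC1 entry
    primary = bytearray(ENTRY_SIZE)
    primary[0], primary[1] = FILE_ENTRY, 1 + name_entries  # EntryType, SecondaryCount
    struct.pack_into("<H", primary, 4, 0x0020)             # FileAttributes: Archive
    struct.pack_into("<III", primary, 8, stamp, stamp, stamp)  # Create/LastModified/LastAccessed
    primary[22] = primary[23] = primary[24] = 0x80         # UtcOffset fields: valid, +00:00
    stream = bytearray(ENTRY_SIZE)
    stream[0], stream[1], stream[3] = STREAM_EXT, 0x03, len(name)  # flags: AllocationPossible|NoFatChain
    struct.pack_into("<H", stream, 4, name_hash(name))
    struct.pack_into("<Q", stream, 8, length)              # ValidDataLength
    struct.pack_into("<I", stream, 20, first_cluster)
    struct.pack_into("<Q", stream, 24, length)             # DataLength
    entries = primary + stream
    for i in range(name_entries):
        entries += bytes([FILE_NAME, 0x00]) + utf16[30 * i:30 * (i + 1)].ljust(30, b"\x00")
    recompute_checksum(entries)
    return entries


def scan_directory(directory: bytes) -> list:
    """Walk a raw directory cluster; return (offset, stored, computed) for each file entry set."""
    findings, offset = [], 0
    while offset + ENTRY_SIZE <= len(directory) and directory[offset] != 0x00:  # 0x00 ends the directory
        if directory[offset] == FILE_ENTRY:
            size = (directory[offset + 1] + 1) * ENTRY_SIZE
            entry_set = directory[offset:offset + size]
            findings.append((offset, stored_checksum(entry_set), entry_set_checksum(entry_set)))
            offset += size
        else:
            offset += ENTRY_SIZE                           # orphan or non-file entry: step over it
    return findings


def demo() -> dict:
    original = build_entry_set("report.docx", 4096, 7, exfat_timestamp(2019, 9, 5, 1, 28, 0))
    naive = bytearray(original)                            # hex edit that backdates LastModified only
    struct.pack_into("<I", naive, 12, exfat_timestamp(2018, 1, 1, 0, 0, 0))
    careful = bytearray(naive)                             # same edit, checksum refreshed afterwards
    recompute_checksum(careful)
    cluster = bytes(original + naive + careful).ljust(512, b"\x00")
    return {
        "original": checksum_is_valid(original),
        "naive_edit": checksum_is_valid(naive),
        "careful_edit": checksum_is_valid(careful),
        "scan": [(off, stored == computed) for off, stored, computed in scan_directory(cluster)],
    }


if __name__ == "__main__":
    print(demo())
```

To use it on real evidence, pass the raw bytes of a directory cluster from an image to scan_directory(). A stored/computed mismatch is evidence that the set is internally inconsistent (a driver bug, an interrupted write, or an edit that did not refresh the field), not evidence of intent; and a matching checksum rules nothing out, since anyone working from the specification can refresh it, which is exactly the limit the earlier replies point to.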