ExFAT version 2  

mcman
(@mcman)
Active Member

Has anyone run into the ExFAT ver. 2 filesystem? EnCase and FTK can parse version 1 no problem but won't handle version 2 as far as I've tested. Looking at the raw data in the VBR, all the information seems to be there and there is a file structure but it doesn't look like any of my tools can successfully parse it out properly.

I also cannot find any documentation online about it. This came from a Windows Phone 7 image that I did not acquire. Formatting a USB stick in Windows 8.1 still gives version 1.0 so I'm not sure where I can get additional data to compare. Apparently X-Ways can successfully analyze it but I don't have it here in the office.

Any help would be appreciated.

Jamie

Posted : 21/01/2014 8:16 pm
jhup
(@jhup)
Community Legend

How did you conclude that this is "ver. 2"?

Posted : 22/01/2014 12:32 am
mcman
(@mcman)
Active Member

How did you conclude that this is "ver. 2"?

The revision number at 0x68 of the VBR has the value 00 02. Every other ExFAT image I can get my hands on has 00 01.

Posted : 22/01/2014 12:41 am
twjolson
(@twjolson)
Active Member

Offset 0x68 has both major and minor version numbers in the form of MM.mm. Is the version 2 in the major or minor version number?

To my knowledge, version 2 doesn't exist. However, version 1.02 is the same as version 1, with the exception that it adds journaling (TexFAT). I THINK the only major difference is that TexFAT contains two File Allocation Tables.

I did the research for Lock and Code's Reference Guide. However, at the time I couldn't generate a version 1.02 file system. So, I am not making promises on the above.

Hope this helps.

Terry

Posted : 22/01/2014 7:50 pm
sam305754
(@sam305754)
Junior Member

try Autopsy/ TSK

Posted : 22/01/2014 9:25 pm
mcman
(@mcman)
Active Member

Thanks Terry,

It definitely sounds similar to what I'm seeing. Definitely looks to be transactional and after reading up on TexFAT, it's looking more and more likely. I'll take a look for a second FAT to confirm but it's also worth noting that the directory records appear to be padded with a header of A1 followed by a block of zeros. Not sure if that is for future use or what but that seems to be the reason why my tools are having a hard time parsing it because the rest of the filesystem seems to be straightforward.

Here's an excerpt from the VBR to give you a better idea (note the 00 02 value for the revision number; as far as I see it, this looks like a major value in little endian, hence why I thought it was revision 2):


EB769045584641542020200000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
0000000000000000803FC90000000000
20000000A00C00006019000031490600
020000004300C7070002100009050280
FF000000000000000000000000000000
00000000000000000000000000000000
...
00000000000000000000000000000000
000000000000000000000000000055AA

Posted : 22/01/2014 9:34 pm
jaclaz
(@jaclaz)
Community Legend

I'll take a look for a second FAT to confirm but it's also worth noting that the directory records appear to be padded with a header of A1 followed by a block of zeros.

Then it is very likely a TexFAT
http://www.ntfs.com/exfat-textFAT-padding.htm

Still the version seems like a "Major" 2.0, is it possible that Windows Phone 7 (on some specific device or "generally") has introduced a new version (and no one or very few noticed)?

For further confirmation
http://www.active-undelete.com/xfat_volume.htm
(the 02 at 0x6E is TexFAT only)

jaclaz

Posted : 22/01/2014 11:14 pm
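The boot sector excerpt quoted a few posts up, together with the two offsets discussed in this one (the revision at 0x68 and the 02 at 0x6E), can be decoded mechanically rather than by eye. The parser below is an added example, not code from this thread, from X-Ways, EnCase, FTK or TSK; the field layout and names are those of Microsoft's published exFAT specification. The sample sector is rebuilt from the hex rows in the post; the rows of boot code the post elides with "..." are assumed to be zero, and nothing parsed below reads them. After decoding, it checks that the FAT region and the cluster heap actually fit inside the stated volume length, which is the quickest way to tell a genuinely different on-disk layout from a merely unfamiliar version number.

```python
import struct

# exFAT boot sector, offsets 0x00-0x77, little-endian, per the published
# exFAT specification. The offset of each field is noted in the comment.
_VBR = struct.Struct(
    "<3s"   # 0x00 JumpBoot
    "8s"    # 0x03 FileSystemName, must be b"EXFAT   "
    "53s"   # 0x0B MustBeZero
    "Q"     # 0x40 PartitionOffset (sectors)
    "Q"     # 0x48 VolumeLength (sectors)
    "I"     # 0x50 FatOffset (sectors)
    "I"     # 0x54 FatLength (sectors, per FAT)
    "I"     # 0x58 ClusterHeapOffset (sectors)
    "I"     # 0x5C ClusterCount
    "I"     # 0x60 FirstClusterOfRootDirectory
    "I"     # 0x64 VolumeSerialNumber
    "H"     # 0x68 FileSystemRevision: low byte minor, high byte major
    "H"     # 0x6A VolumeFlags: bit0 ActiveFat, bit1 VolumeDirty, bit2 MediaFailure
    "B"     # 0x6C BytesPerSectorShift
    "B"     # 0x6D SectorsPerClusterShift
    "B"     # 0x6E NumberOfFats (1, or 2 when a second FAT is present)
    "B"     # 0x6F DriveSelect
    "B"     # 0x70 PercentInUse (0xFF = not available)
    "7s"    # 0x71 Reserved
)

# Constructed from the rows quoted in the post above; the boot-code rows the
# post elides with "..." are assumed zero (nothing parsed here reads them).
_POSTED_ROWS = (
    "EB769045584641542020200000000000"
    "00000000000000000000000000000000"
    "00000000000000000000000000000000"
    "00000000000000000000000000000000"
    "0000000000000000803FC90000000000"
    "20000000A00C00006019000031490600"
    "020000004300C7070002100009050280"
    "FF000000000000000000000000000000"
)
SAMPLE_VBR = bytes.fromhex(_POSTED_ROWS).ljust(510, b"\x00") + b"\x55\xAA"


def parse_exfat_vbr(sector: bytes) -> dict:
    """Decode the fixed fields of an exFAT boot sector into a dict."""
    if len(sector) < 512:
        raise ValueError("need at least 512 bytes")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("boot signature 0x55AA missing")
    (jump, name, must_be_zero, part_off, vol_len, fat_off, fat_len, heap_off,
     clusters, root, serial, rev, flags, bps_shift, spc_shift, nfats, drive,
     pct, _reserved) = _VBR.unpack_from(sector)
    if name != b"EXFAT   ":
        raise ValueError("FileSystemName is %r, not EXFAT" % name)
    if any(must_be_zero):
        raise ValueError("MustBeZero region (0x0B-0x3F) is not zero")
    return {
        "jump_boot": jump.hex(),
        "revision": (rev >> 8, rev & 0xFF),      # (major, minor)
        "partition_offset": part_off,
        "volume_length": vol_len,
        "fat_offset": fat_off,
        "fat_length": fat_len,
        "cluster_heap_offset": heap_off,
        "cluster_count": clusters,
        "root_dir_cluster": root,
        "volume_serial": serial,
        "volume_flags": flags,
        "active_fat": flags & 1,
        "volume_dirty": bool(flags & 2),
        "bytes_per_sector": 1 << bps_shift,
        "sectors_per_cluster": 1 << spc_shift,
        "number_of_fats": nfats,
        "drive_select": drive,
        "percent_in_use": pct,
    }


def check_geometry(v: dict) -> list:
    """Return the inconsistencies between the VBR's size fields; an empty
    list means the FATs, the cluster heap and VolumeLength all fit."""
    problems = []
    if v["number_of_fats"] not in (1, 2):
        problems.append("NumberOfFats is %d (must be 1 or 2)" % v["number_of_fats"])
    fat_end = v["fat_offset"] + v["number_of_fats"] * v["fat_length"]
    if fat_end > v["cluster_heap_offset"]:
        problems.append("FAT region ends at sector %d, inside the cluster heap "
                        "starting at %d" % (fat_end, v["cluster_heap_offset"]))
    # Each FAT needs a 4-byte entry for clusters 0 .. ClusterCount+1.
    if v["fat_length"] * v["bytes_per_sector"] < (v["cluster_count"] + 2) * 4:
        problems.append("FatLength too small for %d clusters" % v["cluster_count"])
    heap_end = v["cluster_heap_offset"] + v["cluster_count"] * v["sectors_per_cluster"]
    if heap_end > v["volume_length"]:
        problems.append("cluster heap ends at sector %d, past VolumeLength %d"
                        % (heap_end, v["volume_length"]))
    if not 2 <= v["root_dir_cluster"] < v["cluster_count"] + 2:
        problems.append("root directory cluster %d out of range" % v["root_dir_cluster"])
    return problems


if __name__ == "__main__":
    info = parse_exfat_vbr(SAMPLE_VBR)
    for key, val in info.items():
        print("%-22s %s" % (key, val))
    print("geometry problems:", check_geometry(info) or "none")
```

Run against the posted excerpt, this gives revision (2, 0), NumberOfFats 2, 512-byte sectors, 32-sector (16 KiB) clusters, 411953 clusters and serial 0x07C70043. The arithmetic lines up exactly: 32 + 2 × 3232 = 6496 = ClusterHeapOffset, and 6496 + 411953 × 32 = 13188992 = VolumeLength, so the second FAT is accounted for in the layout and the only field a version-1 parser has no rule for is the 2.00 revision. VolumeFlags is 0x0010, with ActiveFat 0 (first FAT active) and VolumeDirty clear.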
mcman
(@mcman)
Active Member

I'd agree, the first link outlines exactly what we're seeing and the second one confirms it. The revision number is the only thing that was throwing me off.

Thanks Terry, jaclaz and everyone for the help, it's appreciated.

Jamie

Posted : 22/01/2014 11:36 pm
Passmark
(@passmark)
Active Member

mcman,

Would there be any chance of getting a copy of the image file to check if our tools work on it (or fix them up so that they do work if they don't)?

Posted : 23/01/2014 3:20 am
twjolson
(@twjolson)
Active Member

mcman,

Would there be any chance of getting a copy of the image file to check if our tools work on it (or fix them up so that they do work if they don't)?

I would be interested in that as well. If version 2 did come out, I'd like to update the Reference Guide.

The 0xA1 directory entry is throwing me off. For GUID directory entries, that starts with 0xA0. And typically if an entry is deleted, it gets a 0xX1. So, a regular directory entry goes from 0x80 to 0x81. I haven't heard of a deleted GUID entry though.

Posted : 23/01/2014 7:41 pm
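Since the post above reasons about what the 0xA1 byte means relative to 0xA0 and 0x80, here is the bit layout of the EntryType byte that opens every 32-byte exFAT directory entry, as a decoder. This is an added example, not code from the thread or from any tool named in it; the layout and the type names are those in Microsoft's published exFAT specification. The sample directory it walks is constructed, with only the type byte of each entry filled in.

```python
# EntryType byte layout (published exFAT spec, generic DirectoryEntry
# template): bits 0-4 TypeCode, bit 5 TypeImportance (0 critical, 1 benign),
# bit 6 TypeCategory (0 primary, 1 secondary), bit 7 InUse.
ENTRY_NAMES = {
    0x81: "Allocation Bitmap",
    0x82: "Up-case Table",
    0x83: "Volume Label",
    0x85: "File",
    0xA0: "Volume GUID",
    0xA1: "TexFAT Padding",
    0xA2: "Windows CE Access Control Table",
    0xC0: "Stream Extension",
    0xC1: "File Name",
    0xE0: "Vendor Extension",
    0xE1: "Vendor Allocation",
}

ENTRY_SIZE = 32


def decode_entry_type(t: int) -> dict:
    """Split an EntryType byte into its fields. 0x00 marks end of directory."""
    if t == 0x00:
        return {"kind": "end-of-directory"}
    return {
        "kind": "entry",
        "in_use": bool(t & 0x80),
        "category": "secondary" if t & 0x40 else "primary",
        "importance": "benign" if t & 0x20 else "critical",
        "type_code": t & 0x1F,
        # Look the name up with InUse forced on, so a 0x05 still reads as File.
        "name": ENTRY_NAMES.get(t | 0x80, "unknown"),
    }


def walk_directory(raw: bytes):
    """Yield (index, decoded EntryType) per 32-byte entry until end-of-directory."""
    for off in range(0, len(raw) - len(raw) % ENTRY_SIZE, ENTRY_SIZE):
        d = decode_entry_type(raw[off])
        if d["kind"] == "end-of-directory":
            return
        yield off // ENTRY_SIZE, d


def summarize(raw: bytes) -> dict:
    """Count in-use, not-in-use and TexFAT padding entries in a directory."""
    counts = {"in_use": 0, "not_in_use": 0, "texfat_padding": 0}
    for _, d in walk_directory(raw):
        if not d["in_use"]:
            counts["not_in_use"] += 1
        elif d["name"] == "TexFAT Padding":
            counts["texfat_padding"] += 1
        else:
            counts["in_use"] += 1
    return counts


# Constructed sample directory: only the EntryType byte of each entry matters
# here, the remaining 31 bytes are zero-filled. The 0x85 after the 0x00
# terminator must never be reached.
SAMPLE_DIR = b"".join(
    bytes([t]) + b"\x00" * (ENTRY_SIZE - 1)
    for t in (0x83, 0x81, 0x82, 0xA1, 0xA1, 0x85, 0xC0, 0xC1, 0x05, 0x00, 0x85)
)

if __name__ == "__main__":
    for i, d in walk_directory(SAMPLE_DIR):
        print(i, d)
    print(summarize(SAMPLE_DIR))
```

Under this layout 0xA1 decodes as in-use, primary, benign, type code 1, one code above the Volume GUID entry 0xA0, and the specification names it the TexFAT padding entry. Marking an entry not in use clears bit 7 (a File entry 0x85 becomes 0x05, a Volume GUID entry 0xA0 becomes 0x20), which is why the decoder masks that bit before looking up the name.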
carrier
(@carrier)
New Member

I'd also be interested in seeing the image or at least the results of whether The Sleuth Kit works on it. We just incorporated ExFAT support, but it is not officially released (the source is up on github though). I can send you a compiled version though.

Posted : 23/01/2014 8:22 pm
jaclaz
(@jaclaz)
Community Legend

Also, we would need to "rebuild the history".

AFAIK

  • exFAT (1.00) was born in 2008 and is NOT transactional
  • TexFAT (1.02) was introduced by Windows Embedded CE 6.0 (circa 2010)

See
http://msdn.microsoft.com/en-us/library/ee490643(v=winembedded.60).aspx

The not so trifling difference between the two above is that though not very popular for a few years, the exFAT is "available" on *all* MS systems since XP (with a specific KB update), on Macs and in Linux, while the TexFAT was "confined" to Windows Embedded CE.

The "paradigm shift" in common use of it has been IMHO the Windows/Mac compatibility and the licensing to third parties such as RIM, Panasonic, etc. (lately even BMW), while TexFAT is nowhere to be found.

Now, in the meantime we had (after Windows Embedded CE 6.0), based on the same "core"

  • Windows Embedded Compact 7
  • Windows Phone 7 <- this one went up to 7.8 with a "main" intermediate step at 7.5

Later releases, such as

  • Windows Phone 8
  • Windows 8 RT

should have a different "core" or "base".

So it is possible that *anything* 8 does not have TexFAT at all, and that the known 1.02 version is (was) only on Windows Embedded CE 6.0.
What remains to be understood is whether this version 2.00 is "limited" to Windows Phone 7, if it is also on Embedded Compact 7 and if it is "still" in Windows Phone 7.5 and more generally in Windows Phone 7.x or (say) only in Windows Phone 7.8.

The OP's source is a Windows Phone 7 (generically); it would be IMHO "strange" that no one came across this, since, though possibly with a limited diffusion, such phones have been around for some time:
Windows Phone 7 -> November 8, 2010
Windows Phone 7.5 -> September 27, 2011
Windows Phone 7.5 "Tango update" -> Summer 2012
Windows Phone 7.8 -> January 30, 2013

It would be interesting to link these versions to one (or more) specific releases or to specific phone manufacturers/models.

jaclaz

Posted : 24/01/2014 12:43 am
mcman
(@mcman)
Active Member

The image definitely has customer data on it so I'm not too sure how much I can share without a lot of sanitizing. I'll definitely run it against an up to date version of TSK and see what I get.

I'll check back with the customer to get some additional details on the source of the image file which can hopefully address a few of the questions that jaclaz brings up. I recall the mention of a Lumia 710 but the TexFAT was only a single partition from a bigger image that I wasn't given (maybe an SD card).

I'll report back what I can find.

Posted : 24/01/2014 1:58 am
CyberGonzo
(@cybergonzo)
Member

I'm chiming in for the sake of an email notification when a new post is added to this thread.

And I'm interested in checking an image file as well.

Posted : 17/02/2014 8:56 am
sdenis
(@sdenis)
New Member

I have seen two TexFAT file systems like this from Windows 7 phones and the only tool that was able to interpret the filesystem properly was X-Ways.

Posted : 28/02/2014 7:13 am