fsstat is part of The Sleuth Kit, which we’ve discussed installing on a Mac OS X system.
Category Archives: Forensics
Revisiting Various Bytes
This is the last post (hopefully) on our walk through the boot sector. There are a couple of byte ranges I want to briefly discuss, so I’m grouping them all into the final post. For reference, here’s our ever-present hex editor screenshot.
Revisiting Bytes 17 and 18
This is an important difference between FAT12/FAT16 and FAT32. In FAT12 and FAT16, the beginning of the data area is reserved for the root directory. In FAT32, the root directory can be located anywhere in the data area.
Revisiting Bytes 14-15 and 16
A FAT file system contains a FAT Area. This is the File Allocation Table area. For now, think of the FAT Area as a list of file names and pointers to the Data Area, and think of the Data Area as the place where a file’s content actually resides. So, we’ve got our boot sector, followed by a list of file names which point to that particular file’s content.
Revisiting Bytes 11-12 and 13
Bytes 11-12 give the number of bytes per sector. Byte 13 gives the number of sectors per cluster.
Revisiting Bytes 3 – 10
As previously noted, the disk image we’re working with is little endian, meaning that we read from right to left. However, this doesn’t seem to apply to bytes 3-10, which contain the OEM name …
Revisiting Bytes 0, 1 and 2
Getting around a hex editor and jumping to the boot code.
All the Endian You Need to Know
It all has to do with ordering. Big endian is read left to right. Little endian is read right to left.
FAT Boot Sector Walk Through
This is a basic walkthrough of the boot sector of a FAT file system. We’re just going to look at the first 36 bytes, which are the same whether it’s FAT12, FAT16 or FAT32.
MacBook Pro as Forensics Workstation
I try to use my MacBook Pro for most of my day-to-day work. However, when it comes to digital forensics, I typically use my Linux workstation. While this works well, and I enjoy using Linux, it bothers me that I have to switch systems. So, I set about to get all of my [...]