Revisiting Bytes 3 - 10

As previously noted in FAT Boot Sector Walk Through, the disk image we’re working with is little endian, meaning that we read from right to left. However, this doesn’t seem to apply to bytes 3-10, which contain the OEM name (or sometimes the tool used to format the drive).

[Image: first 36 hex bytes of the FAT boot sector]

Bytes 3-10 contain 42 53 44 20 20 34 2E 34. Referencing a conversion chart, we can translate the hex to ASCII.

| Hex | ASCII |
|-----|-------|
| 42  | B     |
| 53  | S     |
| 44  | D     |
| 20  | Space |
| 20  | Space |
| 34  | 4     |
| 2E  | .     |
| 34  | 4     |

As you can see, no endian-based reordering is necessary to get BSD 4.4. (I formatted this USB stick as FAT32 on an Apple system, thus the BSD 4.4.) If you reference p. 257 in Brian Carrier’s File System Forensic Analysis [1], you’ll find a disk image with the following first 15 bytes:

eb58 90**4d 5344 4f53 352e 30**00 0202 2600

Bytes 3-10 are in bold. Referencing our conversion chart, we get the following:

| Hex | ASCII |
|-----|-------|
| 4d  | M     |
| 53  | S     |
| 44  | D     |
| 4f  | O     |
| 53  | S     |
| 35  | 5     |
| 2e  | .     |
| 30  | 0     |

Again, no endian-based reordering is necessary. If you search around the ‘net, you’ll find several other examples. I haven’t found anything authoritative as to why endian ordering goes out the window in bytes 3-10. I assume it’s due to the fact that OEM is supposed to be ASCII, but that’s just a guess. The important point in all of this is that bytes 3-10 are always read left to right. It is what it is.
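The following is an added example, not code from the original post or from Carrier's book. It parses the bytes quoted above with Python's `struct` module to show the OEM field read in storage order next to the little-endian integers that follow it. It assumes the standard FAT boot sector layout for bytes 11-15 (bytes per sector, sectors per cluster, reserved sectors), which this page does not list; the function names are hypothetical.

```python
import struct

# Start of a FAT boot sector: 3-byte jump, 8-byte OEM name, then integers.
# "<" sets the byte order for the integer fields (H, B) only; "8s" is a raw
# run of bytes and is returned exactly as stored.
HEADER = struct.Struct("<3s8sHBH")


def parse_boot_header(sector: bytes) -> dict:
    """Decode bytes 0-15 of a FAT boot sector."""
    if len(sector) < HEADER.size:
        raise ValueError(f"need {HEADER.size} bytes, got {len(sector)}")
    jump, oem, bps, spc, reserved = HEADER.unpack_from(sector)
    return {
        "jump": jump.hex(),
        # One byte per character, in reading order; non-ASCII bytes become U+FFFD.
        "oem": oem.decode("ascii", errors="replace"),
        "bytes_per_sector": bps,        # bytes 11-12, little endian
        "sectors_per_cluster": spc,     # byte 13, a single byte
        "reserved_sectors": reserved,   # bytes 14-15, little endian
    }


def misread(sector: bytes) -> dict:
    """The same bytes with the ordering rules swapped, to show the errors."""
    return {
        "oem_reversed": sector[3:11][::-1].decode("ascii", errors="replace"),
        "bytes_per_sector_big_endian": int.from_bytes(sector[11:13], "big"),
    }


# The 16 bytes quoted in the post from Carrier's example image.
CARRIER = bytes.fromhex("eb58 904d 5344 4f53 352e 3000 0202 2600")
# OEM bytes from the post's own image; the zero bytes around them are
# constructed padding, because the post does not list the real values.
POST_IMAGE = bytes(3) + bytes.fromhex("42 53 44 20 20 34 2E 34") + bytes(5)

if __name__ == "__main__":
    for label, data in (("Carrier", CARRIER), ("post image", POST_IMAGE)):
        print(label, parse_boot_header(data))
    print("misread", misread(CARRIER))
```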

Footnotes

[1] Yep, click the link, buy the book, I get a kickback and you get the book. Win/win!