Revisiting Bytes 17 And 18

Referring back to my recent post, Fat Boot Sector Walk Through, take a look again at bytes 17 and 18. The hex editor screenshot follows. We’re dealing with the last 00 on the first line and the first 00 on the second line. (Remember, you’re counting from zero.)

[Screenshot: hex editor view of the first 36 bytes of the FAT boot sector]

In the previous post, I wrote:

Bytes 17 and 18 tell us the number of files in the root directory for FAT12 and FAT16. For FAT32, this is usually zero. And again, we’re typical. 00 00.

This is an important difference between FAT12/FAT16 and FAT32. In FAT12 and FAT16, the beginning of the data area is reserved for the root directory. The size of the root directory is fixed (512 entries on non-floppy media), so it’s important to track the number of files. Because of the dynamic nature of FAT32, the root directory can be located anywhere and can be any size, so the number of files doesn’t matter and is therefore noted as zero in bytes 17 and 18.
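The difference described above, as an added example that is not part of the original post: the sketch reads bytes 17 and 18 as a little-endian 16-bit value and, going one step beyond those two bytes, uses it to decide where the root directory lives. The function names and both sample boot sectors are constructed for illustration; the other offsets it reads (11 to 16, 22, 36 and 44) follow the standard FAT boot sector layout.

```python
import struct

DIR_ENTRY_SIZE = 32  # a FAT directory entry occupies 32 bytes

def root_dir_info(boot: bytes) -> dict:
    """Locate the root directory from the start of a FAT boot sector."""
    if len(boot) < 48:
        raise ValueError("need at least the first 48 bytes of the boot sector")
    # Bytes 11-18, little-endian: bytes/sector, sectors/cluster, reserved
    # sectors, number of FATs, and the root directory count in bytes 17-18.
    bps, spc, reserved, nfats, root_count = struct.unpack_from("<HBHBH", boot, 11)
    if bps not in (512, 1024, 2048, 4096) or spc == 0:
        raise ValueError("not a plausible FAT boot sector")
    if root_count:
        # FAT12/FAT16: fixed-size root directory right after the FATs.
        (fat_sectors,) = struct.unpack_from("<H", boot, 22)
        first = reserved + nfats * fat_sectors
        size = (root_count * DIR_ENTRY_SIZE + bps - 1) // bps  # round up
        return {"layout": "fixed", "count": root_count,
                "first_sector": first, "sectors": size}
    # FAT32: bytes 17-18 are zero; the root directory is an ordinary cluster
    # chain whose first cluster is stored in bytes 44-47.
    (fat_sectors,) = struct.unpack_from("<I", boot, 36)
    (root_cluster,) = struct.unpack_from("<I", boot, 44)
    if root_cluster < 2:
        raise ValueError("FAT32 root cluster must be 2 or higher")
    data_start = reserved + nfats * fat_sectors
    return {"layout": "cluster chain", "count": 0, "root_cluster": root_cluster,
            "first_sector": data_start + (root_cluster - 2) * spc}

def make_boot(bps, spc, reserved, nfats, root_count, fat16, fat32=0, root_cluster=0):
    """Build a constructed (not real) boot sector holding only these fields."""
    b = bytearray(512)
    struct.pack_into("<HBHBH", b, 11, bps, spc, reserved, nfats, root_count)
    struct.pack_into("<H", b, 22, fat16)
    struct.pack_into("<I", b, 36, fat32)
    struct.pack_into("<I", b, 44, root_cluster)
    return bytes(b)

FAT16_SAMPLE = make_boot(512, 4, 1, 2, 512, 250)          # constructed values
FAT32_SAMPLE = make_boot(512, 8, 32, 2, 0, 0, 1000, 2)    # constructed values

if __name__ == "__main__":
    for name, boot in (("FAT16", FAT16_SAMPLE), ("FAT32", FAT32_SAMPLE)):
        print(name, boot[17:19].hex(" "), root_dir_info(boot))
```

On a real image, pass the first sector of the volume to `root_dir_info` in place of the constructed samples.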

For more detailed information, which I hope to cover here, see Brian Carrier’s File System Forensic Analysis. It’s the authoritative book on file systems. You need this book. (And if you click the link, I get a kickback from Amazon. Win/win!)