Introducing fsstat

fsstat is part of The Sleuth Kit, which we’ve discussed installing on a Mac OS X system. According to the man page, fsstat

[d]isplays general details of a file system.

In this post, I’m going to look at fsstat results against our USB image and compare it to what we’ve learned from examining the boot sector. Here’s the output of fsstat against the USB image. I’ve added line numbers, such as [01], to facilitate discussion. It’ll be helpful to have this page open for reference.

$ fsstat image-name.img
[01] FILE SYSTEM INFORMATION
[02] ——————————————–
[03] File System Type: FAT32
[04]
[05] OEM Name: BSD 4.4
[06] Volume ID: 0x46fb18f2
[07] Volume Label (Boot Sector): GIGGY
[08] Volume Label (Root Directory): GIGGY
[09] File System Type Label: FAT32
[10] Next Free Sector (FS Info): 7898
[11] Free Sector Count (FS Info): 4022464
[12]
[13] Sectors before file system: 0
[14]
[15] File System Layout (in sectors)
[16] Total Range: 0 - 4030361
[17] * Reserved: 0 - 31
[18] ** Boot Sector: 0
[19] ** FS Info Sector: 1
[20] ** Backup Boot Sector: 6
[21] * FAT 0: 32 - 3960
[22] * FAT 1: 3961 - 7889
[23] * Data Area: 7890 - 4030361
[24] ** Cluster Area: 7890 - 4030361
[25] *** Root Directory: 7890 - 7897
[26]
[27] METADATA INFORMATION
[28] ——————————————–
[29] Range: 2 - 64359558
[30] Root Directory: 2
[31]
[32] CONTENT INFORMATION
[33] ——————————————–
[34] Sector Size: 512
[35] Cluster Size: 4096
[36] Total Cluster Range: 2 - 502810
[37]
[38] FAT CONTENTS (in sectors)
[39] ——————————————–
[40] 7890-7897 (8) -> EOF

Line 03 gives the file system type, FAT32. We saw this in bytes 17-18, where the number of files in the root directory is zero. Also, bytes 19-20 and 22-23 are zero. Lastly, bytes 32-35 are non-zero. As you’ve seen, when you’re working from a hex editor, determining the file system type can be a process of elimination. That can be a lot to remember, but fsstat makes it easy for us by spelling it out: FAT32.

Line 05 equates to bytes 3-10, which is the OEM name or the system/product used to format the drive. In our example, we have BSD^^4.4, where ^ equates to one space.

Line 16 shows the max sector is 4,030,361. In bytes 32-35 we saw 9A 7F 3D 00, which, read as little endian, is 00 3D 7F 9A. This equates to 4,030,362, which matches Line 16 when we adjust (-1) for our zero offset.

Line 17 shows that sectors 0-31 are reserved, which we saw in bytes 14-15.

Lines 21 and 22 show that we have 2 FATs, which is what we saw in byte 16. Each FAT occupies 3,928 sectors, which we can easily calculate.

Line 34 shows our sector size of 512, which we saw in bytes 11-12.

Finally, line 35 gives a cluster size of 4,096, which we saw in byte 13.
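To tie the walkthrough above together, here is an added example (not part of the original post, and not Sleuth Kit code) that builds a boot sector from the values discussed, then decodes it the way fsstat would: the FAT32 process of elimination on bytes 17-18, 19-20, 22-23 and 32-35, and the reserved/FAT/data/root-directory layout derived from the BPB. It assumes a sectors-per-FAT value of 3929 (bytes 36-39), which the page does not print but which follows from FAT 1 starting at sector 3961; the function names are my own.

```python
import struct

def build_boot_sector():
    """Constructed 512-byte FAT32 boot sector reproducing the post's USB image
    (sectors per FAT, 3929, is inferred from the fsstat layout, not printed on the page)."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x58\x90"                    # jump instruction, bytes 0-2
    bs[3:11] = b"BSD  4.4"                       # OEM name, bytes 3-10
    struct.pack_into("<HBHBHHBHHHII", bs, 11,
                     512, 8, 32, 2,              # bytes/sector 11-12, sectors/cluster 13,
                                                 # reserved sectors 14-15, number of FATs 16
                     0, 0, 0xF8, 0,              # root entries 17-18, total16 19-20,
                                                 # media 21, sectors/FAT16 22-23 (zero on FAT32)
                     63, 255, 0, 4030362)        # geometry 24-27, hidden 28-31, total32 32-35
    struct.pack_into("<IHHIHH", bs, 36, 3929, 0, 0, 2, 1, 6)  # sectors/FAT, flags, version,
                                                              # root cluster, FSInfo, backup boot
    bs[66] = 0x29                                # extended boot signature
    struct.pack_into("<I", bs, 67, 0x46FB18F2)   # volume ID, bytes 67-70
    bs[71:82] = b"GIGGY      "                   # volume label, bytes 71-81
    bs[82:90] = b"FAT32   "                      # type label, bytes 82-89 (informational only)
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)

def parse_boot_sector(bs):
    """Decode the BPB fields fsstat reports and derive the sector layout it prints.
    Handles FAT12/16 as well as the FAT32 case walked through in the post."""
    if len(bs) < 512 or bs[510:512] != b"\x55\xAA":
        raise ValueError("not a valid boot sector: missing 0x55AA signature")
    bps, spc, reserved, nfats, root_entries, tot16, _, spf16 = struct.unpack_from("<HBHBHHBH", bs, 11)
    tot32 = struct.unpack_from("<I", bs, 32)[0]
    spf32, _, _, root_cluster, fsinfo, backup = struct.unpack_from("<IHHIHH", bs, 36)
    # The post's process of elimination: no fixed root directory and no 16-bit totals
    # (bytes 17-18, 19-20, 22-23 all zero) but a non-zero 32-bit total (bytes 32-35) means FAT32.
    is_fat32 = root_entries == 0 and tot16 == 0 and spf16 == 0 and tot32 != 0
    spf, total = (spf32, tot32) if is_fat32 else (spf16, tot16 or tot32)
    root_sectors = 0 if is_fat32 else -(-root_entries * 32 // bps)   # FAT12/16 fixed root dir
    fats = [(reserved + i * spf, reserved + (i + 1) * spf - 1) for i in range(nfats)]
    data_start = reserved + nfats * spf + root_sectors
    clusters = (total - data_start) // spc        # clusters are numbered from 2
    if is_fat32:
        fstype = "FAT32"
        root = (data_start + (root_cluster - 2) * spc, data_start + (root_cluster - 1) * spc - 1)
    else:
        fstype = "FAT12" if clusters < 4085 else "FAT16"
        root = (reserved + nfats * spf, data_start - 1)
    ext = 64 if is_fat32 else 36                  # extended BPB sits later on FAT32
    return {"type": fstype, "oem": bs[3:11].decode("ascii").rstrip(),
            "volume_id": struct.unpack_from("<I", bs, ext + 3)[0],
            "label": bs[ext + 7:ext + 18].decode("ascii").rstrip(),
            "sector_size": bps, "cluster_size": bps * spc, "reserved": (0, reserved - 1),
            "fsinfo": fsinfo, "backup_boot": backup, "fats": fats, "data": (data_start, total - 1),
            "root_dir": root, "cluster_range": (2, clusters + 1)}
```

Running `parse_boot_sector(build_boot_sector())` reproduces lines 03, 05-08, 17-25 and 34-36 of the fsstat output; feeding it the first 512 bytes of your own image is a quick way to cross-check fsstat against the raw bytes.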

As you can see, there’s a lot more information given by fsstat that we haven’t uncovered yet. I hope to continue walking through the file system showing where this information comes from. Until then, play around with fsstat and compare it to your own images. It’s a lot of fun and very educational. Also, in the event you’re getting information from an automated tool, such as fsstat, that doesn’t jibe with other tools, you need to be able to go to the hex editor and verify. Automated tools aren’t always perfect and you need to be able to back up and verify whatever information you’ve retrieved.
