Operating Systems (CS 330)
Project
FAT File System
Deadline 11th December
Small storage devices, like 4GB pen drive use FAT file system. FAT is one of the oldest file systems and most operating systems support it. Windows and Linux support FAT file system. In this project you will study FAT and use your knowledge to attempt retrieving a deleted file from a FAT storage device. You will use a tool class known as disk editors for this purpose. (There are many disk editors available online as freeware. One such disk editor is Active@ Disk Editor available for download at www.disk-editor.org)
The following is a brief description of FAT.
There are three variants of FAT file system: FAT12, FAT16 and FAT32. They differ from each other in the way file allocation table is built. A typical layout of FAT volume is shown below:
|
Boot Sector |
FAT 1 |
FAT 2 (Duplicate) |
Root Folder |
Other Folders and Files (Data Area of the Disk) |
The boot sector contains the bootstrap program for loading operating system into the memory. It also contains important information about the rest of the file system e.g. total number of clusters in the disk, etc. This info is contained in BIOS parameter block (BPB) and extended BIOS parameter block, within the boot sector. More information about the boot sector can be obtained from: https://technet.microsoft.com/en-us/library/cc976796.aspx
File allocation table or FAT occupies sectors immediately after the boot sector. FAT has one entry or record for each cluster in the disk. FAT16 record is two bytes while as FAT32 record is four bytes. The record identifies the cluster as one of the following: (i) an un-used cluster (0x00000000) (ii) a cluster in use by a file (> 0x00000001) (iii) a bad cluster (0xFFFFFFF7) (iv) last cluster in a file (0xFFFFFFF8 – 0xFFFFFFFF). Values are indicated for FAT32. A FAT has a fixed number of records depending on the size of the disk.
Root folder follows the second copy of FAT. It has an entry for every file and sub-folder in it. In FAT16, the difference between root folder and any other (sub) folder is that root folder is in the fixed location and is of fixed size with space allocated for it at the time of formatting. (Thus there is an upper limit on the number of files and folders that can appear in the root folder.) In FAT32, root folder is the part of the data area of the disk, just like any other file or folder. Data area of the disk is arranged in clusters, first cluster number being 2. The format of all folders is the same. Each entry in a folder is 32 bytes long and includes attributes, such as, name, extension, time created or updated, starting cluster number, size, etc.
Here is a simple example from technet.microsoft.com:
The array indexed from 0 to 8 is the FAT. The above are the entries in the root directory for files named FILE1.TXT, FILE2.TXT and FILE3.TXT. Only two attributes for each file are shown – file name and the starting cluster. Thus FILE2.TXT is stored in clusters starting at cluster 5 and then at 6 and 8.
Step 1
As the first step, open the USB flash drive in the disk editor and locate the boot sector. Read the following information about the flash drive from the BPB and extended-BPB of the boot sector. You will have to refer to online references for the format of the boot sector, for example: https://technet.microsoft.com/en-us/library/cc976796.aspx
(a) What is the sector size – i.e. bytes per sector? (512)
(b) What is the cluster size – i.e. sectors per cluster? (32)
(c) How many hidden sectors are there? Hidden sectors are the first few sectors of the disk. (32)
(d) How many reserved sectors are there? Reserved sectors follow the hidden sectors and include the boot sector. Boot sector is regarded as sector 0. (18)
(e) How many copies of the boot sector does it have?
(f) What is the total number of sectors? (15,633,376)
(g) How many copies of the FAT are there? (2)
(h) What is the FAT size – sectors per FAT? (3815)
(i) What is the cluster number of the root directory? This is the same as the first cluster of the data area. (2)
(j) What is the first sector of the root directory i.e. the first sector of the data area? (114752)
Numbers in brackets are values for the instructor’s 5GB pen drive.
Step 2
Now try to locate your sample file in the root directory. Obtain its starting cluster number and access the starting cluster in the FAT. What is the value for this cluster in the FAT? Obtain the chain of clusters that store file’s data from the FAT. Note that if your file is small it may fit in just one cluster with FAT entry for the cluster indicating this is the last and the only cluster of the file. Access the starting and other clusters of the file and verify that the clusters have file’s data.
Step 3
Delete your sample file and see the effect on the file’s entry in the root directory. Is the first cluster of the file indicated in the root directory? What about the FAT entry for the starting cluster – what is it value? Can you obtain the file’s chain of clusters? What about the data in the file’s clusters – do they still have the data? If you are able to find the file’s data, try to retrieve it.
Operating systems
Step 1:
a) 512 bytes per sector.
b) 8 sectors per cluster.
c) 64 hidden sectors.
d) 2,046 reserved sectors.
e) 2 copies of the boot sector, the original and a copy of the original.
f) 15,761,440 sectors.
g) 2 copies of the FAT.
h) 15,361 sectors per FAT.
i) Cluster number 2.
j) Sector 32768.
Step 2:
a) The starting cluster of the sample file is cluster 6.
b) The value of the starting cluster in the FAT is 07000000, which indicates that the sample file spans over multiple clusters creating a chain of clusters.
c) The sample file starts at cluster 6 and spans over 5 cluster which ends at cluster 10.
Step 3:
a) Yes, the first cluster is indicated in the root directory which is cluster 6.
b) The chain of clusters stored in the FAT is no longer available and instead it is set as zeros.
c) Not from the FAT but by calculating the number of sectors based on the size of file, then getting the number of clusters based on sectors per cluster. In this case, the file size is 19,836 bytes dividing it by 512 gets us 39 sectors. Dividing the sectors over 8 leaves us with 5 clusters. Which supports the answers in step 2.
d) Yes, when a file is deleted, the data doesn’t get deleted too, instead it waits until another file takes the place of the previous file’s data.
e) Retrieving a deleted file is a multi-step process. Going into edit mode, the first step is to recover the file’s name in the root directory. When a file is deleted the first character in its name is replaced with 0xE5, so that must be reversed by either getting the first letter from a long entry or putting any character in its place. The second step is to recover the clusters in the FAT, so we must calculate the number of clusters required for the file and chain it together in the FAT. Lastly, we save our edits using Active@ disk editor and the file should show up in file explorer.
Open the Active @ disk editor tool.
Select the flash drive and open it in the disk editor.
Navigate to boot sector and set the template to FAT32 boot sector, on the left panel the BPB information is available, which answers step 1 questions from a to i.
Navigate to root directory and set the template to FAT directory entry, then pin the last two lines in the root directory. The last two lines are the short entry for our sample file, on the left panel the short entry information is available. Take note that the root directory starts at 32768 which is stated next to the pin icon. The starting cluster for the sample file is 6 since we only have a low word and high word is set to 0.
Navigate to FAT where we can see the chain of clusters for the sample file (highlighted in blue), the chain starts at cluster 6 and ends at cluster 10 (0x0A). The value of cluster 6 in the FAT is 0x07 which is the number 7 in decimal, and it indicates that the file spans over from cluster 6 to 7.
After deleting the file and reloading the drive in the tool, we navigate to the root directory to see the changes that happened. The first thing to notice is that the first letter of the file name has changed to 0xE5 which indicates that it has been deleted and to recover the file we must change 0xE5 to T or any other letter by clicking on edit > allow edit content. The starting cluster for deleted file is still showing in the left panel so we may go there and investigate in the FAT.
Navigate to the FAT and check the chain of clusters, it has been deleted and set to 0. Therefore, we can’t get the chain of clusters from the FAT but we can calculate it. Knowing that the size of the file is 19,836 bytes we divide it by 512 bytes then 8 sectors to get the number of clusters which is 5. This means that the deleted file starts at cluster 6 and ends at cluster 10 and to continue recovering the file we must chain the clusters in the FAT again.
We can navigate to the starting cluster of the deleted file by clicking on navigate > go to sector then entering the number 6 in the cluster input field. As you can see the content is still available.
When we are done, we save the edits and refresh the file explorer to find the deleted file back in flash drive.
need an explanation for this answer? contact us directly to get an explanation for this answer