SANS Digital Forensics and Incident Response Blog: Tag - FAT

Examining Windows Mobile Devices Using File System Forensic Tools

Windows Mobile file systems have similarities with other Microsoft operating systems that make for an easy transition into mobile device forensics for anyone who has performed forensic examinations of Windows computer systems. As with a desktop or laptop computer, Windows Mobile devices retain substantial information about user activities that can be relevant in a digital investigation involving Web browsing, user created files, and Windows registry entries.

Windows Mobile uses a variation of the FAT file system called the Transaction-safe FAT (TFAT) file system, which has some recovery features in the event of a sudden device shutdown. Here is the volume information of a memory dump from a Windows Mobile device, showing that it is FAT.

$ fsstat SamsungBlackjack.bin

File System Type: FAT16
OEM Name:

... Continue reading Examining Windows Mobile Devices Using File System Forensic Tools

FAT File Sizes

If you're just checking this blog for the first time, you should know that this post is one in a series of posts dealing with a FAT file system that has been tweaked in various ways to make recovery of the data more difficult, if only for the casual observer. Forensics folks like yourselves would have no issue recovering the data, but the point of this series is to learn about the FAT file system and how it works.

In last week's FAT Tuesday post we looked at a file in our usb key image (get it here) called "Scheduled Visits.exe". We looked at the metadata for the file using

Acquiring Data from Windows Mobile Devices

During the debut of SEC563 Mobile Device Forensics last week, Eugene Libster from ManTech brought to my attention the open sourceitsutils package for extracting from Windows Mobile devices. Components of this package, psdread and pdocread, can acquire more data from Windows Mobile devices than many commercial forensic tools, but there are several issues that forensic practitioners need to understand before using these utilities on an evidentiary device.

First, acquiring data using these utilities creates files on the device, necessarily overwriting data. Specifically, an executable file named "itsutils.dll" is copied onto the device, and an error log"itsutils.log"is created on the device. Second, these tools acquire data through a hardware


Sizing up the FAT

Another Tuesday, another FAT post. If you're just joining us, you can find the whole series of posts here.

Over the last month or two, we've been working with a FAT image that has been modified by the suspect in a case we're working. We have slowly been undoing the changes made by the suspect, one file at a time. We have one file left to make right so let's see what's going on with our third and final file. Recall the output from fls from previous posts:
fls ouput from usbkey.img
We've already recovered the first two files and adjusted the cluster chains in

A big FAT lie part 2

Last week we looked at the next file in our disk image (next file according to the output from fls). We saw that though the file was 15585 bytes, istat reported only a single sector for the file. Based on our cluster/sector size of 512 bytes, the file should have occupied 31 sectors (15585/512=30.439..., round up).

We theorized that we may have a broken or missing FAT cluster chain. Knowing the file should occupy 31 clusters, we used the blkstat command to carve out 31 clusters of data beginning at sector 834. We found only nulls.

At this point, most sane investigators probably would have reached for their favorite