Extended FAT (exFAT)December 10, 2009
UPDATED: Time Zones Decoded on exFAT
The work herein is an excerpt from a Microsoft File Systems class being developed by Jeff Hamm for Paradigm Solutions and its clients. Many examiners have had exposure to the FAT and NTFS file systems, but few have had training on Microsoft’s newest file system, Extended FAT (exFAT). This information is provided as a base line to showcase the file system and explain the significance it will have in the computer forensic community.
The material provided was designed as a three hour presentation to be used in conjunction with progressive live demonstrations. Time constraints will limit – and may exclude – the ability to effectively provide a series of live demonstrations of the file system.
At the time of this writing, AccessData and Guidance Software – the developers of the two highest profile forensic tools – do not have their forensic suites capable of viewing exFAT logically. The tools will view the file system as an unallocated area or as free space. WinHex is able to recognize the file system but will not display the logical folder structure. Because of the efficiency of exFAT in maintaining contiguous files whenever possible, the examiner will have luck in retrieving file artifacts by data carving on an exFAT drive. A need to show intent to possess, for a time line of a file, or for any other file system metadata to be presented as evidence will require an examiner to rebuild these file systems manually (for now).
The presentation and this paper begins with the history of the file system, discusses the reasons the examiner needs to be aware of the file system, details the forensic implications, and finally examines the technical details of the file system. An appendix containing the compiled tables for locating data manually on the file system is also attached. These tables are designed to be a quick reference resource for an examiner.
Much of the information was ascertained through research and testing by the author with additional research conducted by fellow examiners working alongside the author. The Microsoft patent application for the file system was an invaluable tool to validate research and theories. Finally, the independent research conducted by Jared Myers of the DCFL was critical in developing this material in the most complete and accurate fashion.
Click here to view the entire exFAT excerpt: exFAT Excerpt 1.4