Current limits exhausted by FAT32, while NTFS is too expensive for flash memory drives
Volumes larger than 2TB
Files larger than 4GB
Faster I/O
Support for removable media: flexibility and extensibility
Some NTFS features without the NTFS overhead
Adopted by SD Cards:
An SD card (Secure Digital) is a non-volatile memory card using solid-state storage media. It is found extensively in portable devices: mobile phones, digital cameras, GPS devices, and tablets.
Extended File System (exFAT) is a successor to the FAT family of file systems (FAT12/16/32)
The principal designs are similar, but exFAT makes improvements:
Larger volume and file size limits
Native Unicode file names
Bigger boot area allowing a larger boot code
Better performance
Time zone offset support
OEM parameters support
Sector size ranges between 512 and 4096 bytes
Cluster size is up to 32MB
Root Directory size is unlimited
Subdirectories limited to 256MB
exFAT is built for speed with less overhead than NTFS
UTC timestamp support is similar to NTFS
On a 32GB to 2TB SDXC card, a single directory can hold
4,000 RAW images
100 HD movies
up to 60 hours of HD recording
about 17,000 hi-resolution photographs
An MBR uses 4 bytes for the number of sectors in a partition
File systems are limited in size when stored in an MBR partition
To get around the MBR max volume size limitation, exFAT can be created without the partition
Besides SD cards, it is mostly a Microsoft Desktop/Microsoft Server domain
No support for older Microsoft file systems
No support for non-Microsoft systems
No XBOX, PS3 or other special device support
The exFAT volume begins in the Boot Region. The exFAT Volume Boot Record (VBR) has a length of 12 sectors:
Sector# | Description |
0 | Boot Sector (Includes FAT sector) |
1...8 | Extended Boot (8 sectors) |
9 | OEM Parameters |
10 | Reserved |
11 | Boot Checksum |
Note that larger VBR capacity creates a potential for more sophisticated boot viruses!
The Extended Boot Sector is a sequence of 8 sectors that contains boot code, except that the last 4 bytes in each sector hold the extended signature 0xAA550000
If the Extended Boot Sector is not used, it should be filled with 0x00 with the extended signature preserved
Offset | Description |
0 | Jump Instruction |
... | Data Fields |
120 | Boot Code |
510 | 0xAA55 Signature |
The data fields specify
File system name: "EXFAT"
exFAT volume length in sectors
FAT length in sectors
The sector of the first data cluster
Data cluster count
Root directory cluster
Volume serial number
Sectors per cluster
Number of FATs
OEM parameters are sometimes used by OEM implementations and contain a list of parameters with unique GUID numbers
This structure is preserved during exFAT formatting, but can be erased by the secure wipe of the drive
OEM parameters are ignored by the Windows OS
Unused parameters are filled by the parameter of type GUID_NULL
The Boot Checksum sector contains a repeating 32-bit checksum of the previous 11 sectors.
The checksum calculation excludes bytes 106, 107, 112, known as volume-flags and percent-in-use fields in the Boot Sector.
The checksum is repeated over the entire sector.
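A way to check a boot region against its checksum sector, as an added example that is not part of the original page. The rotate-right-and-add step follows Microsoft's published exFAT specification (the page gives only the coverage and the excluded bytes); the function names, the 512-byte sector size and the sample region are constructed for illustration.

```python
import struct

SECTOR = 512                  # assumed sector size for this constructed sample
SKIP = {106, 107, 112}        # volume-flags (2 bytes) and percent-in-use

def boot_checksum(region, sector_size=SECTOR):
    """32-bit checksum over sectors 0-10: rotate right by one bit, add the byte."""
    csum = 0
    for i, b in enumerate(region[:11 * sector_size]):
        if i in SKIP:
            continue
        csum = ((((csum & 1) << 31) | (csum >> 1)) + b) & 0xFFFFFFFF
    return csum

def verify_boot_region(region, sector_size=SECTOR):
    """Compare every 32-bit word of sector 11 with the recomputed checksum."""
    expected = boot_checksum(region, sector_size)
    sector11 = region[11 * sector_size:12 * sector_size]
    stored = struct.unpack("<%dI" % (sector_size // 4), sector11)
    return {
        "expected": expected,
        "repeated": len(set(stored)) == 1,   # one value fills the whole sector
        "valid": all(v == expected for v in stored),
    }

def build_sample_region():
    """Constructed 12-sector boot region (not from a real volume)."""
    r = bytearray(12 * SECTOR)
    r[0:3] = b"\xEB\x76\x90"                 # jump instruction
    r[3:11] = b"EXFAT   "                    # file system name
    r[510:512] = b"\x55\xAA"                 # 0xAA55 signature
    for s in range(1, 9):                    # extended boot sectors 1..8
        end = (s + 1) * SECTOR
        r[end - 4:end] = struct.pack("<I", 0xAA550000)
    r[11 * SECTOR:] = struct.pack("<I", boot_checksum(r)) * (SECTOR // 4)
    return r

if __name__ == "__main__":
    region = build_sample_region()
    print("clean:", verify_boot_region(region)["valid"])
    region[106] ^= 0x02                      # volume-flags change: excluded
    print("after flag change:", verify_boot_region(region)["valid"])
    region[130] ^= 0xFF                      # boot code byte altered
    print("after boot code change:", verify_boot_region(region)["valid"])
```

Running the same check on the backup boot region (sectors 12-23) and comparing the two results shows whether only one copy was altered.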
Sector# | Description |
12-23 | Same layout as Main Boot Region |
File Allocation Table (FAT) can have 1 or 2 FATs
In exFAT, the FAT table is not used for tracking cluster allocation. The Allocation Bitmap is used for this purpose.
FAT is only used for keeping chains of clusters of fragmented files
If a file is not fragmented, FAT table is not updated
An active FAT is marked in volume-flags field of the Boot Sector
Sector# | Description |
24 | FAT Alignment Sector |
FAT1 sector | First FAT |
FAT2 sector | Second FAT |
When the FAT is used, its organization is similar to FAT32
exFAT uses 32 bit FAT entries (not 64 bit)
Not used when the file is contiguous
Never used for the first cluster allocation
As in FAT12/16/32, the first cluster is cluster 2
Each FAT Entry represents one cluster
The second FAT table, if present, is located immediately after the first one and has the same size
FAT Entry is 32 bits in size
First two entries contain 0xFFFFFFFF
Since first cluster is cluster 2, the entries enumerate data clusters as 0x00000002, 0x00000003 and so on. The max value is cluster 0xFFFFFFF6.
Special values:
0xFFFFFFF7 bad cluster
0xFFFFFFF8 media descriptor
0xFFFFFFFF the end of file (EOF) mark
The cluster heap is a set of clusters where the user data resides on exFAT:
Root Directory
Files
Directories
Bitmap Allocation Table
UP-Case Table
The allocation status of clusters is tracked by the Bitmap Allocation Table located inside the cluster heap
It is found via Bitmap Directory entry in the root directory
Each bit in the bitmap corresponds to a data cluster:
1 indicates that cluster is occupied
0 means the cluster is free
The first bit refers to cluster 2. Therefore, the first byte in the bitmap describes clusters 2, 3, 4, ... 9.
The second byte describes clusters 10, 11, 12, ... 17, and so on.
Up-case table is located right after the Bitmap Allocation table
Up-case Table is an array of Unicode characters
Character index represents an upper-case Unicode character. For example,
Index | Value |
... | ... |
'A' (unicode 0x0041) | 'A' 0x0041 |
... | ... |
'a' (unicode 0x0061) | 'A' 0x0041 |
... | ... |
exFAT itself is case insensitive, but uses this table to compare file names during search operations
exFAT describes a tree structure of directories and files
The root directory is located at the Root Directory Cluster
Subdirectories are single-linked to the corresponding parent directory
Unlike in FAT12/16/32, no special (.) and (..) directories exist in exFAT pointing to itself and to parent
Each directory consists of a series of directory entries
Entry 0x00 marks the end of the directory
A Directory Entry describes a file or a directory
An entry is a chain of 32 byte-sized primary/secondary entries.
The entire chain makes up the exFAT Directory Entry
The first entry in the chain is a primary directory entry
All subsequent entries, if present, are secondary directory entries.
The 32 byte-sized primary/secondary chain entries can be categorized as
Primary Entries: required - main characteristics
Critical
Benign
Secondary Entries: optional - extended metadata
Critical Primary
Benign Primary
A Directory Entry contains first-cluster field and the data-length of the cluster list
The chain of entries may repeat themselves to indicate additional cluster lists as necessary
Note that Directory Entry uses single bytes to store a cluster chain and a cluster offset.
Instead of the actual values, the sizes are kept in powers of 2.
Type | Description |
0x81 | Allocation Bitmap |
0x82 | Up-case Table |
0x83 | Volume Label (Unicode string) |
0x85 | File (used for both files and directories) |
0xA0 | Volume GUID (optional in most systems) |
0xA1 | TexFAT Padding |
0xA2 | Windows CE Access Control Table |
0xC0 | Stream Extension |
0xC1 | File Name (Unicode string) |
GUIDs are large random machine-generated numbers in format 0x00000000-0000-0000-0000-000000000000
File name is Unicode and can be up to 255 characters
Contains 16 bit Unicode Volume Label
Volume Label is stored as the Primary Entry
It is resident in Root Directory
Code 0x03 means no volume label is specified
The File Directory Entry, used for both files and directories, contains the fields for
File Attributes: Read-Only, Hidden, System, Directory, and Archive
Timestamps: Created, LastModified, LastAccessed, each including timezone offset measured in 15 min increments from UTC
The forensic implication for MAC time analysis is important:
The MAC timestamps are updated when the file is created or modified
Last Accessed timestamp is also updated when the file is created or modified
Last Accessed timestamp appears NOT modified on file read operations
Stream Extension directory entry immediately follows the File directory entry in the entry chain.
Only one Stream Extension entry is present in the chain.
If No-FAT-Chain flag is set, all allocated clusters are contiguous
The Valid-Data-Length field determines how much actual data is written into the file. Any data beyond the valid data length is undefined and exFAT returns zeros.
Given the flexibility of the Directory Entry chains, malicious manipulation of the Allocation Bitmap and user directory has the capability of hiding a file system within the file system!
It is also possible to hide data within the directory metadata itself
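A defender's cross-check for the Allocation Bitmap manipulation described above, as an added example that is not part of the original page: it maps bitmap bits to clusters (first bit is cluster 2, lowest-order bit first per Microsoft's exFAT specification) and reports clusters that are marked allocated but owned by no directory entry. The tuple layout, function names and sample volume are constructed for illustration.

```python
EOF_MARK = 0xFFFFFFFF
MAX_CLUSTER = 0xFFFFFFF6

def allocated_clusters(bitmap, cluster_count):
    """Clusters whose bit is 1; the lowest-order bit of byte 0 is cluster 2."""
    return {i + 2 for i in range(cluster_count)
            if (bitmap[i // 8] >> (i % 8)) & 1}

def referenced_clusters(entries, fat):
    """Clusters owned by directory entries.

    entries: (first_cluster, cluster_count, no_fat_chain) tuples, a simplified
    stand-in (assumption) for the fields of a Stream Extension entry.
    fat: dict cluster -> next cluster, used only for fragmented files.
    """
    owned = set()
    for first, count, no_fat_chain in entries:
        if no_fat_chain:                       # contiguous: FAT is not consulted
            owned.update(range(first, first + count))
            continue
        cluster, seen = first, set()
        while 2 <= cluster <= MAX_CLUSTER and cluster not in seen:
            seen.add(cluster)                  # 'seen' stops a looping chain
            cluster = fat.get(cluster, EOF_MARK)
        owned |= seen
    return owned

def audit(bitmap, cluster_count, entries, fat):
    """Compare what the bitmap claims with what directory entries own."""
    alloc = allocated_clusters(bitmap, cluster_count)
    owned = referenced_clusters(entries, fat)
    return {"orphaned": sorted(alloc - owned),      # allocated, owned by nothing
            "marked_free": sorted(owned - alloc)}   # owned, but bit is 0

# Constructed sample: 16 data clusters (2..17), not from a real volume.
SAMPLE_BITMAP = bytes([0x7F, 0x0D])   # clusters 2-8, then 10, 12, 13
SAMPLE_ENTRIES = [
    (2, 1, True),    # Allocation Bitmap
    (3, 1, True),    # Up-case Table
    (4, 1, True),    # root directory
    (5, 3, True),    # contiguous file: clusters 5, 6, 7
    (8, 2, False),   # fragmented file: 8 -> 10 via the FAT
]
SAMPLE_FAT = {8: 10, 10: EOF_MARK}

if __name__ == "__main__":
    print(audit(SAMPLE_BITMAP, 16, SAMPLE_ENTRIES, SAMPLE_FAT))
```

Orphaned clusters also appear after an unclean removal of the media, so they are a lead for examining the cluster contents rather than proof of concealment.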
Feature | FAT32 | exFAT |
Maximum Volume Size | 8 TB | 128 PB |
Maximum File Size | 4 GB | 16 EB |
Maximum Cluster Size | 32 KB | 32 MB |
Maximum File Name Length | 255 | 255 |
Date/Time resolution | 2 s | 10 ms |
MBR Partition Type Identifier | 0x0B, 0x0C | 0x07 |
Note that huge cluster size has a potential for a massive slack space!
TexFAT is a transaction-safe version of exFAT
Journaling is done similarly to NTFS
No encryption support yet, but Microsoft says it will be easy to support in the future
TexFAT uses 2 copies of the FAT tables and 2 copies of the volume bitmaps