FAT32 & exFAT Analysis (fata)
Introduction
This tool was created to be light weight and assist in the analysis of FAT32 and exFAT filesystems while looking at only the raw disk sectors or volume clusters. The tool's algorithm is operating system agnostic when parsing the files or folders, and since it has no installation requirements, it is useful in various live collection and triaging situations. Furthermore, the tool's architecture was designed to be extensible so as to act as an architecture framework for future FAT filesystem work.
When considering the FAT32 is typically the default filesystem for USB flash drives, coming up with a portable tool that can analyze the contents of the internal structures with or without mounting the device, as well as, not leaving a tool footprint on the system is useful in many forensic use-cases. Now that exFAT is commonly available and used for large storage devices, extending the fata architecture to handle that as well was a logic next step.
The fata tool parses all internal FAT32 and exFAT filesystem data, and attempts to condense the reporting results in such a way as to make the output clear, while restricting the output to one line per record (file or folder). Header information is provided, if requested to assist in the identification of the file content without physically opening the file. Various hashing algorithms options are provided and can be annotated to the output, if requested. By default, both disk and volume offsets are provided where it makes sense, like for cluster runs, volume offset and directory entry locations. In this way, the information allows one to validate any of the results produced by this tool.
In addition to the filesystem internals, fata, allows one to copy all the files that were enumerated; and/or all the system structures, such as the Volume Boot Record, FAT table(s), Bitmap table, unallocated clusters, etc. When found, deleted folders and files are shown and can be extracted, if requested.
Capabilities
The screen shot below shows the available options for this tool.
Downloads
Intel 32-bit Version | Intel 64-bit Version | ARM 64-bit Version | ||||
Windows: | fata32.v.0.13.win.zip | fata64.v.0.13.win.zip | fata64a.v.0.13.win.zip | md5/sha1 | ||
Linux: | fata32.v.0.13.lin.tar.gz | fata64.v.0.13.lin.tar.gz | fata64a.v.0.13.lin.tar.gz | md5/sha1 | ||
Mac OS X: | Not Available | fata.v.0.13.dmg | fata.v.0.3.dmg | md5/sha1 | ||
*32bit apps can run in a 64bit linux distribution if "ia32-libs" (and dependencies) are present. |