1 /*
2 ** fatxxfs
3 ** The Sleuth Kit
4 **
5 ** Content and meta data layer support for the FATXX file system
6 **
7 ** Brian Carrier [carrier <at> sleuthkit [dot] org]
8 ** Copyright (c) 2006-2013 Brian Carrier, Basis Technology. All Rights reserved
9 ** Copyright (c) 2003-2005 Brian Carrier. All rights reserved
10 **
11 ** TASK
12 ** Copyright (c) 2002 Brian Carrier, @stake Inc. All rights reserved
13 **
14 **
15 ** This software is distributed under the Common Public License 1.0
16 **
17 ** Unicode added with support from I.D.E.A.L. Technology Corp (Aug '05)
18 **
19 */
20
21 /**
22 * \file fatxxfs.c
23 * Contains the internal TSK FATXX (FAT12, FAT16, FAT32) file system code to
24 * handle basic file system processing for opening file system, processing
25 * sectors, and directory entries.
26 */
27
28 #include "tsk_fatxxfs.h"
29
30 /*
31 * Implementation NOTES
32 *
33 * TSK_FS_META contains the first cluster. file_walk will return sector
34 * values though because the cluster numbers do not start until after
35 * the FAT. That makes it very hard to address the first few blocks!
36 *
37 * Inodes numbers do not exist in FAT. To make up for this we will count
38 * directory entries as the inodes. As the root directory does not have
39 * any records in FAT, we will give it times of 0 and call it inode 2 to
40 * keep consistent with UNIX. After that, each 32-byte slot is numbered
41 * as though it were a directory entry (even if it is not). Therefore,
42 * when an inode walk is performed, not all inode values will be displayed
43 * even when '-e' is given for ils.
44 *
45 * Progs like 'ils -e' are very slow because we have to look at each
46 * block to see if it is a file system structure.
47 */
48
49 /**
50 * Print details about the file system to a file handle.
51 *
52 * @param fs File system to print details on
53 * @param hFile File handle to print text to
54 *
55 * @returns 1 on error and 0 on success
56 */
57 static uint8_t
fatxxfs_fsstat(TSK_FS_INFO * fs,FILE * hFile)58 fatxxfs_fsstat(TSK_FS_INFO * fs, FILE * hFile)
59 {
60 unsigned int i;
61 TSK_DADDR_T next, snext, sstart, send;
62 FATFS_INFO *fatfs = (FATFS_INFO *) fs;
63 FATXXFS_SB *sb = (FATXXFS_SB*)fatfs->boot_sector_buffer;
64 char *data_buf;
65 FATXXFS_DENTRY *vol_label_dentry = NULL;
66 ssize_t cnt;
67
68 // clean up any error messages that are lying around
69 tsk_error_reset();
70
71 if ((data_buf = (char *) tsk_malloc(fs->block_size)) == NULL) {
72 return 1;
73 }
74
75
76 /* Read the root directory sector so that we can get the volume
77 * label from it */
78 cnt = tsk_fs_read_block(fs, fatfs->rootsect, data_buf, fs->block_size);
79 if (cnt != fs->block_size) {
80 if (cnt >= 0) {
81 tsk_error_reset();
82 tsk_error_set_errno(TSK_ERR_FS_READ);
83 }
84 tsk_error_set_errstr2("fatxxfs_fsstat: root directory: %" PRIuDADDR,
85 fatfs->rootsect);
86 free(data_buf);
87 return 1;
88 }
89
90
91 /* Find the dentry that is set as the volume label */
92 vol_label_dentry = NULL;
93 if (fatfs->ssize <= fs->block_size) {
94 FATXXFS_DENTRY *current_entry = (FATXXFS_DENTRY *) data_buf;
95 for (i = 0; i < fatfs->ssize; i += sizeof(*current_entry)) {
96 if (current_entry->attrib == FATFS_ATTR_VOLUME) {
97 vol_label_dentry = current_entry;
98 break;
99 }
100 current_entry++;
101 }
102 }
103
104
105 /* Print the general file system information */
106
107 tsk_fprintf(hFile, "FILE SYSTEM INFORMATION\n");
108 tsk_fprintf(hFile, "--------------------------------------------\n");
109
110 tsk_fprintf(hFile, "File System Type: FAT");
111 if (fs->ftype == TSK_FS_TYPE_FAT12)
112 tsk_fprintf(hFile, "12\n");
113 else if (fs->ftype == TSK_FS_TYPE_FAT16)
114 tsk_fprintf(hFile, "16\n");
115 else if (fs->ftype == TSK_FS_TYPE_FAT32)
116 tsk_fprintf(hFile, "32\n");
117 else
118 tsk_fprintf(hFile, "\n");
119
120 tsk_fprintf(hFile, "\nOEM Name: %c%c%c%c%c%c%c%c\n", sb->oemname[0],
121 sb->oemname[1], sb->oemname[2], sb->oemname[3], sb->oemname[4],
122 sb->oemname[5], sb->oemname[6], sb->oemname[7]);
123
124
125 if (fatfs->fs_info.ftype != TSK_FS_TYPE_FAT32) {
126 tsk_fprintf(hFile, "Volume ID: 0x%" PRIx32 "\n",
127 tsk_getu32(fs->endian, sb->a.f16.vol_id));
128
129 tsk_fprintf(hFile,
130 "Volume Label (Boot Sector): %c%c%c%c%c%c%c%c%c%c%c\n",
131 sb->a.f16.vol_lab[0], sb->a.f16.vol_lab[1],
132 sb->a.f16.vol_lab[2], sb->a.f16.vol_lab[3],
133 sb->a.f16.vol_lab[4], sb->a.f16.vol_lab[5],
134 sb->a.f16.vol_lab[6], sb->a.f16.vol_lab[7],
135 sb->a.f16.vol_lab[8], sb->a.f16.vol_lab[9],
136 sb->a.f16.vol_lab[10]);
137
138 if ((vol_label_dentry) && (vol_label_dentry->name[0])) {
139 tsk_fprintf(hFile,
140 "Volume Label (Root Directory): %c%c%c%c%c%c%c%c%c%c%c\n",
141 vol_label_dentry->name[0], vol_label_dentry->name[1], vol_label_dentry->name[2], vol_label_dentry->name[3],
142 vol_label_dentry->name[4], vol_label_dentry->name[5], vol_label_dentry->name[6], vol_label_dentry->name[7],
143 vol_label_dentry->ext[0], vol_label_dentry->ext[1], vol_label_dentry->ext[2]);
144 }
145 else {
146 tsk_fprintf(hFile, "Volume Label (Root Directory):\n");
147 }
148
149 tsk_fprintf(hFile, "File System Type Label: %c%c%c%c%c%c%c%c\n",
150 sb->a.f16.fs_type[0], sb->a.f16.fs_type[1],
151 sb->a.f16.fs_type[2], sb->a.f16.fs_type[3],
152 sb->a.f16.fs_type[4], sb->a.f16.fs_type[5],
153 sb->a.f16.fs_type[6], sb->a.f16.fs_type[7]);
154 }
155 else {
156
157 char *fat_fsinfo_buf;
158
159 if ((fat_fsinfo_buf = (char *)
160 tsk_malloc(sizeof(FATXXFS_FSINFO))) == NULL) {
161 free(data_buf);
162 return 1;
163 }
164
165 tsk_fprintf(hFile, "Volume ID: 0x%" PRIx32 "\n",
166 tsk_getu32(fs->endian, sb->a.f32.vol_id));
167
168 tsk_fprintf(hFile,
169 "Volume Label (Boot Sector): %c%c%c%c%c%c%c%c%c%c%c\n",
170 sb->a.f32.vol_lab[0], sb->a.f32.vol_lab[1],
171 sb->a.f32.vol_lab[2], sb->a.f32.vol_lab[3],
172 sb->a.f32.vol_lab[4], sb->a.f32.vol_lab[5],
173 sb->a.f32.vol_lab[6], sb->a.f32.vol_lab[7],
174 sb->a.f32.vol_lab[8], sb->a.f32.vol_lab[9],
175 sb->a.f32.vol_lab[10]);
176
177 if ((vol_label_dentry) && (vol_label_dentry->name[0])) {
178 tsk_fprintf(hFile,
179 "Volume Label (Root Directory): %c%c%c%c%c%c%c%c%c%c%c\n",
180 vol_label_dentry->name[0], vol_label_dentry->name[1], vol_label_dentry->name[2], vol_label_dentry->name[3],
181 vol_label_dentry->name[4], vol_label_dentry->name[5], vol_label_dentry->name[6], vol_label_dentry->name[7],
182 vol_label_dentry->ext[0], vol_label_dentry->ext[1], vol_label_dentry->ext[2]);
183 }
184 else {
185 tsk_fprintf(hFile, "Volume Label (Root Directory):\n");
186 }
187
188 tsk_fprintf(hFile, "File System Type Label: %c%c%c%c%c%c%c%c\n",
189 sb->a.f32.fs_type[0], sb->a.f32.fs_type[1],
190 sb->a.f32.fs_type[2], sb->a.f32.fs_type[3],
191 sb->a.f32.fs_type[4], sb->a.f32.fs_type[5],
192 sb->a.f32.fs_type[6], sb->a.f32.fs_type[7]);
193
194
195 /* Process the FS info */
196 if (tsk_getu16(fs->endian, sb->a.f32.fsinfo)) {
197 FATXXFS_FSINFO *fat_info;
198 cnt =
199 tsk_fs_read(fs,
200 (TSK_DADDR_T) tsk_getu16(fs->endian, sb->a.f32.fsinfo) * fs->block_size,
201 fat_fsinfo_buf, sizeof(FATXXFS_FSINFO));
202
203 if (cnt != sizeof(FATXXFS_FSINFO)) {
204 if (cnt >= 0) {
205 tsk_error_reset();
206 tsk_error_set_errno(TSK_ERR_FS_READ);
207 }
208 tsk_error_set_errstr2
209 ("fatxxfs_fsstat: TSK_FS_TYPE_FAT32 FSINFO block: %"
210 PRIuDADDR, (TSK_DADDR_T) tsk_getu16(fs->endian,
211 sb->a.f32.fsinfo));
212 free(data_buf);
213 free(fat_fsinfo_buf);
214 return 1;
215 }
216
217
218 fat_info = (FATXXFS_FSINFO *) fat_fsinfo_buf;
219 tsk_fprintf(hFile,
220 "Next Free Sector (FS Info): %" PRIuDADDR "\n",
221 FATFS_CLUST_2_SECT(fatfs, tsk_getu32(fs->endian,
222 fat_info->nextfree)));
223
224 tsk_fprintf(hFile,
225 "Free Sector Count (FS Info): %" PRIu32 "\n",
226 (tsk_getu32(fs->endian,
227 fat_info->freecnt) * fatfs->csize));
228
229 free(fat_fsinfo_buf);
230 }
231 }
232
233 free(data_buf);
234
235 tsk_fprintf(hFile, "\nSectors before file system: %" PRIu32 "\n",
236 tsk_getu32(fs->endian, sb->prevsect));
237
238 tsk_fprintf(hFile, "\nFile System Layout (in sectors)\n");
239
240 tsk_fprintf(hFile, "Total Range: %" PRIuDADDR " - %" PRIuDADDR "\n",
241 fs->first_block, fs->last_block);
242
243 if (fs->last_block != fs->last_block_act)
244 tsk_fprintf(hFile,
245 "Total Range in Image: %" PRIuDADDR " - %" PRIuDADDR "\n",
246 fs->first_block, fs->last_block_act);
247
248 tsk_fprintf(hFile, "* Reserved: 0 - %" PRIuDADDR "\n",
249 fatfs->firstfatsect - 1);
250
251 tsk_fprintf(hFile, "** Boot Sector: 0\n");
252
253 if (fatfs->fs_info.ftype == TSK_FS_TYPE_FAT32) {
254 tsk_fprintf(hFile, "** FS Info Sector: %" PRIu16 "\n",
255 tsk_getu16(fs->endian, sb->a.f32.fsinfo));
256
257 tsk_fprintf(hFile, "** Backup Boot Sector: %" PRIu16 "\n",
258 tsk_getu16(fs->endian, sb->a.f32.bs_backup));
259 }
260
261 for (i = 0; i < fatfs->numfat; i++) {
262 TSK_DADDR_T base = fatfs->firstfatsect + i * (fatfs->sectperfat);
263
264 tsk_fprintf(hFile, "* FAT %d: %" PRIuDADDR " - %" PRIuDADDR "\n",
265 i, base, (base + fatfs->sectperfat - 1));
266 }
267
268 tsk_fprintf(hFile, "* Data Area: %" PRIuDADDR " - %" PRIuDADDR "\n",
269 fatfs->firstdatasect, fs->last_block);
270
271 if (fatfs->fs_info.ftype != TSK_FS_TYPE_FAT32) {
272 TSK_DADDR_T x = fatfs->csize * fatfs->clustcnt;
273
274 tsk_fprintf(hFile,
275 "** Root Directory: %" PRIuDADDR " - %" PRIuDADDR "\n",
276 fatfs->firstdatasect, fatfs->firstclustsect - 1);
277
278 tsk_fprintf(hFile,
279 "** Cluster Area: %" PRIuDADDR " - %" PRIuDADDR "\n",
280 fatfs->firstclustsect, (fatfs->firstclustsect + x - 1));
281
282 if ((fatfs->firstclustsect + x - 1) != fs->last_block) {
283 tsk_fprintf(hFile,
284 "** Non-clustered: %" PRIuDADDR " - %" PRIuDADDR "\n",
285 (fatfs->firstclustsect + x), fs->last_block);
286 }
287 }
288 else {
289 TSK_LIST *list_seen = NULL;
290 TSK_DADDR_T x = fatfs->csize * (fatfs->lastclust - 1);
291 TSK_DADDR_T clust, clust_p;
292
293 tsk_fprintf(hFile,
294 "** Cluster Area: %" PRIuDADDR " - %" PRIuDADDR "\n",
295 fatfs->firstclustsect, (fatfs->firstclustsect + x - 1));
296
297
298 clust_p = fatfs->rootsect;
299 clust = FATFS_SECT_2_CLUST(fatfs, fatfs->rootsect);
300 while ((clust) && (0 == FATFS_ISEOF(clust, FATFS_32_MASK))) {
301 TSK_DADDR_T nxt;
302 clust_p = clust;
303
304 /* Make sure we do not get into an infinite loop */
305 if (tsk_list_find(list_seen, clust)) {
306 if (tsk_verbose)
307 tsk_fprintf(stderr,
308 "Loop found while determining root directory size\n");
309 break;
310 }
311 if (tsk_list_add(&list_seen, clust)) {
312 tsk_list_free(list_seen);
313 list_seen = NULL;
314 return 1;
315 }
316
317 if (fatfs_getFAT(fatfs, clust, &nxt))
318 break;
319 clust = nxt;
320 }
321 tsk_list_free(list_seen);
322 list_seen = NULL;
323
324 tsk_fprintf(hFile,
325 "*** Root Directory: %" PRIuDADDR " - %" PRIuDADDR "\n",
326 fatfs->rootsect, (FATFS_CLUST_2_SECT(fatfs, clust_p + 1) - 1));
327
328 if ((fatfs->firstclustsect + x - 1) != fs->last_block) {
329 tsk_fprintf(hFile,
330 "** Non-clustered: %" PRIuDADDR " - %" PRIuDADDR "\n",
331 (fatfs->firstclustsect + x), fs->last_block);
332 }
333 }
334
335
336 tsk_fprintf(hFile, "\nMETADATA INFORMATION\n");
337 tsk_fprintf(hFile, "--------------------------------------------\n");
338
339 tsk_fprintf(hFile, "Range: %" PRIuINUM " - %" PRIuINUM "\n",
340 fs->first_inum, fs->last_inum);
341 tsk_fprintf(hFile, "Root Directory: %" PRIuINUM "\n", fs->root_inum);
342
343
344 tsk_fprintf(hFile, "\nCONTENT INFORMATION\n");
345 tsk_fprintf(hFile, "--------------------------------------------\n");
346 tsk_fprintf(hFile, "Sector Size: %" PRIu16 "\n", fatfs->ssize);
347 tsk_fprintf(hFile, "Cluster Size: %" PRIu32 "\n",
348 (uint32_t) fatfs->csize << fatfs->ssize_sh);
349
350 tsk_fprintf(hFile, "Total Cluster Range: 2 - %" PRIuDADDR "\n",
351 fatfs->lastclust);
352
353
354 /* cycle via cluster and look at each cluster in the FAT
355 * for clusters marked as bad */
356 cnt = 0;
357 for (i = 2; i <= fatfs->lastclust; i++) {
358 TSK_DADDR_T entry;
359 TSK_DADDR_T sect;
360 unsigned int a;
361
362 /* Get the FAT table entry */
363 if (fatfs_getFAT(fatfs, i, &entry))
364 break;
365
366 if (FATFS_ISBAD(entry, fatfs->mask) == 0) {
367 continue;
368 }
369
370 if (cnt == 0)
371 tsk_fprintf(hFile, "Bad Sectors: ");
372
373 sect = FATFS_CLUST_2_SECT(fatfs, i);
374 for (a = 0; a < fatfs->csize; a++) {
375 tsk_fprintf(hFile, "%" PRIuDADDR " ", sect + a);
376 if ((++cnt % 8) == 0)
377 tsk_fprintf(hFile, "\n");
378 }
379 }
380 if ((cnt > 0) && ((cnt % 8) != 0))
381 tsk_fprintf(hFile, "\n");
382
383 /* Display the FAT Table */
384 tsk_fprintf(hFile, "\nFAT CONTENTS (in sectors)\n");
385 tsk_fprintf(hFile, "--------------------------------------------\n");
386
387 /* 'sstart' marks the first sector of the current run to print */
388 sstart = fatfs->firstclustsect;
389
390 /* cycle via cluster and look at each cluster in the FAT to make runs */
391 for (i = 2; i <= fatfs->lastclust; i++) {
392
393 /* 'send' marks the end sector of the current run, which will extend
394 * when the current cluster continues to the next
395 */
396 send = FATFS_CLUST_2_SECT(fatfs, i + 1) - 1;
397
398 /* get the next cluster */
399 if (fatfs_getFAT(fatfs, i, &next))
400 break;
401
402 snext = FATFS_CLUST_2_SECT(fatfs, next);
403
404 /* we are also using the next sector (clust) */
405 if ((next & fatfs->mask) == (i + 1)) {
406 continue;
407 }
408
409 /* The next clust is either further away or the clust is available,
410 * print it if is further away
411 */
412 else if ((next & fatfs->mask)) {
413 if (FATFS_ISEOF(next, fatfs->mask))
414 tsk_fprintf(hFile,
415 "%" PRIuDADDR "-%" PRIuDADDR " (%" PRIuDADDR
416 ") -> EOF\n", sstart, send, send - sstart + 1);
417 else if (FATFS_ISBAD(next, fatfs->mask))
418 tsk_fprintf(hFile,
419 "%" PRIuDADDR "-%" PRIuDADDR " (%" PRIuDADDR
420 ") -> BAD\n", sstart, send, send - sstart + 1);
421 else
422 tsk_fprintf(hFile,
423 "%" PRIuDADDR "-%" PRIuDADDR " (%" PRIuDADDR
424 ") -> %" PRIuDADDR "\n", sstart, send,
425 send - sstart + 1, snext);
426 }
427
428 /* reset the starting counter */
429 sstart = send + 1;
430 }
431
432 return 0;
433 }
434
435 uint8_t
fatxxfs_open(FATFS_INFO * fatfs)436 fatxxfs_open(FATFS_INFO *fatfs)
437 {
438 const char *func_name = "fatxxfs_open";
439 TSK_FS_INFO *fs = &(fatfs->fs_info);
440 FATXXFS_SB *fatsb = (FATXXFS_SB*)(&fatfs->boot_sector_buffer);
441 int i = 0;
442 TSK_DADDR_T sectors = 0;
443 TSK_FS_DIR * test_dir1; // Directories used to try opening the root directory
444
445 // clean up any error messages that are lying around
446 tsk_error_reset();
447
448 /* Calculate block sizes and layout info */
449 // sector size
450 fatfs->ssize = tsk_getu16(fs->endian, fatsb->ssize);
451 if (fatfs->ssize == 512) {
452 fatfs->ssize_sh = 9;
453 }
454 else if (fatfs->ssize == 1024) {
455 fatfs->ssize_sh = 10;
456 }
457 else if (fatfs->ssize == 2048) {
458 fatfs->ssize_sh = 11;
459 }
460 else if (fatfs->ssize == 4096) {
461 fatfs->ssize_sh = 12;
462 }
463 else {
464 tsk_error_reset();
465 tsk_error_set_errno(TSK_ERR_FS_MAGIC);
466 tsk_error_set_errstr
467 ("Error: sector size (%d) is not a multiple of device size (%d)\nDo you have a disk image instead of a partition image?",
468 fatfs->ssize, fs->dev_bsize);
469 if (tsk_verbose)
470 fprintf(stderr, "%s: Invalid sector size (%d)\n",
471 func_name, fatfs->ssize);
472 return 1;
473 }
474
475 // cluster size
476 fatfs->csize = fatsb->csize;
477 if ((fatfs->csize != 0x01) &&
478 (fatfs->csize != 0x02) &&
479 (fatfs->csize != 0x04) &&
480 (fatfs->csize != 0x08) &&
481 (fatfs->csize != 0x10) &&
482 (fatfs->csize != 0x20) &&
483 (fatfs->csize != 0x40) && (fatfs->csize != 0x80)) {
484 if (tsk_verbose)
485 fprintf(stderr, "%s: Invalid cluster size (%d)\n",
486 func_name, fatfs->csize);
487 tsk_error_reset();
488 tsk_error_set_errno(TSK_ERR_FS_MAGIC);
489 tsk_error_set_errstr("Not a FATXX file system (cluster size)");
490 return 1;
491 }
492
493 // number of FAT tables
494 fatfs->numfat = fatsb->numfat;
495 if ((fatfs->numfat == 0) || (fatfs->numfat > 8)) {
496 if (tsk_verbose)
497 fprintf(stderr, "%s: Invalid number of FATS (%d)\n",
498 func_name, fatfs->numfat);
499 tsk_error_reset();
500 tsk_error_set_errno(TSK_ERR_FS_MAGIC);
501 tsk_error_set_errstr("Not a FATXX file system (number of FATs)");
502 return 1;
503 }
504
505 /* We can't do a sanity check on this b.c. TSK_FS_TYPE_FAT32 has a value of 0 */
506 /* num of root entries */
507 fatfs->numroot = tsk_getu16(fs->endian, fatsb->numroot);
508
509 /* if sectors16 is 0, then the number of sectors is stored in sectors32 */
510 if (0 == (sectors = tsk_getu16(fs->endian, fatsb->sectors16)))
511 sectors = tsk_getu32(fs->endian, fatsb->sectors32);
512
513 /* if secperfat16 is 0, then read sectperfat32 */
514 if (0 == (fatfs->sectperfat =
515 tsk_getu16(fs->endian, fatsb->sectperfat16)))
516 fatfs->sectperfat =
517 tsk_getu32(fs->endian, fatsb->a.f32.sectperfat32);
518
519 if (fatfs->sectperfat == 0) {
520 if (tsk_verbose)
521 fprintf(stderr,
522 "%s: Invalid number of sectors per FAT (%d)\n",
523 func_name, fatfs->sectperfat);
524 tsk_error_reset();
525 tsk_error_set_errno(TSK_ERR_FS_MAGIC);
526 tsk_error_set_errstr
527 ("Not a FATXX file system (invalid sectors per FAT)");
528 return 1;
529 }
530
531 fatfs->firstfatsect = tsk_getu16(fs->endian, fatsb->reserved);
532 if ((fatfs->firstfatsect == 0) || (fatfs->firstfatsect > sectors)) {
533 tsk_error_reset();
534 tsk_error_set_errno(TSK_ERR_FS_WALK_RNG);
535 tsk_error_set_errstr
536 ("Not a FATXX file system (invalid first FAT sector %"
537 PRIuDADDR ")", fatfs->firstfatsect);
538 if (tsk_verbose)
539 fprintf(stderr,
540 "%s: Invalid first FAT (%" PRIuDADDR ")\n",
541 func_name, fatfs->firstfatsect);
542 return 1;
543 }
544
545 /* Calculate the block info
546 *
547 * The sector of the beginning of the data area - which is
548 * after all of the FATs
549 *
550 * For TSK_FS_TYPE_FAT12 and TSK_FS_TYPE_FAT16, the data area starts with the root
551 * directory entries and then the first cluster. For TSK_FS_TYPE_FAT32,
552 * the data area starts with clusters and the root directory
553 * is somewhere in the data area
554 */
555 fatfs->firstdatasect = fatfs->firstfatsect +
556 fatfs->sectperfat * fatfs->numfat;
557
558 /* The sector where the first cluster is located. It will be used
559 * to translate cluster addresses to sector addresses
560 *
561 * For TSK_FS_TYPE_FAT32, the first cluster is the start of the data area and
562 * it is after the root directory for TSK_FS_TYPE_FAT12 and TSK_FS_TYPE_FAT16. At this
563 * point in the program, numroot is set to 0 for TSK_FS_TYPE_FAT32
564 */
565 fatfs->firstclustsect = fatfs->firstdatasect +
566 ((fatfs->numroot * 32 + fatfs->ssize - 1) / fatfs->ssize);
567
568 /* total number of clusters */
569 fatfs->clustcnt = (sectors - fatfs->firstclustsect) / fatfs->csize;
570
571 /* the first cluster is #2, so the final cluster is: */
572 fatfs->lastclust = 1 + fatfs->clustcnt;
573
574
575 /* identify the FAT type by the total number of data clusters
576 * this calculation is from the MS FAT Overview Doc
577 *
578 * A FAT file system made by another OS could use different values
579 */
580 if (fatfs->fs_info.ftype == TSK_FS_TYPE_FAT_DETECT) {
581
582 if (fatfs->clustcnt < 4085) {
583 fatfs->fs_info.ftype = TSK_FS_TYPE_FAT12;
584 }
585 else if (fatfs->clustcnt < 65525) {
586 fatfs->fs_info.ftype = TSK_FS_TYPE_FAT16;
587 }
588 else {
589 fatfs->fs_info.ftype = TSK_FS_TYPE_FAT32;
590 }
591
592 fatfs->fs_info.ftype = fatfs->fs_info.ftype;
593 }
594
595 /* Some sanity checks */
596 else {
597 if ((fatfs->fs_info.ftype == TSK_FS_TYPE_FAT12)
598 && (fatfs->clustcnt >= 4085)) {
599 tsk_error_reset();
600 tsk_error_set_errno(TSK_ERR_FS_MAGIC);
601 tsk_error_set_errstr
602 ("Too many sectors for TSK_FS_TYPE_FAT12: try auto-detect mode");
603 if (tsk_verbose)
604 fprintf(stderr,
605 "%s: Too many sectors for FAT12\n", func_name);
606 return 1;
607 }
608 }
609
610 if ((fatfs->fs_info.ftype == TSK_FS_TYPE_FAT32) && (fatfs->numroot != 0)) {
611 tsk_error_reset();
612 tsk_error_set_errno(TSK_ERR_FS_MAGIC);
613 tsk_error_set_errstr
614 ("Invalid TSK_FS_TYPE_FAT32 image (numroot != 0)");
615 if (tsk_verbose)
616 fprintf(stderr, "%s: numroom != 0 for FAT32\n", func_name);
617 return 1;
618 }
619
620 if ((fatfs->fs_info.ftype != TSK_FS_TYPE_FAT32) && (fatfs->numroot == 0)) {
621 tsk_error_reset();
622 tsk_error_set_errno(TSK_ERR_FS_MAGIC);
623 tsk_error_set_errstr
624 ("Invalid FAT image (numroot == 0, and not TSK_FS_TYPE_FAT32)");
625 if (tsk_verbose)
626 fprintf(stderr, "%s: numroom == 0 and not FAT32\n", func_name);
627 return 1;
628 }
629
630 /* additional sanity checks if we think we are using the backup boot sector.
631 * The scenario to prevent here is if fat_open is called 6 sectors before the real start
632 * of the file system, then we want to detect that it was not a backup that we saw.
633 */
634 if (fatfs->using_backup_boot_sector) {
635 // only FAT32 has backup boot sectors..
636 if (fatfs->fs_info.ftype != TSK_FS_TYPE_FAT32) {
637 tsk_error_reset();
638 tsk_error_set_errno(TSK_ERR_FS_MAGIC);
639 tsk_error_set_errstr
640 ("Invalid FAT image (Used what we thought was a backup boot sector, but it is not TSK_FS_TYPE_FAT32)");
641 if (tsk_verbose)
642 fprintf(stderr,
643 "%s: Had to use backup boot sector, but this isn't FAT32\n", func_name);
644 return 1;
645 }
646 if (fatfs->numroot > 1) {
647 uint8_t buf1[512];
648 uint8_t buf2[512];
649 int i2;
650 int numDiffs;
651 ssize_t cnt = 0;
652
653 cnt =
654 tsk_fs_read(fs, fatfs->firstfatsect * fatfs->ssize,
655 (char *) buf1, 512);
656 if (cnt != 512) {
657 if (cnt >= 0) {
658 tsk_error_reset();
659 tsk_error_set_errno(TSK_ERR_FS_READ);
660 }
661 tsk_error_set_errstr2("%s: FAT1", func_name);
662 fs->tag = 0;
663 return 1;
664 }
665
666 cnt =
667 tsk_fs_read(fs,
668 (fatfs->firstfatsect + fatfs->sectperfat) * fatfs->ssize,
669 (char *) buf2, 512);
670 if (cnt != 512) {
671 if (cnt >= 0) {
672 tsk_error_reset();
673 tsk_error_set_errno(TSK_ERR_FS_READ);
674 }
675 tsk_error_set_errstr2("%s: FAT2", func_name);
676 fs->tag = 0;
677 return 1;
678 }
679
680 numDiffs = 0;
681 for (i2 = 0; i2 < 512; i2++) {
682 if (buf1[i2] != buf2[i2]) {
683 numDiffs++;
684 }
685 }
686 if (numDiffs > 25) {
687 tsk_error_reset();
688 tsk_error_set_errno(TSK_ERR_FS_MAGIC);
689 tsk_error_set_errstr
690 ("Invalid FAT image (Too many differences between FATS from guessing (%d diffs))",
691 numDiffs);
692 if (tsk_verbose)
693 fprintf(stderr,
694 "%s: Too many differences in FAT from guessing (%d diffs)\n",
695 func_name, numDiffs);
696 return 1;
697 }
698 }
699 }
700
701 /* Set the mask to use on the cluster values */
702 if (fatfs->fs_info.ftype == TSK_FS_TYPE_FAT12) {
703 fatfs->mask = FATFS_12_MASK;
704 }
705 else if (fatfs->fs_info.ftype == TSK_FS_TYPE_FAT16) {
706 fatfs->mask = FATFS_16_MASK;
707 }
708 else if (fatfs->fs_info.ftype == TSK_FS_TYPE_FAT32) {
709 fatfs->mask = FATFS_32_MASK;
710 }
711 else {
712 tsk_error_reset();
713 tsk_error_set_errno(TSK_ERR_FS_ARG);
714 tsk_error_set_errstr("Unknown FAT type in %s: %d\n",
715 func_name, fatfs->fs_info.ftype);
716 return 1;
717 }
718 fs->duname = "Sector";
719
720 /* the root directories are always after the FAT for TSK_FS_TYPE_FAT12 and TSK_FS_TYPE_FAT16,
721 * but are dynamically located for TSK_FS_TYPE_FAT32
722 */
723 if (fatfs->fs_info.ftype == TSK_FS_TYPE_FAT32)
724 fatfs->rootsect = FATFS_CLUST_2_SECT(fatfs,
725 tsk_getu32(fs->endian, fatsb->a.f32.rootclust));
726 else
727 fatfs->rootsect = fatfs->firstdatasect;
728
729 for (i = 0; i < FATFS_FAT_CACHE_N; i++) {
730 fatfs->fatc_addr[i] = 0;
731 fatfs->fatc_ttl[i] = 0;
732 }
733
734 /*
735 * block calculations : although there are no blocks in fat, we will
736 * use these fields for sector calculations
737 */
738 fs->first_block = 0;
739 fs->block_count = sectors;
740 fs->last_block = fs->last_block_act = fs->block_count - 1;
741 fs->block_size = fatfs->ssize;
742
743 // determine the last block we have in this image
744 if ((TSK_DADDR_T) ((fatfs->fs_info.img_info->size - fatfs->fs_info.offset) / fs->block_size) <
745 fs->block_count)
746 fs->last_block_act =
747 (fatfs->fs_info.img_info->size - fatfs->fs_info.offset) / fs->block_size - 1;
748
749 /*
750 * inode calculations
751 */
752
753 /* maximum number of dentries in a sector & cluster */
754 fatfs->dentry_cnt_se = fatfs->ssize / sizeof(FATXXFS_DENTRY);
755 fatfs->dentry_cnt_cl = fatfs->dentry_cnt_se * fatfs->csize;
756
757 fs->root_inum = FATFS_ROOTINO;
758 fs->first_inum = FATFS_FIRSTINO;
759
760 /* Calculate inode addresses for the virtual files (MBR, one or two FATS)
761 * and the virtual orphan files directory. */
762 fs->last_inum = (FATFS_SECT_2_INODE(fatfs, fs->last_block_act + 1) - 1) + FATFS_NUM_VIRT_FILES(fatfs);
763 fatfs->mbr_virt_inum = fs->last_inum - FATFS_NUM_VIRT_FILES(fatfs) + 1;
764 fatfs->fat1_virt_inum = fatfs->mbr_virt_inum + 1;
765 if (fatfs->numfat == 2) {
766 fatfs->fat2_virt_inum = fatfs->fat1_virt_inum + 1;
767 }
768 else {
769 fatfs->fat2_virt_inum = fatfs->fat1_virt_inum;
770 }
771
772 /* Calculate the total number of inodes. */
773 fs->inum_count = fs->last_inum - fs->first_inum + 1;
774
775 /* Volume ID */
776 for (fs->fs_id_used = 0; fs->fs_id_used < 4; fs->fs_id_used++) {
777 if (fatfs->fs_info.ftype == TSK_FS_TYPE_FAT32)
778 fs->fs_id[fs->fs_id_used] =
779 fatsb->a.f32.vol_id[fs->fs_id_used];
780 else
781 fs->fs_id[fs->fs_id_used] =
782 fatsb->a.f16.vol_id[fs->fs_id_used];
783 }
784
785 /*
786 * Set the function pointers
787 */
788
789 fs->block_walk = fatfs_block_walk;
790 fs->block_getflags = fatfs_block_getflags;
791
792 fs->inode_walk = fatfs_inode_walk;
793 fs->istat = fatfs_istat;
794 fs->file_add_meta = fatfs_inode_lookup;
795
796 fs->get_default_attr_type = fatfs_get_default_attr_type;
797 fs->load_attrs = fatfs_make_data_runs;
798
799 fs->dir_open_meta = fatfs_dir_open_meta;
800 fs->name_cmp = fatfs_name_cmp;
801
802 fs->fsstat = fatxxfs_fsstat;
803 fs->fscheck = fatfs_fscheck;
804
805 fs->close = fatfs_close;
806
807 fs->jblk_walk = fatfs_jblk_walk;
808 fs->jentry_walk = fatfs_jentry_walk;
809 fs->jopen = fatfs_jopen;
810
811 fatfs->is_cluster_alloc = fatxxfs_is_cluster_alloc;
812 fatfs->is_dentry = fatxxfs_is_dentry;
813 fatfs->dinode_copy = fatxxfs_dinode_copy;
814 fatfs->inode_lookup = fatxxfs_inode_lookup;
815 fatfs->inode_walk_should_skip_dentry = fatxxfs_inode_walk_should_skip_dentry;
816 fatfs->istat_attr_flags = fatxxfs_istat_attr_flags;
817 fatfs->dent_parse_buf = fatxxfs_dent_parse_buf;
818
819 // initialize the caches
820 tsk_init_lock(&fatfs->cache_lock);
821 tsk_init_lock(&fatfs->dir_lock);
822 fatfs->inum2par = NULL;
823
824 // Test to see if this is the odd Android case where the FAT entries have no short name
825 //
826 // If there are no entries found with the normal short name
827 // and we find more entries by removing the short name test for allocated directories, then assume
828 // this is the case where we have no short names
829 fatfs->subtype = TSK_FATFS_SUBTYPE_SPEC;
830 test_dir1 = tsk_fs_dir_open_meta(fs, fs->root_inum);
831
832 if (test_dir1 != NULL && test_dir1->names_used <= 4){ // At most four automatic directories ($MBR, $FAT1, $FAT1, $OrphanFiles)
833 TSK_FS_DIR * test_dir2; // to see if it's the Android FAT version
834
835 fatfs->subtype = TSK_FATFS_SUBTYPE_ANDROID_1;
836 test_dir2 = tsk_fs_dir_open_meta(fs, fs->root_inum);
837
838 if (test_dir2 != NULL && test_dir2->names_used > test_dir1->names_used){
839 fatfs->subtype = TSK_FATFS_SUBTYPE_ANDROID_1;
840 }
841 else{
842 fatfs->subtype = TSK_FATFS_SUBTYPE_SPEC;
843 }
844 tsk_fs_dir_close(test_dir2);
845 }
846 tsk_fs_dir_close(test_dir1);
847
848 return 0;
849 }
850
851 /* Return 1 if allocated, 0 if unallocated, and -1 if error */
852 int8_t
fatxxfs_is_cluster_alloc(FATFS_INFO * fatfs,TSK_DADDR_T clust)853 fatxxfs_is_cluster_alloc(FATFS_INFO *fatfs, TSK_DADDR_T clust)
854 {
855 TSK_DADDR_T content = 0;
856
857 if (fatfs_getFAT(fatfs, clust, &content))
858 return -1;
859 else if (content == FATFS_UNALLOC)
860 return 0;
861 else
862 return 1;
863 }
864