SecureArtisan

My Road to Digital Forensics Excellence

File system – exFAT

Posted by Paul Bobby on May 4, 2009

Available on Vista, and on XP via this download, exFAT is the replacement for FAT32. exFAT, also known as FAT64, comes with specific file system advances intended to improve the efficiency of file system operations, on external devices in particular.

Both Brian Carrier and Microsoft themselves have documented the timestamp behavior of FAT16 and NTFS file systems when files and folders are both copied and moved around from one to the other. This post performs a test of files/folders being copied/moved from NTFS to exFAT.

Test Setup
  1. Source volume is NTFS
  2. Destination volume is exFAT
  3. exFAT has no concept of Entry Modified
  4. Copies and Moves are to the ‘exFAT-Test-Destination’ folder
  5. The following screenshots include the timestamps for all test files

[Screenshot: Three folders created on the exFAT volume]

[Screenshot: The test files and folders on the NTFS volume]

Copying Files from an NTFS volume to an exFAT volume

[Screenshot: The timestamps of the file after being copied]

  1. Last Accessed: Changes by +2 seconds
  2. File Created: Time of the actual copy
  3. Last Written: Matches the File Created timestamp
  4. Parent folder timestamps are unchanged
  5. Forensic Implication: If Created > Accessed, the file was copied. It does not, however, imply that the file was copied to this volume from another volume: a subsequent test verified that copying a file from one folder on the same exFAT volume to another folder on that volume produced the same timestamp results.

Moving Files from an NTFS volume to an exFAT volume

[Screenshot: The timestamps of the file after being moved]

  1. Last Accessed: Changes by +2 seconds
  2. File Created: preserved
  3. Last Written: Time of the actual move
  4. Parent folder timestamps are unchanged
  5. Forensic Implication: If Written > Accessed, implies that the file was moved.

Copying Folders from NTFS to exFAT
  1. All timestamps change to the time of the actual copy
  2. Forensic Implication: No way to determine if a folder was created on, copied to or moved to the exFAT volume, based on timestamps alone.

Moving Folders from NTFS to exFAT
  1. All timestamps change to the time of the actual move
  2. Forensic Implication: No way to determine if a folder was created on, copied to or moved to the exFAT volume, based on timestamps alone.

Copying Folders from exFAT to exFAT
  1. All timestamps change to the time of the actual copy
  2. Forensic Implication: No way to determine if a folder was created on, copied to or moved to the exFAT volume, based on timestamps alone.

Moving Folders from exFAT to exFAT
  1. All timestamps change to the time of the actual move
  2. Forensic Implication: No way to determine if a folder was created on, copied to or moved to the exFAT volume, based on timestamps alone.
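The file and folder rules above can be turned into a small triage helper. The following is an added example written for this post, not code from the original; it models the observed outcomes (Created and Written set to the operation time on copy, Created preserved on move, Accessed shifted by the observed +2 seconds, everything reset for folders) and then applies the two inference rules, Created > Accessed for a copy and Written > Accessed for a move. The Entry type, the sample timestamps and the operation time are constructed for the example; the +2 second shift is reproduced as observed, not explained.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta

# Observed in the tests: Last Accessed on the exFAT side is the source value +2 s.
ACCESS_SHIFT = timedelta(seconds=2)


@dataclass(frozen=True)
class Entry:
    """Timestamps of one file or folder as read from an exFAT directory entry (constructed type)."""
    name: str
    created: datetime
    written: datetime
    accessed: datetime
    is_dir: bool = False


def after_copy(src: Entry, when: datetime) -> Entry:
    """Expected exFAT timestamps after copying `src` at time `when` (per the observations above)."""
    if src.is_dir:
        # Folders: every timestamp becomes the time of the copy.
        return replace(src, created=when, written=when, accessed=when)
    # Files: Created and Written become the copy time, Accessed shifts by +2 s.
    return replace(src, created=when, written=when, accessed=src.accessed + ACCESS_SHIFT)


def after_move(src: Entry, when: datetime) -> Entry:
    """Expected exFAT timestamps after moving `src` at time `when` (per the observations above)."""
    if src.is_dir:
        # Folders: every timestamp becomes the time of the move.
        return replace(src, created=when, written=when, accessed=when)
    # Files: Created is preserved, Written becomes the move time, Accessed shifts by +2 s.
    return replace(src, written=when, accessed=src.accessed + ACCESS_SHIFT)


def classify(e: Entry) -> str:
    """Apply the forensic implications: 'copied', 'moved', 'indeterminate' (folder) or 'no indication'."""
    if e.is_dir:
        # Folder timestamps alone cannot distinguish created, copied or moved.
        return "indeterminate"
    if e.created > e.accessed:
        # A copy sets Created to the copy time, later than the shifted Accessed.
        return "copied"
    if e.written > e.accessed:
        # A move keeps Created but sets Written to the move time.
        return "moved"
    return "no indication"


# Constructed sample: a file on the NTFS source, last accessed after it was last written.
SAMPLE_SOURCE = Entry(
    name="test.txt",
    created=datetime(2009, 5, 1, 9, 0, 0),
    written=datetime(2009, 5, 2, 10, 0, 0),
    accessed=datetime(2009, 5, 3, 11, 0, 0),
)
SAMPLE_FOLDER = replace(SAMPLE_SOURCE, name="test-folder", is_dir=True)
OP_TIME = datetime(2009, 5, 4, 12, 0, 0)  # constructed time of the copy/move


if __name__ == "__main__":
    for label, entry in [
        ("source as-is", SAMPLE_SOURCE),
        ("file copied", after_copy(SAMPLE_SOURCE, OP_TIME)),
        ("file moved", after_move(SAMPLE_SOURCE, OP_TIME)),
        ("folder copied", after_copy(SAMPLE_FOLDER, OP_TIME)),
    ]:
        print(f"{label:13} C={entry.created} W={entry.written} A={entry.accessed} -> {classify(entry)}")
```

The rules only separate copy from move when the source file's Accessed timestamp was at least as recent as its Written timestamp before the operation; a source file that already had Written > Accessed would classify as "moved" even if it had never been moved, so an examiner should treat the result as a lead to confirm against other artifacts, not as proof.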

In Part 2, I will comment on the +2 second strangeness in the Last Accessed timestamp, as well as an interesting artifact I discovered when moving folders and then copying files into those moved folders.
