OSC:File Systems
From SOFTICE
Pedagogical Objectives
- Introduce Kernel Data Structures:
- Introduce Kernel APIs:
- Big picture:
- File systems disk layout structures
Developed by:
[Synopsis]
We are going to lead this discussion about file systems at two levels:
- the filesystem layout on the disk
- the data structures and API used in the kernel
[Briefing]
Your UML virtual machine has a device (/dev/ubd5) which is linked to a virtual disk file in your home directory. This file is a 10Mb disk image formatted as a FAT-12 partition and will be used in this lab to explore how the information used in a FAT filesystem is laid out on the disk. We can explore this layout by hand, using the dd command (cf. man dd or http://linuxmanpages.com/man1/dd.1.php), or we can use more elaborate tools which are part of the common toolkit for forensic investigators ([TSK], [FSFA]).
This briefing will be based on the material presented in [FSFA] chapters #9 & #10. Read this reference as well as the documentation available at [TSK] to familiarize yourself with the tools we will be using in the solved section to help you explore "hands-on" the FAT filesystem layout.
[Solved]
This section will complement the readings assigned in the previous one by getting you to explore "hands-on" the FAT partition we will be using throughout this lab.
Tools of the trade
We can easily use the dd command to dump the contents of a specific disk area on our screen. Let's consider the following example:
dd if=/dev/ubd5 bs=1 count=1 skip=3 2>/dev/null | xxd
This command will
- read from an input file (if) which is the device /dev/ubd5 (your FAT partition)
- assume a block size of 1 byte (bs=1)
- extract only 1 block of data (count=1)
- skip the first 3 blocks of data (#0, #1 and #2) each of size 1 byte
In other words, this command extracts from the disk image the value of byte #3 (starting at 0 of course). The pipe then redirects this data to the xxd command, which formats it for easy reading.
Alternately, the same can be done directly with the xxd command:
xxd -s 3 -l 1 -a /dev/ubd5
The options are as follows:
- -s (seek): Starting position within the file, specified in bytes.
- -l (length): The number of bytes you wish to see.
- -a (autoskip): Replace lines that consist solely of null bytes (0) with a single asterisk.
Gathering general partition information
Originally, your FAT partition will be empty. We are going to start analyzing it as described in [FSFA] and progressively create files and directories to observe how the low-level filesystem layout on the disk image evolves. Following the information provided in [FSFA] table 10.1, we are going to start by displaying some basic information:
- OEM name is stored in ASCII in bytes 3-10
softice:~# dd if=/dev/ubd5 bs=1 count=8 skip=3 2>/dev/null |xxd
0000000: 6d6b 646f 7366 7300  mkdosfs.
We can see that this image's OEM name is "mkdosfs" and, with a little searching, deduce that it has been formatted by the mkfs command, and more specifically the mkfs.msdos command.
- # of bytes per sector
softice:~# dd if=/dev/ubd5 bs=1 count=2 skip=11 2>/dev/null |xxd
or
softice:~# xxd -s 11 -l 2 -a /dev/ubd5
000000b: 0002  ..
This information is stored in little endian format, which means you have to read the bytes in reverse order: 00 02 becomes 02 00, which is hexadecimal for 512. We now know that this FAT partition is using 512 bytes per sector. We can use this information to get an overview of the contents of the first sector of this partition by typing:
softice:~# dd if=/dev/ubd5 bs=512 count=1 2>/dev/null |xxd
or
softice:~# xxd -l 512 /dev/ubd5
The result will be in both cases:
0000000: eb58 906d 6b64 6f73 6673 0000 0201 2000  .X.mkdosfs.... .
0000010: 0200 0000 28f8 0000 2000 4000 0000 0000  ....(... .@.....
0000020: 0000 0000 4f00 0000 0000 0000 0200 0000  ....O...........
0000030: 0100 0600 0000 0000 0000 0000 0000 0000  ................
0000040: 0000 2976 e4c7 4420 2020 2020 2020 2020  ..)v..D
0000050: 2020 4641 5433 3220 2020 0e1f be77 7cac    FAT32   ...w|.
0000060: 22c0 740b 56b4 0ebb 0700 cd10 5eeb f032  ".t.V.......^..2
0000070: e4cd 16cd 19eb fe54 6869 7320 6973 206e  .......This is n
0000080: 6f74 2061 2062 6f6f 7461 626c 6520 6469  ot a bootable di
0000090: 736b 2e20 2050 6c65 6173 6520 696e 7365  sk.  Please inse
00000a0: 7274 2061 2062 6f6f 7461 626c 6520 666c  rt a bootable fl
00000b0: 6f70 7079 2061 6e64 0d0a 7072 6573 7320  oppy and..press
00000c0: 616e 7920 6b65 7920 746f 2074 7279 2061  any key to try a
00000d0: 6761 696e 202e 2e2e 200d 0a00 0000 0000  gain ... .......
00000e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000100: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000110: 0000 0000 0000 0000 0000 0000 0000 0000  ................
[snip]
00001c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001f0: 0000 0000 0000 0000 0000 0000 0000 55aa  ..............U.
This will serve us as a map as we examine other specific information present in this partition.
- # of sectors per cluster
softice:~# dd if=/dev/ubd5 bs=1 count=1 skip=13 2>/dev/null |xxd
or
softice:~# xxd -s 13 -l 1 -a /dev/ubd5
0000000: 01  .
FAT filesystems define their unit of allocation as being a "cluster". The 14th byte of information holds the number of sectors per cluster. The above command reveals that this partition has 1 sector (512 bytes) per cluster (the maximum is 32Kb).
There are many more data items we could extract, but you get the idea for now, and we'll leave the others to be explored as exercise 1.
FAT-32 FSINFO
The location of the FSINFO data structure is revealed in bytes 48-49:
softice:~# xxd -a -s 48 -l 2 /dev/ubd5
0000030: 0100  ..
This tells us the data structure is located in sector 1, so let's have a look at it (knowing 1 sector is 512 bytes). One way to check that we really are where we think we are is to look for the signature which marks the end of the FSINFO (0xAA550000 at offset 508-511):
softice:~# xxd -a -s $[512 + 508] -l 4 /dev/ubd5
00003fc: 0000 55aa  ..U.
Now we know for sure that dumping the contents of the sector 1 will provide us with an overview of the FSINFO:
softice:~# xxd -a -s 512 -l 512 /dev/ubd5
0000200: 5252 6141 0000 0000 0000 0000 0000 0000  RRaA............
0000210: 0000 0000 0000 0000 0000 0000 0000 0000  ................
*
00003e0: 0000 0000 7272 4161 4127 0000 0200 0000  ....rrAaA'......
00003f0: 0000 0000 0000 0000 0000 0000 0000 55aa  ..............U.
Referring to [FSFA] (table 10.4), we can also recognize the signature marking the beginning of the FSINFO (0x41615252) as well as the signature 0x61417272 at byte range 488-491:
softice:~# xxd -a -s $[512 + 484] -l 4 /dev/ubd5
00003e4: 7272 4161  rrAa
We can see that there is not much of the "non-essential" information that has been filled in here. Only the number of free clusters is available at:
softice:~# xxd -a -s $[512 + 488] -l 4 /dev/ubd5
00003e8: 4127 0000  A'..
Our partition therefore has 0x0000 2741 = 10,049 free clusters.
FAT-32 table data structure
Besides information items which are relevant to the entire partition's structure, we can also try to extract items which provide information about the contents of this partition (files, directories).
Let's first determine where our FAT table is.
softice:~# dd if=/dev/ubd5 bs=1 count=1 skip=16 2>/dev/null |xxd
or
softice:~# xxd -a -s 16 -l 1 /dev/ubd5
0000000: 02  .
The above command reveals that this partition stores an extra copy of the FAT table. We know that the first one is located after the reserved area, whose size is:
softice:~# dd if=/dev/ubd5 bs=1 count=2 skip=14 2>/dev/null |xxd
or
softice:~# xxd -s 14 -l 2 /dev/ubd5
0000000: 2000  ..
That is 0x20 = 32 sectors (32x512 Bytes).
Let's check exactly how big our FAT table is on this partition:
softice:~# xxd -s 36 -l 4 /dev/ubd5
0000024: 4f00 0000  O...
This means that each FAT is 0x0000 004F = 79 sectors long (512 bytes each). So, in order to extract the information about the FAT, we need to skip the reserved area (32 sectors) and then list the contents of the next 79 sectors:
softice:~# xxd -a -s $[32 * 512] -l $[79 * 512] /dev/ubd5
0004000: f8ff ff0f ffff ff0f f8ff ff0f 0000 0000  ................
0004010: 0000 0000 0000 0000 0000 0000 0000 0000  ................
*
000ddf0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
Notice the -a option, which replaces a run of consecutive empty lines with a single '*' character on the screen. As you can see, our partition being empty for now, we don't have much information in the FAT table.
The first sector (512 bytes) of this FAT could also have been extracted using sleuthkit specific tools such as:
softice:~# dcat -f fat32 /dev/ubd5 32 | xxd
0000000: f8ff ff0f ffff ff0f f8ff ff0f 0000 0000  ................
0000010: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
[snip]
00001c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
Double Checking
We can verify all the information we extracted by hand from the partition by using the fsstat command of the sleuthkit:
softice:~# fsstat -f fat32 /dev/ubd5
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: FAT32
OEM Name: mkdosfs
Volume ID: 0x44c7e476
Volume Label (Boot Sector):
Volume Label (Root Directory):
File System Type Label: FAT32
Next Free Sector (FS Info): 190
Free Sector Count (FS Info): 10049
Sectors before file system: 0
File System Layout (in sectors)
Total Range: 0 - 10239
* Reserved: 0 - 31
** Boot Sector: 0
** FS Info Sector: 1
** Backup Boot Sector: 6
* FAT 0: 32 - 110
* FAT 1: 111 - 189
* Data Area: 190 - 10239
** Cluster Area: 190 - 10239
*** Root Directory: 190 - 190
METADATA INFORMATION
--------------------------------------------
Range: 2 - 160802
Root Directory: 2
CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 512
Total Cluster Range: 2 - 10051
FAT CONTENTS (in sectors)
--------------------------------------------
190-190 (1) -> EOF
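The fields read by hand above, decoded in one pass and turned into the sector layout that fsstat reports. This is an added example in Python, not part of the original lab: the sample bytes are copied from the dumps on this page, and the function names and the field offsets the lab does not walk through (standard FAT32 boot sector layout) are this example's own.

```python
import struct

# Constructed sample: the leading bytes of sector 0 from the dump above. The
# boot code between offset 0x5a and the 0x55aa signature is zeroed here.
BOOT = bytes.fromhex(
    "eb58 906d 6b64 6f73 6673 0000 0201 2000"
    "0200 0000 28f8 0000 2000 4000 0000 0000"
    "0000 0000 4f00 0000 0000 0000 0200 0000"
    "0100 0600 0000 0000 0000 0000 0000 0000"
    "0000 2976 e4c7 4420 2020 2020 2020 2020"
    "2020 4641 5433 3220 2020").ljust(510, b"\x00") + b"\x55\xaa"

# Constructed sample: the non-zero bytes of sector 1 (FSINFO) from the dump above.
FSINFO = bytearray(512)
FSINFO[0:4] = bytes.fromhex("5252 6141")
FSINFO[484:496] = bytes.fromhex("7272 4161 4127 0000 0200 0000")
FSINFO[508:512] = bytes.fromhex("0000 55aa")

# name: (byte offset, struct format). Offsets 19, 32, 44, 50 and 67 are not
# walked through in the lab; they are the standard FAT32 boot sector fields.
BOOT_FIELDS = {
    "oem": (3, "8s"), "bytes_per_sector": (11, "<H"),
    "sectors_per_cluster": (13, "B"), "reserved_sectors": (14, "<H"),
    "num_fats": (16, "B"), "total_sectors_16": (19, "<H"),
    "total_sectors_32": (32, "<I"), "fat_size": (36, "<I"),
    "root_cluster": (44, "<I"), "fsinfo_sector": (48, "<H"),
    "backup_boot_sector": (50, "<H"), "volume_id": (67, "<I"),
}

def parse_boot_sector(sector):
    """Decode the little-endian boot sector fields and sanity-check them."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55aa boot sector signature")
    bs = {name: struct.unpack_from(fmt, sector, off)[0]
          for name, (off, fmt) in BOOT_FIELDS.items()}
    bs["oem"] = bs["oem"].rstrip(b"\x00 ").decode("ascii", "replace")
    spc = bs["sectors_per_cluster"]
    if bs["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        raise ValueError("implausible bytes per sector")
    if spc == 0 or spc & (spc - 1):
        raise ValueError("sectors per cluster must be a power of two")
    if bs["num_fats"] == 0 or bs["fat_size"] == 0:
        raise ValueError("not a FAT32 boot sector")
    return bs

def layout(bs):
    """Inclusive sector ranges, in the form fsstat prints them."""
    total = bs["total_sectors_16"] or bs["total_sectors_32"]
    start = bs["reserved_sectors"]
    out = {"reserved": (0, start - 1)}
    for i in range(bs["num_fats"]):
        out[f"fat{i}"] = (start, start + bs["fat_size"] - 1)
        start += bs["fat_size"]
    if start >= total:
        raise ValueError("FATs extend past the end of the volume")
    out["data"] = (start, total - 1)
    out["clusters"] = (2, (total - start) // bs["sectors_per_cluster"] + 1)
    return out

def parse_fsinfo(sector):
    """Check the three FSINFO signatures, then return the free-space hints."""
    lead, = struct.unpack_from("<I", sector, 0)
    mid, free, next_free = struct.unpack_from("<3I", sector, 484)
    trail, = struct.unpack_from("<I", sector, 508)
    if (lead, mid, trail) != (0x41615252, 0x61417272, 0xAA550000):
        raise ValueError("bad FSINFO signature")
    return {"free_clusters": free, "next_free_cluster": next_free}
```

Comparing layout(parse_boot_sector(...)) against the fsstat ranges is a quick consistency check before trusting any offset computed from a boot sector.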
Here's a file
Let's now create a file on our dos partition, which is mounted at /mnt/dos/:
cd /mnt/dos/
echo "softice" > hello.txt
cd -
umount /mnt/dos
Let's have a look at the root directory entry for this partition. First, we locate the cluster in which the root directory is stored. The fsstat command tells us that it is located at sector 190, which is the sector at which the data clusters start.
We can now display its contents with:
softice:/mnt# dcat -f fat32 /dev/ubd5 $[190] |xxd
0000000: 4845 4c4c 4f20 2020 5458 5420 0000 0000  HELLO   TXT ....
0000010: 0000 0000 0000 20ab fb34 0300 0800 0000  ...... ..4......
0000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
[snip]
00001c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
softice:/mnt#
Following [FSFA] (table 10.5), we can pick out the information byte by byte:
- File name at byte range 0-10
softice:~# dd if=/dev/ubd5 bs=1 count=11 skip=$[190 * 512] 2>/dev/null | xxd
0000000: 4845 4c4c 4f20 2020 5458 54  HELLO   TXT
- Address of the file's first cluster (low 2 bytes at 26-27, high 2 bytes at 20-21)
softice:~# dd if=/dev/ubd5 bs=1 count=2 skip=$[190 * 512 + 20] 2>/dev/null | xxd
0000000: 0000  ..
softice:~# dd if=/dev/ubd5 bs=1 count=2 skip=$[190 * 512 + 26] 2>/dev/null | xxd
0000000: 0300  ..
This means that the first cluster for the file "hello.txt", located in the root directory of our FAT-32 partition, is: 0x0000 0003 = 3.
Let's now have a look at the contents of our FAT:
softice:~# dcat -f fat32 /dev/ubd5 32 | xxd
0000000: f8ff ff0f ffff ff0f f8ff ff0f ffff ff0f  ................
0000010: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
[snip]
00001c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
[FSFA] explains that the first 2 entries of the FAT are not used to track files and directories and our previous exploration tells us that the entry at index 3 is the one corresponding to the first cluster of our file. In this scenario, it contains 0x0fff ffff which is the hexadecimal marker used to notify that this FAT-32 entry is the last cluster of the file.
The next step is to actually try and extract the contents of our file.
We now know, from the FAT-32 table, that its contents span a single cluster: cluster #3. However, since the first two entries are not used to store information about the first two data clusters, the cluster containing the data for our file is cluster #1 (3-2). From fsstat, we already know that the first data cluster is at sector 190 (root directory entry); we can therefore say that the cluster containing the data for our hello.txt file is at sector #191.
softice:~# dcat -f fat32 /dev/ubd5 191 | xxd
0000000: 736f 6674 6963 650a 0000 0000 0000 0000  softice.........
0000010: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
[snip]
00001c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
Here's a directory
Now that we have added a file to our FAT-32 filesystem and tracked it down by hand, let's do the same with a new directory:
mount /dev/ubd5 /mnt/dos -t msdos
cd /mnt/dos
mkdir stuff
cd stuff
echo "another softice mark" > somedata.txt
cd ~/
umount /mnt/dos
Let's start by getting an overview of the impact of these changes on the filesystem with fsstat:
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: FAT32
OEM Name: mkdosfs
Volume ID: 0x44c92efe
Volume Label (Boot Sector):
Volume Label (Root Directory):
File System Type Label: FAT32
Next Free Sector (FS Info): 193
Free Sector Count (FS Info): 10046
Sectors before file system: 0
File System Layout (in sectors)
Total Range: 0 - 10239
* Reserved: 0 - 31
** Boot Sector: 0
** FS Info Sector: 1
** Backup Boot Sector: 6
* FAT 0: 32 - 110
* FAT 1: 111 - 189
* Data Area: 190 - 10239
** Cluster Area: 190 - 10239
*** Root Directory: 190 - 190
METADATA INFORMATION
--------------------------------------------
Range: 2 - 160802
Root Directory: 2
CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 512
Total Cluster Range: 2 - 10051
FAT CONTENTS (in sectors)
--------------------------------------------
190-190 (1) -> EOF
191-191 (1) -> EOF
192-192 (1) -> EOF
193-193 (1) -> EOF
The raw contents of the FAT are:
softice:/mnt# dcat -f fat32 /dev/ubd5 32|xxd
0000000: f8ff ff0f ffff ff0f f8ff ff0f ffff ff0f  ................
0000010: ffff ff0f ffff ff0f 0000 0000 0000 0000  ................
0000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
[snip]
00001c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
The clusters 4 and 5 are now marked as being the last ones for two files. One of them has been used to store the directory entries for the stuff directory, while the other one has been used to store the contents of the stuff/somedata.txt file.
Let's examine the contents of sector 193 (corresponding to cluster #5):
softice:/mnt# dcat -f fat32 /dev/ubd5 193 |xxd
0000000: 616e 6f74 6865 7220 736f 6674 6963 6520  another softice
0000010: 6d61 726b 0a00 0000 0000 0000 0000 0000  mark............
0000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
[snip]
00001c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
As expected, this one was allocated for the file stuff/somedata.txt which was created after the directory stuff.
Let's now have a look at sector #192 (corresponding to cluster #4):
softice:/mnt# dcat -f fat32 /dev/ubd5 192 |xxd
0000000: 2e20 2020 2020 2020 2020 2010 0000 0000  .          .....
0000010: 0000 0000 0000 64ac fb34 0400 0000 0000  ......d..4......
0000020: 2e2e 2020 2020 2020 2020 2010 0000 0000  ..         .....
0000030: 0000 0000 0000 64ac fb34 0000 0000 0000  ......d..4......
0000040: 534f 4d45 4441 5441 5458 5420 0000 0000  SOMEDATATXT ....
0000050: 0000 0000 0000 6dac fb34 0500 1500 0000  ......m..4......
0000060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
[snip]
00001c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
This directory entry is somewhat different from the root one we previously studied. In addition to an entry for the somedata.txt file, we also have an entry for the parent directory ("..") and the current one ("."). Let's review the information for each directory entry stored here:
- Current directory
softice:/mnt# dd if=/dev/ubd5 bs=1 count=2 skip=$[192 * 512 + 26] 2>/dev/null | xxd
0000000: 0400  ..
softice:/mnt# dd if=/dev/ubd5 bs=1 count=2 skip=$[192 * 512 + 20] 2>/dev/null | xxd
0000000: 0000  ..
This shows that the first entry's first cluster address is 4 which corresponds to our stuff directory.
- Parent directory
softice:/mnt# dd if=/dev/ubd5 bs=1 count=2 skip=$[192 * 512 + 32 + 26] 2>/dev/null | xxd
0000000: 0000  ..
softice:/mnt# dd if=/dev/ubd5 bs=1 count=2 skip=$[192 * 512 + 32 + 20] 2>/dev/null | xxd
0000000: 0000  ..
We skip the first 32 bits, which contained the data for the previous directory entry, and find out that the address of the first cluster for the parent directory is 0, which is located at sector (190 + 0) = 190.
- somedata.txt
softice:/mnt# dd if=/dev/ubd5 bs=1 count=2 skip=$[192 * 512 + 64 + 26] 2>/dev/null | xxd
0000000: 0500  ..
softice:/mnt# dd if=/dev/ubd5 bs=1 count=2 skip=$[192 * 512 + 64 + 20] 2>/dev/null | xxd
0000000: 0000  ..
We can quickly verify that the first (and unique) cluster for our file is the 5th one, located at sector (190 + 5 - 2) = 193.
Similarly, we can now look back into the root directory entry and find out where stuff is:
softice:/mnt# dcat -f fat32 /dev/ubd5 190 |xxd
0000000: 4845 4c4c 4f20 2020 5458 5420 0000 0000  HELLO   TXT ....
0000010: 0000 0000 0000 20ab fb34 0300 0800 0000  ...... ..4......
0000020: 5354 5546 4620 2020 2020 2010 0000 0000  STUFF      .....
0000030: 0000 0000 0000 6dac fb34 0400 0000 0000  ......m..4......
0000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
[snip]
00001c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
softice:/mnt# dd if=/dev/ubd5 bs=1 count=2 skip=$[190 * 512 + 32 + 26] 2>/dev/null | xxd
0000000: 0400  ..
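The walk done by hand in this section (directory entry, first cluster, FAT entry, data sector), written as an added Python example that is not part of the original lab. The sample sectors are constructed from the dumps above, the FAT start (32) and first data sector (190) are taken from the fsstat output, and the function names and the rejection of free, out-of-range or looping links in the FAT are this example's own additions.

```python
import struct

SECTOR = 512
FAT_SECTOR = 32       # FAT 0 starts here (fsstat: "FAT 0: 32 - 110")
DATA_START = 190      # sector of cluster 2 (fsstat: "Data Area: 190 - 10239")
ROOT_CLUSTER = 2
EOC = 0x0FFFFFF8      # masked FAT32 entries >= this end a cluster chain

def sector(raw):
    return raw.ljust(SECTOR, b"\x00")

# Constructed sample: leading bytes of each sector, copied from the dumps above.
DISK = {
    32: sector(bytes.fromhex("f8ffff0f ffffff0f f8ffff0f ffffff0f ffffff0f ffffff0f")),
    190: sector(bytes.fromhex("4845 4c4c 4f20 2020 5458 5420 0000 0000"
                              "0000 0000 0000 20ab fb34 0300 0800 0000"
                              "5354 5546 4620 2020 2020 2010 0000 0000"
                              "0000 0000 0000 6dac fb34 0400 0000 0000")),
    191: sector(b"softice\n"),
    192: sector(bytes.fromhex("2e20 2020 2020 2020 2020 2010 0000 0000"
                              "0000 0000 0000 64ac fb34 0400 0000 0000"
                              "2e2e 2020 2020 2020 2020 2010 0000 0000"
                              "0000 0000 0000 64ac fb34 0000 0000 0000"
                              "534f 4d45 4441 5441 5458 5420 0000 0000"
                              "0000 0000 0000 6dac fb34 0500 1500 0000")),
    193: sector(b"another softice mark\n"),
}

def parse_dir(data):
    """Decode the 32-byte entries of one directory sector."""
    entries = []
    for off in range(0, len(data), 32):
        if data[off] == 0x00:          # name byte 0x00: no entries follow
            break
        name, ext, attr, hi, lo, size = struct.unpack_from("<8s3sB8xH4xHI", data, off)
        name, ext = (b.decode("latin-1").rstrip() for b in (name, ext))
        entries.append({"name": name + ("." + ext if ext else ""),
                        "is_dir": bool(attr & 0x10),
                        "cluster": (hi << 16) | lo,   # bytes 20-21 and 26-27
                        "size": size})
    return entries

def cluster_to_sector(cluster):
    if cluster == 0:                   # ".." pointing at the root directory
        cluster = ROOT_CLUSTER
    return DATA_START + (cluster - 2)  # one sector per cluster on this image

def cluster_chain(fat, start):
    """Follow FAT entries from `start`; reject free, out-of-range or looping links."""
    chain, cur = [], start
    while cur < EOC:
        if cur < 2 or cur * 4 + 4 > len(fat) or cur in chain:
            raise ValueError(f"corrupt cluster chain at {cur}")
        chain.append(cur)
        cur = struct.unpack_from("<I", fat, cur * 4)[0] & 0x0FFFFFFF
    return chain

def lookup(dir_cluster, name):
    for c in cluster_chain(DISK[FAT_SECTOR], dir_cluster):
        for entry in parse_dir(DISK[cluster_to_sector(c)]):
            if entry["name"] == name:
                return entry
    raise FileNotFoundError(name)

def read_file(path):
    """Walk from the root directory to `path` and return the file's bytes."""
    entry = {"cluster": ROOT_CLUSTER, "is_dir": True, "size": 0}
    for part in path.upper().strip("/").split("/"):
        if not entry["is_dir"]:
            raise NotADirectoryError(part)
        entry = lookup(entry["cluster"], part)
    data = b"".join(DISK[cluster_to_sector(c)]
                    for c in cluster_chain(DISK[FAT_SECTOR], entry["cluster"]))
    return data[:entry["size"]]
```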
[Exercises]
Exercise 1: Need more information
Using the information about directory entries which is available in [FSFA] table 10.5, you will use the dd command (as described in the [solved] section of this lab) to extract and display the following information about the /mnt/dos/stuff/somedata.txt:
- Size of the file
- Date at which the file was written (year, month, day of the month)
- File attributes (do some additional research to understand the role of each of them)
Exercise 2: Follow this file
Create a new directory /mnt/dos/morestuff in which you will create a new text file secret.dat containing the string "shhhhh". Using the same tools as in the previous section of this lab, you will cut and paste and interpret in a brief report the filesystem layout.
- You will start by extracting the information about the location of the first data cluster and show the contents of the root directory, isolating the information relevant to the morestuff directory.
- You will extract the cluster containing the directory entries for morestuff and detail each entry including the one for secret.dat
- You will display the contents of first cluster allocated to secret.dat
Exercise 3: Dude, where is my file?
Have one of your classmates create a file in /mnt/dos/ containing a single sentence of his/her choice. Your classmate will then erase this file using the rm command. Your job is to retrieve information about this file (clusters' address, contents). You will document all the steps you followed to do so in a brief log of your investigation.
Here are some hints:
- start by looking in the cluster(s) of the directory the file was in
- what happened to the filename?
- Can you still figure out the first cluster of this file?
- Is the data still there?
[Projects]
Project 1: undelete
Write a user space program (expected to be run as root inside of your UML virtual machine) which will allow you to undelete a file that has just been deleted on your /dev/ubd5 FAT partition. To make things simpler, we will assume that the only files that will need undelete will contain a single cluster worth of data and will be located at the root of your FAT-32 partition.
Project 2: dump-file
We want to write a small user space program (expected to be run as root inside of your UML virtual machine) which will navigate through the filesystem layout, starting at the root directory entry, to find the file somedata.txt located in the directory stuff.
Once you find the directory entry corresponding to this file, you will display its contents by reading the first data cluster, checking in the FAT-32 table where is the next one and then display it also. You will copy to your FAT partition a file which is around 4Kb large in order to have an example to test your program.
References
[FSFA] File System Forensic Analysis Safari Reference
- Brian Carrier
- Pearson, 2005/03/17
- Chapter(s): #09 (FAT concepts & analysis), #10 (FAT data structures)
[TSK] The Sleuth Kit

