Course A, the FAT file system, module 2. In this module, we're going to talk about the volume boot record. Next slide.

The FAT 32 volume boot record is located in the first sector of the volume, which is going to be logical sector 0. Now, don't confuse this with the first sector of the disk, which is physical sector 0. This is the first sector of the logical volume. This file is going to contain information about the volume. Here is some of the information of interest to us in the volume boot record. We're going to see the OEM ID, which will most likely be MS-DOS5.0. This will be the volume OEM ID for operating systems, Windows 2009. Most likely that's the only OEM ID we're going to see. We're going to be interested in bytes per sector, which is usually going to be 512. We're usually going to have 512 bytes in a sector. We also need to know how many sectors are in a cluster. This is going to be very important when we're navigating the disk. Sectors per cluster varies. It can either be selected by the operating system, or the user does have the option to change that if they would like. We're going to see the number of FATs. There should be two; one is for backup purposes. We're going to see hidden sectors. These are sectors preceding the volume. These are the sectors on the physical drive that are in front of or preceding the volume itself. We're going to see total sectors. Now, total sectors times sector size will give us the size of the volume. We need to know how big the volume is that we're looking at. Next slide.

This is more information that we're going to look at in the FAT 32 volume boot record. We're going to look at sectors per FAT: how many sectors are in each FAT? We want to know the starting cluster of the root directory, because the root directory is going to be a very important part of the FAT file system that we need to look at. That's usually going to be cluster 2. We also want to know where the backup boot sector is located.
The backup boot sector will usually be in cluster 6. We're going to want to know the volume serial number, because most likely you're going to be looking at FAT on removable media and we're going to need the volume serial number to track that drive across volumes. We're also going to be interested in the volume name. Note that the volume name in the boot record is not going to be the user-created volume name; that's going to be in the root directory. It'll usually say no name in the volume boot record. We're going to want to know the file system type. That's also information in the boot record. Now, do not confuse the volume boot record with the master boot record. The master boot record relates to the physical disk, and the volume boot record relates to the logical volume. Next slide.

We can see here in the chart all the important information we just talked about, and the chart shows us the offsets where we can find that information. These offsets are relative to the start of the data structure. If we're looking at the volume boot record, the offsets you see are relative to the start of the volume boot record, not the start of the physical drive. Just keep that in mind: the start of the data structure. Next slide.

This is a look at a FAT 32 volume boot record. This is what it's going to look like. We'll look at it with our tools. It's located on logical sector 0, and these values are going to be interpreted little-endian. The volume boot record is going to be one sector in size; it's 512 bytes, one sector. Next slide.

Now we're going to do a walk-through and take a look at the volume boot record with Active Disk Editor. I need you to please attach your MBR_VHD virtual hard drive, and remember to note the disk number of the VHD and the volume letters assigned to your virtual hard drive. I'm also going to need you to open Active Disk Editor. The first thing we need to do is attach our MBR VHD. We're going to go to Disk Management.
Once you're in Disk Management, we're going to go to Actions, Attach VHD. We're going to browse to where we saved our MBR VHD. Mine is on my desktop in a folder called Class VHD. We're going to select the MBR VHD. We're going to click Open. We're going to click Okay and the VHD will attach. Once you've attached the VHD, note the disk number and the logical volume letters.

Next we're going to open Active Disk Editor. Once Active Disk Editor is open, locate the physical disk and expand it. We're going to select FAT 32 A, the volume that we're going to look at. So right-click, Open in Disk Editor. Once it opens, it should open right to your volume boot record, because it's logical sector zero and we're looking at the logical drive. If it doesn't, simply go to Navigate and go to boot sector zero.

Once you've done that, we're going to take a look at some of the information we went over in our slides. We have the OEM ID, which we expect is MSDOS5.0. You can see that it's located at offset 03. Next, we have our bytes per sector. Now remember these values are read little endian. It'll be read from left to right. If we take a look down in our data interpreter, we can see the 16-bit unsigned value is 512. Our bytes per sector are 512. If we look up, we can see that is what our tool is telling us. We have 512 bytes per sector. Next we're going to look at sectors per cluster. We can see that it's two. We have two sectors per cluster, so our clusters will be 1024 in size. You can see the number of FATs is two, which is what we'd expect to see. That's located at offset hexadecimal 10. We can see we have a media descriptor, and our media descriptor is F8. F8 indicates fixed disk. We can see we have hidden sectors; these are the sectors preceding the volume, the sectors before the logical volume that are on the physical disk. Again, this value is read little endian. We can see that we have 128 sectors preceding the volume. Total sectors is the next value we want to look at.
This tells us how many total sectors are on the volume, and this is a 32-bit value. If we look at our data interpreter and we look at the unsigned 32-bit value, we have 204,800 sectors. That is what our tool is reporting. If we multiply the total number of sectors times the sector size, that will account for all of the data on the volume. When we're doing an exam, we want to be able to account for all the data on the volume.

We can also see sectors per FAT, 769, and that would be located right here in the hex, and again it's read little endian. Our root cluster is cluster 2. We can see that in the hex: root cluster, cluster 2. Backup boot sector is at offset hexadecimal 32. Again, we're navigating from the start of the volume boot record, not the start of the physical disk. We can see our backup boot sector is located in sector 6. We can see our volume serial number is located at offset hexadecimal 43. That's our volume serial number. Now, in this case we do have a fixed disk, because we have attached a virtual hard drive. But if we were using a thumb drive, a volume serial number would be important to track the use of that USB device on this system and also on other systems that it may have been plugged into.

You see our volume label is no name, which is what we expect to see in the volume boot record. If there was a user-created volume label, that would be in the root directory. We're going to take a look at the root directory in our next module. We can also see our file system type. Our file system is FAT 32, and down at the end of the sector, we have our boot sector signature as 55 AA, which is what we expect to see. That is all the important information contained in the FAT 32 volume boot record.
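
The walk-through above, as an added example that is not part of the original lecture: a Python parser that reads the same fields from a 512-byte volume boot record, interpreting them little-endian, and derives cluster size and volume size. The function names are hypothetical, the offsets other than 0x03, 0x10, 0x32 and 0x43 are taken from the standard FAT32 boot sector layout rather than from the transcript, and the sample sector (including its serial number) is constructed.

```python
import struct

# (field, offset from the start of the VBR, struct format); "<" = little-endian
FIELDS = [
    ("oem_id", 0x03, "<8s"),
    ("bytes_per_sector", 0x0B, "<H"),
    ("sectors_per_cluster", 0x0D, "<B"),
    ("number_of_fats", 0x10, "<B"),
    ("media_descriptor", 0x15, "<B"),
    ("hidden_sectors", 0x1C, "<I"),
    ("total_sectors", 0x20, "<I"),
    ("sectors_per_fat", 0x24, "<I"),
    ("root_cluster", 0x2C, "<I"),
    ("backup_boot_sector", 0x32, "<H"),
    ("volume_serial", 0x43, "<I"),
    ("volume_label", 0x47, "<11s"),
    ("fs_type", 0x52, "<8s"),
]

def parse_fat32_vbr(sector: bytes) -> dict:
    """Decode one 512-byte logical sector 0 into named fields."""
    if len(sector) != 512:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("boot sector signature 55 AA missing")
    vbr = {}
    for name, offset, fmt in FIELDS:
        (value,) = struct.unpack_from(fmt, sector, offset)
        if isinstance(value, bytes):  # text fields are space-padded ASCII
            value = value.decode("ascii", "replace").rstrip()
        vbr[name] = value
    # Derived values an examiner uses to account for the whole volume
    vbr["cluster_size"] = vbr["bytes_per_sector"] * vbr["sectors_per_cluster"]
    vbr["volume_size"] = vbr["total_sectors"] * vbr["bytes_per_sector"]
    vbr["volume_start_on_disk"] = vbr["hidden_sectors"] * vbr["bytes_per_sector"]
    return vbr

def build_sample_vbr() -> bytes:
    """Constructed sector: serial is made up, other values follow the walk-through."""
    values = [b"MSDOS5.0", 512, 2, 2, 0xF8, 128, 204800, 769, 2, 6,
              0x1234ABCD, b"NO NAME    ", b"FAT32   "]
    buf = bytearray(512)
    for (name, offset, fmt), value in zip(FIELDS, values):
        struct.pack_into(fmt, buf, offset, value)
    buf[0x1FE:0x200] = b"\x55\xAA"
    return bytes(buf)

if __name__ == "__main__":
    for field, value in parse_fat32_vbr(build_sample_vbr()).items():
        print(f"{field:22} {value}")
```

To use it on a real image, pass the 512 bytes read at the start of the volume, not the start of the physical disk.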