We're covering Course 8 of the file system path, and we are now in Module 3. In this module we'll be talking about the root directory. The root directory is the highest directory level of the volume structure. It contains a listing of the files and directories located in the root of the volume. It is structured as a series of 32-byte directory entries, so two 16-byte rows in a hex editor. Each directory entry is 32 bytes in length and contains information about one file, folder, or name on the volume. The file system reads from the top of the directory down and stops when it finds a directory entry beginning with hexadecimal 00. This is what the root directory looks like when we view it with our tools. We can see we have entries at the top and then an entry starting with 00. The file system will stop reading when it comes to those 00s. But be aware that it is possible for data to be written beyond those 00s with a hex editor or another tool, and that data would be hidden from the file system, so a forensic review of a directory should inspect the sectors past the terminator rather than trust the listing alone. There are three types of root directory entries. First is the volume name entry, a user-created name for the volume; when one exists it is normally the top entry in the root directory. Second is the short filename entry. Every file and directory has one of these. Short filename means the name conforms to the 8.3 naming convention: up to eight uppercase characters, a dot, and then up to a three-character extension. If a name does not conform, the file will also have what we call long filename entries. The short filename entry then holds an alias, typically the first six characters of the name, a tilde and a digit (for example ~1), followed by the extension, while the full name is stored in the long filename entries located directly above the short filename entry. This is a look at a volume directory entry.
Remember, we said we had three types, and this is the look at a volume name entry. This would be the top entry in the directory if there was a user-created volume name. We can see it begins with the name, which in our case is FAT32, occupying the eleven name bytes with no separate extension. It also contains an attribute byte, which can carry flags such as read-only, hidden, system, volume label, or directory; here the volume label bit is set. It also has a modified date and time. Because it is a volume label entry it only has that one timestamp, whereas a file entry has three. The short filename entry, just to reiterate, is up to eight uppercase characters and a three-character extension, and it is referred to as 8.3 or DOS-compliant. Long filename entries are created when a name mixes case, is longer than eight characters, or has an extension longer than three characters. Here's a look at a directory entry set. Down at the bottom we see the short filename entry; every file and directory has one of these. We see the DOS alias: six uppercase characters, a tilde and a digit, and then an extension. Above it we see the long filename entries. We'll talk about how to read the long filename entries as we go through this module, but this is what a directory entry set looks like. In this short filename entry the name is SHORT.TXT, and that is the name it was given. You can see this is not an alias: there is no tilde if you look over in the ASCII pane. It is the actual name of the file, so it has no long filename entries above it. It is all capital letters, up to eight characters, and then the three-character TXT extension. We also have the attribute byte, located at offset 0B with a length of one byte. That is what we call a packed byte: we break it out into binary to see which flags were set, in other words which bits were turned on, and that tells us which attributes the file has.
In our case it just has the archive bit set. Then at offset 0D we see the creation time refinement. This is a one-byte count in units of 10 milliseconds (valid values 0 to 199) that is added to the created date and time; it applies only to the creation timestamp. Next, at offset 0E, we see our created date and time, in this case 6/25/2020 at 1:13 PM, for a total of four bytes: the two bytes at 0E and 0F are the time, and the two bytes at 10 and 11 are the date. Then we have the last access date at offsets 12 and 13, highlighted here in green. Last access has only a date, no time. Next to that, at 14 and 15, is what we call the first cluster high word. In this case it is 00. The high word is only non-zero when the starting cluster number does not fit in two bytes; here it did. Next, at 16 through 19, we have our modified date and time. Again, the first two bytes, 16 and 17, are the time, and the next two bytes, 18 and 19, are the date. Next, at 1A and 1B, we have the first cluster low word. Since the high word was zero, this two-byte value by itself is the starting cluster of the file. Then the last four bytes of the entry, 1C through 1F, are the file size in bytes. These are the possible values for the attribute byte. Remember it is a one-byte packed value: we break it out into binary and see which flags are up. It is possible to have more than one attribute set. You could have a read-only system file, in which case the byte would be hex 05 (01 for read-only plus 04 for system), and when you broke that out you would see those two bits set. The reserved byte at offset 0C is what we call a case indicator. In this module's examples, hex 10 in the reserved byte appears on the short filename entry, an 8.3-compliant name, and hex 00 appears on the long filename entries. Be careful with that shortcut: in a short filename entry the reserved byte holds NT case flags (08 for a lowercase base name, 10 for a lowercase extension), so it is 00 for a short name that is entirely uppercase. The dependable test for a long filename entry is the attribute byte, which is always 0F.
That is how we distinguish a short filename entry from a long filename entry. File time. FAT32 file times, in fact all FAT file times, are recorded in local time, whatever time the machine is set to. They are not recorded in Universal Time (UTC). Here we see at offsets 0E and 0F the creation time, and down at offsets 10 and 11 the creation date. Together they make up a 32-bit value, but each 16-bit half is decoded separately. This is how the value is converted into a date and time, because if you simply converted the two bytes you would get a number, not a date or time. First the two time bytes are read as a little-endian value. We saw on the previous slide the bytes were AB 69; read little-endian, the value is 69AB. The bytes are separated, and then each nibble is separated: the 6 and the 9, the A and the B. Each nibble is individually translated from hex to binary. Remember, we converted hex to binary and decimal to binary in one of the earlier courses in this path. Once we have the 16 bits we can translate the time. The low five bits are the seconds. You can see them at the far right of the screen outlined in yellow. We fill them into the column values, and since there are five bits the columns run 1, 2, 4, 8, 16, each column increasing by a power of two. In our example the bits are 01011, which is 11. We must multiply that by two, because five bits cannot count to 60, so the field stores seconds divided by two: 11 times 2 gives 22 seconds. Now we move to minutes. We have more bits to work with for minutes: six of them, so column values from 1 to 32, outlined in green on the slide. Those six bits come from the top three bits of the A nibble and the low three bits of the 9 nibble, 001101, which is 13 minutes. Then we move on to hours.
You can see hours at the left-hand side here, outlined in red. We have five bits for the hour, so column values from 1 to 16. Those bits are the four bits of the 6 nibble plus the high bit of the 9 nibble, 01101, which is 13. Our time would be 13:13:22, or 1:13:22 PM. We could then go back and add in the creation time refinement byte. The FAT creation date is translated in much the same way as the creation time. It is a little-endian value, so we read it accordingly: the bytes on disk were D9 50, which read little-endian is 50D9. Again we break the bytes apart, 50 and D9, and then split the nibbles: the 5, the 0, the D and the 9. We convert each nibble into its binary value. For the date we have five bits for the day, with column values 1 through 16. Our low nibble was 9, 1001, and since the day uses five bits we also take the low bit of the D nibble, giving 11001, which is 25. For the month we have four bits to work with, outlined in green: the top three bits of the D nibble and the low bit of the 0 nibble, 0110, which is 6. The year is outlined in red. We take the remaining seven bits, the top three of the 0 nibble and the four of the 5 nibble, 0101000, and come up with decimal 40. The FAT file system counts years from an epoch of January 1, 1980, so we add 1980 to 40 and get 2020. The month came out as 6, June, and the day as 25. That makes our creation date 25 June 2020. That brings us to the last access date. It is translated the same way as the creation date, but last access has only a date, no time. You can see on the slide the bytes D9 50. Read little-endian that is 50D9, which gives us a date of 25 June 2020, the same value we just converted on the previous slide.
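The bit-slicing just walked through, written out as an added Python example. This is not part of the course material or of any tool it uses; the bytes AB 69 (time) and D9 50 (date) are the slide values, while the function names and the refinement-byte values fed to them are my own. The helper also handles the edge case the slides only mention: a refinement byte of 100 or more adds a whole second on top of the two-second granularity, and anything above 199 is rejected as invalid.

```python
from __future__ import annotations
import datetime


def fat_time_fields(raw: bytes) -> tuple[int, int, int]:
    """Split a little-endian 2-byte FAT time into (hour, minute, second).

    Bit layout, MSB to LSB: hhhhh mmmmmm sssss.  The 5-bit seconds field
    holds seconds divided by two, so it covers 0-58 in 2-second steps.
    """
    value = int.from_bytes(raw, "little")      # AB 69 on disk -> 0x69AB
    second = (value & 0x1F) * 2                # bits 0-4
    minute = (value >> 5) & 0x3F               # bits 5-10
    hour = value >> 11                         # bits 11-15
    return hour, minute, second


def fat_date_fields(raw: bytes) -> tuple[int, int, int]:
    """Split a little-endian 2-byte FAT date into (year, month, day).

    Bit layout, MSB to LSB: yyyyyyy mmmm ddddd.  The year counts from 1980.
    """
    value = int.from_bytes(raw, "little")      # D9 50 on disk -> 0x50D9
    day = value & 0x1F                         # bits 0-4
    month = (value >> 5) & 0x0F                # bits 5-8
    year = 1980 + (value >> 9)                 # bits 9-15
    return year, month, day


def fat_datetime(date_raw: bytes, time_raw: bytes, tenths: int = 0) -> datetime.datetime:
    """Combine a FAT date, time and the optional refinement byte (offset 0x0D).

    The refinement byte counts 10 ms units and is valid from 0 to 199, so a value
    of 100 or more adds a full second.  FAT stores local time, so the result is
    deliberately naive (no tzinfo).  datetime itself rejects impossible fields
    such as month 0 or 62 seconds, which flags a corrupted entry.
    """
    if not 0 <= tenths <= 199:
        raise ValueError(f"creation-time refinement {tenths} is outside 0..199")
    year, month, day = fat_date_fields(date_raw)
    hour, minute, second = fat_time_fields(time_raw)
    base = datetime.datetime(year, month, day, hour, minute, second)
    return base + datetime.timedelta(milliseconds=tenths * 10)


if __name__ == "__main__":
    # Slide values: creation time AB 69, creation date D9 50.
    print(fat_datetime(b"\xD9\x50", b"\xAB\x69"))
    # Assumed refinement byte 0x1F (31): adds 310 ms to the creation time.
    print(fat_datetime(b"\xD9\x50", b"\xAB\x69", 0x1F))
```

The two-byte fields are decoded independently because the file system stores them independently; reading the four bytes as one 32-bit number, as the slide warns, gives an integer with no calendar meaning.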
Now we're going to talk about the FAT first cluster high word. The high word's column values start at 65,536 (2 to the 16th) and continue up, doubling for each column. If you have a high word, you read the high and low words together as a 32-bit value, four bytes long, so we need place values for all 32 bits: we start with 1, then 2, doubling all the way out to bit 31. Then we split the bytes into the low word and the high word. We convert the low word first. In our example the low word bytes on disk are 71 2E, which read little-endian is 2E71, and we work from the least significant nibble, the 1. To convert from hex to binary we convert one nibble at a time. Remember from earlier in the path that a nibble has only four bits, so its column values are 1, 2, 4, 8. We look at the 1: 8 does not go into 1, 4 does not, 2 does not, 1 does, so we write a 1 in the ones column and zeros in the twos, fours and eights columns. Then we move to the 7 and do the same thing. 8 does not go into 7, so we put a 0 in the eights column; 4 goes into 7, so we put a 1 and subtract 4 for a remainder of 3; 2 goes into 3 once, remainder 1; and 1 goes into 1 once, so 7 is 0111. That is how we convert a byte, one nibble at a time. We do the same for the 2E. Hex E is 14: 8 goes into 14 once, remainder 6; 4 goes into 6 once, remainder 2; 2 goes into 2 once, remainder 0; and since nothing is left, the ones column gets a 0, so E is 1110. Then we continue with the 2.
We start with 8: 8 does not go into 2, so we put a 0. 4 does not go into 2, so another 0. 2 goes into 2, so we put a 1, remainder 0. 1 does not go into 0, so we put a 0 in the ones column; 2 is 0010. That brings us to the high word. Our high word, when we split the bytes, is 9, with zeros for the rest of the value. 8 goes into 9 once, remainder 1; 4 does not go into 1, 0; 2 does not go into 1, 0; 1 goes into 1, so we put a 1 in that column, and 9 is 1001. The rest of the high word is zero, so we fill the remaining columns with zeros up to 32 bits. Now we go back and add up the column values where we have a 1. We start with 524,288 (bit 19), where the 8 bit of the high word's 9 sits, and write that down. The next 1 is in the 65,536 column (bit 16); we write that down. The next 1 is 8,192, then 2,048, 1,024, 512, 64, 32, 16 and 1. We add all of these together and get a total of 601,713. The starting cluster for this file would be cluster 601,713. Here we're taking another look at the same high word. There is the high word value 9, and the low word bytes 71 2E. We read them little-endian, break them apart, get our bit values just as we did on the last slide, add the column values together, and again come up with 601,713. The arithmetic shortcut is high word times 65,536 plus low word: 9 times 65,536 is 589,824, and 2E71 hex is 11,889, for 601,713.
Your tools are going to do this for you, and you can also use the Windows Calculator in programmer mode to convert these bytes, treating them as a DWORD, a double word, a 32-bit value. The FAT file modification date and time is also read little-endian. If you want to decode it manually, you do it exactly the same way as the creation date and time. Again, your tools will do this for you, and you will see that when we do the walk-through with Active Disk Editor at the end of the module. The file size is read little-endian as well; it is four bytes, a 32-bit value, and it is the size of the file in bytes. Now the long filename directory entry. We're looking at a directory entry set here, but we're going to focus on the long filename entries, because we've already covered the short filename entry. You can see the DOS alias on the slide, and above it the long filename entries. The first byte of a long filename entry is called the sequence byte. The low six bits of that byte give the sequence order; on the slide we have 1, 2, 3 and 4, which is the order in which the pieces of the name are read. The 40 bit, shown as the left nibble on the slide, marks the last entry in the set. You can see we have 01, 02, 03 and then 44: the 4 in the left nibble indicates that this is the last entry in the directory set. It could have been 43 or 42, depending on the length of the name, but the right nibble gives the order and the 4 in the left nibble flags the last entry. (Names long enough to need more than 15 entries push the sequence number into the left nibble, which is why the precise rule is the low six bits for the order and hex 40 for the last flag.) That covers the sequence byte; the rest of the long filename entry mostly holds the name itself, stored as two-byte UTF-16 characters. There is a long filename flag at offset 0B: you will see a value of 0F, and when you see 0F at offset 0B you know you are looking at a long filename entry. We can also see that the reserved byte at 0C is 00, which, as we saw a few slides back, goes along with a long filename entry in our examples.
That is how you can tell you are looking at a long filename entry. Now we're going to do a walk-through and look at our root directory with Active Disk Editor. Please attach your MBR_VHD. Once you attach it, note the disk number of the attached VHD, so that when we go looking for it we know what number we want. I also want you to open Active Disk Editor. To start the walk-through, the first thing we need to do is attach the VHD. Go to Actions, Attach VHD, navigate to where your VHD is saved, and click "Open" to attach it. Once your VHD is attached, it should look like mine: you should have an extended partition and six volumes. Now we open Active Disk Editor. Once it opens, we select "Open Disk". We want to look at our volumes, so we select Volumes, because we're looking at a logical volume. We choose our FAT32 volume, S:, select it, and click "Open". We are immediately taken to the volume boot record. We covered the volume boot record in our last module, but there are some things you should always check in a volume boot record: the bytes per sector and the sectors per cluster. We can see we have four sectors per cluster. In our previous walk-through we had a FAT volume with two sectors per cluster. There can be variation in the sectors per cluster, especially with a FAT volume, so check it and make sure you know both the bytes per sector and the sectors per cluster before you navigate by cluster number. Now we're looking for the root directory, and we can see the root cluster is cluster 2. Cluster 2 is where we want to go. We use the shortcut on the left-hand side where it says root cluster, select cluster 2, and it takes us to our FAT32 root directory. We can see the first entry is our volume label.
Right-click and set the template position. We can see we have the filename; our volume label has no extension. The dots you see in the ASCII pane are spaces, hexadecimal 20. We do have an attribute byte. If we expand Attribute in the template we can see the volume label attribute is set, which tells us this is a volume name. We see one date and time, the modified date and time, which is 8/2/2020 at 3:09 AM. Now, remember these are local times, meaning whatever time the computer was set to is the time stored in the directory entries. It is possible that somebody set their computer to a time zone they are not in, or got a new computer and never reset the time zone, but the time recorded in a FAT root directory is always the local time of the system it was written on. Now let's look down; you can see we have a lot of entries. We're going to take a look at the entry SHORT.TXT. This is a short filename entry. The entry above it is not related to it: it starts with hex E5, which marks a deleted entry, and we will talk about that in a future module. You can also see that this is not a DOS alias. There is no tilde here; it is just the filename, spaces, and then TXT. If this were a DOS alias there would be a tilde, and we will see that when we look at our next directory entry. We highlight the 53, the first byte of the entry, right-click, and choose "Set template position". Now we can look at our short filename entry. What's nice about this tool is that it highlights the fields for us and translates all the data. We looked at how to manually translate the creation date and time, and the high word if there is one. The entry starts with the filename, followed by the file extension. Then we have our attribute byte, hexadecimal 20. We can expand Attribute in the template and look at it.
We can see this is an archived file. None of the other bits are set, just the archive bit. Then we have the reserved byte. We said the reserved byte helps indicate whether we are looking at a short filename or a long filename entry, and here hexadecimal 10 goes with the short filename entry. Next we have the creation time refinement. This is a count in units of 10 milliseconds, valid from 0 to 199, for the creation date and time only; it does not relate to the modified time. 1F is decimal 31, so 310 milliseconds. Next we have our creation date and time. We looked at this on our slides and learned how to interpret it manually, but you can see here that the tool interprets it for us. If we wanted to validate that, we could break it out and interpret it ourselves. If we were going to add the refinement, it goes on the end of the time, after the seconds: 31 times 10 milliseconds is 0.31 seconds, so the creation time shown as 5:50 in the template is refined by a further 0.31 seconds. Next we have our last access date, and again last access has only a date, no time. The next two bytes are the first cluster high word. We only have a non-zero high word when the starting cluster needs more than two bytes; in this case we don't. Next we have our modified date and time. Then we have our first cluster low word, and because we did not have a high word, this is the actual starting cluster of the file. This file starts in cluster 10: the bytes are 0A 00, read little-endian as 000A, and hexadecimal A is decimal 10. Then we have the file size, also read little-endian. Our file size is 127 bytes; this value gives the file size in bytes. That is how we read and interpret a short filename directory entry. Now a long filename directory entry. We're going to choose NEW T~1.TXT. I can already tell this is the DOS alias by the tilde in the ASCII pane. The tilde is the little squiggly sign right here.
Highlight the beginning of the entry, right-click, "Set template position". This is, again, a short filename entry, and if we look above it we see the 0F attribute of the long filename entries. The tilde tells us we are going to have long filename entries above this short filename entry, because it is a DOS alias. It is read exactly the same way as any other short filename entry. We go above it and see the sequence byte of the first long filename entry, 01. The low nibble is the sequence number and the 40 bit in the high nibble marks the last entry in the set for that filename. We see 01, so this is the first piece of the name, and there is another entry above it. We look above it and see 42. The 2 indicates this is the second long filename entry, and the 4 in the left nibble indicates it is the last one in this directory entry set. Back to the 01 entry: next to the sequence byte we have the first five characters of the filename. In this case that is "new t"; the space counts as a character, and each character takes two bytes because long names are stored in UTF-16. We can see the attribute byte 0F, indicating a long filename, and the reserved byte 00. There is a checksum byte, computed over the 11-byte short name, which is how the long entries are tied to their short entry. Then we have characters 6 through 11 of the filename, then two bytes that are always 00 (the first cluster field, unused in a long filename entry), and then characters 12 and 13. So far we have "new text docu". We go up to the next long filename directory entry. Remember, all of these entries are 32 bytes, two rows of 16 in the hex pane. Right-click, set template position. The tool is actually showing us the entire directory entry set here, but we're going to read this one entry. I'm going to right-click, set template position, and click into the filename entry. We can see our sequence byte is 42.
The 4 indicates the last directory entry in the set, so we know this is the last entry for this file, and the 2 tells us it is the second one, so this file has two long filename entries. We have the next five characters of the long filename here, and in this case they include the last characters of the name. We also have our attribute byte, which for a long filename is always 0F, then the reserved byte, 00, and then the checksum byte again. In the characters 6 through 11 field we have the remainder of the name, which here is the extension TXT, followed by a two-byte 00 terminator and then FF FF padding. The first cluster bytes are 00 00, and the characters 12 and 13 field is FF FF FF FF because the filename has no further characters. Once the last character of the name has been written, a 00 00 terminator follows if there is room, and the remaining name slots are padded with FF. That is how we read the long filename directory entries. Now, going back to the short filename entry, the starting cluster: there is no high word, so the low word says cluster 9. Let's navigate there. We open the Go To option and enter the cluster in hex, because this tool likes to navigate in hex: 0x to indicate hex, then 09, so 0x09. We click OK and we are taken to cluster 9. We can see there is a small text document here and we can read what it says: "This is a new file document", and we are looking at directory entries, which is what we're doing. We've verified that the file is out there, and we could verify its size in bytes as well. That is how we read our root directory entries. Your file system stops reading when it comes to the 00 entry, so if any data were written past that 00 entry, the file system would not see it and it would not appear in a file listing; you have to look at the raw clusters to find it.
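As an added example, not part of the course or of Active Disk Editor, here is a Python parser that applies the rules from the slides and the walk-through to a root directory: it stops at the 00 terminator, skips E5 deleted entries, ties each long filename set to its short entry by sequence number and checksum, combines the first cluster high and low words, and then inspects what lies past the terminator. The directory bytes are constructed inside the code to mirror the walk-through: the volume label FAT32, the two-entry long name "new text document.txt" with alias NEW T~1.TXT starting in cluster 9, a deleted entry above SHORT.TXT, SHORT.TXT at cluster 10 with 127 bytes, an assumed BIG.BIN whose first cluster uses the slide's high word 9 and low word 2E71 (601,713), and an assumed HIDDEN.TXT written past the terminator. All file sizes other than 127, every timestamp, and the function names are my own placeholders.

```python
import struct

ATTR_VOLUME = 0x08
ATTR_LFN = 0x0F      # read-only|hidden|system|volume label: only a long filename entry carries this
LFN_LAST = 0x40      # bit 6 of the sequence byte marks the topmost (highest numbered) entry
# name(11) attr reserved tenths ctime cdate adate cluster_hi mtime mdate cluster_lo size
SFN_FORMAT = "<11sBBBHHHHHHHI"


def sfn_checksum(sfn11: bytes) -> int:
    """Rotate-right-and-add checksum of the 11-byte 8.3 name, stored at offset 0x0D of each LFN entry."""
    total = 0
    for byte in sfn11:
        total = (((total & 1) << 7) + (total >> 1) + byte) & 0xFF
    return total


def build_sfn(name11: bytes, attr: int, cluster: int, size: int, reserved: int = 0x00) -> bytes:
    """Constructed short-name entry; timestamps are zeroed because this example does not decode them."""
    return struct.pack(SFN_FORMAT, name11, attr, reserved, 0, 0, 0, 0,
                       cluster >> 16, 0, 0, cluster & 0xFFFF, size)


def build_lfn_entries(long_name: str, sfn11: bytes) -> bytes:
    """Constructed LFN set: 13 UTF-16LE characters per entry, 00 00 terminated then FF padded
    when the final chunk is short, emitted highest sequence number first as it sits on disk."""
    utf16 = long_name.encode("utf-16-le")
    chunks = [utf16[i:i + 26] for i in range(0, len(utf16), 26)]
    entries = []
    for seq, chunk in enumerate(chunks, start=1):
        if len(chunk) < 26:
            chunk = (chunk + b"\x00\x00").ljust(26, b"\xFF")
        flag = LFN_LAST if seq == len(chunks) else 0
        entries.append(bytes([seq | flag]) + chunk[:10]                 # sequence byte, chars 1-5
                       + bytes([ATTR_LFN, 0x00, sfn_checksum(sfn11)])   # attribute, type, checksum
                       + chunk[10:22] + b"\x00\x00" + chunk[22:26])     # chars 6-11, cluster 0, chars 12-13
    return b"".join(reversed(entries))


def parse_directory(data: bytes):
    """Read 32-byte entries the way the file system does and return (entries, terminator_offset).
    Stops at a 0x00 first byte, skips 0xE5 entries, and attaches a long name to its short entry
    only when the sequence numbers are contiguous and every checksum matches the short name."""
    results, pending = [], []
    terminator = len(data) - len(data) % 32
    for offset in range(0, terminator, 32):
        entry = data[offset:offset + 32]
        if entry[0] == 0x00:
            terminator = offset
            break
        if entry[0] == 0xE5:
            pending.clear()              # a deleted entry orphans any LFN pieces above it
            continue
        if entry[0x0B] == ATTR_LFN:
            pending.append((entry[0] & 0x3F, entry[0x0D], entry[1:11] + entry[14:26] + entry[28:32]))
            continue
        fields = struct.unpack(SFN_FORMAT, entry)
        name11, attr, hi, lo, size = fields[0], fields[1], fields[7], fields[10], fields[11]
        if attr & ATTR_VOLUME:
            short = name11.decode("ascii", "replace").rstrip()
        else:
            base = name11[:8].decode("ascii", "replace").rstrip()
            ext = name11[8:].decode("ascii", "replace").rstrip()
            short = f"{base}.{ext}" if ext else base
        long_name = None
        if pending:
            pending.sort()
            contiguous = [p[0] for p in pending] == list(range(1, len(pending) + 1))
            if contiguous and all(p[1] == sfn_checksum(name11) for p in pending):
                raw = b"".join(p[2] for p in pending).decode("utf-16-le")
                long_name = raw.split("\x00")[0].rstrip("\uffff")
            pending = []
        results.append({"short": short, "long": long_name, "attr": attr,
                        "cluster": (hi << 16) | lo, "size": size})
    return results, terminator


def entries_past_terminator(data: bytes, terminator: int):
    """Parse what follows the 0x00 terminator: zero-filled slack is normal, anything else is
    directory data the file system never shows and a reviewer should look at."""
    tail = data[terminator + 32:]
    while tail[:32] == bytes(32):
        tail = tail[32:]
    return parse_directory(tail)[0]


# Constructed root directory modelled on the walk-through (BIG.BIN and HIDDEN.TXT are invented).
ALIAS = b"NEW T~1 TXT"
ROOT_DIR = (
    build_sfn(b"FAT32      ", ATTR_VOLUME, 0, 0)                  # volume label entry
    + build_lfn_entries("new text document.txt", ALIAS)          # 42 entry, then 01 entry
    + build_sfn(ALIAS, 0x20, 9, 58)                               # alias, archive, cluster 9
    + b"\xE5" + build_sfn(b"SHORT   TXT", 0x20, 11, 5)[1:]       # deleted entry above SHORT.TXT
    + build_sfn(b"SHORT   TXT", 0x20, 10, 127, reserved=0x10)     # cluster 10, 127 bytes
    + build_sfn(b"BIG     BIN", 0x20, 601713, 4096)               # high word 9, low word 0x2E71
    + bytes(32) + bytes(32)                                       # 0x00 terminator, then slack
    + build_sfn(b"HIDDEN  TXT", 0x20, 12, 9)                      # written past the terminator
)

if __name__ == "__main__":
    entries, end = parse_directory(ROOT_DIR)
    for e in entries:
        print(f"{e['short']:<12} long={e['long']!r} cluster={e['cluster']} size={e['size']}")
    print("terminator at offset", end)
    print("past terminator:", [e["short"] for e in entries_past_terminator(ROOT_DIR, end)])
```

The checksum check matters in practice: tools that simply take the long filename entries sitting above a short entry can be fooled by stale or crafted entries, whereas a mismatch between the stored checksum and the short name is exactly what the file system uses to discard orphaned long name pieces. The parse of the slack region after the terminator is the check the lecture recommends for data hidden beyond the 00 entry.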