Windows 98 vfat




















For partitions 8 GB and smaller, the cluster size is reduced to a mere 4K. As you can imagine, it's not uncommon to gain back hundreds of megabytes by converting a partition to FAT32, especially if the partition contains a lot of small files. Updated info quote below. As I mentioned, FAT32 does have limitations. Unfortunately, it isn't compatible with any operating system other than Windows 98 and the OSR2 version of Windows However, Windows will be able to read FAT32 partitions. The other disadvantage is that your disk utilities and antivirus software must be FATaware.

Otherwise, they could interpret the new file structure as an error and try to correct it, thus destroying data in the process. Finally, I should mention that converting to FAT32 is a one-way process. Therefore, before converting to FAT32, you need to consider whether the computer will ever be used in a dual-boot environment. I should also point out that although other operating systems such as Windows NT can't directly read a FAT32 partition, they can read it across the network.

Therefore, it's no problem to share information stored on a FAT32 partition with other computers on a network that run older operating systems. Updated mentioned in comment by Doktor-J assimilated to update out of date answer in case comment is ever lost :. The original article was written in , and being posted on a Microsoft website, probably wasn't concerned with non-Microsoft operating systems anyways. The operating systems "excluded" by that paragraph are probably the original Windows 95, Windows NT 4.

The choosing of the driver determines how some of the features are applied to the file system. For example, systems mounted with msdos driver don't have long filenames they use the 8. Source: this Wikipedia article. Output of commands like df and lsblk indeed shows vfat as the file system type. You can confirm vfat is a module and not a file system type by running modinfo vfat.

Type del winboot. Use any text editor such as Notepad to open the System.


Degaussing of hard disks does not work effectively. The logic circuits would fail if a field strength great enough to completely wipe the platters without residuals were present. Because the voltage requirement for a degausser strong enough to wipe hard disks is fairly high, the secure wipe is a cheaper and safer option.

For those ultra-paranoid about their data being recovered, the best mechanism available is still physical destruction of the disk platters. Shredding and then incinerating appears to be the Department of Defense method of choice.

It is difficult to recover data from a solid hunk of metal. The original versions of FAT permitted the use of file names of up to 11 characters. Hence the 8. FAT clusters have a fixed number of physically addressable sectors per cluster, defined in the boot record. A cluster is the smallest area of space logically addressable by the file system.

The file system does not directly reference sector-level information. This leads to an anomaly in disk storage: slack space. This is perhaps best illustrated with an example. Because the file system can access only an individual cluster (and not a sector), it must use a full 32KB entry to store the 1KB of data.

When the 1KB of data is stored, the file system only overwrites the first 1KB of the 32KB cluster, leaving 31KB of old data in place and untouchable until the cluster is reclaimed. This is called slack space. When conducting a forensic investigation, the slack space noted previously is useful when searching for content from removed files. The searching of slack space in an investigation is detailed in Chapter 5.

The FAT file system retains its name from the File Allocation Table, which identifies the status of individual clusters within a partition. On a FAT partition, the file allocation table is present immediately after the partition boot record. The overall layout of a FAT partition is shown in Figure The boot sector contains the specific information on the layout of the partition and is referenced by the MBR detailed in Chapter 3.

The Boot Sector itself contains the meta-information on the structure of the hard disk and is useful to the forensic analyst in determining the starting locations of both the file allocation tables and the data itself. The boot sector on a FAT32 volume is composed of the key entries useful in forensic analysis shown in Table For the full layout, refer to Appendix D.

The name of the OS that formatted the partition. Can be used to determine legacy OS presence in the case of reformatted drives.

The number of sectors reserved for the boot record. This number indicates the beginning of the actual file allocation table.

F0 for a floppy drive, F8 for a hard drive. If the media type is changed, the device might not be recognized properly although it may still contain valid data.

Reserved for determining FAT mirroring status. If the backup FAT is being used, this may be of importance and indicate data hiding.

A unique number assigned to a partition at format time. Both Quick and Full formats reassign a serial number. This can be used to uniquely identify a partition on a given drive.

Immediately following the boot sector is a copy of the file allocation table itself.

The file allocation table indicates the status of individual clusters on the partition and consists of the header and the cluster map. The header for the file allocation table includes two entries (each two bytes) immediately following the boot sector: media type and partition state.

The media type should match the media type identified at offset 15h. If it does not, this is an indication of potential drive corruption (accidental or intentional).

The partition state is used by Windows to indicate whether a proper shutdown has occurred. When Windows starts, this value is set to FF F7, indicating that the partition is actively in use. If Windows detects the partition state as FF F7, it knows that the operating system was not shut down properly and runs scandisk to verify file system integrity.

If a system was shut down by pulling the plug, a hex editor should show the partition state as FF F7. This can provide independent verification of shut-down procedures. Following the FAT header is the cluster map itself. The cluster map contains an entry for every cluster on the drive. For FAT32, each cluster is represented by four bytes. The FAT entry contains one of a number of data entries. Forensic tools such as hex editors will still allow the viewing of these clusters, which may contain intentionally hidden data (if the cluster is marked as bad by the user) or unintentionally hidden data (data left over in the cluster if the disk reports a single bad sector within it).

When a file is deleted, this cluster map is updated to indicate all clusters associated with that file are available. When this happens, the cluster map will contain 00 00 for any files previously in that cluster. Until another file is written to the disk and needs those clusters, the data in them is still present and may be recovered. The information contains the ordinal number of the cluster in a particular file.

If the file is fragmented, that is, if the clusters of a file are not contiguous, the cluster map will indicate the position on the drive of the next cluster in the file. Fragmentation is normal on a disk drive and occurs with usage.

Consider the cluster map scenario shown in Figure. A drive contains four files (File 1, File 2, File 3, and File 4), each three clusters in length. File 5, which requires five clusters of space, is written to the disk.

Because there are no contiguous groups of available clusters large enough, it is split between two groups of clusters. This is called fragmentation. Defragmentation is the process of consolidating the data so that the majority of clusters for a given file are contiguous.

This optimizes drive speeds and simplifies the cluster map. Defragmentation can be both a boon and a bane to the forensic analyst. Any clusters at the beginning of a drive are likely to be wiped mostly clean and the information from other clusters stored there. An advantage to the analyst, however, is the fact that those clusters in the upper sectors of the disk now contain copies of information that may not be overwritten for a long time, even if the original files are securely wiped from their new locations.
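The cluster-map walk described above, as an added example that is not code from the original text: it decodes a FAT32 table, follows a file's chain, reports fragmentation, and lists free and bad-marked clusters for manual review. The sample table is constructed; which files were deleted to make room for File 5 is an assumption, and the entry values used (0 free, 0x0FFFFFF7 bad, 0x0FFFFFF8 and above end of chain) are the standard FAT32 ones rather than values given on this page.

```python
import struct

# Standard FAT32 entry values; only the low 28 bits of each 4-byte entry are used.
FREE, BAD, EOC_MIN, MASK = 0x00000000, 0x0FFFFFF7, 0x0FFFFFF8, 0x0FFFFFFF

def parse_cluster_map(fat: bytes) -> list[int]:
    """Decode a raw FAT32 table into a list indexed by cluster number."""
    count = len(fat) // 4
    return [e & MASK for e in struct.unpack(f"<{count}I", fat[:count * 4])]

def follow_chain(entries: list[int], start: int) -> tuple[list[int], bool]:
    """Walk a file's chain from its first cluster.

    Returns (clusters, intact); intact is False if the chain runs into a
    free or bad entry, leaves the table, or loops (corrupt or altered map).
    """
    chain, cur = [], start
    while 2 <= cur < len(entries) and cur not in chain:
        chain.append(cur)
        nxt = entries[cur]
        if nxt >= EOC_MIN:
            return chain, True
        if nxt in (FREE, BAD):
            return chain, False
        cur = nxt
    return chain, False

def runs(clusters: list[int]) -> list[tuple[int, int]]:
    """Group a chain into contiguous (first, last) runs; more than one run = fragmented."""
    out = []
    for c in clusters:
        if out and c == out[-1][1] + 1:
            out[-1] = (out[-1][0], c)
        else:
            out.append((c, c))
    return out

def triage(entries: list[int]) -> dict[str, list[int]]:
    """Clusters worth examining by hand: free (possible deleted data) and bad-marked."""
    data = range(2, len(entries))   # entries 0 and 1 are reserved, not data clusters
    return {"free": [c for c in data if entries[c] == FREE],
            "bad": [c for c in data if entries[c] == BAD]}

def sample_fat() -> bytes:
    """Constructed table: Files 1 and 3 intact, Files 2 and 4 deleted, File 5 in the gaps."""
    e = [0x0FFFFFF8, 0x0FFFFFFF] + [FREE] * 14           # clusters 0..15
    for chain in ([2, 3, 4], [8, 9, 10], [5, 6, 7, 11, 12]):
        for a, b in zip(chain, chain[1:] + [MASK]):      # last cluster gets end-of-chain
            e[a] = b
    e[14] = BAD                                          # one cluster marked bad
    return struct.pack("<16I", *e)
```

On the constructed table, File 5's chain starting at cluster 5 comes back as two runs, and the free and bad lists give the clusters an examiner would open in a hex editor.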

Following the file allocation table and its backup is the root directory entry for the drive. Entries in FAT32 directories are 32 bits (four bytes) long, and contain the name and information on files that is used by the operating system. The root directory is the first directory on the drive, of which all other directories are subdirectories. Each and every file has an entry as shown in Table. Subdirectories have entries similar to files, and each subdirectory has two additional entries:

When conducting a forensic analysis, the times and dates of file creation, access, and write are important. Although they can be intentionally altered through the use of a program or by changing the system time, they are still critical to an investigation. The creation time indicates the time at which an entry was first written into the directory for the file. The last accessed time indicates the last time an application referenced that particular file. Note that all applications do not necessarily update this date properly.

A backup program, for example, reads these files without updating the access time. As a result of space limitations, FAT permits the storing of even seconds only, so the seconds value is actually multiplied by 2 for display.

In order to remain backward-compatible with existing operating systems (for example, DOS), the long file name (LFN) extensions are added as new directory entries, the same as existing directory entries.

For older programs to ignore the entries which, if they are designed to accept 8. Older programs will see these entries as being Volume Labels and not files and will ignore them. In addition to supporting up to characters, VFAT supports the use of Unicode to enable support for multiple languages with more characters than ASCII can handle for example, Mandarin Chinese and other double byte languages. For characters not requiring the use of Unicode, the first byte is the ASCII character value and the second byte set to This is in place to support legacy applications looking for a standard FAT entry.

Set to 00 00 for LFN entries. The short name is stored as an abbreviated version of the long name. XXX, where is a unique four digit number. Microsoft began development of its own operating system, Windows NT. FAT32 was not yet available. NTFS version 4. Many features introduced in NTFS 5. Enhancements such as file permissions and change logs offer additional features of use to the forensic examiner.

Features such as compression and encryption also present new challenges during a forensic examination and require special handling. The forensic use of these will be detailed in this and the following chapter. The use of an ADS allows Windows programs to store additional information in the form of a separate stream, all within a single file.

Secondary streams are not visible to most Windows applications, making them a great way to hide information in files. Windows uses a colon to reference an ADS within a file. Each ADS is named, with the name prefixed by the actual file name. Thus, an ADS called financials within a file innocuous. Likewise, the directory listing would only show the primary file name, not the financials stream. Even file size is not an indication. The file size displayed in Windows Explorer is only the size for the primary stream, allowing a multi-megabyte ADS to exist under a file showing a size of 1K.

In the preceding example, the directory listing does not show the ADS in name or reflect the additional size of the data in either the bytes free or the total bytes listed. The more command, which is ADS-enabled, shows the data is present and accounted for, however. Although not viewable by general tools, ADSs will still be searched when a sector-level copy of the disk is examined for a given string.

Using streams below shows the above-created stream in the innocuous. For the forensic examiner, a logical copy (using the copy command to duplicate files to a floppy, for example) should always include a preliminary check for the presence of ADSs. Taking a cue from Unix systems, almost everything within an NTFS partition is a file, including files that contain meta-data about the partition itself.

The exception to this is the partition boot sector which is referenced by the MBR and contains the basics of the partition and bootstrap code. Table shows the key features of the boot sector on an NTFS system which are of use in a forensic examination. The full layout is included in Appendix E.

The number of sectors reserved for the boot record. This number indicates the beginning of the actual NTFS file system. Should always be F8 for a hard drive. The boot sector on an NTFS partition is mirrored on the last sector(s) of the disk as well, though it is not referenced as such.

The master file table contains the information used to define the partition's file system and its contents, including metadata files. To accommodate all of this information, Microsoft reserves a significant portion The space can be used, when necessary, by other applications but is initially set aside upon formatting.

The key inode attributes are as follows:. The basic file attribute information similar to FAT file information is stored here. The information in the Standard Information includes the times and dates used by Windows for tracking file system additions, updates, and changes.


