svn commit: r312003 - head/usr.sbin/fstyp

Conrad Meyer cem at freebsd.org
Fri Jan 13 02:14:34 UTC 2017 

Forgot to mention:

Documentation: https://www.sans.org/reading-room/whitepapers/forensics/reverse-engineering-microsoft-exfat-file-system-33274

Images for testing: http://www.cfreds.nist.gov/dfr-test-images.html
(raw disk images, include partition tables)


On Thu, Jan 12, 2017 at 6:12 PM, Conrad E. Meyer <cem at freebsd.org> wrote:
> Author: cem
> Date: Fri Jan 13 02:12:58 2017
> New Revision: 312003
> URL: https://svnweb.freebsd.org/changeset/base/312003
>
> Log:
>   fstyp(8): Detect exFAT filesystems
>
>   Simply detect the exFAT filesystem name in the Volume Boot Record
>   (superblock).
>
>   PR:           214908
>   Reported by:  <vermaden at interia.pl>
>
> Added:
>   head/usr.sbin/fstyp/exfat.c   (contents, props changed)
> Modified:
>   head/usr.sbin/fstyp/Makefile
>   head/usr.sbin/fstyp/fstyp.8
>   head/usr.sbin/fstyp/fstyp.c
>   head/usr.sbin/fstyp/fstyp.h
>
> Modified: head/usr.sbin/fstyp/Makefile
> ==============================================================================
> --- head/usr.sbin/fstyp/Makefile        Fri Jan 13 02:11:16 2017        (r312002)
> +++ head/usr.sbin/fstyp/Makefile        Fri Jan 13 02:12:58 2017        (r312003)
> @@ -3,7 +3,7 @@
>  .include <src.opts.mk>
>
>  PROG=  fstyp
> -SRCS=  cd9660.c ext2fs.c fstyp.c geli.c msdosfs.c ntfs.c ufs.c
> +SRCS=  cd9660.c exfat.c ext2fs.c fstyp.c geli.c msdosfs.c ntfs.c ufs.c
>
>  .if ${MK_ZFS} != "no"
>  SRCS +=        zfs.c
>
> Added: head/usr.sbin/fstyp/exfat.c
> ==============================================================================
> --- /dev/null   00:00:00 1970   (empty, because file is newly added)
> +++ head/usr.sbin/fstyp/exfat.c Fri Jan 13 02:12:58 2017        (r312003)
> @@ -0,0 +1,77 @@
> +/*
> + * Copyright (c) 2017 Conrad Meyer <cem at FreeBSD.org>
> + * All rights reserved.
> + *
> + * Redistribution and use in source and binary forms, with or without
> + * modification, are permitted provided that the following conditions
> + * are met:
> + * 1. Redistributions of source code must retain the above copyright
> + *    notice, this list of conditions and the following disclaimer.
> + * 2. Redistributions in binary form must reproduce the above copyright
> + *    notice, this list of conditions and the following disclaimer in the
> + *    documentation and/or other materials provided with the distribution.
> + *
> + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
> + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
> + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
> + * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
> + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
> + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
> + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
> + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
> + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
> + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
> + * SUCH DAMAGE.
> + */
> +
> +#include <sys/cdefs.h>
> +__FBSDID("$FreeBSD$");
> +
> +#include <stdint.h>
> +#include <stdio.h>
> +#include <stdlib.h>
> +#include <string.h>
> +
> +#include "fstyp.h"
> +
> +struct exfat_vbr {
> +       char            ev_jmp[3];
> +       char            ev_fsname[8];
> +       char            ev_zeros[53];
> +       uint64_t        ev_part_offset;
> +       uint64_t        ev_vol_length;
> +       uint32_t        ev_fat_offset;
> +       uint32_t        ev_fat_length;
> +       uint32_t        ev_cluster_offset;
> +       uint32_t        ev_cluster_count;
> +       uint32_t        ev_rootdir_cluster;
> +       uint32_t        ev_vol_serial;
> +       uint16_t        ev_fs_revision;
> +       uint16_t        ev_vol_flags;
> +       uint8_t         ev_log_bytes_per_sect;
> +       uint8_t         ev_log_sect_per_clust;
> +       uint8_t         ev_num_fats;
> +       uint8_t         ev_drive_sel;
> +       uint8_t         ev_percent_used;
> +} __packed;
> +
> +int
> +fstyp_exfat(FILE *fp, char *label, size_t size)
> +{
> +       struct exfat_vbr *ev;
> +
> +       ev = (struct exfat_vbr *)read_buf(fp, 0, 512);
> +       if (ev == NULL || strncmp(ev->ev_fsname, "EXFAT   ", 8) != 0)
> +               goto fail;
> +
> +       /*
> +        * Reading the volume label requires walking the root directory to look
> +        * for a special label file.  Left as an exercise for the reader.
> +        */
> +       free(ev);
> +       return (0);
> +
> +fail:
> +       free(ev);
> +       return (1);
> +}
>
> Modified: head/usr.sbin/fstyp/fstyp.8
> ==============================================================================
> --- head/usr.sbin/fstyp/fstyp.8 Fri Jan 13 02:11:16 2017        (r312002)
> +++ head/usr.sbin/fstyp/fstyp.8 Fri Jan 13 02:12:58 2017        (r312003)
> @@ -27,7 +27,7 @@
>  .\"
>  .\" $FreeBSD$
>  .\"
> -.Dd February 28, 2016
> +.Dd January 12, 2017
>  .Dt FSTYP 8
>  .Os
>  .Sh NAME
> @@ -43,7 +43,7 @@
>  The
>  .Nm
>  utility is used to determine the filesystem type on a given device.
> -It can recognize ISO-9660, Ext2, FAT, NTFS, and UFS filesystems.
> +It can recognize ISO-9660, exFAT, Ext2, FAT, NTFS, and UFS filesystems.
>  When the
>  .Fl u
>  flag is specified,
> @@ -61,6 +61,8 @@ as, respectively:
>  .It
>  cd9660
>  .It
> +exfat
> +.It
>  ext2fs
>  .It
>  geli
>
> Modified: head/usr.sbin/fstyp/fstyp.c
> ==============================================================================
> --- head/usr.sbin/fstyp/fstyp.c Fri Jan 13 02:11:16 2017        (r312002)
> +++ head/usr.sbin/fstyp/fstyp.c Fri Jan 13 02:12:58 2017        (r312003)
> @@ -57,6 +57,7 @@ static struct {
>         bool            unmountable;
>  } fstypes[] = {
>         { "cd9660", &fstyp_cd9660, false },
> +       { "exfat", &fstyp_exfat, true },
>         { "ext2fs", &fstyp_ext2fs, false },
>         { "geli", &fstyp_geli, true },
>         { "msdosfs", &fstyp_msdosfs, false },
>
> Modified: head/usr.sbin/fstyp/fstyp.h
> ==============================================================================
> --- head/usr.sbin/fstyp/fstyp.h Fri Jan 13 02:11:16 2017        (r312002)
> +++ head/usr.sbin/fstyp/fstyp.h Fri Jan 13 02:12:58 2017        (r312003)
> @@ -39,6 +39,7 @@ char  *checked_strdup(const char *s);
>  void   rtrim(char *label, size_t size);
>
>  int    fstyp_cd9660(FILE *fp, char *label, size_t size);
> +int    fstyp_exfat(FILE *fp, char *label, size_t size);
>  int    fstyp_ext2fs(FILE *fp, char *label, size_t size);
>  int    fstyp_geli(FILE *fp, char *label, size_t size);
>  int    fstyp_msdosfs(FILE *fp, char *label, size_t size);
>

More information about the svn-src-all mailing list