FAT Boot Sector

Under construction; Here are the notes I have taken.

Another feature of a FAT32 volume is the backup boot sector. It provides redundancy for the only boot sector on the FAT volume, which improves the chance of recovering the volume if the boot sector is corrupted for any reason. The location of the backup boot sector is given by BPB_BkBootSec. A value of 6 is strongly recommended for this field because the boot loader and FAT driver are hard-coded to try reading the boot sector at sector 6 when they fail to load the main boot sector. The FAT32 boot sector is actually three 512-byte sectors long. There is a copy of all three of these sectors starting at the sector indicated by BPB_BkBootSec. A copy of the FSInfo sector is also there, even though the BPB_FSInfo field in this backup boot sector is set to the same value as the value in sector 0. All three sectors have the boot signature, 0xAA55, at offset 510. [1]

The boot sector is located in the first sector of FAT file system and contains the bulk of the file system category of data.

FAT12/16 and FAT32 have different versions of the boot sector, but they both have the same initial 36 bytes.

Data structure for the first 36 bytes of the FAT boot sector. [2]

1. My testing has shown that for file systems in an extended partition, Windows sets this value based on the beginning of the extended partition, not the beginning of the disk.

Data structure for the remainder of the FAT12/16 boot sector. [2]
Data structure for the remainder of the FAT32 boot sector.

The field at bytes 36-39 shows the size of the FAT structure itself rather than the size of the FAT file system. [2]

FAT Boot Sector Fields

The first value in the boot sector, bytes 0 to 2, is a boot code instruction that tells the computer where to find the code needed to boot the operating system.

  • If the file system is not used to boot the computer, the value is not needed.
  • You could use this value to identify what boot code is used.
  • Note that DOS and Windows require that the value be set on non-bootable file systems, but other OSes, such as Linux, do not.

The media type value is used to identify if the file system is on fixed or removable media, but Microsoft Windows does not use it. A second copy of the media type exists in the file allocation table, and it is the one that Windows uses [Microsoft 2001]. The concepts of the other fields were discussed in Chapter 9.

From bytes 36 onward, FAT12 and FAT16 have a different layout than FAT32. The one value that they both have in common is the signature 0x55 in byte 510 and 0xAA in byte 511.

The difference between the FAT12/16 and FAT32 boot sector is that the FAT32 sector includes data to make the file system more scalable and flexible. There can be different policies for how the FAT structures are written to and a backup copy of the boot sector exists. There is also a version field, but there seems to be only one version used by Microsoft at the time of this writing.

The data in bytes 62 to 509 of a FAT12/16 file system, and in bytes 90 to 509 of a FAT32 file system, does not have a specified purpose, but is typically used to store boot code and error messages.

The volume serial number is located in bytes 67 to 70, and its value is 0x4c194603. The volume label is in bytes 71 to 81 and has the value “NO NAME” (plus four spaces). We will see later that the real label is stored in another location in the file system (as attributed entries).

The type label is in bytes 82 to 89, and it is “FAT32” (plus three spaces) for this system (in the Windows XP example).

Process for calculating the volume serial number from the creation date and time.

** The sample file system image we looked at is from a Windows XP system and it does not use this calculation.
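The backup boot sector paragraph and the FAT32 field offsets above can be checked together when examining an image. The following is an added example, not code from the cited sources: it decodes the fields named in these notes and compares the three boot sectors at sector 0 with the copy at BPB_BkBootSec. It assumes 512-byte sectors, takes the offsets of BPB_FSInfo (48) and BPB_BkBootSec (50) from the Microsoft FAT specification rather than from this page, and runs on a constructed in-memory image; the function names are hypothetical.

```python
import struct

SECTOR = 512  # assumed sector size for the constructed image below

def parse_fat32_boot_sector(sec: bytes) -> dict:
    """Decode the FAT32 boot sector fields mentioned in the notes above."""
    if len(sec) < SECTOR:
        raise ValueError("short boot sector")
    return {
        "fat_size_sectors": struct.unpack_from("<I", sec, 36)[0],  # bytes 36-39
        "fsinfo_sector": struct.unpack_from("<H", sec, 48)[0],     # BPB_FSInfo (spec offset)
        "backup_sector": struct.unpack_from("<H", sec, 50)[0],     # BPB_BkBootSec (spec offset)
        "serial": struct.unpack_from("<I", sec, 67)[0],            # bytes 67-70
        "label": sec[71:82].decode("ascii", "replace"),            # bytes 71-81
        "fs_type": sec[82:90].decode("ascii", "replace"),          # bytes 82-89
        "signature_ok": sec[510:512] == b"\x55\xaa",               # 0xAA55 at offset 510
    }

def check_backup(image: bytes, count: int = 3) -> list:
    """Compare the boot sectors at sector 0 with the copy at BPB_BkBootSec."""
    bk = parse_fat32_boot_sector(image[:SECTOR])["backup_sector"]
    if bk == 0:
        return ["no backup boot sector recorded"]
    findings = []
    for i in range(count):
        a = image[i * SECTOR:(i + 1) * SECTOR]
        b = image[(bk + i) * SECTOR:(bk + i + 1) * SECTOR]
        if len(b) < SECTOR:
            findings.append(f"backup sector {bk + i} is beyond the image")
        elif b[510:512] != b"\x55\xaa":
            findings.append(f"backup sector {bk + i} lacks the 0xAA55 signature")
        elif a != b:
            findings.append(f"sector {i} differs from its backup copy")
    return findings

def build_sample_image() -> bytes:
    """Constructed 9-sector image: boot sectors 0-2 copied to sectors 6-8."""
    boot = bytearray(SECTOR)
    struct.pack_into("<I", boot, 36, 1009)        # constructed FAT size
    struct.pack_into("<HH", boot, 48, 1, 6)       # FSInfo at sector 1, backup at 6
    struct.pack_into("<I", boot, 67, 0x4C194603)  # serial number quoted above
    boot[71:82] = b"NO NAME    "
    boot[82:90] = b"FAT32   "
    blank = bytearray(SECTOR)
    for s in (boot, blank):
        s[510:512] = b"\x55\xaa"
    group = bytes(boot) + bytes(blank) * 2
    return group + bytes(3 * SECTOR) + group
```

An empty list from `check_backup` means the primary and backup copies agree; any finding points to the sector worth examining by hand.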

[1] http://elm-chan.org/docs/fat_e.html#fsinfo

[2] https://learning.oreilly.com/library/view/file-system-forensic/0321268172/ch10.html#ch10
