The FAT File Allocation Table data structure is the core data structure of the FAT file system. It is used for space management of the FAT file systems.
The size of the FAT table entries changes depending on the FAT file system type.
| FAT Type | FAT Entry Length |
| FAT12 | 12 bits |
| FAT16 | 16 bits |
| FAT32 | 32 bits |
FAT Free Clusters
A FAT cluster is free only if the associated FAT table entry has a zero value.
FAT table zero value changes depending on the FAT file system type.
| FAT Type | Free FAT Entry Value |
| FAT12 | 0x000 |
| FAT16 | 0x0000 |
| FAT32 | 0x0000000 |
A side note, FAT32 only uses 28 bits of the entry value found in the fat table out of 32 bits. Therefore, it is a must to ignore the highest order of 4 bits.
FAT Allocated Clusters
| FAT Type | First FAT Entry Value |
| FAT12 | 0x002 |
| FAT16 | 0x0002 |
| FAT32 | 0x0000002 |
The Maximum Valid Cluster Number (MAX) for the volume is (CountofClusters + 1).<Review PAGE 15>
FAT Reserved Clusters
There are two set of clusters reserved.
The first set of clusters are reserved and must not be used.
| FAT Type | Reserved FAT Entry Start | Reserved FAT Entry End |
| FAT12 | MAX + 1 | 0xFF6 |
| FAT16 | MAX + 1 | 0xFFF6 |
| FAT32 | MAX + 1 | 0xFFFFFF6 |
The second set of clusters are reserved and must not be used. But, as the specification mentions, these set of clusters may be interpreted as allocated or end of file marker.
| FAT Type | Reserved FAT Entry Start | Reserved FAT Entry End |
| FAT12 | 0xFF8 | 0xFFE |
| FAT16 | 0xFFF8 | 0xFFFE |
| FAT32 | 0xFFFFFF8 | 0xFFFFFFE |
FAT Defective Clusters
It is used as a marked to denote a bad or defective cluster.
| FAT Type | Bad FAT Entry Value |
| FAT12 | 0xFF7 |
| FAT16 | 0xFFF7 |
| FAT32 | 0xFFFFFF7 |
FAT End of File Cluster
It is used to indicate the end of the file or the end of the cluster chain.
| FAT Type | EOF FAT Entry Value |
| FAT12 | 0xFFF |
| FAT16 | 0xFFFF |
| FAT32 | 0xFFFFFFF |
FAT Free Space Determination
When we would like to determine the free space on a FAT file system, we can look at 2 places.
The first one is the FSInfo structure. It has a field of free cluster count. While it is not always up to date, with low precision the free cluster count can be found using FSInfo.
The second one and the main way of determining the free space on a FAT file system is to traverse all the file allocation table entries and check whether the corresponding cluster is free.
FAT Free Space Allocation
FAT Space Deallocation
FAT highlights
The FAT is crucial to a FAT file system and has two purposes. It is used to determine the allocation status of a cluster and to find the next allocated cluster in a file or directory.
There are typically two FATs in a FAT file system, but the exact number is given in the boot sector.
- The first FAT starts after the reserved sectors, the size of which is given in the boot sector.
- The total size of each FAT is also given in the boot sector, and the second FAT, if it exists, starts in the sector following the end of the first.
The table consists of equal-sized entries and has no header or footer values. The size of each entry depends on the file system version. FAT12 has 12-bit entries, FAT16 has 16-bit entries, and FAT32 has 32-bit entries. The entries are addressed starting with 0, and each entry corresponds to the cluster with the same address.
If a cluster is not allocated, its entry will have a 0 in it. If a cluster is allocated, its entry will be non-zero and will contain the address of the next cluster in the file or directory. If it is the last cluster in a file or directory, its entry will have an end-of-file marker.
If an entry has a value of 0xff7 for FAT12, 0xfff7 for FAT16, or 0x0fff fff7 for FAT32, the cluster has been marked as damaged and should not be allocated.
Recall that the first addressable cluster in the file system is #2. Therefore, entries 0 and 1 in the FAT structure are not needed. Entry 0 typically stores a copy of the media type, and entry 1 typically stores the dirty status of the file system. There is also a storage value for the media type in the boot sector, but as previously noted, Windows might not use it and could use the value in FAT entry 0 instead. The dirty status can be used to identify a file system that was not unmounted properly (improper shutdown) or that hardware surface errors were encountered. Both of these values are non-essential and may not be accurate.
[1] https://learning.oreilly.com/library/view/file-system-forensic/0321268172/ch10.html#ch10lev1sec3