FAT Filesystem

1-E
A file allocation table (FAT) is a table that Windows maintains on a hard disk that provides a map
of the clusters that a file has been stored in.

The number at the end of the FAT name is the number of bits in each table entry, which sets how
many clusters can be addressed on the file system. For example, a FAT16 system can address 2 to
the 16th power, or 65,536, clusters.

Windows creates a FAT entry for a new file that records where each cluster is located and its
sequential order. When you read a file, the operating system reassembles the file from clusters and
places it as an entire file where you want to read it. For example, if there is a long web page, it
may very well be stored on more than one cluster on your hard disk.

With 32-bit FAT entry (FAT32) support in Windows 95 OSR2, the largest size hard disk that can be
supported is two terabytes!

The extended FAT file system (exFAT) was introduced with Windows CE 6.0 in September 2006.
It was provided for desktops and server support as SP1 for Vista and Server 2008 in March 2008.
Windows XP support was provided in January 2009 in KB Q955704. Details of the file system
specification were provided in an appendix of the patent application 0164440. The file allocation
table (FAT) behaves differently than in earlier FAT file systems.

2-E
The FAT file system has been around since the early 1980s and is one of the simplest file
systems. It contains no security features, few time stamps, and several hacks that have allowed it
to still be used today. There are three variations of FAT: FAT12, FAT16, and FAT32. The major
difference in each is the size of addressable entries in the FAT, which will be described later. The
exFAT file system is the newest version and can be found in Windows versions after VISTA SP1
and latest versions of Windows CE 6.0. Although sometimes referred to as FAT64, the FAT entries
are 32 bits in length, and all 32 bits are used for cluster addressing.

Refer to pages 211-212 of your Filesystem Forensic Analysis book.

For exFAT refer to the GCFA Gold paper in the SANS reading room titled: Reverse Engineering
the Microsoft Extended FAT File System (exFAT). This is a detailed technical paper on exFAT
written by Robert Shullich.

Another reference is a patent application by Microsoft that has the exFAT 1.00 specification at:
http://appft1.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&p=1&u=/netahtml/PTO/search-bool.html&r=1&f=G&l=50&co1=AND&d=PG01&s1=20090164440&OS=20090164440&RS=20090164440

3-E
A FAT12 file system can address 2 to the 12th power, or 4096 clusters and a FAT16 system can
address 2 to the 16th power, or 65,536 clusters. We can see that the cluster size has a big impact
on the maximum file system size because there are a maximum number of clusters that can be
addressed. When larger clusters are used, more disk space is wasted when files only need a
small amount of the cluster. The maximum cluster size of a FAT16 system is 64KB which
limits the maximum file size capacity to 4GB, which is quite small by today’s standards. The
4GB is the maximum calculated value; most FAT16 systems have a 2 GB volume size limit.
Cluster size is important to consider for storage issues. The minimum file size is determined by
the cluster size.

The file allocation table is where information about clusters is stored. Each cluster has an entry
in the FAT that describes how it is used. This is what tells the operating system which parts of
the disk are currently used by files, and which are free for use. The FAT entries are used by the
operating system to chain together clusters to form files.

The FAT12/16 system uses the standard Windows 8.3 naming convention (filename.txt, for
example). The 8.3 naming convention states that all files will be no longer than 8 characters
followed by 3-character file type reference such as .doc, .bmp, or .txt. It should be noted that
pre-Win95, only the 8.3 naming convention was used, but now the long file name support is
available in any FAT file system. Long file name support is used to allow for file names longer
than 8 characters and support for special characters.

FAT16 volumes larger than 2 GB are not accessible from computers running MS-DOS,
Windows 95, Windows 98, Windows Millennium Edition (Me), and many other operating
systems. This limitation occurs because these operating systems do not support cluster sizes
larger than 32 KB, which results in the 2 GB limit.

4-E

If you must share a drive with several OSs, FAT is an excellent choice because of its
compatibility.

5-E
FAT32 was introduced with Windows 95 OSR2 or later.

The FAT file system is one of the most common PC file systems around as it is compatible with
so many different computers. FAT is very reliable since it keeps a table of files and free space. If
your system crashes, the FAT does not lose data, but may not have written the data before the
crash. Typically, running CHKDSK or SCANDISK recovers these lost fragments.

FAT32 is an enhancement of FAT16 and is based on 32-bit file tables instead of 16-bit. FAT32
uses much smaller clusters of 512 bytes to 32 kilobytes and supports drives up to 8 terabytes. The
smaller clusters result in better file efficiency and reduced wasted space.

6-E
Overview of FAT Filesystem’s Limits.

http://technet2.microsoft.com/windowsserver/en/library/810c3217-77bb-4553-b6ce-3ff10dbdbac91033.mspx?mfr=true

7-E
FAT is divided into multiple regions. The FAT, which contains an entry for each cluster on a
volume, is so critical to the operation of a FAT partition that there is a backup copy of the FAT,
so that if a file system driver or a program such as chkdsk cannot access one copy of the FAT, it
will use the other.

The FAT is a table where each entry can point to the next cluster in a file, the End of File (EOF)
marker, or 0 if the cluster is not being used. To read the contents of a file, you read the contents of
one cluster, look at its entry in the FAT to find the next cluster, read the contents of the cluster,
and refer back to the FAT. This process continues until an EOF is found in the FAT.

Refer to pages 213-218 of your Filesystem Forensic Analysis book.

The data area is also known as the cluster area. Remember, clusters are a multiple of sector size
with a set maximum depending on the file system format. In FAT, cluster number 2 is
not at the beginning of the filesystem (the logical beginning); it is at the beginning of the data
area, and its location differs between FAT12/16 and FAT32. For the FAT12/16 system, the
location of cluster 2 is immediately after the root directory. In the FAT32 system, cluster 2 will
be at the start of the data area. In FAT32, the root directory can sit anywhere inside the data area
as it does not have a set maximum. The root directory on FAT32 is generally at the beginning of
the data area though.

Refer to page 222 of your Filesystem Forensic Analysis book.

8-E
The boot sector is the very first sector on a disk. It has two important functions: the first is to
load your operating system, and the second is to tell us all kinds of information about the disk
that it's on.

Two important things that are stored in the boot sector are the size of each sector, usually 512
bytes, and the total number of sectors. With this information we can tell how much data the disk
will hold.

9-E
This is the layout of a typical FAT12/16 Boot sector.

The OEM name is the eight-byte ASCII string that identifies the system that formatted the disk.
All eight characters are meaningful. Spaces or zeroes are appended if the name is shorter than
eight characters. The OEM name is nice to display near the other disk information, but it is
absolutely useless for any other purpose.

Refer to pages 254-255 of your Filesystem Forensic Analysis book.

10 - E
This is the layout of a typical FAT32 Boot sector.

Refer to pages 254-258 of your Filesystem Forensic Analysis book.

11 - E
The Root Directory contains all the files or folders in the root directory of the FAT filesystem.
In a FAT12/16 system the number of entries in the root directory is limited to 512 because the
value is preassigned. This is not a problem with FAT32 root directories, as there is no size
limit.

The key to the FAT Directory Entry is that it only has ONE cluster listed for the start of the
file. That cluster is the FIRST cluster of the file. Every cluster is represented in the FAT,
therefore, in order to complete the file, the OS must use the FAT to complete the data run of
the file. The cluster chain is followed until the end-of-file marker is found at the last cluster in
the list.

Refer to pages 227-228 of your Filesystem Forensic Analysis book.

12 - E
There are three times found on a FAT filesystem. The first is the creation time, which is written
when a new file is created on the file system. The second is the data change time, which
updates when the file data was last written to the cluster area. The third is the last accessed
day; the FAT file system only keeps track of the last access to the day it occurred, not
the exact time of day.

Refer to pages 234-235 of your Filesystem Forensic Analysis book.

exFAT uses the same 32 bit Date/Time timestamp format of previous FAT file systems. Each of
these 32 bit values provides accuracy to an even second (double seconds), and provides the date
and time for all three timestamps (M – Modification, A – Accessed, C – Create). The creation and
modification timestamps have an additional byte which may add between 0-1990 milliseconds to
the timestamp and increase the accuracy to within 10ms. A one byte time zone offset for each of
the three timestamps exists when the drivers have UTC support. The time is stored in local time,
but the time zone offset indicates the time zone setting of the operating system at the time the
timestamp itself is updated. If the driver does not have UTC support, then these time zone offsets
are not updated, and may be zero. The time zone offset is a 7-bit signed value indicating the time
zone, in 15 minute increments. This defines a range of ± 16 hours.

13 - E
This is the FAT directory entry for the file Scheduled Visits.EXE. It stores both the long filename
(Scheduled Visits.exe) and the short name using the 8.3 DOS format of SCHEDU~1.EXE. In
addition to the filename, it stores the creation time/date, last access date, last modification
time/date, starting cluster number, and file size.

If the file is deleted, the beginning of the 2nd long entry and the beginning letter of the short
entry will be replaced with the hex value 0xe5.

Refer to pages 261-263 of your Filesystem Forensic Analysis book for Short Entries.

Refer to pages 267-271 of your Filesystem Forensic Analysis book for Long Entries.

14 - E
Data in a FAT file system is stored in a cluster, which is a group of consecutive sectors. Sectors are
512 bytes each and are typically the smallest addressable data unit on a disk. The clusters are
located in the data area of the file system and each one is given an address. We will see later that
the size of the cluster will play a role in how large a file system can be. The FAT sets the allocation
status of a cluster.

Refer to pages 228-229 of your Filesystem Forensic Analysis book.

15 - E
This is an example of a FAT in a HEX editor that shows the FAT16 cluster chains. You can see
the unallocated blocks, the cluster chains, and the end of file marker. Remember, even though we
are looking at data that is stored on the disk, this is considered metadata. The purpose of the FAT
is to essentially provide a “map” that will show us where in the data layer to go to complete the
file. In order for this to work, some structure MUST point to the FAT so we can then figure out
which clusters to go find the file data for that specific file. That structure is the “FAT Directory
Entry” which is the Metadata Layer (Card Catalog) structure of the FAT filesystem.

16 - E
Basically, a file allocation table is just a load of numbers: no filenames, no attributes. All those
things are stored elsewhere. For every cluster on the disk there is an entry in the file allocation
table which occupies the number of bits that we are using (12, 16, or 32).

The cluster address in a FAT directory entry points to the beginning of the cluster chain. The
cluster chain then points to the next cluster and then the next cluster until the end of the chain is
reached.

17 - E
This is an example of the FAT Directory Entry in hex that has the cluster address in the short entry
that points to the FAT chain in the FAT. The address 0x0049 points to cluster 0x004a. You can
follow the chain till you see the end of the file marker. The file is a total of five clusters in length.
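
The chain walk described above, as an added example that is not part of the original course notes. The FAT contents are constructed: the five-cluster chain starting at 0x0049 mirrors the slide, while the fragmented chain, the looped chain and the contiguous layout are assumptions made for illustration.

```python
import struct

FAT16_FREE = 0x0000      # entry value for an unallocated cluster
FAT16_BAD = 0xFFF7       # entry value marking a bad cluster
FAT16_EOF_MIN = 0xFFF8   # 0xFFF8-0xFFFF all mean end of file


def follow_chain(fat, start):
    """Walk a FAT16 cluster chain from a directory entry's starting cluster.

    Returns (clusters, status); status is "eof", "unallocated", "bad" or "loop".
    """
    entries = len(fat) // 2
    chain, seen = [], set()
    cluster = start
    while True:
        if not 2 <= cluster < entries:
            raise ValueError("cluster 0x%04x is outside the FAT" % cluster)
        if cluster in seen:
            # A corrupt or tampered FAT can point back into the chain.
            return chain, "loop"
        seen.add(cluster)
        chain.append(cluster)
        nxt = struct.unpack_from("<H", fat, 2 * cluster)[0]
        if nxt >= FAT16_EOF_MIN:
            return chain, "eof"
        if nxt == FAT16_FREE:
            # Typical for a deleted file: only the starting cluster is known.
            return chain, "unallocated"
        if nxt == FAT16_BAD:
            return chain, "bad"
        cluster = nxt


def build_sample_fat():
    """Constructed FAT16 table with 0x60 entries (sample data, not from a real disk)."""
    fat = bytearray(2 * 0x60)
    struct.pack_into("<HH", fat, 0, 0xFFF8, 0xFFFF)   # reserved entries 0 and 1
    links = {
        0x49: 0x4A, 0x4A: 0x4B, 0x4B: 0x4C, 0x4C: 0x4D, 0x4D: 0xFFFF,  # slide's file
        0x10: 0x20, 0x20: 0x11, 0x11: 0xFFFF,                          # fragmented file
        0x30: 0x31, 0x31: 0x30,                                        # corrupt loop
    }
    for cluster, nxt in links.items():
        struct.pack_into("<H", fat, 2 * cluster, nxt)
    return bytes(fat)


if __name__ == "__main__":
    fat = build_sample_fat()
    for start in (0x49, 0x10, 0x30, 0x05):
        clusters, status = follow_chain(fat, start)
        print("0x%04x:" % start, [hex(c) for c in clusters], status)
```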

18 - E
FILENAME LAYER
File Name will be preserved minus the first letter
(0xe5 will replace the first letter in the directory entry)
(in exFAT the file name is preserved, the entry is marked inactive)

METADATA LAYER
Modification/Creation Times and Access Date (Preserved)
File Attributes, Size, and Starting Cluster address (Preserved)

DATA LAYER
Data clusters in FAT will be marked as unallocated (0x00) but data will be preserved at
the original cluster locations
Slack Space will exist

21 - E
exFAT, when released for Windows CE 6.0, was implemented with features of Access Control
Lists (object permissions) and Transactional FAT for volume recovery. These features are not
implemented in exFAT version 1.00, but Microsoft has stated an intent to release these features
on the desktop and server in a later release. The file system is extensible, and is designed so that
even other features, such as support for encryption, can be introduced in a later release. When
these features are released, exFAT will have security and recoverability features similar to NTFS.

A sector by default is 512 bytes, but the specification allows a maximum of a 4096 byte sector.
The cluster size can be a maximum of 32MB. The entries in the FAT table are 32 bits (not 64, this
is not really FAT64 as some may claim); however, all 32 bits may be used for the address, unlike
FAT32 that only uses 28 bits. There are 11 reserved cluster address values. The theoretical
volume space for an exFAT volume is approximately 2^57 bytes. If a file system formatted as
exFAT were placed in a partition, the MBR would limit the number of sectors since the count
value is 4 bytes. For a 512 byte sector the file system is limited to 4TB but for a 4096 byte sector
the MBR limits the file system to 16 TB. For larger file system sizes, the exFAT file system should
not be installed in a partition.

exFAT uses the file allocation table (FAT) differently in that it doesn’t use the FAT unless the file
is fragmented and cannot be written as contiguous clusters. A bitmap is used to keep track of
whether a cluster is free or allocated. If all the files on an exFAT formatted file system are written
as contiguous clusters, the FAT would never be used and this can be a tremendous reduction in
I/O overhead.

22 - E
There is no limit on the root directory size. Subdirectories are limited to 256MB. Since
directory entries are 32 bytes, and a minimum of 3 directory entries are required to define a
file, the maximum number of files in a subdirectory is 2^23/3. The size of a file is stored as a
64 bit number, which can hold a value representing a file size of 16 Exabytes. Since this
value is larger than the maximum volume space of 128 Petabytes, file sizes are limited to as
large as the file system itself. Recall that for FAT32 this limit is 4GB.

23 - E
Four regions make up the exFAT file system:

• The Main Boot Region
• The Backup Boot Region
• The FAT Region
• The Cluster Heap

The Main and Backup Boot Regions contain a Volume Boot Record (VBR).
The FAT region contains the FAT tables. There will be one FAT table in exFAT version 1.00, but
when the Transaction exFAT support is released, TexFAT will have 2 FAT tables.
The Cluster Heap is the data region and contains the directories, Allocation Bitmap, and the file
data.

Addressing outside the Cluster Heap is in sectors, but addressing inside the Cluster Heap is in
Clusters.

24 - E
This is the layout of a typical exFAT Boot sector.

The Boot regions (Main & Backup) consist of 12 sectors each, and make up the Volume Boot
Record (VBR). The first 9 sectors of the VBR contain the Main and Extended boot records. The
slide above shows part of the Main Boot Record that contains the Boot Parameter Block (BPB)
and executable boot code. The Extended Boot Records contain additional boot code for larger
programs. (Note: FAT32 uses a 3 sector VBR, that allows for the Main boot sector and one extra
sector of boot code. exFAT extends this to 1 Main boot sector and 8 extra sectors for boot code).

The cluster count contains the number of clusters in the Cluster Heap, and directory first cluster is
the cluster address of the root directory. All other address and count values in the BPB are
specified in sectors. The number of sectors and the sectors per cluster values are specified in
powers of 2. In the example above the number of bytes per sector is 9, or 2^9 = 512 bytes. The
number of sectors per cluster is 3, or 2^3 = 8 and the result is a cluster size of 4096 bytes.

A sector is reserved for OEM parameters, in which manufacturers may insert device specific
parameters. Another sector is reserved and not currently defined.

To complete the VBR the 12th sector contains a checksum of the previous 11 sectors. If the VBR
is improperly modified, such as what might happen if infected by a boot sector virus, the
checksum will not match and the modification will be detected. The Backup VBR can be used to
rebuild the Main VBR if the Main VBR is lost or damaged.
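
One way to verify the VBR checksum described above (an added example, not code from the original course notes). The rotate-and-add algorithm, the three excluded offsets (VolumeFlags at 106-107 and PercentInUse at 112) and the offset of the bytes-per-sector shift (108) are taken from Microsoft's published exFAT specification rather than from this page; the boot region is constructed sample data.

```python
import struct

# Fields that change while the volume is in use, so the specification
# leaves them out of the checksum: VolumeFlags (2 bytes) and PercentInUse.
RUNTIME_FIELDS = (106, 107, 112)


def vbr_checksum(sectors):
    """32-bit rotate-right-and-add checksum over the first 11 VBR sectors."""
    csum = 0
    for i, b in enumerate(sectors):
        if i in RUNTIME_FIELDS:
            continue
        csum = ((((csum & 1) << 31) | (csum >> 1)) + b) & 0xFFFFFFFF
    return csum


def check_boot_region(region):
    """Validate a 12-sector boot region (Main or Backup) against its 12th sector."""
    if len(region) < 512:
        raise ValueError("boot region is truncated")
    shift = region[108]                      # bytes per sector as a power of 2
    if not 9 <= shift <= 12:
        raise ValueError("bytes-per-sector shift %d is out of range" % shift)
    bps = 1 << shift
    if len(region) < 12 * bps:
        raise ValueError("boot region is truncated")
    computed = vbr_checksum(region[:11 * bps])
    # The checksum sector repeats the 4-byte value to fill the whole sector.
    stored = struct.unpack_from("<%dI" % (bps // 4), region, 11 * bps)
    return {"computed": computed, "valid": all(v == computed for v in stored)}


def build_sample_region():
    """Constructed 12-sector boot region with 512-byte sectors (sample data)."""
    bps = 512
    region = bytearray(12 * bps)
    region[0:3] = b"\xEB\x76\x90"            # jump instruction
    region[3:11] = b"EXFAT   "               # file system name
    region[108] = 9                          # 2^9 = 512 bytes per sector
    region[109] = 3                          # 2^3 = 8 sectors per cluster
    region[120:136] = bytes(range(16))       # stand-in for boot code
    region[510:512] = b"\x55\xAA"            # boot signature
    csum = vbr_checksum(region[:11 * bps])
    region[11 * bps:] = struct.pack("<I", csum) * (bps // 4)
    return bytes(region)


if __name__ == "__main__":
    good = build_sample_region()
    print("clean region valid:", check_boot_region(good)["valid"])
    tampered = bytearray(good)
    tampered[130] ^= 0xFF                    # modify one byte of boot code
    print("modified region valid:", check_boot_region(bytes(tampered))["valid"])
```

Running the same check on the Backup Boot Region shows whether it is intact before it is used to rebuild a damaged Main VBR.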

25 - E
Directories in exFAT contain 32 byte records that contain metadata used to define the components
of the file system. The specification, as released in the appendix of the Microsoft patent, calls
these records “entries”, and these slides try to adhere to the naming convention and terminology
used in the patent application. Each entry is defined by a unique one byte entry type that classifies
the entry, and also indicates if the entry is active/inactive, primary/secondary, and critical/benign.

Directory entries are classified as either critical or benign, and as either primary or secondary.
Critical entries are needed for the file system to operate, and if missing or corrupt, may prevent the
volume from being mounted. A benign entry is basically ignored by the file system and if it is
missing or corrupt, will not affect the mount. User entries may be added to the directory to extend
the functionality of the file system. Think of the implication of someone adding benign user
entries to the directory and inserting any type of user data into those entries. What data can be
hidden in the directory?

Most entries are primary entries and can stand alone. An exception is the metadata that defines
files, which requires multiple entries. In this case the group of entries makes up an entry set and
is considered an array. There is no chaining or sequence numbers. The entries of a set must be in
correct order and with no gaps. The first entry will be a primary entry, and the remainder of the set
will contain secondary entries. There is one primary and three secondary entries defined in
the specification for a file set. The primary entry is the File Entry, and the secondary entries
are: Stream Extensions Entry, File Name Extension Entry, and Windows CE Access Control
Table Entry. The latter is mentioned in the exFAT 1.00 specification, but is not
implemented. A variation is expected in a future exFAT release that will provide ACL
permissions for files, a feature that never existed in FAT before and today only exists in
NTFS (for the Microsoft desktop/server platforms).

27 - E
A subdirectory is nothing more than a file, and is treated as such.

A file is defined by an ordered and contiguous array of elements comprised of 32-byte directory
entries. This array is called a File Set, and in exFAT 1.00 will contain between 3 to 19 entries.

The first byte of the file entry is either 0x85 for an active entry or 0x05 for an inactive entry. For a
file set, if the entries are marked as inactive, then it is most likely a deleted set. A deleted set occurs
when the file is deleted, or in some cases may occur when a file is renamed and a new entry set
must be created for the file.

The file entry is classified as a primary entry type, is the first entry of a file set, and there is only
one per file set. A 1-byte field in the file entry is a count of secondary entries that follow the file
entry record. A checksum value is computed on the entire entry set, with the exception of the 2-byte
checksum value itself. If a file is deleted, the checksum is not recalculated.

The file attributes are defined in this entry, and use the same values as previous FAT file systems.
Attributes supported are read-only, system, hidden, archive, and directory. If the attribute is marked
directory, then this file set defines a subdirectory.

exFAT supports UTC timestamps. The Create and Modified timestamps have 3 fields: the
Date/Time, 10ms, and Time Zone offset. The Last Accessed timestamp has 2 fields: Date/Time and
Time Zone offset. The Date/Time timestamps use the same format as in prior FAT versions: these
are 32 bit values, with 16 bits for the date and 16 bits for the time, with an Epoch of Jan 1, 1980,
and are accurate to double seconds. The 10ms value is an additional separate number between
0-199 ms that when added to the Date/Time provides accuracy to 10 milliseconds. The
Date/Time recorded is the local time of the machine when the action is taken. The Time Zone
offset, which is a 7-bit signed number in 15 minute increments, provides the time zone set on
the local machine. With this time zone offset, the UTC time of the machine can be calculated.
In order to perform timeline analysis, it is important to know the accuracy of the timestamp,
the proper time zone offset, and the update behavior of the timestamp when the Operating
System changes them. The behavior is sometimes different than expected, and may behave
differently when updated by different Operating Systems. UTC support was available with
Win XP when the patch was first issued, but was not released for Vista/2008 until SP2 was
released. Directory entries created by Vista SP1 will have zero for each of the 3 time zone
offsets, so it may also be important to know which OS and which service levels touched the
directory entry.

29 - E
A file by the name of Coffee Bean.bmp is shown in the slide.

The count of secondary entries is 2, which means that 2 secondary entries follow and this
file set has a total of 3 entries.

The checksum is 0x45A4, and is the checksum taken over all 94 bytes of the file set (3x32 but
excludes the checksum itself).

There are three timestamps:

0x3C3CA547 Create – 01/28/2010 08:42 PM
0x31042800 Modified – 08/04/2004 05:00 AM
0x3C3CA547 Last Accessed – 01/28/2010 08:42 PM
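
Decoding the three timestamp fields, as an added example that is not part of the original course notes. The Date/Time values are the ones listed above; the 10ms value 150 and the time zone byte 0xEC are constructed inputs, and the use of bit 7 of the time zone byte as a "valid" flag comes from Microsoft's published exFAT specification rather than from this page.

```python
from datetime import datetime, timedelta, timezone


def decode_dos_datetime(value):
    """Decode the 32-bit Date/Time value (upper 16 bits date, lower 16 bits time).

    Raises ValueError if the fields do not form a real date, e.g. month 0.
    """
    date, time = value >> 16, value & 0xFFFF
    return datetime(
        1980 + (date >> 9),          # 7 bits: years since the 1980 epoch
        (date >> 5) & 0x0F,          # 4 bits: month
        date & 0x1F,                 # 5 bits: day
        time >> 11,                  # 5 bits: hour
        (time >> 5) & 0x3F,          # 6 bits: minute
        (time & 0x1F) * 2,           # 5 bits: seconds stored as double seconds
    )


def decode_utc_offset(tz_byte):
    """Return the time zone offset as a timedelta, or None if it was never set."""
    if not tz_byte & 0x80:           # valid bit clear: driver without UTC support
        return None
    quarter_hours = tz_byte & 0x7F
    if quarter_hours >= 0x40:        # 7-bit two's complement
        quarter_hours -= 0x80
    return timedelta(minutes=15 * quarter_hours)


def decode_exfat_timestamp(value, ten_ms=0, tz_byte=0):
    """Return (local, utc). utc is None when the time zone offset is not valid."""
    if not 0 <= ten_ms <= 199:
        raise ValueError("10ms field must be 0-199")
    local = decode_dos_datetime(value) + timedelta(milliseconds=10 * ten_ms)
    offset = decode_utc_offset(tz_byte)
    if offset is None:
        return local, None           # local time only; zone must come from elsewhere
    local = local.replace(tzinfo=timezone(offset))
    return local, local.astimezone(timezone.utc)


if __name__ == "__main__":
    for label, raw in (("Create", 0x3C3CA547), ("Modified", 0x31042800)):
        print(label, decode_dos_datetime(raw).isoformat())
    # Constructed example: 1.5 s of extra precision, zone set to UTC-05:00.
    local, utc = decode_exfat_timestamp(0x3C3CA547, ten_ms=150, tz_byte=0xEC)
    print(local.isoformat(), "->", utc.isoformat())
```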

30 - E
The first byte of the stream extension entry is either 0xC0 for an active entry or 0x40 for an
inactive entry.

The stream extension entry is classified as a secondary entry type, and there is only one per file
set.

For quick file lookup, a hash value of the file name is computed and stored in this record.

The length of the file name is recorded in this entry. The file name is in 16-bit Unicode format,
and is not null terminated. The maximum value for this field is 255.

The stream extension entry provides the address of the first data cluster that contains data, and
the total data length of the file. If the file length is zero, then clusters are not allocated and the
cluster address is not defined, and may be zero. The data length is stored in 8 bytes (64-bit
number) which can support a maximum file size of 16 Exabytes, but this is larger than the current
supported maximum volume size.

FAT Chain Invalid is a secondary flag that indicates whether there is a FAT chain in the FAT
table. If this value is set to 1, then the FAT is not used. This occurs when there is either no data
(data length zero) or the file is written as one complete contiguous set of clusters. When this flag
is set, any FAT entries for the allocated clusters are undefined. This is important in order to be
able to extract a file from the Cluster Heap. FAT entries from previously deleted files may exist in
the FAT and are not cleared upon deletion.

31 - E
A file by the name of Coffee Bean.bmp is shown in the slide.

The length of the file name is 0x0F = 15

The name hash is 0xC113

The address of the first cluster is: 0x000001FE = 510

The length of the file is 0x00000000000042A6 = 17,062 bytes or 17KB

32 - E
The first byte of the file name extension entry is either 0xC1 for an active entry or 0x41 for an
inactive entry.

The file name extension entry is classified as a secondary entry type, and there may be 1 to a
maximum of 17 of these entries. Each entry may contain up to 15 characters of the file name,
where each character takes up 2 bytes of the entry. All file names are 16-bit Unicode, with no
termination character. A maximum of 255 characters may be defined for the file name, requiring
17 file name extension entries for the maximum file name length. These entries are in forward
order, meaning the first 15 characters of the filename come first, the next 15 characters come
next, and so on. This is the reverse of long file name (LFN) support in FAT32, where each
segment of the filename is stored in reverse order. Support for 8.3 filenames does not exist
in exFAT.

If a file is renamed, and the length of the filename does not change, then the new filename may
be recorded in the existing file set. If the size of the new filename is longer than the existing
filename and requires additional file name extension entries, then the complete file set is deleted
(marked inactive) and a new file set is created.

33 - E
The filename is Coffee Bean.bmp, stored as 15 Unicode characters.
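
A parser for the three-entry file set described on the preceding slides, as an added example that is not part of the original course notes. Field offsets and the 16-bit checksum algorithm follow Microsoft's published exFAT specification; the sample set is constructed from the slide's values (timestamps, name length, name hash, first cluster, data length), while the attribute and flag bytes are assumptions, so its checksum differs from the 0x45A4 shown on the slide.

```python
import struct


def entry_flags(entry_type):
    """Split the one-byte entry type into its classification bits."""
    return {"active": bool(entry_type & 0x80),     # 0x85 active, 0x05 inactive
            "secondary": bool(entry_type & 0x40),  # 0xC0 and 0xC1 are secondary
            "benign": bool(entry_type & 0x20),     # clear means critical
            "code": entry_type & 0x1F}


def set_checksum(entries):
    """16-bit rotate-right-and-add over the set, skipping checksum bytes 2-3."""
    csum = 0
    for i, b in enumerate(entries):
        if i in (2, 3):
            continue
        csum = ((((csum & 1) << 15) | (csum >> 1)) + b) & 0xFFFF
    return csum


def parse_file_set(raw):
    """Parse one file set, active or inactive, that starts at raw[0]."""
    if raw[0] & 0x7F != 0x05:
        raise ValueError("first entry is not a File entry (0x85/0x05)")
    count = raw[1]
    total = 32 * (count + 1)
    if not 2 <= count <= 18 or len(raw) < total:
        raise ValueError("bad secondary count or truncated set")
    entries = bytes(raw[:total])
    stream = entries[32:64]
    if stream[0] & 0x7F != 0x40:
        raise ValueError("second entry is not a Stream Extension (0xC0/0x40)")
    name_units = b""
    for off in range(64, total, 32):               # forward order, 15 chars each
        if entries[off] & 0x7F != 0x41:
            raise ValueError("expected a File Name Extension (0xC1/0x41)")
        name_units += entries[off + 2:off + 32]
    # Deletion clears bit 7 of each type byte without recalculating the
    # checksum, so restore that bit before validating an inactive set.
    restored = bytearray(entries)
    for off in range(0, total, 32):
        restored[off] |= 0x80
    return {
        "active": entry_flags(entries[0])["active"],
        "name": name_units[:2 * stream[3]].decode("utf-16-le"),
        "name_hash": struct.unpack_from("<H", stream, 4)[0],
        # "FAT Chain Invalid" in the text; NoFatChain in the specification.
        "no_fat_chain": bool(stream[1] & 0x02),
        "first_cluster": struct.unpack_from("<I", stream, 20)[0],
        "data_length": struct.unpack_from("<Q", stream, 24)[0],
        "checksum_ok": set_checksum(restored) == struct.unpack_from("<H", entries, 2)[0],
    }


def build_sample_set():
    """Constructed set for Coffee Bean.bmp (attribute/flag bytes are assumed)."""
    file_entry = struct.pack("<BBHHHIII12x", 0x85, 2, 0, 0x0020, 0,
                             0x3C3CA547, 0x31042800, 0x3C3CA547)
    stream = struct.pack("<BBxBHxxQ4xIQ", 0xC0, 0x03, 15, 0xC113,
                         17062, 510, 17062)
    name = b"\xC1\x00" + "Coffee Bean.bmp".encode("utf-16-le")
    entries = bytearray(file_entry + stream + name)
    struct.pack_into("<H", entries, 2, set_checksum(entries))
    return bytes(entries)


def mark_inactive(entries):
    """Clear bit 7 of every entry type, as happens when the set is deleted."""
    out = bytearray(entries)
    for off in range(0, len(out), 32):
        out[off] &= 0x7F
    return bytes(out)


if __name__ == "__main__":
    print(parse_file_set(build_sample_set()))
    print(parse_file_set(mark_inactive(build_sample_set())))
```

An inactive set whose checksum still validates after the in-use bits are restored has not been partially overwritten by a newer directory entry.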

34 - E
The FAT (File Allocation Table) in the exFAT file system is not used to determine whether a
cluster is allocated or free.

A file is fragmented when its clusters are not in order, or there are gaps in the
clusters (non-contiguous). When a file is fragmented, the FAT is needed to keep track of the
locations of each cluster. The FAT chain then works the same way as in previous FAT versions. If
the storage of the file’s clusters is not fragmented, then the file can be written as one complete set
of ordered contiguous clusters, and read the same way. This makes I/O more efficient since the
FAT would not have to be referenced or manipulated.

The first 2 FAT entries are reserved. The first entry is the media descriptor. This has a value of
0xF8, and is the value for fixed disk. Other values for the media descriptor that were used for
previous FAT releases are no longer valid. The other media descriptor values were defined for
floppy disk, and exFAT cannot be used to format a floppy disk. With the first two FAT entries
being reserved, the cluster addresses start at 2, and cluster 0 and cluster 1 are not defined.

The largest valid value for a cluster address is 0xFFFFFFF6. Addresses 0, 1, and 0xFFFFFFF7-
0xFFFFFFFF may not be used for cluster addresses, and this makes up 11 reserved cluster
addresses. The maximum Cluster Heap that the FAT can support is therefore 2^32-11.

There is one FAT table in exFAT 1.00. FAT32 has 2. In future releases of exFAT, when transaction
safe exFAT (TexFAT) is introduced, there will be 2 FAT tables when TexFAT is active.

35 - E
The FAT table is stored outside of the Cluster Heap, and if there are 2 FAT tables, they are
stored one right after the other. The first FAT table is located by a sector address located in
the VBR, FAT Offset. The size of the FAT table is also located in the VBR.

36 - E
exFAT uses an Allocation Bitmap to keep track of cluster allocation status. Each 8 bit byte keeps
track of 8 clusters, and the first byte (byte 0), first bit (bit 0) of the table has the allocation status
of cluster 2. (Cluster 0 & 1 are reserved, nothing to keep track of). Numeric values in exFAT are
typically little-endian, and the bits of a byte are numbered from right (least significant) to left
(most significant).

The Allocation Bitmap resides in the Cluster Heap, and is allocated the same way as any file. It is
allocated when the file system is created, and does not need to be changed, so it is static. An entry
type 0x81 entry provides the first cluster address and length of the table. For exFAT 1.00 there is
only one Allocation Bitmap table, but for future releases of exFAT, when TexFAT is in use, there
will be two Allocation Bitmap tables, pointed to by two different 0x81 entries. A flag in the
Allocation Bitmap entry indicates which FAT table corresponds to that Allocation Bitmap.

The Allocation Bitmap only needs to be referenced when a file is written. It is not required to be
referenced when the file is read.

Since the Allocation Bitmap is a static data structure, and located in the Cluster Heap, it is stored
like a file and when large cluster sizes are used, can create a large file slack space. This may be
unique because file slack space is being created within the metadata storage.

37 - E
The exFAT file system uses a bitmap to determine the cluster allocation status. This slide shows the
allocation bitmap for the file system used for the exFAT File Set slide that was shown previously.
Remember that the address of the first cluster of Coffee Bean.bmp was 0x01FE = 510.

Two key points to remember, first: since cluster 0 & 1 are not defined, the first allocation bit is for
cluster 2, and second: bits are numbered from right to left, so bit 0 is the least significant bit, and
bit 7 is the most significant bit.

Let’s see how this works:

The first allocation byte (byte 0) is 0b00011111, i.e. bits 7-4 are zero, and bits 3-0 are one. Bit 0 is
for cluster 2, has a value of one, so cluster 2 is allocated. But bit 7 is for cluster 9, has a value of
zero, and this indicates that cluster 9 is free.

Bytes 1 thru 62 are zeroes, and are for clusters 10 thru 505, and these clusters are free.

Byte 63 is 0b11110000, i.e. bits 3-0 are for clusters 509 thru 506 and these are free, while bits 7-4
are for clusters 513-510 and these clusters are allocated.

To find out where a cluster is allocated, first find the offset into the Allocation Bitmap. Take the
cluster number, subtract 2, divide by 8, and drop any remainder.

38 - E
Once you have the offset, the remainder is the bit number of the allocation bit.

For example, cluster 510: Take (510-2)/8 and you get 63 with remainder 4. The offset is 63,
the allocation bit is bit 4.
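
The bitmap lookup above, generalized to list every allocated run and to test whether a range of clusters is still free (an added example, not part of the original course notes). The 64-byte bitmap is constructed from the byte values quoted in the text for bytes 0, 1-62 and 63; anything beyond byte 63 is not shown on the slide and is left out.

```python
def bitmap_position(cluster):
    """Return (byte offset, bit number) of a cluster's allocation bit."""
    if cluster < 2:
        raise ValueError("clusters 0 and 1 are reserved and have no bit")
    return divmod(cluster - 2, 8)


def is_allocated(bitmap, cluster):
    """True if the Allocation Bitmap marks the cluster as in use."""
    byte, bit = bitmap_position(cluster)
    if byte >= len(bitmap):
        raise ValueError("cluster %d is beyond the bitmap" % cluster)
    return bool((bitmap[byte] >> bit) & 1)      # bit 0 is the least significant


def allocated_runs(bitmap, cluster_count):
    """List (first, last) cluster ranges that are allocated."""
    if cluster_count > 8 * len(bitmap):
        raise ValueError("bitmap is too short for %d clusters" % cluster_count)
    runs, start = [], None
    last = cluster_count + 1                     # clusters are numbered from 2
    for cluster in range(2, last + 1):
        if is_allocated(bitmap, cluster):
            if start is None:
                start = cluster
        elif start is not None:
            runs.append((start, cluster - 1))
            start = None
    if start is not None:
        runs.append((start, last))
    return runs


def extent_is_free(bitmap, first_cluster, count):
    """True if none of the clusters in a contiguous extent is allocated.

    Useful for an inactive file set written without a FAT chain: if the extent
    is still free, the clusters have not been reassigned to another file.
    """
    return not any(is_allocated(bitmap, c)
                   for c in range(first_cluster, first_cluster + count))


def build_slide_bitmap():
    """Bitmap bytes as quoted in the text (constructed, 64 bytes = 512 clusters)."""
    bitmap = bytearray(64)
    bitmap[0] = 0b00011111       # byte 0 as written in the text
    bitmap[63] = 0b11110000      # clusters 510-513 allocated, 506-509 free
    return bytes(bitmap)


if __name__ == "__main__":
    bitmap = build_slide_bitmap()
    print("cluster 510 ->", bitmap_position(510), is_allocated(bitmap, 510))
    print("allocated runs:", allocated_runs(bitmap, 512))
```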

39 - E
FILENAME LAYER
In exFAT the file name is preserved, the entry is marked inactive
Note: if the file is renamed it could move the file name to a new entry in the directory. In
exFAT, a file will look deleted (inactive) if it were merely renamed

METADATA LAYER
Modification/Access/Creation Times (Preserved)
File Attributes, Size, and Starting Cluster address (Preserved)

DATA LAYER
Data clusters in Allocation Bitmap will be marked as unallocated but data will be
preserved at the original cluster locations
Slack Space will exist
