Friday, March 22, 2013

Script for FAT Root Directory Parsing

So I recently finished a class at Champlain College entitled Scripting for Digital Forensics.  This class was quite simply a boot camp for learning Python.  We started with basic operators and moved quickly through the eight weeks to eventually being able to write scripts that would be useful for the forensic workplace.

I decided to write my script on parsing a FAT root directory.  At the time of choosing what to do, I was enrolled in another class focusing on file system forensics and we were doing in-depth analysis of the FAT file system.  It quickly turned into a no-brainer as to what would be a useful and fun script for me to write.

A quick how-to for using the script:

With a FAT file system, navigate to the root directory using WinHex or a similar hex editing tool.  Copy the entirety of the root directory and place it into a new file.  Do a quick edit of the script and change the following sections:

These sections just need to be changed to reflect the path of the root directory file that was created, and then the output path that the user desires.  The third path that needs to be changed allows the script to open the output file in Notepad automatically.

All that being said, here is the script!

1 comment:

  1. Nice script!

    One fix, you need to shift the high word of the starting cluster up 16 bits before adding the low word.
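The following is an added example, not the script from the original post: a minimal Python parser for the 32-byte short (8.3) entries of a carved root directory file, including the starting-cluster calculation the comment describes. The function names, the returned dictionary keys and the sample bytes are assumptions made for illustration.

```python
import struct
from datetime import datetime

ENTRY_SIZE = 32

def fat_datetime(date, time):
    """Decode packed FAT date/time words; None if the fields are invalid."""
    try:
        return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    except ValueError:
        return None

def parse_root_directory(data):
    """Return one dict per short (8.3) entry in a carved root directory."""
    entries = []
    for off in range(0, len(data) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = data[off:off + ENTRY_SIZE]
        if raw[0] == 0x00:            # 0x00 marks the end of the directory
            break
        attr = raw[11]
        if attr & 0x3F == 0x0F:       # long-file-name entry, not an 8.3 record
            continue
        deleted = raw[0] == 0xE5      # 0xE5 marks a deleted entry
        base = (b"?" + raw[1:8]) if deleted else raw[0:8]
        name = base.rstrip(b" ").decode("cp437")
        ext = raw[8:11].rstrip(b" ").decode("cp437")
        # Offsets 20..31, little-endian: cluster high, time, date, cluster low, size.
        hi, wtime, wdate, lo, size = struct.unpack_from("<HHHHI", raw, 20)
        entries.append({
            "name": name + ("." + ext if ext else ""),
            "deleted": deleted,
            # High word shifted up 16 bits; reserved (normally 0) on FAT12/16.
            "start_cluster": (hi << 16) | lo,
            "modified": fat_datetime(wdate, wtime),
            "size": size,
        })
    return entries

def _entry(name, attr, hi, wtime, wdate, lo, size):  # builds constructed sample data
    return struct.pack("<11sB8xHHHHI", name, attr, hi, wtime, wdate, lo, size)

# Constructed sample (not from a real image): LFN slot, live file, deleted file, end marker.
SAMPLE = (_entry(b"A" + b"\x00" * 10, 0x0F, 0, 0, 0, 0, 0)
          + _entry(b"REPORT  TXT", 0x20, 0x0001, 21440, 17014, 0x0002, 1234)
          + _entry(b"\xe5ECRET  DOC", 0x20, 0, 21440, 17014, 0x0005, 10)
          + bytes(ENTRY_SIZE))
```

For the live file in the sample, adding the two words without the shift would give cluster 3 instead of 65538, which is the kind of error that sends an examiner to the wrong data area.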