Analysis of U disk file system (take FAT32 as an example)
Foreword
I have prepared a USB flash drive. Here I have prepared a USB flash drive. Its system is FAT32. The capacity is 28.8G. Let's take a look at creating two files with the same content on this machine and the USB flash drive. What is the difference? 
We found that these two same files are 9B even if they are the same size, but they occupy different bytes. Why?
This is because the file storage is based on clusters. The clusters in the file system of the two disks are not the same size, and the text file needs to occupy at least one cluster. The other cluster of the U disk where test2 is located is 16 bytes.
The concept of file system cluster:
When writing a file to the disk, the operating system often distributes the file on the discontinuous segment space according to the free cluster in the disk to form a chain storage structure, and divides the segment between segments The connection information is saved in FAT, so that when the operating system reads the file, it can accurately find the location of each segment and read it correctly.
Analysis of U disk file system
- Find a USB drive and open the USB drive in winhex
- It is recommended to find a U disk with a smaller capacity. Please back up the U disk data before doing the experiment
to supplement the knowledge of the operating system boot sector:
OBR (OS Boot Record, operating system boot directory) is usually located in each partition ( The first sector of the partition is a location directly accessible by the operating system and is generated by the advanced formatter. OBR usually includes a boot program and a partition parameter record table called BPB parameter block. The parameters vary according to the partition size and the type of operating system.
The main function of the boot program is to determine whether the first two files in the root directory of this area are the boot files of the operating system. If so, read the first file into memory and give control to the file. The BPB parameter block records important parameters such as the start sector, end sector, file storage format, hard disk media descriptor, root directory size, FAT number, and allocation unit (also called cluster) size of the partition.
The following figure is a BPB table, offset represents the offset, each value represents a different meaning:
FAT32 file system is composed of DBR and its reserved sectors, FAT1, FAT2 and DATA area four parts.
The FAT32 file system is roughly divided into four blocks. The first block is DBR (that is, a boot sector) and its reserved sectors. DBR is also a boot sector. It occupies one sector, but it will be behind him. There is a reserved part. The reserved part may have some parameters to be done in the future. Its length is specified in BPB. The second part is two FAT tables. The last area is called the data area (DATA), which is divided into the root directory, subdirectories, and file area.
Next, open winhex and use winhex to open the U disk:
Click on the partition 1 above. As shown in the figure below, the first sector of this partition 1 is on the 8046 sector, which is where the DBR is located. The
beginning is EB 58, and the meaning of EB is quite For jump (skip, jump), EB 58 means to jump 58 bytes from the current position and jump there, that is, 33 C9 part, then go to execute his boot program part, followed by U disk boot program, and the front part (from 58 to 33 C9 before) is the BPB table, we click View-> Template Manager, and double-click to select Boot Sector FAT32, you can view the content information of the BPB table:
start Those three instructions are jump instructions, which do not belong to the FAT table. From offset 4128768 to 4128778 (ie 4D 53 44 4F 53 35 2E 30), this part (OEM) is the so-called manufacturer logo, which is the U disk What kind of system is used to format it; the next Bytes per sector at offset 4128779 ~ 4128780 represents how big each sector is, that is, 512B (02 00 hex (little endian)); Next offsets 4128781 to 41 The two bits 28782 represent how many sectors each cluster has, that is, 32 (hex 20). The following parameters are all obtained in this way. These parameters have a total offset of 4192278. This is the 55 AA.
Next, note the number:
each sector: 512B
each cluster has 32 sectors
Reserved sector (Reserved sector): 3230 sectors
Number of FATS (FAT table number): 2
(FAT table Length) Sector per FAT: 14769 sectors
Root dir 1st cluster (the cluster number at the beginning of the root directory): cluster 2
It can be calculated that
a cluster is 32x512B = 16384B the
current DBR sector number (8046) + reserved sector number (3230) = 11276, this sector number is the location of our FAT1, we jumped over to take a look:
because our FAT table is 14769 sectors, so we, FAT1 sector number (11276) + one sector length (14769) = 26045 is the starting sector number of the second FAT, we jumped in and found that it is the same as FAT1,
we skip in the future The length of FAT2, 26045 + FAT length (14769) = 40814, it is to the beginning of the 
data area. Isn't the data area divided into three parts? This is where the root directory is located. The cluster number where the root directory is located is in cluster 2. (I said before).
Now we format the U disk. Let's see what the three areas look like after formatting.
Format ...
well.
After opening, the partition 1 will not change (that is, the DBR), and
its various parameters will not change. Jump to FAT1 and 
found that it is a bit different, there is more than one line less than the FAT1 just now. One line is 16 bytes, only the first 12 of the first line have something, and the following are all 0, the same as FAT2. But when I jumped to the data area, I found something. As shown in the figure below, I created a txt file content abcdefg in the U disk, but the root directory became 0, 
which means that after the disk was formatted, the data area was still there. The previous contents of the directory are gone, which means that the data can be recovered. Even if you format it, you can recover it as long as the data area is still there.
But why can't the computer see them? Because the data deletion only "tears off" the directory, and the data is still there.
We have newly created a new.txt file on the U disk with the content 1234567890. Refresh winhex, jump to FAT table 1, and find that FAT1 has multiple 
FF FF FF 0F. Let's
take a look at the structure of the FAT table. It is
found that each entry in the FAT table occupies 4 bytes, that is, 4x8b = 32b. So he called FAT32.
Note: Each entry corresponds to a cluster. That is to say, the No. 2 entry is reserved for the root directory, so the root directory is in the No. 2 cluster. An FFFFFF0F is called an end tag, indicating that the files in this cluster have been completed, that is, this cluster is finished, and the end, the files in the subsequent clusters have nothing to do with my cluster. The whole 0,0 at the back represents a blank cluster, and it has not been divided. As long as a file comes, I can find such a cluster for you to use (for example, I just created a new file. If the file system is small, he will be assigned a cluster, and cluster 3 will be assigned to him, and marked with a deletion mark).
Next, we store a relatively large file in the USB flash drive on the network, refresh winhex, and jump to FAT1: It is
found that this file is not allocated from the 5th entry, but is allocated from 17 00 00 00 (chain storage), The entire file is not completed until the following end tag FF FF FF 0F, a total of 25 clusters are occupied, and the file size can be calculated: 25x16384B = 409600B.
In the figure, you can find the regularity 17 00 00 00—> 18 00 00 00—> 19 00 00 00. Each cluster stores the cluster number of the next cluster, just like the pointer.
Next, jump to the root directory to see: the
root directory records how many files or folders are in the U disk, as shown in the figure is the items registered in the root directory. For example, the previous new.txt and
directory are divided into short file names and long file names.
Short file name:
takes two lines (such as the file name of the new.txt above), a total of 32 bytes. We click View-> Template Manager, and double-click to select FAT Directory Entry to view the content information of this short file name:
analysis:
