MFTEntryCarver: Carve files for MFT entries (e.g. blkls output or memory dumps)

MFTEntryCarver: Carve files for MFT entries (e.g. blkls output or memory dumps). Recovers filenames (long & short), timestamps ($STD & $FN) and data if resident. It will also parse half-broken entries as long as at least one $FN entry is OK. There is a more detailed description of how and why I wrote that and how you can use it on my blog (https://www.cyberfox.blog/carving-mft-mftentrycarver-py/). I’m not really a developer but just a DFIR guy. So please excuse the spaghetti code.

https://www.cyberfox.blog/carving-mft-mftentrycarver-py/

https://github.com/cyb3rfox/MFTEntryCarver/
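The carving approach the post describes (find the FILE signature, walk the attributes, keep the entry when at least one $FN parses even if $STD is damaged), as an added Python example; this is not MFTEntryCarver's code. The offsets follow the NTFS on-disk record and attribute layout, and the records it runs on are constructed by the make_record helper, not taken from a real volume.

```python
import re, struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch; values are 100 ns ticks
STD_INFO, FILE_NAME, END = 0x10, 0x30, 0xFFFFFFFF  # NTFS attribute type codes / end marker

def filetime(b):
    return EPOCH + timedelta(microseconds=struct.unpack("<Q", b)[0] // 10)

def parse_record(rec):
    """Walk resident attributes; returns ($STD timestamps, [(name, namespace, $FN timestamps)])."""
    std, names = None, []
    off = struct.unpack_from("<H", rec, 20)[0]       # offset of the first attribute
    while off + 24 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END or alen < 24 or off + alen > len(rec):
            break                                    # end marker or damaged header: keep what we have
        if rec[off + 8] == 0:                        # resident attribute: value follows the header
            vlen, voff = struct.unpack_from("<IH", rec, off + 16)
            val = rec[off + voff:off + voff + vlen]
            if atype == STD_INFO and len(val) >= 32:
                std = tuple(filetime(val[i:i + 8]) for i in range(0, 32, 8))
            elif atype == FILE_NAME and len(val) > 65 and len(val) >= 66 + 2 * val[64]:
                name = val[66:66 + 2 * val[64]].decode("utf-16-le", "replace")
                names.append((name, val[65], tuple(filetime(val[i:i + 8]) for i in range(8, 40, 8))))
        off += alen
    return std, names

def carve(data, rec_size=1024):
    """(offset, std, names) for every 'FILE' signature that still yields at least one $FN."""
    hits = []
    for m in re.finditer(b"FILE", data):
        rec = data[m.start():m.start() + rec_size]
        std, names = parse_record(rec) if len(rec) == rec_size else (None, [])
        if names:                                    # no usable $FN: treat the hit as noise
            hits.append((m.start(), std, names))
    return hits

def make_record(name, t=132000000000000000, damaged=False):
    """Constructed sample record (not from a real volume): header, resident $STD, resident $FN."""
    def attr(atype, val):                            # resident attribute header + 8-byte-aligned value
        alen = (24 + len(val) + 7) & ~7
        return struct.pack("<IIBBHHHIHBB", atype, alen, 0, 0, 0, 0, 0, len(val), 24, 0, 0) + val.ljust(alen - 24, b"\0")
    std = attr(STD_INFO, struct.pack("<4Q", t, t, t, t) + bytes(16))
    fn = attr(FILE_NAME, struct.pack("<5Q2Q2IBB", 5, t, t + 10**7, t, t, 0, 0, 0, 0, len(name), 3) + name.encode("utf-16-le"))
    if damaged:                                      # truncate $STD's value length: "half broken", $FN intact
        std = std[:16] + struct.pack("<I", 8) + std[20:]
    body = std + fn + struct.pack("<I", END)
    hdr = b"FILE" + struct.pack("<HHQHHHHII", 48, 3, 0, 1, 1, 56, 1, 56 + len(body), 1024)
    return (hdr.ljust(56, b"\0") + body).ljust(1024, b"\0")
```

The example does not undo the NTFS update sequence (fixup) bytes at the last two bytes of each 512-byte sector of a record; a carver used on real blkls output must restore those before trusting any attribute that straddles a sector boundary.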

Forensic info on exFAT timestamps: first of a series of blog posts

https://blog.1234n6.com/2018/07/exfat-timestamps-exfat-primer-and-my.html?spref=tw

FAT-EFI: FAT EFI loader plugin for Hopper Disassembler

This project is a FAT EFI loader plugin for Hopper Disassembler. Apple uses an extension to the standard PE format for EFI binaries to allow FAT EFI binaries that contain both 32- and 64-bit executables. It is very similar to the FAT format, except for a different magic number and for little endianness. This plugin allows reading these FAT EFI binaries with Hopper Disassembler.[…]

https://github.com/pascalwerz/FAT-EFI

https://www.hopperapp.com/

Similar: https://github.com/0xc010d/EFIFatBinary.hopperLoader

Microsoft relicensed EDK2 FatPkg to BSD!!

Laszlo Ersek of Red Hat has updated the EDK2’s FatPkg to use the BSD license!

“This is huge. It will enable Fedora to ship OvmfPkg and ArmVirtPkg builds. It will enable RHEL to ship OVMF in Main. Of course other GNU/Linux distros will benefit similarly.”

I rarely say this as much as I’d like to, but: “Great job Microsoft!”

http://thread.gmane.org/gmane.comp.bios.edk2.devel/9930/focus=9956

Intel EFI Disk Utilities

Intel has a set of disk utilities for creating/checking GPT partitions and FAT file systems. They aren’t included in TianoCore’s EDK2 with the other BSD-licensed UEFI Shell commands. These tools ship separately, with a separate license, presumably due to the tools’ knowledge of the FAT file system format. Here’s a brief description of the tools, as excerpted from the download license:

Microsoft EFI Utilities: The term “Microsoft EFI Utilities” shall mean the Guided Partition Table utilities Diskpart (Disk partitioning utility), Efifmt (EFI Format utility) and Efichk (EFI Check Disk utility) stored in a file named GPT_UTIL.zip.

To get the tools, you have to agree to the license on this page; if you do, you can download a zip. Then you have to read the readme in that zip to get the password for the other included zip, which contains the actual tools. Lawyer-designed.

http://www.intel.com/technology/efi/agree_diskutil.htm

The tools come with source, not just binaries. They didn’t compile for me this morning; I think they require a much older EDK2 environment to build. But at least they ship with source, though it is not BSD-licensed Open Source. The tools are old enough that they still use “EFI”, not the newer “UEFI” term.

I wish Intel could donate these tools to the UEFI Forum, so that Intel- *AND* ARM-based users could benefit. TianoCore already has a FAT license for its file system driver. Adding these tools to that package would eliminate one FAT-centric license, and bundle FAT-centric tools along with the FAT-centric file system driver. It would be nice for TianoCore to be able to fix/create ESPs, not just run from ESPs created elsewhere. Perhaps the Disk Util common code could be used for other UEFI-based file system diagnostic tools for file systems that UEFI ships, e.g. UFS, maybe UDF.