Overview of fcopy

1
Overview of fcopy

• Presented by Kris Urrutia
• fcopy tool written by Kris Urrutia

2
What is fcopy?

• A forensic-safe copy utility.
• Creates a perfect facsimile of the input file.
• Compatible with FAT12 and FAT16.
• Easily extendible to FAT32.

3
What is fcopy? (cont)

• Based on fudir, a directory listing tool written
  by Kris Urrutia and Matthew Kwok.

4
How does it work?

• Identifies the location of the file specified by
  the user.
• Finds the directory entry associated with the
  file.
• Determines the starting cluster of the file from
  this directory entry.

5
How does it work?

• Uses the FAT table to find the files linking
  clusters.
• Read the sectors for all of the files clusters
  and places the contents into a new file.
• Stop reading the FAT when ltEOFgt marker is found
• The cluster associated with this entry is the
  last cluster of the file.

6
How does it work?

• Save the copied file.
• Set the directory entry of the copied file to the
  directory entry of the original file.
• Except for the bytes at offset 26 and 27, which
  contain starting cluster info.

7
Future Enhancements

• Support for Long File Names
• Slightly difficult to incorporate.
• Support for new files systems
• FAT32, NTFS, ext2, etc.
• Multi-file copying.