Wednesday, January 5, 2011

Xbox 360 Forensics: Part 2

A bit of a detour from my story, but I thought it would be good to talk briefly about the Xbox 360 file system. The file system is called FATX, or sometimes XTAF. As the name suggests it is a descendant of the venerable File Allocation Table (FAT) file system that has been used by DOS-based operating systems since the early 1980s. FATX removes some legacy support and mandates certain values that were previously optional. FATX is also the file system used by the original Xbox. The only difference between the original Xbox and 360 file systems is that, because of the change in processor architecture (x86 on the original Xbox, PowerPC on the 360), Microsoft elected to store multi-byte numbers in big endian order on the 360. That is why the 360 variant is sometimes called XTAF: the same four-byte 'FATX' magic value, written big endian, appears on disk as the bytes 'XTAF'.

Quick refresher: what do we mean by big endian? Computers store data as a sequence of zero and one bits, usually in groups of 8 bits (a byte), with the rightmost bit being the least significant. Numbers are stored this way with each bit representing a power of 2. For example 00010000 represents the number 16, since the 5th least significant bit is set (2^4 = 16). Easy enough, except that with 8 bits the largest number you can represent is 255 (2^7 + 2^6 + 2^5 + 2^4 + 2^3 + 2^2 + 2^1 + 2^0 = 255). The way to represent larger numbers is to use more bytes; unfortunately there is no single convention for the order in which those bytes are stored. The two options are big endian and little endian, which differ in which end the least significant byte sits at. For example the 16 bit value stored as the bytes 00000001 00000000 represents the number 1 on a little endian system (least significant byte first) and 256 on a big endian system (most significant byte first). Most personal computers - all Intel and AMD processors, including recent Apple computers - are little endian, but there is a significant minority of devices that are big endian, including the Xbox 360 and older PowerPC Macs.
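To make the endianness point concrete, here is a small added example (not code from the original post or from any of the FATX tools mentioned) that decodes the same bytes under both conventions and shows why the big endian 'FATX' magic reads as 'XTAF'. The superblock field layout used (magic, volume id, sectors per cluster, root cluster) and the sample header bytes are constructed for illustration; they are assumptions, not something taken from a real console image.

```python
import struct

# Numeric value of the ASCII magic "FATX" when read as a little-endian 32-bit
# integer: 'F'=0x46, 'A'=0x41, 'T'=0x54, 'X'=0x58.  Writing the same number in
# big endian order produces the bytes "XTAF", which is the 360 on-disk signature.
FATX_MAGIC = 0x58544146

# Assumed illustrative superblock layout: four 32-bit unsigned fields, magic first.
HEADER_FIELDS = ("magic", "volume_id", "sectors_per_cluster", "root_cluster")


def decode_uint(raw: bytes, byteorder: str) -> int:
    """Interpret raw bytes as an unsigned integer under 'little' or 'big' order."""
    return int.from_bytes(raw, byteorder)


def parse_header(raw: bytes, byteorder: str) -> dict:
    """Unpack the first 16 bytes of a superblock under the requested byte order."""
    fmt = ("<" if byteorder == "little" else ">") + "4I"
    return dict(zip(HEADER_FIELDS, struct.unpack(fmt, raw[:16])))


def detect_byteorder(raw: bytes) -> str:
    """Try both byte orders and return the one under which the magic matches.

    An original Xbox partition decodes correctly as little endian, an Xbox 360
    partition as big endian; anything else is not a FATX/XTAF superblock.
    """
    for order in ("little", "big"):
        if parse_header(raw, order)["magic"] == FATX_MAGIC:
            return order
    raise ValueError("not a FATX/XTAF superblock")


# Constructed sample headers (not captured from real hardware): identical field
# values, differing only in the byte order they are written in.
XBOX_HEADER = struct.pack("<4I", FATX_MAGIC, 0x1234ABCD, 32, 1)
XBOX360_HEADER = struct.pack(">4I", FATX_MAGIC, 0x1234ABCD, 32, 1)


if __name__ == "__main__":
    # The two-byte example from the text: 00000001 00000000.
    print(decode_uint(b"\x01\x00", "little"), decode_uint(b"\x01\x00", "big"))
    print(XBOX_HEADER[:4], XBOX360_HEADER[:4])
    for name, hdr in (("Xbox", XBOX_HEADER), ("Xbox 360", XBOX360_HEADER)):
        order = detect_byteorder(hdr)
        print(name, order, parse_header(hdr, order))
    # Reading a 360 header with an original-Xbox (little endian) driver garbles
    # every field: sectors-per-cluster 32 becomes 0x20000000.
    print(hex(parse_header(XBOX360_HEADER, "little")["sectors_per_cluster"]))
```

The last line is the practical reason the two consoles need different drivers: the structures are the same, but a little endian FAT driver pointed at a 360 partition decodes every multi-byte field as a different (and usually absurd) number.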

This means that even though the Xbox and Xbox 360 use the same file system, you need a different file system driver to interpret each of them. There are some other quirks to FATX too, such as the absence of the '.' and '..' directory entries, so a driver cannot ascend to a parent directory without remembering what it is called; that also requires changes to existing FAT drivers. There are a variety of tools available to process FATX drives, including the popular Xplorer360, which provides an FTP-style interface to the drive for Windows users; the utilitarian uxtaf.c, which gives the Unix user a custom shell that can access a FATX partition; and x360, which uses FUSE to mount a FATX partition on your computer so that you can access it the same way you access any other file on your system. After a bit of reading I decided that x360 was the best choice for me, and that's what I started using to look at these file systems, but as I hinted in my previous post it didn't go quite to plan.

As an aside, it would be remiss of me to fail to mention the which taught me almost everything that I know about FATX.

1 comment:

  1. That was an illuminating read, I didn't know about big/little endians! At first I thought big endian was a Gibson reference :P