Wednesday, January 5, 2011
Xbox 360 Forensics: Part 2
Quick refresher: what do we mean by big endian? Computers store data as a sequence of zero and one bits, usually in groups of 8 bits (a byte), with the rightmost bit being the least significant. Numbers are stored this way with each bit representing a power of 2. For example, 00010000 represents the number 16, since the 5th least significant bit is turned on (2^4 = 16). Easy enough, except that with 8 bits the largest number you can represent is 255 (2^7 + 2^6 + 2^5 + 2^4 + 2^3 + 2^2 + 2^1 + 2^0 = 255). The way to represent larger numbers is to add more bytes; unfortunately, there isn't a single standard for how to represent these numbers. The two options are big endian and little endian, which differ in which side the least significant byte is on. For example, the 16 bit number 00000001 00000000 could represent the number 1 in a little endian system and 256 in a big endian system. Most personal computers - all Intel and AMD processors including recent Apple computers - are little endian, but there is a significant minority of devices that are big endian, including the Xbox 360 and older Macs.
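As an added example (not from the original post or from any of the tools it mentions), the Python below decodes the same bytes both ways and then guesses which byte order a table of small index values was written in, the kind of sanity check an examiner can run on an unknown image. The table contents, the `max_value` bound and the function names are assumptions made for illustration, not the real FATX on-disk layout.

```python
import struct

_FMT = {2: "H", 4: "I"}  # unsigned 16-bit and 32-bit fields


def decode_table(raw: bytes, order: str, width: int = 4) -> list:
    """Decode consecutive unsigned integers; order is '>' (big) or '<' (little)."""
    if width not in _FMT:
        raise ValueError("width must be 2 or 4")
    if len(raw) == 0 or len(raw) % width:
        raise ValueError("table must be a non-empty multiple of the field width")
    return list(struct.unpack(f"{order}{len(raw) // width}{_FMT[width]}", raw))


def plausible_fraction(values, max_value: int) -> float:
    """Share of decoded values that fit the expected range (e.g. a cluster count)."""
    return sum(v <= max_value for v in values) / len(values)


def guess_byte_order(raw: bytes, max_value: int, width: int = 4) -> str:
    """Return 'big', 'little' or 'ambiguous' for a table of small indices."""
    big = plausible_fraction(decode_table(raw, ">", width), max_value)
    little = plausible_fraction(decode_table(raw, "<", width), max_value)
    if big == little:
        return "ambiguous"  # e.g. all-zero or byte-symmetric data
    return "big" if big > little else "little"


# Constructed sample data: the same eight index values written both ways.
INDEXES = [2, 3, 4, 5, 6, 7, 8, 9]
BE_TABLE = struct.pack(">8I", *INDEXES)
LE_TABLE = struct.pack("<8I", *INDEXES)

if __name__ == "__main__":
    # The 16 bit example from the text: bytes 00000001 00000000.
    print(decode_table(b"\x01\x00", "<", 2), decode_table(b"\x01\x00", ">", 2))
    for name, table in (("BE_TABLE", BE_TABLE), ("LE_TABLE", LE_TABLE), ("zeros", bytes(16))):
        print(name, guess_byte_order(table, max_value=1000))
```

A wrong guess shows up as index values far larger than the volume could hold, which is why the bound matters more than the exact threshold.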
This means that even though the Xbox and Xbox 360 use the same file system, you require a different file system driver to interpret them. There are some other quirks to FATX too, such as the absence of the '.' and '..' directory entries, so that you can't ascend to a parent directory without remembering what it's called; these also require some changes to existing FAT drivers. There are a variety of tools available to process FATX drives, including the popular Xplorer360, which provides an FTP style interface to the drive for Windows users; the utilitarian uxtaf.c, which gives the unix user a custom shell that can access a FATX partition; and x360, which uses FUSE to mount a FATX partition on your computer so that you can access it the same way you can access any file on your system. After a bit of reading I decided that x360 was the best choice for me, and that's what I started using to look at these file systems, but as I hinted in my previous post it didn't go quite to plan.
As an aside, it would be remiss of me to fail to mention Free60.org, which taught me almost everything that I know about FATX.