exFAT: valid data length is ignored

[msuhanov]

Hello.

According to the exFAT specification, the valid data length field is used to define which data in the stream is uninitialized.

Currently, bytes beyond the valid data length are reported as file data (by The Sleuth Kit). This is incorrect, technically such bytes belong to the slack.

This also leads to unexpected results — a file exported using The Sleuth Kit has different data compared to the same file exported using Windows (because Windows reports such uninitialized data as null bytes).

Here is an example:

$ icat -V
The Sleuth Kit ver 4.11.1

$ icat exfat_allocation.raw 2058 | hexdump -C
00000000  50 54 52 4e 50 54 52 4e  50 54 52 4e 50 54 52 4e  |PTRNPTRNPTRNPTRN|
*
08000000

A corresponding directory entry set is:

002100e0  85 02 e8 af 20 00 00 00  60 68 3a 54 60 68 3a 54  |.... ...`h:T`h:T|
002100f0  60 68 3a 54 53 53 8c 8c  8c 00 00 00 00 00 00 00  |`h:TSS..........|
00210100  c0 03 00 08 62 c3 00 00  00 00 00 00 00 00 00 00  |....b...........|
00210110  00 00 00 00 08 00 00 00  00 00 00 08 00 00 00 00  |................|
00210120  c1 00 74 00 65 00 73 00  74 00 2e 00 62 00 69 00  |..t.e.s.t...b.i.|
00210130  6e 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |n...............|

ValidDataLength is 0, DataLength is 0x08000000. So, this file actually contains null bytes, not the "PTRN" pattern.