Re: [sleuthkit-users] Drive slack
Brought to you by:
carrier
From: Sergio W. <ser...@gm...> - 2013-10-22 06:52:35
|
> "which it is not the last sector used by the file" > > what did you mean here? I will try to explain it with "an image". This represents the last cluster associated with the image: CLUSTER: +--------+--------+--------+--------+ |XXX | | |S | +--------+--------+--------+--------+ sector1 sector2 sector3 sector4 The X marks are the data which is the last part of the JPG file (the image has another clusters associated), and the S si where I put the string "SLACKDRIVE". So, when I use the CCleaner, the S should be removed since it is considered as a slack drive space, however the string remains and is not overwritten. I don't understand why this happens because the sector2, sector3 and sector4 should be overwritten by the wipe algorithm. Have I missed something or am I wrong with some concept? Thank you! |