
#94 fsstat. Adding some calculations to output.

open
nobody
5
2014-07-24
2014-07-24
Edward
No

There are some calculations missing that can be obtained relatively easily but that would speed up obtaining all the information that is needed in some cases.

In the case of FAT and NTFS images, I believe fsstat would benefit from adding the following:

  • NTFS (calculating Sectors in a Cluster)
  • NTFS (calculating Sector MFT starts at)

FAT systems

  • The basic algorithm for calculating the sector address of cluster C is:
    (C – 2) * (# of sectors per cluster) + (sector of cluster 2)
  • To reverse the process and translate a sector S to a cluster, the following is used:
    ( (S – sector of cluster 2) / (# of sectors per cluster) ) + 2

Chapter 9, FAT Concepts and Analysis.
File System Analysis by Brian Carrier (Sleuth Kit Developer)
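
The conversions requested above, as an added example that is not part of the original ticket or of Sleuth Kit's code. It reads the values from a boot sector rather than from fsstat output; the boot sectors are constructed samples, the function names are hypothetical, and the NTFS sectors-per-cluster byte is assumed to hold a plain count.

```python
import struct

def sample(fields):
    """Build a constructed 512-byte boot sector from (offset, format, value) triples."""
    bs = bytearray(512)
    for off, fmt, val in fields:
        struct.pack_into(fmt, bs, off, val)
    return bytes(bs)

# Constructed sample values, not taken from a real image.
SAMPLE_FAT16 = sample([(11, "<H", 512), (13, "<B", 4), (14, "<H", 1),
                       (16, "<B", 2), (17, "<H", 512), (22, "<H", 32)])
SAMPLE_NTFS = sample([(3, "<8s", b"NTFS    "), (11, "<H", 512),
                      (13, "<B", 8), (48, "<Q", 786432)])

def fat_layout(bs):
    """Return sectors per cluster and the sector where cluster 2 starts."""
    bps, spc, reserved, nfats, root_ents = struct.unpack_from("<HBHBH", bs, 11)
    # FAT32 stores 0 in the 16-bit FAT size field and uses the 32-bit one.
    fat_size = struct.unpack_from("<H", bs, 22)[0] or struct.unpack_from("<I", bs, 36)[0]
    root_secs = (root_ents * 32 + bps - 1) // bps  # 0 on FAT32
    return {"spc": spc, "cluster2": reserved + nfats * fat_size + root_secs}

def cluster_to_sector(c, lay):
    if c < 2:
        raise ValueError("FAT cluster addresses start at 2")
    return (c - 2) * lay["spc"] + lay["cluster2"]

def sector_to_cluster(s, lay):
    if s < lay["cluster2"]:
        raise ValueError("sector lies before cluster 2, so it has no cluster address")
    return (s - lay["cluster2"]) // lay["spc"] + 2

def ntfs_layout(bs):
    """Return sectors per cluster and the sector where the MFT starts."""
    if bs[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    spc = bs[13]  # assumption: the byte is a plain sector count
    mft_cluster = struct.unpack_from("<Q", bs, 48)[0]
    return {"spc": spc, "mft_sector": mft_cluster * spc}

if __name__ == "__main__":
    fat = fat_layout(SAMPLE_FAT16)
    print("FAT cluster 2 at sector", fat["cluster2"])
    print("cluster 10 -> sector", cluster_to_sector(10, fat))
    print("sector 131 -> cluster", sector_to_cluster(131, fat))
    print("NTFS:", ntfs_layout(SAMPLE_NTFS))
```

Sectors in the reserved area, the FATs and the FAT12/16 root directory have no cluster address, which is why the reverse conversion rejects them instead of returning a value below 2.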
