[sleuthkit-users] fsstat computation method
Brought to you by:
carrier
Menu
▾
▴
[sleuthkit-users] fsstat computation method
|
From: youcef b. <ybi...@ya...> - 2005-07-25 21:39:17
|
Hi, does anyone know how the values shown in fsstat are computed for the meta-data range and the content cluster range? if I take the example shown in the informer #18, we have a FAT32 file system with with sectors ranging from 0-61432496. the data area start at 30016 sector. according to my understanding the meta-data would be: 61432496-30016 = 61402480 addreesable sectors each sector can hold 16 meta-data entry (i.e. 512/32) so the addressable mata-data range is: 61402480*16 which gives me: 982439680. because TSK assumes that the meta-data range doesnt start from 0 but from 3 then the result will be 982439683 which different from the value given in the informer which is 982439426. the same thing for the cluster range: 61432496-30016 = 61402480 61402480/32 = 1918827.5 why it's being rounded to 1818828 and not 1918827? My last question is just a recommnedation for this wonderful tool. I really think that directory entry which contains long file name should show the sequence number and the checksum. this will ensure that the long file name and short name match up and can help to detect hiding data by using unconnected long file name entries. regards youcef ___________________________________________________________ Yahoo! Messenger - NEW crystal clear PC to PC calling worldwide with voicemail http://uk.messenger.yahoo.com |
