Re: [sleuthkit-users] fsstat computation method
From: Brian C. <ca...@sl...> - 2005-07-26 16:02:32
For both of these calculations, you need to use the sector count that is allocated to clusters.

* Data Area: 30016 - 61432496
** Cluster Area: 30016 - 61432479
*** Root Directory: 30016 - 30047
** Non-clustered: 61432480 - 61432496

There are 17 sectors at the end of the Data Area that are not allocated to a cluster and therefore they are not used in the calculation. So, use 61432479 instead of 61432496.

brian

On Jul 25, 2005, at 4:39 PM, youcef bichbiche wrote:

> Hi,
> does anyone know how the values shown in fsstat are
> computed for the meta-data range and the content
> cluster range?
>
> if I take the example shown in the informer #18, we
> have a FAT32 file system with sectors ranging
> from 0-61432496. the data area starts at sector 30016.
>
> according to my understanding the meta-data would be:
> 61432496-30016 = 61402480 addressable sectors
> each sector can hold 16 meta-data entries (i.e. 512/32)
> so the addressable meta-data range is: 61402480*16
> which gives me: 982439680. because TSK assumes that
> the meta-data range doesn't start from 0 but from 3
> then the result will be 982439683 which is different from
> the value given in the informer which is 982439426.
>
> the same thing for the cluster range:
> 61432496-30016 = 61402480
> 61402480/32 = 1918827.5
> why it's being rounded to 1818828 and not 1918827?
>
> My last question is just a recommendation for this
> wonderful tool. I really think that directory entry
> which contains long file name should show the sequence
> number and the checksum. this will ensure that the
> long file name and short name match up and can help to
> detect hiding data by using unconnected long file name
> entries.
>
> regards
>
> youcef
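The calculation discussed in this thread, worked through in Python as an added example (it is not code from The Sleuth Kit or from either poster). The function name `fat_ranges` is hypothetical; the 512-byte sector, 32-byte directory entry, 32 sectors per cluster and first data-area address of 3 are taken from the figures quoted in the question, and cluster numbering from 2 is the standard FAT convention.

```python
# Added example: reproduces the fsstat ranges from the layout quoted in this thread.
SECTOR_SIZE = 512       # bytes per sector (figure used in the question)
DENTRY_SIZE = 32        # bytes per FAT directory entry (figure used in the question)
FIRST_CLUSTER = 2       # FAT cluster addresses start at 2
FIRST_DATA_INODE = 3    # first data-area meta-data address, as stated in the question


def fat_ranges(data_start, last_sector, sectors_per_cluster):
    """Derive the cluster area, slack sectors and last addresses of a FAT data area.

    Only sectors that belong to a whole cluster count; trailing sectors that
    cannot fill a cluster are reported separately and excluded from both ranges.
    """
    if last_sector < data_start or sectors_per_cluster <= 0:
        raise ValueError("invalid data-area layout")

    data_sectors = last_sector - data_start + 1          # inclusive sector range
    clusters = data_sectors // sectors_per_cluster       # whole clusters only
    slack = data_sectors % sectors_per_cluster           # non-clustered tail
    cluster_sectors = clusters * sectors_per_cluster
    cluster_area_end = data_start + cluster_sectors - 1
    entries_per_sector = SECTOR_SIZE // DENTRY_SIZE       # 16 entries per sector

    return {
        "cluster_area": (data_start, cluster_area_end),
        "non_clustered": (cluster_area_end + 1, last_sector) if slack else None,
        "slack_sectors": slack,
        "last_cluster": FIRST_CLUSTER + clusters - 1,
        "last_inode": cluster_sectors * entries_per_sector + FIRST_DATA_INODE - 1,
    }


if __name__ == "__main__":
    # Layout from the thread: data area 30016 - 61432496, 32 sectors per cluster.
    for name, value in fat_ranges(30016, 61432496, 32).items():
        print(f"{name}: {value}")
```

Because the range is inclusive, the data area holds 61402481 sectors, of which 61402464 form whole clusters; that is where the 17 unused sectors and the informer's 982439426 come from.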