Re: [sleuthkit-users] USB flash disk and TSK

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Wrt your question about the number of clusters...your
calculation is based on 4 bytes being used per
cluster.
This is a FAT16 file system so only 2 bytes will be
used per cluster. I believe the correct calculation is
number of FAT sectors * bytes per sector / number of
bytes per cluster i.e. (247 * 512) / 2 = 63232.

HTH

Eamonn

--- youcef bichbiche <ybi...@ya...> wrote:

> Hi,
> 
> I have a 128 MB USB flash disk which I imaged using
> the dd tool.
> 
> the mmls command on the image is giving me this
> output:
> 
>      Slot    Start        End          Length      
> Description
> 00:  -----   0000000000   0000000000   0000000001  
> Primary Table (#0)
> 01:  -----   0000000001   0000000031   0000000031  
> Unallocated
> 02:  00:00   0000000032   0000252927   0000252896  
> DOS FAT16 (0x06)
> 
> the fssat is giving me this output:
> 
> File System Type: FAT16 
> 
> OEM Name: MSDOS5.0 
> Volume ID: 0x1c52e261 
> Volume Label (Boot Sector): NO NAME 
> Volume Label (Root Directory): FORENSIC 
> File System Type Label: FAT16 
> 
> Sectors before file system: 32 
> 
> File System Layout (in sectors) 
> Total Range: 0 - 252895 
> * Reserved: 0 - 0 
> ** Boot Sector: 0 
> * FAT 0: 1 - 247 
> * FAT 1: 248 - 494 
> * Data Area: 495 - 252895 
> ** Root Directory: 495 - 526 
> ** Cluster Area: 527 - 252894 
> ** Non-clustered: 252895 - 252895 
> 
> 
> 
> 
>
--------------------------------------------------------------------------------
> METADATA INFORMATION 
> Range: 2 - 4037890 
> Root Directory: 2 
> 
> 
> 
> 
>
--------------------------------------------------------------------------------
> CONTENT INFORMATION 
> Sector Size: 512 
> Cluster Size: 2048 
> Total Cluster Range: 2 - 63093 
> 
> 
> - what puzzles me about the mmls output is that
> adding
> all the sectors (1+31+252896) will give me a size
> around 126M and not 128M.
> 
> - The other puzzling thing is the fsstat output. the
> FAT table is 247 sectors and therefore capable of
> holding 31616 entries (128 * 247), whereas the
> cluster
> range is 2-63093. This means that we have a lot of
> clusters which cannot be referenced via the FAT
> table.
> 
> 
> can anyone shed a light on this please
> 
> 
> 
> 
> 
> 
> 		
>
___________________________________________________________
> 
> How much free photo storage do you get? Store your
> holiday 
> snaps for FREE with Yahoo! Photos
> http://uk.photos.yahoo.com
> 
> 
>
-------------------------------------------------------
> SF.Net email is sponsored by:
> Tame your development challenges with Apache's
> Geronimo App Server. Download
> it for free - -and be entered to win a 42" plasma tv
> or your very own
> Sony(tm)PSP.  Click here to play:
> http://sourceforge.net/geronimo.php
> _______________________________________________
> sleuthkit-users mailing list
>
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
> 

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 