Clusters consists of one or more
sectors and are exponents of 2. That is clusters are either 2, 4, 8, 16, etc.
However, a cluster can consist of 1 sector. The space in clusters are reserved
for data contents. Whenever data is appended to the file and the file grows,
additional clusters are allocated accordingly (ntfs.com,
n.d.) .
Using an example, if we have a file of 600 bytes and a drive with 1024 bytes cluster, this would require 1 cluster (or 1024) bytes to be reserved since the 600 bytes is more than the size of 1 sector (512 bytes). If this file grows to 1200 bytes then 4 clusters (2048 bytes) will be allocated. To view the disk cluster information on a computer running Microsoft Windows, one can use either fsutil
On a computer running Linux, the term is not cluster but instead blocks. In the image below our “test.txt” file which is 8 bytes actually takes up 8 blocks. From the image above in the “sectors” section we know that each sector is 512 bytes. As a result, the IO Block size for this drive/partition is 512*8 which equals 4096 bytes. Therefore for the purpose of this discussion, this drive/partition uses 4096 bytes block size similar to how Microsoft Windows uses 4096 bytes cluster.
Reference:
https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/chkdsk.mspx?mfr=true
http://ntfs.com/hard-disk-basics.htm#SectorsandClusters
https://technet.microsoft.com/en-us/library/cc788080.aspx
In this series
Working with media - Unallocated Space
Working with media - Allocated Space
Working with media - Partitioning
Working with media - Sectors
Working with media - Clusters
Working with media - Slack Space
Forensic Imaging and their Formats - The Advanced Forensic Format (AFF)
Forensic Imaging and their Formats - Encase Image (E01)
Forensic Imaging and their Formats - DD (raw)
No comments:
Post a Comment