
| Subject: | SV: Cluster size |
|---|---|
| Date: | Wed, 22 Dec 2004 10:25:49 +0100 |
Hello!

Many data recovery tools use this procedure to identify cluster-size:

1. Identify for the file system type data that uniquely identify the beginning of a directory, for example in FAT, this is the so called ".", ".." signature.
2. Since directories must occupy at least one cluster, this signature will only appear at the beginning of clusters.
3. Search the disk for the unique signature. The cluster-size can now be calculated from the distance between subsequent directory-hits by finding the least common denominator of these.
4. Having calculated the cluster size it may also be possible to calculate the start of the first cluster. For example in FAT, this can be done simply by looking at the cluster for the "." in the directories found by searching.
5. Having identified the cluster-size and the start-position, it is easy to recover files from the entries found in the directory hits.

Some programs that (seem to) implement this procedure are R-STUDIO, EasyRecovery Professional and RecoverMyFiles. Using "Folder scan" in EnCase does not implement this procedure. There you have to know the cluster-size and the start of the first cluster.

--
Svein Y. Willassen, M.Sc.

-----Original message-----
From: Brian Carrier [mailto:carrier@cerias.purdue.edu]
Sent: 21 December 2004 02:44
To: Lily Tse
Cc: forensics@securityfocus.com
Subject: Re: Cluster size

On Dec 13, 2004, at 7:14 PM, Lily Tse wrote:
Hi, I know that there are different default cluster sizes an operating system uses during a high level format depending on how big the volume is. However, cluster size can be changed easily. Assuming that all the VBRs on a hard disk have been destroyed (BIOS parameter block info is lost), is there any way I can find out the exact cluster size for FAT16, FAT32, NTFS, EXT2, and EXT3 volumes?
Here are some ideas. All of which require you to go hunting for data structures.

FAT32 has a backup copy of the boot sector in sector 6, so you could try and get it from there. But, if we assume that both are destroyed, you may be able to figure the size out for FAT if you can determine where the primary and backup FAT structures start and end and you can determine the size of the data area. The size of each FAT will tell you roughly how many clusters the file system had in the data area. So, divide the size of the data area by the estimated number of clusters and you should roughly have the cluster size (roughly because not all entries in the last sector of the FAT may have been used). This assumes you know which FAT type it was though and the "official" method for determining FAT type is based on the number of clusters ...

NTFS is a little harder. There is typically a backup copy of the boot sector, so that could give you the size. If we again assume that it is destroyed, you may be able to guess based on the location of key data structures. For example, if the first MFT entry is found at a byte offset that is a multiple of 1,024 but not a multiple of 4,096.

Ext2/3 has backup copies of the superblock all over the file system, so finding the block size could be easier. If we again assume that all copies are destroyed, then you may be able to take advantage of the way that most Ext2/3 file systems are created. They are organized into block groups and the number of blocks in each block group is set to the number of bits in a block (so that the block bitmap is only one block in size). If you can determine the size of the block groups (using the location of standard data structures) then you could figure out the block group size and therefore a potential block size.

brian

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
-----------------------------------------------------------------
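The directory-signature procedure Svein describes (steps 1 to 4), as an added worked example that is not code from the thread or from any of the tools it names. It scans a raw FAT volume image for the "." / ".." entry pair that opens every subdirectory, takes the greatest common divisor of the distances between hits (the "least common denominator" of the message) as the cluster-size estimate, and then reads the "." entry's own first-cluster field to locate the start of cluster 2, which is where the FAT data area begins. The image it scans is constructed in the block itself; the name and cluster-number fields are laid out as in the FAT directory-entry format, and `build_image`, `find_dir_hits`, `estimate_cluster_size` and `estimate_data_start` are names chosen here.

```python
"""Estimate FAT cluster size and data-area start from directory signatures.

Added example, not from the thread. The volume image is constructed below;
only the 8.3 name, attribute and first-cluster fields of each directory
entry are filled in, because those are the ones the procedure relies on.
"""
import struct
from functools import reduce
from math import gcd

DIR_ATTR = 0x10                 # ATTR_DIRECTORY bit in a FAT directory entry
DOT = b'.' + b' ' * 10          # 8.3 name field of the "." entry
DOTDOT = b'..' + b' ' * 9       # 8.3 name field of the ".." entry
ENTRY_SIZE = 32


def make_dir_entry(name11, attr, first_cluster):
    """Build one 32-byte FAT directory entry (name, attribute, first cluster)."""
    e = bytearray(ENTRY_SIZE)
    e[0:11] = name11
    e[11] = attr
    struct.pack_into('<H', e, 20, first_cluster >> 16)      # DIR_FstClusHI
    struct.pack_into('<H', e, 26, first_cluster & 0xFFFF)   # DIR_FstClusLO
    return bytes(e)


def build_image(cluster_size, data_start, dir_clusters, total_clusters=16):
    """Constructed volume: a subdirectory at each listed cluster number,
    each opening with "." (itself) and ".." (parent, cluster 2 here).
    FAT cluster numbering starts at 2, so cluster 2 sits at data_start."""
    img = bytearray(data_start + total_clusters * cluster_size)
    for cl in dir_clusters:
        off = data_start + (cl - 2) * cluster_size
        img[off:off + ENTRY_SIZE] = make_dir_entry(DOT, DIR_ATTR, cl)
        img[off + ENTRY_SIZE:off + 2 * ENTRY_SIZE] = make_dir_entry(DOTDOT, DIR_ATTR, 2)
    return bytes(img)


def find_dir_hits(img):
    """Step 3: return (offset, own_cluster) for every "." + ".." pair.
    Requiring both entries, with the directory attribute set, keeps a stray
    '.' followed by spaces in file content from counting as a hit."""
    hits = []
    pos = img.find(DOT)
    while pos != -1:
        if (pos + 2 * ENTRY_SIZE <= len(img)
                and img[pos + 11] == DIR_ATTR
                and img[pos + 32:pos + 43] == DOTDOT
                and img[pos + 43] == DIR_ATTR):
            hi = struct.unpack_from('<H', img, pos + 20)[0]
            lo = struct.unpack_from('<H', img, pos + 26)[0]
            hits.append((pos, (hi << 16) | lo))
        pos = img.find(DOT, pos + 1)
    return hits


def estimate_cluster_size(hits):
    """Step 3: GCD of the distances between consecutive hits. Every hit lies
    at a cluster boundary, so the GCD is a multiple of the true cluster size;
    with too few hits (e.g. directories in clusters 2, 4 and 6 only) it can
    be a larger multiple, so more hits make the estimate more reliable."""
    offsets = sorted(o for o, _ in hits)
    diffs = [b - a for a, b in zip(offsets, offsets[1:])]
    return reduce(gcd, diffs) if diffs else None


def estimate_data_start(hits, cluster_size):
    """Step 4: offset of cluster 2, from each hit's own first-cluster field.
    Returns None when the hits disagree, which signals a false positive or a
    wrong cluster-size estimate."""
    starts = {off - (cl - 2) * cluster_size for off, cl in hits if cl >= 2}
    return starts.pop() if len(starts) == 1 else None


if __name__ == '__main__':
    image = build_image(2048, 0x5000, [4, 7, 11])
    found = find_dir_hits(image)
    size = estimate_cluster_size(found)
    print('hits:', found)
    print('cluster size:', size, 'data area starts at:', hex(estimate_data_start(found, size)))
```

Running it against a real image means replacing `build_image` with the bytes of the volume (or of the whole disk, in which case the recovered data-area offset is relative to the disk, not the partition). The consistency check in `estimate_data_start` is the useful sanity test: if two hits imply different starts, either one hit is a false positive or the GCD came out as a multiple of the real cluster size.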