Disk Cluster Allocation Behavior in Windows and NTFS
2020 (English). In: Mobile Networks and Applications, ISSN 1383-469X, E-ISSN 1572-8153, Vol. 5, no 1, p. 248-258. Article in journal (Refereed), Published
Abstract [en]
The allocation algorithm of a file system has a huge impact on almost all aspects of digital forensics, because it determines where data is placed on storage media. Yet there is only basic information available on the allocation algorithm of the currently most widespread file system, NTFS. We have therefore studied the NTFS allocation algorithm and its behavior empirically. To do that we used two virtual machines running Windows 7 and 10 on NTFS-formatted fixed-size virtual hard disks, the first being 64 GiB and the latter 1 TiB in size. Files of different sizes were written to disk using two writing strategies, and the $Bitmap files were manipulated to emulate file system fragmentation. Our results show that files written as one large block are allocated areas of decreasing size when the files are fragmented. The decrease in size is seen not only within files, but also between them. Hence a file having smaller fragments than another file is written after the file having larger fragments. We also found that a file written as a stream gets the opposite allocation behavior, i.e. its fragments are increasing in size as the file is written. The first allocated unit of a stream-written file is always very small and hence easy to identify. The results of the experiment are of importance to the digital forensics field and will help improve the efficiency of, for example, file carving and timestamp verification. © 2019, The Author(s).
Place, publisher, year, edition, pages
Springer, 2020. Vol. 5, no 1, p. 248-258
Keywords [en]
Allocation algorithm, Digital forensics, File carving, NTFS, Boron compounds, Digital storage, Electronic crime countermeasures, File organization, Titanium compounds, Bitmap files, Different sizes, File systems, Large blocks, Storage media, Computer forensics
National Category
Computer Systems; Computer Sciences
Identifiers
URN: urn:nbn:se:hh:diva-41539; DOI: 10.1007/s11036-019-01441-1; ISI: 000513451700026; Scopus ID: 2-s2.0-85077062891; OAI: oai:DiVA.org:hh-41539; DiVA, id: diva2:1390969
2020-02-03, 2020-02-03, 2021-10-25. Bibliographically approved