hh.sePublications
Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Disk Cluster Allocation Behavior in Windows and NTFS
Department of Information Security and Communication Technology, Norwegian University of Science and Technology, Gjovik, Norway.
Halmstad University, School of Information Technology, Halmstad Embedded and Intelligent Systems Research (EIS).
Department of Information Security and Communication Technology, Norwegian University of Science and Technology, Gjovik, Norway.
2020 (English)In: Mobile Networks and Applications, ISSN 1383-469X, E-ISSN 1572-8153, Vol. 5, no 1, p. 248-258Article in journal (Refereed) Published
Abstract [en]

The allocation algorithm of a file system has a huge impact on almost all aspects of digital forensics, because it determines where data is placed on storage media. Yet there is only basic information available on the allocation algorithm of the currently most widely spread file system; NTFS. We have therefore studied the NTFS allocation algorithm and its behavior empirically. To do that we used two virtual machines running Windows 7 and 10 on NTFS formatted fixed size virtual hard disks, the first being 64 GiB and the latter 1 TiB in size. Files of different sizes were written to disk using two writing strategies and the $Bitmap files were manipulated to emulate file system fragmentation. Our results show that files written as one large block are allocated areas of decreasing size when the files are fragmented. The decrease in size is seen not only within files, but also between them. Hence a file having smaller fragments than another file is written after the file having larger fragments. We also found that a file written as a stream gets the opposite allocation behavior, i. e. its fragments are increasing in size as the file is written. The first allocated unit of a stream written file is always very small and hence easy to identify. The results of the experiment are of importance to the digital forensics field and will help improve the efficiency of for example file carving and timestamp verification. © 2019, The Author(s).

Place, publisher, year, edition, pages
Springer, 2020. Vol. 5, no 1, p. 248-258
Keywords [en]
Allocation algorithm, Digital forensics, File carving, NTFS, Boron compounds, Digital storage, Electronic crime countermeasures, File organization, Titanium compounds, Bitmap files, Different sizes, File systems, Large blocks, Storage media, Computer forensics
National Category
Computer Systems Computer Sciences
Identifiers
URN: urn:nbn:se:hh:diva-41539DOI: 10.1007/s11036-019-01441-1ISI: 000513451700026Scopus ID: 2-s2.0-85077062891OAI: oai:DiVA.org:hh-41539DiVA, id: diva2:1390969
Available from: 2020-02-03 Created: 2020-02-03 Last updated: 2021-10-25Bibliographically approved

Open Access in DiVA

No full text in DiVA

Other links

Publisher's full textScopus

Authority records

Axelsson, Stefan

Search in DiVA

By author/editor
Axelsson, Stefan
By organisation
Halmstad Embedded and Intelligent Systems Research (EIS)
In the same journal
Mobile Networks and Applications
Computer SystemsComputer Sciences

Search outside of DiVA

GoogleGoogle Scholar

doi
urn-nbn

Altmetric score

doi
urn-nbn
Total: 159 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf