Does somebody know the concept of the formula to find the block/cluster (i.e. when using srch_strings)?
Block Location = Offset / Blocksize.
Sorry for my bad english.
Thank you
Your question is a bit vague.
Let's assume you are talking about searching a raw disk.
The offset would be the byte location from the start of the disk, possibly a very large number.
Block and cluster are terms for logical locations rather than sector locations.
Block size - this could be the sector size, i.e. 0x200 bytes, or a logical block size; Unix often uses 0x400 bytes. Counting starts at the start of the partition, not the start of the disk.
NTFS and FAT use clusters. Clusters start counting from the start of the partition for NTFS and cluster 2 on a FAT is the end of the FAT table. Cluster on NTFS is normally 0x1000 bytes, and FAT can be many values, always a power of two, such as 0x800, 0x1000, 0x2000.
If you are just interested in sector number, then the formula
sector number = file offset / 0x200
will give you the correct answer for the 99.9% of disks that have a sector size of 0x200.
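Added example, not part of the original posts: the conversions described in the answer above, from a byte offset on a raw disk to a sector number, a partition-relative block or NTFS cluster, and a FAT cluster. The function names, the partition start (sector 2048), the first FAT data sector (8192) and the sample offset are constructed values for illustration; on a real image they come from the partition table and the boot sector.

```python
SECTOR_SIZE = 0x200  # sector size used in the answer's formula


def sector_number(disk_offset, sector_size=SECTOR_SIZE):
    """Sector holding a byte offset counted from the start of the disk."""
    return disk_offset // sector_size


def block_in_partition(disk_offset, part_start_sector, block_size,
                       sector_size=SECTOR_SIZE):
    """Block/cluster number counted from the start of the partition.

    Fits Unix-style blocks (e.g. 0x400) and NTFS clusters (e.g. 0x1000).
    Returns (block number, byte offset inside that block).
    """
    part_offset = disk_offset - part_start_sector * sector_size
    if part_offset < 0:
        raise ValueError("offset lies before the start of the partition")
    return divmod(part_offset, block_size)


def fat_cluster(disk_offset, part_start_sector, first_data_sector,
                cluster_size, sector_size=SECTOR_SIZE):
    """FAT cluster number; numbering starts at 2 where the data area begins.

    first_data_sector is partition-relative and assumed to be known from
    the boot sector. Returns None when the offset lies in the reserved/FAT
    area, which belongs to no cluster.
    """
    data_start = (part_start_sector + first_data_sector) * sector_size
    if disk_offset < data_start:
        return None
    return 2 + (disk_offset - data_start) // cluster_size


if __name__ == "__main__":
    hit = 123456789      # constructed: byte offset of a string hit on the raw disk
    part_start = 2048    # constructed: first sector of the partition
    print("sector      :", sector_number(hit))
    print("unix block  :", block_in_partition(hit, part_start, 0x400))
    print("NTFS cluster:", block_in_partition(hit, part_start, 0x1000))
    print("FAT cluster :", fat_cluster(hit, part_start, 8192, 0x1000))
```

Dividing the raw disk offset directly by the cluster size gives the wrong cluster whenever the partition does not start at sector 0, which is why the partition start is subtracted first.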
Hi mscotgrove
Thank you for answering my question. Yes that's what I mean.
Mike,
I'm a 'newb' - troll but never contribute to this forum - (not interested in getting flamed for my lack of knowledge/experience). I know what you explained below is elemental to this work - and have read it in course materials (I'm not a student - rather a mid-lifer working and self educating to hopefully get INTO a paying position in this line of work) - but I just wanted to tell you that the manner in which you laid this out is awesome - concise, clear, directly to the point. Again - sure it's like complimenting someone on identifying the color blue - for most of the savvy experts that may read this - but I appreciated it.
- nobody of significance 😉
Your question is a bit vague.
Let's assume you are talking about searching a raw disk.
The offset would be the byte location from the start of the disk, possibly a very large number.
Block and cluster are terms for logical locations rather than sector locations.
Block size - this could be the sector size, i.e. 0x200 bytes, or a logical block size; Unix often uses 0x400 bytes. Counting starts at the start of the partition, not the start of the disk.
NTFS and FAT use clusters. Clusters start counting from the start of the partition for NTFS and cluster 2 on a FAT is the end of the FAT table. Cluster on NTFS is normally 0x1000 bytes, and FAT can be many values, always a power of two, such as 0x800, 0x1000, 0x2000.
If you are just interested in sector number, then the formula
sector number = file offset / 0x200
will give you the correct answer for the 99.9% of disks that have a sector size of 0x200.
At the bottom of this page you can find details of default cluster sizes for volumes of various and an easy way to check the cluster size for your disk.
http//
Your table says FAT32 does not work above 32GB. This is not true, it is just Microsoft that does not allow formatting above 32GB.
There are still 500GB drives that are sold as FAT32 (PC and Mac compatible).
If you wish to format a disk there is a free program
fat32format.exe
Google finds it very quickly