Why do some cookies maintain file slack?
I have noticed that some have slack, while most do not. The ones that do of course are bigger in physical size. Does that have anything to do with it. I have noticed these begin in sector offset 0 a well. I am guessing do to the size.
I have also wondered about the numbers. Some have [1] or [2] in the name. Can someone explain this in a understandable sense. Thanks again. Just trying to make sense of these.
What is the sector size and what is the cluster size on the system?
How does that compare to the size of the file and your observations of the content of the slack?
Research slack space and I bet you will come up with the answer.
Let us know how you get on.
If you search in the forum you will find a number of threads on cookies and I am sure there will be a mention of [1].
H
I am looking at a sector size of 512. I am guessing since slack is what it is, that the cookie maintains the slack because if filled into another secotr, thus the slack I am seeing is from data that was previously on that sector.
As for the [1]. i have looked, but from what I see is it relates to expiration?
Still unclear about the why they can start in offset 0, versus like most started in varying offsets.
Thanks for the response. But still cloudy, think maybe I will get there will little more push. thanka again
I have noticed that some have slack, while most do not.
This is probably because some are resident data with their associate MFT records, whilst some are to big and reside elsewhere on the disk. (of course I'm assuming file system is NTFS).
yeah, that was my conclusion, but I thought maybe I was overlooking something. It is NTFS. I presume this is why they can start at offset 0 , since they are outside
"non resident data." of the $MFT.
I still have not got a good or clear explaination for the [2] (numbers) in the file names. I have seen threads/posts on this, but no good answer just speculation.