An interesting question (that no one seems interested in testing/fiddling with) is what happens on 4096 bytes/sector media (and conversely with the much larger $MFT record size)?
http://www.hexacorn.com/blog/2012/05/04/sector-size-and-mft-file-record-size/
Logically the size of the "embedded" file should expand to around 4096-(1024-736)=3808 bytes.
jaclaz
That's an interesting point and a good spot - thanks for sharing.
I can't say I've ever personally encountered this in the wild. I'd be interested to hear from practitioners as to what they are seeing at the 'coal face'.
I've taken a quick look over the sample posted in the link you provided and the following observations jumped straight out at me:
The record header size is 72 bytes (previously 56 was the expected size).
The footer is different to previous versions of the MFT.
The Update Sequence Array occurs every 512 bytes, possibly indicating backwards compatibility with discs with 512 byte sectors.
The information present at offset 168 onwards appears to be slack, based on FF FF FF FF 00 00 00 00 at offset 160 and confirmed by the 68 01 value at offset 18.
Anyone else care to wade in?
Ben
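An added example (not part of the original posts and not any poster's code): a Python sketch that checks the observations above on a constructed 4096-byte FILE record, namely the 72-byte header, fixups every 512 bytes, the FF FF FF FF end marker at 0x160 and the used size 0x168 at offset 0x18. The field offsets are the standard NTFS FILE record layout; `build_sample` and everything it writes are constructed for illustration and are not the hexacorn sample.

```python
import struct

STRIDE = 512           # fixup stride; stays 512 even when the record is 4096 bytes
END_MARK = 0xFFFFFFFF  # attribute list terminator (FF FF FF FF)

def parse_file_record(raw):
    """Check the fixups of an NTFS FILE record and locate its slack."""
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record")
    usa_off, usa_cnt = struct.unpack_from("<HH", raw, 0x04)
    first_attr, _flags, used, alloc = struct.unpack_from("<HHII", raw, 0x14)
    if usa_cnt != len(raw) // STRIDE + 1 or usa_off + 2 * usa_cnt > first_attr:
        raise ValueError("update sequence array does not match record size")
    usn, fixed = raw[usa_off:usa_off + 2], bytearray(raw)
    for i in range(1, usa_cnt):
        tail = i * STRIDE - 2            # last two bytes of each 512-byte block
        if raw[tail:tail + 2] != usn:
            raise ValueError(f"fixup mismatch in 512-byte block {i}")
        fixed[tail:tail + 2] = raw[usa_off + 2 * i:usa_off + 2 * i + 2]
    pos = first_attr
    while True:                          # walk attributes until the end marker
        if pos + 8 > used:
            raise ValueError("no end marker inside the used area")
        atype, alen = struct.unpack_from("<II", fixed, pos)
        if atype == END_MARK:
            break
        if alen < 8:
            raise ValueError("bad attribute length")
        pos += alen
    return {"header_size": first_attr, "end_marker": pos, "used": used,
            "slack_bytes": alloc - used, "data": bytes(fixed)}

def build_sample(size=4096):
    """Constructed record (not the hexacorn sample): one dummy attribute."""
    rec = bytearray(size)
    usa_cnt = size // STRIDE + 1
    first_attr = (0x30 + 2 * usa_cnt + 7) & ~7       # 72 for 4096, 56 for 1024
    end = first_attr + 0x118
    struct.pack_into("<4sHH", rec, 0, b"FILE", 0x30, usa_cnt)
    struct.pack_into("<HHII", rec, 0x14, first_attr, 1, end + 8, size)
    struct.pack_into("<II", rec, first_attr, 0x80, 0x118)  # dummy $DATA attribute
    struct.pack_into("<II", rec, end, END_MARK, 0)
    rec[end + 8:end + 13] = b"stale"                 # residue past the used size
    rec[0x30:0x32] = b"\x05\x00"                     # update sequence number
    for i in range(1, usa_cnt):
        tail = i * STRIDE - 2
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[tail:tail + 2]
        rec[tail:tail + 2] = b"\x05\x00"
    return bytes(rec)

if __name__ == "__main__":
    info = parse_file_record(build_sample())
    print({k: v for k, v in info.items() if k != "data"})
```

Anything between the used size and the allocated size is record slack and can hold residue from an earlier use of the record, which is why the end marker and the value at offset 0x18 are checked against each other.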
I've taken a quick look over the sample posted in the link you provided and the following observations jumped straight out at me
…
Good.
I happened to remember that the VSS Microsoft Virtual Disk Driver allows creating virtual disks of a given sector size, so I quickly made one and tested the effect on a file "size.dat" enlarged by fsz.exe.
The limit is 3776 bytes, 3777 gets the "dignity" of occupying a cluster.
As seen in the mentioned thread this size may vary by a few bytes depending on the actual method that is used to write the file and on the length of the filename; for file size0123.dat the limit is 3768.
fsz size.dat 3775
OK
MyFragmenter v1.2, 2008 J.C. Kessels
0 clusters, 1 fragments.
Finished, 1 files processed.
Next...
Premere un tasto per continuare . . .
fsz size.dat 3776
OK
MyFragmenter v1.2, 2008 J.C. Kessels
0 clusters, 1 fragments.
Finished, 1 files processed.
Next...
Premere un tasto per continuare . . .
fsz size.dat 3777
OK
MyFragmenter v1.2, 2008 J.C. Kessels
Extent 1 Lcn=5005, Vcn=0, NextVcn=1
1 clusters, 1 fragments.
Finished, 1 files processed.
Next...
jaclaz
In my (fairly quiet) data recovery world I have seen a single 0x1000 MFT disk. I cannot remember if the disk was physically 0x1000 or physical 0x200.
However I note that my Microsoft Storage Space has 0x1000 byte blocks, even though the physical drives are 'standard' 0x200 bytes.
In my (fairly quiet) data recovery world I have seen a single 0x1000 MFT disk. I cannot remember if the disk was physically 0x1000 or physical 0x200.
It was almost certainly 4096 bytes/sector physical.
"Traditional" or "512n" or "512 native" disks are 512 bytes physical AND expose a 512 bytes sector size.
"Advanced Format" or "512e" disks are 4096 bytes physical BUT expose a 512 bytes sector size.
"Large sectored" or "4k native" disks are 4096 bytes physical AND expose a 4096 bytes sector size.
There is not AFAIK any device that is 512 bytes physical but exposes 4096 bytes.
An interesting (strange) case JFYI is what happened here:
http//
http//
where an AF disk changed exposed size when in an external case it was connected to either USB or eSATA connector.
jaclaz
qassam22222's topic sounds criminal in itself and should be banned from this forum. I no more trust qassam22222.
You can start a new tirade of hate against me, but this is my opinion, you either like it or not. I don't care.
Rolf
I think many questions on this forum could help criminals. They also help people trying to control criminals.
I rather hope this group can continue with open discussions from which we can all learn across a large range of topics. I understand your view, but don't agree with it.
qassam22222's topic sounds criminal in itself and should be banned from this forum. I no more trust qassam22222.
You can start a new tirade of hate against me, but this is my opinion, you either like it or not. I don't care.
While of course you are perfectly free to not trust qassam22222 and as well to express your opinion on the legality of deleting one's own files, calling the latter "criminal" seems to me like a bit too extreme.
At least I must confess to have committed the same "crime" (i.e. deleting my own files) tens, hundreds or possibly thousands of times and not only I have never been arrested but I never had, and don't have currently any - not even the slightest - feeling of repentance. 😯
As a matter of fact every one of us has deleted files (their own ones) "normally" and sometimes (often enough) they have been subsequently overwritten (thus becoming irrecoverable), so you might need to put the accent on the "intent", thus deleting a file and then accidentally making it irrecoverable being "legit" and deleting a file with the intent of making it irrecoverable by overwriting or zeroing the extents where it was stored becoming suddenly a crime.
Maybe a Law mandating the manufacturing and use of WORM (Write Once Read Many) media only should be made (together with another Law prohibiting to destroy the media and a third one mandating the construction of Government warehouses to store them once not anymore in use) …
And come on :), no one will actually hate you for expressing your opinion, wrong or provocative as it may be, but the fact that you don't care is somehow saddening :(.
jaclaz
Only if you search FF for posts of the mentioned account you will get an impression of the person behind this account. In theory there is no problem - but in reality there is.
FF has a problem. But nobody seems to care.
FF has a problem. But nobody seems to care.
You believe that FF has a problem, you already stated your opinion, and it was discussed here:
https://www.forensicfocus.com/Forums/viewtopic/p=6581954/
As it was suggested there, by all means if you believe there is a problem, you are perfectly free to start your own forum (reserved to LE, by invitation only or whatever) and leave Forensic Focus as is.
jaclaz
It's not as easy as you think.
ForensicFocus is a very strong brand and THE site for x-professionals with 36k of 'members'.
To establish a new brand you miss the rules of branding - never try to overcome a strong brand.
In general the potential of collaboration is based on the law of big figures resulting in the probability to solve a technical issue. The more collaboration the more all participants learn and the faster and better you solve technical issues. This all speaks for FF. So there should be a solution within FF. Outside no chance.
BUT I HATE TO FEED CRIMINALS!
Many on FF stay silent to solve this problem. But they reduce the potential of collaboration.
Building a walled garden forum internationally does not work as the process of clearance and background checks would not work. Too complicated, slow and non-functional in general.
Let's play the ball back: How can FF (not a new forum) keep criminals out of it?