
MFT FILE 0 RECOVERY

6 Posts
4 Users
0 Reactions
1,121 Views
asparajin
(@asparajin)
Eminent Member
Joined: 16 years ago
Posts: 24
Topic starter  

NTFS is damaged. TrueCrypt file: we know the password and file size, but we need to find the start sector.


   
(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

Please read this newsgroup - the same question was posted last week


   
asparajin
(@asparajin)
Eminent Member
Joined: 16 years ago
Posts: 24
Topic starter  

I couldn't find the article. Do you know where?


   
(@jonathan)
Prominent Member
Joined: 20 years ago
Posts: 878
 

Perhaps a separate board for help with student project questions would be good?


   
(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

http://www.forensicfocus.com/Forums/viewtopic/t=9171/

Incidentally, if this is all of the information you have, there is no answer to your question - you can find cluster number, but not sector number.

However, any experienced examiner would have a few good guesses and get the correct location fairly quickly.


   
(@joethomas)
Trusted Member
Joined: 16 years ago
Posts: 65
 

mscotgrove, how would you find the cluster number from that information? As far as I can see, the record uses 264 bytes. I can see 56 bytes for the header, 96 bytes for the standard information attribute, 104 bytes for the filename attribute, and then 8 bytes as the end of entry flag. The rest of the record appears to be MFT slack. I could be wrong but I thought that the starting cluster was located in the data attribute, which is missing in this case. Are you saying that the MFT slack entries may contain a data run which points to the same starting cluster? I've not done enough study of TrueCrypt to know how it hides itself but that could be useful to know.


   
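The byte accounting in the last post (56 + 96 + 104 + 8 = 264) and the role of the data attribute can be checked mechanically. The following Python parser is an added example, not part of the original thread: it walks the attributes of an MFT FILE record and decodes the data runs of an unnamed non-resident $DATA attribute. The field offsets assume the usual NTFS 3.1 record layout, and `build_record` and its run-list argument are constructed sample input, not data from the case discussed.

```python
import struct

ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA"}
END_MARKER = 0xFFFFFFFF

def decode_runs(buf):
    """Decode an NTFS data-run list into (start_lcn, cluster_count) pairs."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos] != 0:       # a 0x00 header byte ends the list
        len_sz, off_sz = buf[pos] & 0x0F, buf[pos] >> 4
        count = int.from_bytes(buf[pos + 1:pos + 1 + len_sz], "little")
        delta = buf[pos + 1 + len_sz:pos + 1 + len_sz + off_sz]
        pos += 1 + len_sz + off_sz
        if off_sz:                                # signed offset, relative to previous run
            lcn += int.from_bytes(delta, "little", signed=True)
        runs.append((lcn if off_sz else None, count))  # None marks a sparse run
    return runs

def walk_record(rec):
    """Return ([(attr_name, length)], runs_or_None, used_size); fixups are not applied."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off, = struct.unpack_from("<H", rec, 20)      # offset of the first attribute
    used, = struct.unpack_from("<I", rec, 24)     # bytes in use; the rest is slack
    attrs, runs = [], None
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER:
            break
        if alen < 16 or off + alen > len(rec):
            raise ValueError("corrupt attribute length")
        attrs.append((ATTR_NAMES.get(atype, hex(atype)), alen))
        if atype == 0x80 and rec[off + 8] == 1 and rec[off + 9] == 0:
            run_off, = struct.unpack_from("<H", rec, off + 32)  # unnamed, non-resident
            runs = decode_runs(rec[off + run_off:off + alen])
        off += alen
    return attrs, runs, used

def build_record(data_runs=None):
    """Constructed sample: 56-byte header, 96-byte $SI, 104-byte $FN, optional $DATA."""
    body = struct.pack("<II", 0x10, 96).ljust(96, b"\0")
    body += struct.pack("<II", 0x30, 104).ljust(104, b"\0")
    if data_runs is not None:
        alen = (64 + len(data_runs) + 7) & ~7     # attributes are 8-byte aligned
        attr = struct.pack("<IIB", 0x80, alen, 1).ljust(32, b"\0") + struct.pack("<H", 64)
        body += (attr.ljust(64, b"\0") + data_runs).ljust(alen, b"\0")
    body += struct.pack("<II", END_MARKER, 0)
    hdr = struct.pack("<4s16xH2xII", b"FILE", 56, 56 + len(body), 1024).ljust(56, b"\0")
    return (hdr + body).ljust(1024, b"\0")
```

`walk_record(build_record())` reports only the 96- and 104-byte attributes, no runs, and a used size of 264, which is the record shape described above. The values `decode_runs` returns are cluster numbers; converting one to a sector needs the sectors-per-cluster value and the volume's start sector, neither of which is stored in the record.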