Disk clusters

Disks consist of sectors, normally 512 (0x200) bytes in length.  With a modern, 500GB disk, this means there are about 1,000,000,000 separate sectors that the operating system has to manage.  As these numbers can get rather large, operating systems work in groups of sectors, and call each group a cluster.  A cluster is then the smallest amount of disk that can be allocated, and is always a contiguous run of sectors.


The size of a cluster is always a compromise.  A large cluster means that there are fewer clusters for the operating system to manage, but a small file will still require a complete cluster, and so can represent a large amount of wasted space.  A small cluster reduces the amount of wasted space, but requires many more clusters to be tracked by the operating system.


When recovering a disk it is often useful to know the size and location of clusters.  If the disk has a valid operating system, then this will be determined from information within the BPB.  If the operating system information is lost, or is no longer valid due to a reformat, then it will be necessary to determine the cluster size and location.  There are built-in tools for FAT and NTFS disks to try and determine these values, but the other way is to examine the log after an Image Raw scan.


Once an Image Raw scan of a disk is done, the log should be opened, and the data viewed in hex mode.



The important parameters are the Start Sector value and the Incr(ement) sector value. The reason for viewing in hex is that all cluster sizes are powers of 2, i.e. 1, 2, 4, 8, 16 etc.


In the example above it can be seen that the majority of increments are multiples of 0x20 (i.e. 32).  With an Image Raw, there may be false positive starts detected, and so it can be seen that the top few values do not fit the pattern.  For the majority of the files, it looks safe to say that the cluster size is 0x20.


Looking at the Start Sector it is very clear that the majority of files start with a sector value ending in 9.  The first cluster of a disk can be located on any sector location, and so for a cluster size of 0x20, the start of a cluster could in theory be any value between 0x00 and 0x1F.  In the example above, files always start at values such as 0xb9, 0x19, 0x39, so the start value of the cluster would be sector 0x19.
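
The same reasoning can be automated. The following is an added example, not part of the original page or of the recovery tool: it votes on the remainder of each start sector for each power-of-two cluster size, rather than reading increments by eye. The function names, the 80% threshold and the sample sector list are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample: start sectors as they might appear in a raw-scan log.
# Ten follow the page's pattern (0x19, 0x39, 0xb9, ...); two are false positives.
SAMPLE_STARTS = [0x07, 0x19, 0x39, 0x4c, 0xb9, 0xf9, 0x159, 0x1d9,
                 0x219, 0x2b9, 0x339, 0x3f9]

def estimate_cluster_geometry(starts, max_cluster=0x80, min_support=0.8):
    """Return (cluster_size, first_cluster_offset, support), sizes in sectors.

    Tries power-of-two sizes from max_cluster (assumed to be a power of two)
    downwards and keeps the first one where a single remainder
    (start % size) accounts for at least min_support of the starts.
    False positives land on other remainders and are outvoted.
    """
    if not starts:
        raise ValueError("no start sectors supplied")
    size = max_cluster
    while size > 1:
        offset, hits = Counter(s % size for s in starts).most_common(1)[0]
        if hits / len(starts) >= min_support:
            return size, offset, hits / len(starts)
        size //= 2
    return 1, 0, 1.0  # one-sector clusters: every start trivially fits

def outliers(starts, size, offset):
    """Starts that do not sit on a cluster boundary (likely false positives)."""
    return [s for s in starts if s % size != offset]

def cluster_index(sector, size, offset):
    """Cluster number containing a sector, counting from the first cluster."""
    return (sector - offset) // size

if __name__ == "__main__":
    size, offset, support = estimate_cluster_geometry(SAMPLE_STARTS)
    print(f"cluster size 0x{size:x} sectors, first cluster at 0x{offset:x}, "
          f"{support:.0%} of starts fit")
    print("ignored:", [hex(s) for s in outliers(SAMPLE_STARTS, size, offset)])
```

With only a handful of detected starts, files can share a larger alignment by coincidence, so a small sample may overestimate the cluster size.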