
Running head: RAM & FILE SLACK

Assignment 7: RAM & File Slack

Livia Nguyen

CFR105

Professor: Frank Griffits

June 23, 2017



Explanation:

Logical File Size is the actual number of bytes occupied by the file data.

Physical File Size is the number of clusters used by the file on the disk.

The equation for calculating file slack is physical size - logical size = file slack.

The first step is to figure out how many clusters the file uses on the drive by dividing the file size by the cluster size. If the division leaves a remainder, round up to the next whole number. For example: 5100/4096=1.25, which gives 2 clusters.

I then draw a diagram of what the drive would look like, using the number that I got from the calculation.

To calculate the total bytes of slack, I subtract the file's bytes from the total bytes of the clusters. The total bytes of slack are the space left over from the end of the file's data to the end of the last cluster of the file.

The file slack is all of the bytes in the full sectors within the total bytes of slack. For example: if there are 6 full sectors, we multiply 6 by 512 bytes, which gives a total of 3072 bytes of file slack.

The RAM slack is the slack between the end of the logical file and the end of that sector. To calculate the RAM slack, simply subtract the file slack from the total bytes of slack. For example: given 3092 total bytes of slack and 3072 bytes of file slack, subtracting gives 20 bytes of RAM slack.

Equation:

Total bytes of slack = total size of clusters - file size

File slack = bytes per sector x number of leftover sectors

RAM slack = Total bytes of slack - File slack
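The three formulas above can be turned into a short Python routine that also cuts the two slack regions out of a file's allocated clusters. This is an added example, not part of the original paper: `slack_layout`, `carve_slack` and `demo` are hypothetical names, and the buffer in `demo` is constructed sample data (file bytes, zero-filled RAM slack, then "OLD!" residue standing in for older data left in the file slack).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SlackLayout:
    clusters: int       # clusters allocated to the file
    physical_size: int  # bytes allocated = clusters * cluster size
    total_slack: int    # physical size - logical size
    ram_slack: int      # end of file data to end of that sector
    file_slack: int     # whole sectors left over in the last cluster


def slack_layout(file_size, sector_size, sectors_per_cluster):
    """Apply the paper's three formulas to one file."""
    if file_size < 0 or sector_size <= 0 or sectors_per_cluster <= 0:
        raise ValueError("file size must be >= 0, geometry must be > 0")
    cluster_size = sector_size * sectors_per_cluster
    clusters = -(-file_size // cluster_size)   # round up to whole clusters
    physical = clusters * cluster_size
    total = physical - file_size
    ram = -file_size % sector_size             # bytes up to the sector boundary
    return SlackLayout(clusters, physical, total, ram, total - ram)


def carve_slack(allocated, file_size, layout):
    """Split a file's allocated clusters into (RAM slack, file slack) bytes."""
    if len(allocated) != layout.physical_size:
        raise ValueError("buffer must cover exactly the allocated clusters")
    ram_end = file_size + layout.ram_slack
    return allocated[file_size:ram_end], allocated[ram_end:]


def demo():
    # Constructed sample (not real evidence): 5100 bytes of file data,
    # zero-filled RAM slack, then residue from an older file.
    layout = slack_layout(5100, 512, 8)
    residue = b"OLD!" * (layout.file_slack // 4)
    allocated = b"A" * 5100 + bytes(layout.ram_slack) + residue
    return layout, carve_slack(allocated, 5100, layout)


if __name__ == "__main__":
    layout, (ram, leftover) = demo()
    print(layout)
    print(len(ram), len(leftover), leftover[:8])
```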



1. On an NTFS drive with 512-byte sectors and 8 sectors per cluster, so that the size of a cluster is 4096 bytes, if a file is 5100 bytes long, calculate the following three numbers:

5100/4096=1.24, or 2 clusters; 1 cluster = 4096 bytes; 2 clusters = 8192 bytes

[Diagram: Cluster 1 and Cluster 2, each drawn as eight 512-byte sectors, with the RAM slack and File Slack regions labeled.]

A. the total bytes of slack

8192-5100= 3,092 byte

B. RAM slack

3092-3072= 20 byte

C. File slack 6 sectors

512x6= 3,072 byte

2. A 600-byte file is stored on a hard disk with 4 sectors per cluster and 512-byte sectors. Calculate the following three numbers:

4 sectors x 512 bytes per sector = 2,048-byte cluster size

600/2048= .21, or 1 cluster; 1 cluster = 2048 bytes

[Diagram: Cluster 1 drawn as 512-byte sectors, with the RAM slack and File Slack regions labeled.]

A. the total bytes of slack

2048-600= 1,448 bytes



B. RAM slack

1448-1024= 424 byte

C. File slack 2 sectors

512x2= 1,024 byte

3. A 198-byte file is stored on a standard floppy disk with 512-byte sectors. Calculate the following three numbers:

512/512=1 cluster; 1 cluster = 512 bytes

[Diagram: Cluster 1 drawn as a single 512-byte sector, labeled RAM slack.]

A. the total bytes of slack

512-198= 314 byte

B. RAM slack

314-0= 314 byte

C. File slack 0 sector

512x0= 0 byte

The result shows that there is no file slack, and the total bytes of slack is the RAM slack.

4. A 1024-byte file is stored on a standard floppy disk with 512-byte sectors. Calculate the following three numbers:

1024/512=2 clusters; 1 cluster = 512 bytes; 2 clusters = 1024 bytes

Cluster 1 Cluster 2
512 512

A. the total bytes of slack

1024-1024= 0 byte

B. RAM slack

0-0= 0 byte

C. File slack 0 sector

512x0= 0 byte

The result shows that there is no slack space on the disk. That means there is no file slack or RAM slack on the disk, and all of the sectors are filled with file content. However, if the user decides to delete all of the content of this file, it will appear to be unallocated, but the content of the file remains on the disk and can be recovered by using a forensic tool.

5. A 291,341-byte file is stored on a hard disk with 8 sectors per cluster and 4096-byte sectors. Calculate the following three numbers:

8 sectors = 32,768 bytes; 291,341/32,768=8.89, or 9 clusters; 9 clusters = 294,912 bytes

Cluster 1 Cluster 2 Cluster 3 Cluster 4 Cluster 5 Cluster 6 Cluster 7 Cluster 8 Cluster 9


4096 4096 4096 4096 4096 4096 4096 4096 4096
4096 4096 4096 4096 4096 4096 4096 4096 4096
4096 4096 4096 4096 4096 4096 4096 4096 4096
4096 4096 4096 4096 4096 4096 4096 4096 4096
4096 4096 4096 4096 4096 4096 4096 4096 4096 RAM slack
4096 4096 4096 4096 4096 4096 4096 4096 4096
4096 4096 4096 4096 4096 4096 4096 4096 4096
4096 4096 4096 4096 4096 4096 4096 4096 4096

A. the total bytes of slack

294,912-291,341= 3571 byte

B. RAM slack

3571-0= 3571 byte

C. File slack 0 sector

512x0= 0 byte

There is no file slack left on this hard disk, and the slack space on the hard disk is the RAM slack.

