Analyse Individual Clusters.

Log Out | Topics | Search Moderators | Edit Profile

Author Message   rodney spoon Username: nightmares0nwax Registered: N/A Posted on Sunday, Jul 12, 2009 - 17:05:    Hi, i was wondering how to analyse individual clusters? more specifically the cluster slack space. i was thinking on a cluster by cluster basis, rather than gathering slack space of an entire drive. also how to locate individual clusters. Thanks in advance.   Stefan Fleischmann Username: admin Registered: 1-2001 Posted on Sunday, Jul 12, 2009 - 17:35:    To navigate to a certain cluster whose number you have in WinHex, open the volume and use Position | Go To Sector and enter your cluster number as a cluster number. To directly navigate to the slack of a file, in X-Ways Forensics, select the file, enable File mode, and use the scrollbar or press Ctrl+End to jump to the end of the physical file. The slack will also be highlighted.   jimbo Username: nightmares0nwax Registered: N/A Posted on Tuesday, Jul 14, 2009 - 10:29:    Thanks for the reply, it was helpful. i managed to view the cluster tip by enabling "Open and search files incl. slack" option in the "Directory browser options" window. is there a way to accurately define the ram slack? Thanks again   Stefan Fleischmann Username: admin Registered: 1-2001 Posted on Tuesday, Jul 14, 2009 - 11:16:    Yes, that's all the data from the first byte in the slack to the end of the same sector.   jimbo Username: nightmares0nwax Registered: N/A Posted on Tuesday, Jul 14, 2009 - 12:00:    Thanks for the quick response, i thought as much, but is there anyway to highlight the sectors? differenciate them somhow? or i can only achieve this by counting bits? Thanks.   jimbo Username: nightmares0nwax Registered: N/A Posted on Tuesday, Jul 14, 2009 - 12:02:    i also noticed that sometimes there is a blank spot from the end of the data to the end of the sector, where the ram slack is suppose to be, is that normal? Thanks.   Stefan Fleischmann Username: admin Registered: 1-2001 Posted on Tuesday, Jul 14, 2009 - 12:25:    With a specialist license or higher, all the slack space can be highlighted in a different color, and it's very easy to see where the next sector boundary is, too. > i also noticed that sometimes there is a blank spot A blank spot? Feel free to send a screenshot of the whole screen to illustrate.   Jens Kirschner Username: jenskirschner Registered: N/A Posted on Tuesday, Jul 14, 2009 - 14:36:    Is there a chance by "blank spot" you mean zero value bytes only? Because, contrary to the original concept of RAM slack, that is normal and has been ever since Windows 95B (aka OSR-1). The only environment that creates true RAM slack would be an MS-DOS or Win95A system if you can find it...   jimbo Username: nightmares0nwax Registered: N/A Posted on Wednesday, Jul 15, 2009 - 10:23:    yes! so any windows system after 95 produces 0 bytes instead? what about linux and mac os? they are the same? (just out of curiosity) is there a book i can read that will get me started on forensics? thanks for the replies, appreciated.