Show simple item record

dc.contributor.authorKarresand, Nils Martin Mikael
dc.contributor.authorAxelsson, Stefan
dc.contributor.authorDyrkolbotn, Geir Olav
dc.description.abstractThe allocation algorithm of a file system has a huge impact on almost all aspects of digital forensics, because it determines where data is placed on storage media. Yet there is only basic information available on the allocation algorithm of the currently most widely spread file system; NTFS. We have therefore studied the NTFS allocation algorithm and its behavior empirically. To do that we used two virtual machines running Windows 7 and 10 on NTFS formatted fixed size virtual hard disks, the first being 64 GiB and the latter 1 TiB in size. Files of different sizes were written to disk using two writing strategies and the $Bitmap files were manipulated to emulate file system fragmentation. Our results show that files written as one large block are allocated areas of decreasing size when the files are fragmented. The decrease in size is seen not only within files, but also between them. Hence a file having smaller fragments than another file is written after the file having larger fragments. We also found that a file written as a stream gets the opposite allocation behavior, i. e. its fragments are increasing in size as the file is written. The first allocated unit of a stream written file is always very small and hence easy to identify. The results of the experiment are of importance to the digital forensics field and will help improve the efficiency of for example file carving and timestamp verification.nb_NO
dc.publisherSpringer Verlagnb_NO
dc.rightsNavngivelse 4.0 Internasjonal*
dc.titleDisk Cluster Allocation Behavior in Windows and NTFSnb_NO
dc.typeJournal articlenb_NO
dc.typePeer reviewednb_NO
dc.source.journalJournal on spesial topics in mobile networks and applicationsnb_NO
dc.relation.projectNorges forskningsråd: ArsForensica 248094nb_NO
dc.description.localcode© The Author(s) 2019 Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (, which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.nb_NO
cristin.unitnameInstitutt for informasjonssikkerhet og kommunikasjonsteknologi

Files in this item


This item appears in the following Collection(s)

Show simple item record

Navngivelse 4.0 Internasjonal
Except where otherwise noted, this item's license is described as Navngivelse 4.0 Internasjonal