FORENSICS


Forensics: Physical and Logical Size

What is the difference between the physical and logical size shown in Encase/FTK?
All files have a physical and logical size, often the physical size is larger than the logical size, sometimes it is equal to it. But the logical size should never be greater than the physical size, otherwise there is corruption on the file system or something unusual is occurring.
The physical size of a file, is dictated by the minimum number of whole clusters a file needs. e.g If 6 KB file that takes up 1.5 clusters (one cluster = 4kb in this case), it needs 2 clusters for its physical size, and two clusters are 8 KB, therefore the physical size is 8 KB.  Its a bit like transporting people. Whats the minimum number of London Taxis you need to move 6 people? 1.5, but you can’t actually order half a cab, you need 2 cabs, therefore the physical space required to carry 6 people is 8 spaces.
The logical size is how big the file actually is,  in this case 6 kb, the actual size of the file. The difference between the two sizes is known as “file slack“.

Comments

Popular posts from this blog

DM Short

DM MCQ

Creating Chrome Web App