Indentifying the cluster size based on data content, rather than relying on the meta-data of file system, is an important issue in the field of the disk forensics and file caving. When the file system on an evidence disk has been intentionally or accidentally damaged, it is necessary to indentify the cluster size. This paper presents a method to identify the disk cluster size based on data content for various file systems. The main idea is using the difference between the entropy difference distributions of the non-cluster boundaries and the cluster boundaries to identify the cluster size. The chi(2) statistic is adopted to reveal this difference. Experimental results demonstrate that the proposed approach is effective in identifying the cluster size.

• 出版日期2010-10
• 单位杭州电子科技大学