{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,21]],"date-time":"2026-01-21T08:03:31Z","timestamp":1768982611087,"version":"3.49.0"},"reference-count":26,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2019,12,19]],"date-time":"2019-12-19T00:00:00Z","timestamp":1576713600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2019,12,19]],"date-time":"2019-12-19T00:00:00Z","timestamp":1576713600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Mobile Netw Appl"],"published-print":{"date-parts":[[2020,2]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>The allocation algorithm of a file system has a huge impact on almost all aspects of digital forensics, because it determines where data is placed on storage media. Yet there is only basic information available on the allocation algorithm of the currently most widely spread file system; NTFS. We have therefore studied the NTFS allocation algorithm and its behavior empirically. To do that we used two virtual machines running Windows 7 and 10 on NTFS formatted fixed size virtual hard disks, the first being 64 GiB and the latter 1 TiB in size. Files of different sizes were written to disk using two writing strategies and the $Bitmap files were manipulated to emulate file system fragmentation. Our results show that files written as one large block are allocated areas of decreasing size when the files are fragmented. The decrease in size is seen not only within files, but also between them. Hence a file having smaller fragments than another file is written after the file having larger fragments. We also found that a file written as a stream gets the opposite allocation behavior, i. e. its fragments are increasing in size as the file is written. The first allocated unit of a stream written file is always very small and hence easy to identify. The results of the experiment are of importance to the digital forensics field and will help improve the efficiency of for example file carving and timestamp verification.<\/jats:p>","DOI":"10.1007\/s11036-019-01441-1","type":"journal-article","created":{"date-parts":[[2019,12,19]],"date-time":"2019-12-19T21:04:28Z","timestamp":1576789468000},"page":"248-258","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":8,"title":["Disk Cluster Allocation Behavior in Windows and NTFS"],"prefix":"10.1007","volume":"25","author":[{"given":"Martin","family":"Karresand","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Stefan","family":"Axelsson","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Geir Olav","family":"Dyrkolbotn","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2019,12,19]]},"reference":[{"key":"1441_CR1","volume-title":"File system forensic analysis","author":"B Carrier","year":"2005","unstructured":"Carrier B (2005) File system forensic analysis. Addison-Wesley Professional, Boston"},{"key":"1441_CR2","unstructured":"Carrier B (2014) Tsk tool overview. http:\/\/wiki.sleuthkit.org\/index.php?title=TSK_Tool_Overview"},{"key":"1441_CR3","unstructured":"Hughes J (2009) The four stages of NTFS file growth. https:\/\/blogs.technet.microsoft.com\/askcore\/2009\/10\/16\/the-four-stages-of-ntfs-file-growth\/. Accessed 24-10-2018"},{"key":"1441_CR4","unstructured":"Karresand M (2008) Completing the picture \u2014 fragments and back again. Licentiate thesis, Link\u00f6ping Institute of Technology, Link\u00f6ping University, Sweden"},{"key":"1441_CR5","doi-asserted-by":"publisher","first-page":"S51","DOI":"10.1016\/j.diin.2019.04.018","volume":"29","author":"Martin Karresand","year":"2019","unstructured":"Karresand M, Axelsson S, Dyrkolbotn GO (2019) Using NTFS cluster allocation behavior to find the location of user data. Digital Investigation. 29(Supplement):S51\u2013S60","journal-title":"Digital Investigation"},{"key":"1441_CR6","doi-asserted-by":"crossref","unstructured":"Karresand M, Shahmehri N (2006) File type identification of data fragments by their binary structure. In: Proceedings from the seventh annual IEEE systems, man and cybernetics (SMC) information assurance workshop, 2006. IEEE, Piscataway, pp 140\u2013147","DOI":"10.1109\/IAW.2006.1652088"},{"key":"1441_CR7","unstructured":"Karresand M, Shahmehri N (2006) Oscar \u2013 file type and camera identification using the structure of binary data fragments. In: Haggerty J., Merabti M. (eds) Proceedings of the 1st conference on advances in computer security and forensics, ACSF. The School of Computing and Mathematical Sciences, John Moores University, Liverpool, pp 11\u201320"},{"key":"1441_CR8","doi-asserted-by":"publisher","first-page":"413","DOI":"10.1007\/0-387-33406-8_35","volume-title":"Security and Privacy in Dynamic Environments","author":"Martin Karresand","year":"2006","unstructured":"Karresand M, Shahmehri N (2006) Oscar \u2013 file type identification of binary data in disk clusters and RAM pages. In: Proceedings of IFIP international information security conference: security and privacy in dynamic environments (SEC2006), Lecture notes in computer science, pp 413\u2013424"},{"key":"1441_CR9","doi-asserted-by":"publisher","first-page":"85","DOI":"10.1007\/978-1-84628-750-3_9","volume-title":"EC2ND 2006","author":"Martin Karresand","year":"2007","unstructured":"Karresand M, Shahmehri N (2007) Oscar \u2013 using byte pairs to find file type and camera make of data fragments. In: Blyth A., Sutherland I. (eds) Proceedings of the 2nd European conference on computer network defence, in conjunction with the first workshop on digital forensics and incident analysis (EC2ND 2006). Springer, Berlin, pp 85\u201394"},{"key":"1441_CR10","doi-asserted-by":"crossref","unstructured":"Karresand M, Shahmehri N (2008) Reassembly of fragmented jpeg images containing restart markers. In: Proceedings - 4th annual European conference on computer network defense, EC2ND 2008, pp 25\u201332","DOI":"10.1109\/EC2ND.2008.10"},{"key":"1441_CR11","doi-asserted-by":"publisher","first-page":"133","DOI":"10.1007\/978-3-030-28752-8_8","volume-title":"Advances in Digital Forensics XV","author":"Martin Karresand","year":"2019","unstructured":"Karresand M, Warnqvist \u00c5, Lindahl D, Axelsson S, Dyrkolbotn GO (2019). In: Advances in Digital Forensics XIV, chap. 8 Creating a map of user data in NTFS to improve file carving, pp. 133\u2013158. Springer International Publishing AG, Cham"},{"key":"1441_CR12","unstructured":"(2017) Microsoft: System requirements. https:\/\/support.microsoft.com\/en-gb\/help\/12660\/windows-8-system-requirements. Accessed 30-04-2018"},{"key":"1441_CR13","unstructured":"Microsoft: Windows 10 system requirements (2017). https:\/\/support.microsoft.com\/en-us\/help\/4028142\/windows-windows-10-system-requirements. Accessed 30-04-2018"},{"key":"1441_CR14","unstructured":"Microsoft: Windows 7 system requirements (2017). https:\/\/support.microsoft.com\/en-us\/help\/10737\/windows-7-system-requirements. Accessed 30-04-2018"},{"key":"1441_CR15","unstructured":"Microsoft: How ntfs works (2018). https:\/\/technet.microsoft.com\/pt-pt\/library\/cc781134(v=ws.10).aspx. Accessed 30-09-2018"},{"issue":"3","key":"1441_CR16","doi-asserted-by":"publisher","first-page":"224","DOI":"10.1016\/j.diin.2014.06.008","volume":"11","author":"W Minnaard","year":"2014","unstructured":"Minnaard W (2014) The Linux FAT32 allocator and file creation order reconstruction. Digital Investigation 11(3):224\u2013233. https:\/\/doi.org\/10.1016\/j.diin.2014.06.008. Special Issue: Embedded Forensics","journal-title":"Digital Investigation"},{"issue":"2","key":"1441_CR17","doi-asserted-by":"publisher","first-page":"59","DOI":"10.1109\/MSP.2008.931081","volume":"26","author":"A Pal","year":"2009","unstructured":"Pal A, Memon N (2009) The evolution of file carving. IEEE Signal Proc Mag 26(2):59\u201371. https:\/\/doi.org\/10.1109\/MSP.2008.931081","journal-title":"IEEE Signal Proc Mag"},{"key":"1441_CR18","doi-asserted-by":"publisher","unstructured":"Poisel R, Tjoa S (2013) A comprehensive literature review of file carving. In: 2013 International conference on availability, reliability and security, pp 475\u2013484. https:\/\/doi.org\/10.1109\/ARES.2013.62","DOI":"10.1109\/ARES.2013.62"},{"key":"1441_CR19","doi-asserted-by":"publisher","unstructured":"Roussev V, Garfinkel S (2009) File fragment classification-the case for specialized approaches. In: 2009 Fourth international IEEE workshop on systematic approaches to digital forensic engineering, pp 3\u201314. https:\/\/doi.org\/10.1109\/SADFE.2009.21","DOI":"10.1109\/SADFE.2009.21"},{"key":"1441_CR20","volume-title":"Operating system concepts","author":"A Silberschatz","year":"2012","unstructured":"Silberschatz A, Galvin P, Gagne G (2012) Operating system concepts, 9th edn. Wiley, Hoboken","edition":"9th edn."},{"key":"1441_CR21","volume-title":"Operating systems \u2013 internals and design principles","author":"W Stallings","year":"2012","unstructured":"Stallings W (2012) Operating systems \u2013 internals and design principles, 7th edn. Pearson Education Inc., Upper Saddle River","edition":"7th edn."},{"key":"1441_CR22","unstructured":"(2017) Superuser: What block allocation algorithm does ntfs use?. https:\/\/superuser.com\/questions\/274855\/what-block-allocation-algorithm-does-ntfs-use. Accessed 24-01-2019"},{"key":"1441_CR23","volume-title":"Modern operating systems","author":"A Tanenbaum","year":"2015","unstructured":"Tanenbaum A, Bos H (2015) Modern operating systems, 4th edn. Pearson Education Inc., Upper Saddle River","edition":"4th edn."},{"key":"1441_CR24","unstructured":"Tse W (2011) Forensic analysis using fat32 file cluster allocation patterns. Master\u2019s thesis, University of Hong Kong"},{"key":"1441_CR25","doi-asserted-by":"publisher","unstructured":"Willassen S (2008) Finding evidence of antedating in digital investigations. In: 2008 Third international conference on availability, reliability and security, pp 26\u201332. https:\/\/doi.org\/10.1109\/ARES.2008.149","DOI":"10.1109\/ARES.2008.149"},{"key":"1441_CR26","unstructured":"Willassen S (2008) Methods for enhancement of timestamp evidence in digital investigations. Ph.D. thesis, Norwegian University of Science and Technology, Faculty of Information Technology, Mathematics and Electrical Engineering, Department of Telematics"}],"container-title":["Mobile Networks and Applications"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s11036-019-01441-1.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/article\/10.1007\/s11036-019-01441-1\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s11036-019-01441-1.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2020,12,18]],"date-time":"2020-12-18T00:23:12Z","timestamp":1608250992000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/s11036-019-01441-1"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,12,19]]},"references-count":26,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2020,2]]}},"alternative-id":["1441"],"URL":"https:\/\/doi.org\/10.1007\/s11036-019-01441-1","relation":{},"ISSN":["1383-469X","1572-8153"],"issn-type":[{"value":"1383-469X","type":"print"},{"value":"1572-8153","type":"electronic"}],"subject":[],"published":{"date-parts":[[2019,12,19]]},"assertion":[{"value":"19 December 2019","order":1,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}]}}