Cluster Defined
All Microsoft operating systems store data in fixed-length blocks of bytes called clusters. Clusters are groupings of sectors used to allocate the data storage area in all Microsoft operating systems, i.e., DOS, Windows, Windows 95, Windows 98, Windows NT, Windows 2000 and Windows XP. A cluster can range from one sector to 128 sectors in size, and cluster sizes vary depending on the size of the logical storage volume and the operating system involved. These cluster sizes fall generally within the following ranges:
- Low density 5.25 inch floppy diskette - 2 sectors
- High density 5.25 inch floppy diskette - 2 sectors
- Low density 3.5 inch floppy diskette - 2 sectors
- High density 3.5 inch floppy diskette - 1 sector
- Zero - 15MB logical hard drive partition - 8 sectors
- 16MB - 127MB logical hard drive partition - 4 sectors
- 128MB - 255MB logical hard drive partition - 8 sectors
- 256MB - 512MB logical hard drive partition - 16 sectors
- 512MB - 1024MB logical hard drive partition - 32 sectors
- 1024MB - 2048MB logical hard drive partition - 64 sectors
- 2048MB - 4095MB logical hard drive partition - 128 sectors
These are only general guidelines, because cluster sizes vary between file systems. For the same disk storage space, Windows NTFS, FAT16 and FAT32 based operating systems can have wildly varying cluster sizes. In fact, for very small files, Windows NTFS stores the data not in a cluster but in the Master File Table, where other information about the file is stored.
The starting cluster reference number of a file is listed in the directory area of the storage device, e.g., a floppy diskette or a logical partition of a hard disk drive. The clusters assigned to one file are linked together in the File Allocation Table (FAT) in DOS, Windows, Windows 95 and Windows 98; the FAT is the central record keeper that tracks where file data is stored.
Clusters, disk fragmentation and related computer evidence issues are covered in detail in NTI's 5-Day Computer Forensics Training Course, as is the potential for data to be hidden in unallocated clusters and in clusters intentionally marked as bad in the File Allocation Table (FAT).
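The cluster linking described above, as an added example (not NTI's code): a Python sketch that decodes a FAT16 table, follows a file's chain from the starting cluster held in its directory entry, and lists the unallocated and bad-marked clusters an examiner would review. The sample table is constructed, and the entry values used (0x0000 free, 0xFFF7 bad, 0xFFF8 and above end of chain) are the standard FAT16 conventions, which this page does not list.

```python
import struct

# Standard FAT16 entry values (assumed here; not listed on the page)
FREE, BAD, EOC_MIN = 0x0000, 0xFFF7, 0xFFF8

# Constructed sample FAT: entries 0 and 1 are reserved, data clusters start at 2.
# File A starts at cluster 2 (2 -> 3 -> 5), file B at cluster 7 (7 -> 8).
SAMPLE_FAT = struct.pack("<10H", 0xFFF8, 0xFFFF, 3, 5, FREE,
                         0xFFFF, BAD, 8, 0xFFFF, FREE)

def parse_fat16(raw):
    """Decode a FAT16 table: one little-endian 16-bit entry per cluster."""
    count = len(raw) // 2
    return list(struct.unpack(f"<{count}H", raw[:count * 2]))

def follow_chain(fat, start):
    """Return the ordered clusters of a file, given its starting cluster."""
    chain, seen, cur = [], set(), start
    while True:
        if cur < 2 or cur >= len(fat):
            raise ValueError(f"cluster {cur} is outside the FAT")
        if cur in seen:
            raise ValueError(f"loop in chain at cluster {cur}")
        seen.add(cur)
        chain.append(cur)
        nxt = fat[cur]
        if nxt >= EOC_MIN:          # end-of-chain marker: file is complete
            return chain
        if nxt in (FREE, BAD):      # a live chain must never point here
            raise ValueError(f"chain broken after cluster {cur}: {nxt:#06x}")
        cur = nxt

def classify(fat):
    """List data clusters that are unallocated or marked bad in the FAT."""
    return {
        "free": [c for c in range(2, len(fat)) if fat[c] == FREE],
        "bad": [c for c in range(2, len(fat)) if fat[c] == BAD],
    }

if __name__ == "__main__":
    fat = parse_fat16(SAMPLE_FAT)
    print("file A:", follow_chain(fat, 2))
    print("file B:", follow_chain(fat, 7))
    print(classify(fat))
```

Clusters reported as bad are worth reading raw from the evidence image: the operating system skips them, so a cluster marked bad that reads back cleanly deserves a closer look.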

