Linux is still a niche operating systems but has many very keen fans. With Windows, there are two file systems that may be used, NTFS and FAT, but with Linux (and Ubuntu) it is possible to install several file systems and so there have been many developments each trying to be better, or faster. The most common file systems as Ext2/3, XFS and ReiserFS (version 3).
The most significant feature of ReiserFS is the way it stores the data on the disk. With FAT, each file always takes at least a cluster (maybe 16K). With NTFS each file over about 500 bytes always takes a cluster, while small files may be stored with the directory entry in the MFT block of 1024 bytes. ReiserFS will use blocks to full capacity. Thus with a 4K block, it may actually contain 5 to 20 files, or the start of a long file. This can mean that the disk can be used with virtually no slack or wasted space.
From the recovery view point this makes data carving a nightmare. For most file systems, data carving always examines just the first bytes of a sector to determine if the sector contains a file start. For the same to be true with ReiserFS, it may have to check every byte, or if the data is 64 bit aligned, every eigth byte in order to detect all possible file starts. Fortunately though, long files normally start on block starts, so normal carving will work, but in order to find all short files, a lot more care has to be taken.
No comments:
Post a Comment