Volumes

Volumes are often called partitions. A volume contains only one file system and some parameters :

  • the block size (or cluster size)
  • the location of the catalog (HFS) or the MFT (NTFS) in sectors.
    this is the central database managing all files properties
  • the location of the Journal in bytes (HFS and NTFS) 
  • the location of the Root Folder (FATs)

Most the parameters are locate in the Volume Boot Record (VBR), often located at the first sector of the volume.

When identifying volumes, Tyrhex check, based on file system features, if a more accurate volume name is available and give it to the newly created analysis volume.

Damaged VBR avoid most of software, including all operating systems and most forensic softwares, to analyse the volume content and retrieve file content and information (metadata, file name, date and time, folder structure, …). However using Tyrhex volume editor it remains possible to « rebuild » a basic VBR helping to retrieve all what is still available. 

tyrhex © Yves Vandermeer  2015-2017   #tyrhex