A very useful forensic tool is to determine which file a sector belongs to. In the case of overwritten, or deleted files, a sector may have more than one apparent owner

The value of the absolute location of the sector is entered into the box (in either hex or decima according to the flag) and when Search is pressed the log is examined to determine which file(s) the sector is part of.

Obviously, a sector should only be used in a single file, but if deleted files have been restored within the log, these will be tested as well. If a deleted file has been overwritten, it should be possible to see which file overwrote it.

The routine will search up to 64 fragments on a file.

As a double check, when a file has been isolated, it is possible to view the fragments of the file by clicking on Frags column within the log.