Forensics: Physical and Logical Size

What is the difference between the physical and logical size shown in Encase/FTK?

All files have a physical and a logical size. The physical size is often larger than the logical size and is sometimes equal to it. The logical size should never be greater than the physical size; if it is, there is corruption on the file system or something unusual is occurring.

The physical size of a file is dictated by the minimum number of whole clusters the file needs. For example, a 6 KB file takes up 1.5 clusters (one cluster = 4 KB in this case), so it needs 2 clusters for its physical size, and two clusters are 8 KB; therefore the physical size is 8 KB. It's a bit like transporting people. What's the minimum number of London taxis you need to move 6 people? 1.5, but you can’t actually order half a cab; you need 2 cabs, therefore the physical space required to carry 6 people is 8 spaces.

The logical size is how big the file actually is, in this case 6 KB. The difference between the two sizes is known as “file slack”.
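The 6 KB example above, worked through in code. This is an added example and not part of the original post; the function names, the in-memory sample image and the sample records are constructed for illustration, and the file is assumed to occupy contiguous clusters.

```python
CLUSTER = 4096  # 4 KB clusters, as in the article's example

def physical_size(logical: int, cluster: int = CLUSTER) -> int:
    """Bytes occupied by the minimum number of whole clusters for `logical` bytes."""
    if logical < 0 or cluster <= 0:
        raise ValueError("logical size must be >= 0 and cluster size > 0")
    return -(-logical // cluster) * cluster  # ceiling division, then back to bytes

def file_slack(image: bytes, start_cluster: int, logical: int,
               cluster: int = CLUSTER) -> bytes:
    """Bytes between the logical end of the file and the end of its last cluster.
    Assumption: the file's clusters are contiguous from start_cluster."""
    start = start_cluster * cluster
    end = start + physical_size(logical, cluster)
    if end > len(image):
        raise ValueError("allocation runs past the end of the image")
    return image[start + logical:end]

def size_anomalies(records, cluster: int = CLUSTER):
    """Return (name, reason) for entries whose reported sizes are inconsistent."""
    found = []
    for name, logical, physical in records:
        if logical > physical:
            found.append((name, "logical size exceeds physical size"))
        elif physical % cluster:
            found.append((name, "physical size is not a whole number of clusters"))
    return found

def build_sample_image() -> bytes:
    """Constructed 2-cluster volume: old data overwritten by a 6 KB file."""
    image = bytearray(b"OLD!" * (2 * CLUSTER // 4))  # previous occupant of both clusters
    image[:6 * 1024] = b"A" * (6 * 1024)             # the new 6 KB file
    return bytes(image)

if __name__ == "__main__":
    slack = file_slack(build_sample_image(), 0, 6 * 1024)
    print("physical:", physical_size(6 * 1024), "slack bytes:", len(slack))
    print("slack starts with:", slack[:8])           # residue of the old file
    # Constructed directory entries: (name, logical size, physical size)
    sample = [("report.doc", 6144, 8192), ("odd.bin", 9000, 8192)]
    print(size_anomalies(sample))
```

The slack region still holds bytes from whatever previously occupied the cluster, which is why examiners look at it.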

For more detailed information on this,  the following articles may be useful:

Video demonstrating file slack.

Clusters

Sectors

What is File Slack


3 Responses to “Forensics: Physical and Logical Size”

  1. MFT Slack « Data - Where is it? Says:

    […] described as the “spare bit” at the end of the file – it's the difference between the logical and physical file […]

  2. Forensics: RAM Slack and File Slack « Data - Where is it? Says:

    […] in general, refers to the difference between the logical file size and physical file size.  However slack can be broken down into two different areas, RAM slack and File […]

  3. Forensics: What is the $MFT? « Data – Where is it? Says:

    […] Physical and Logical Size of the […]

