I am writing a UDF that utilizes the defragmentation API (specifically FSCTL_GET_RETRIEVAL_POINTERS and IOCTL_VOLUME_LOGICAL_TO_PHYSICAL) to map a file's location on disk. The goal is to use this to update my secure file deletion script. I have a few unanswered questions though regarding the filesystem that are fairly important. Any takers?
1) Are file extents (not including the final extent or files taking up only a single extent) guaranteed to completely fill a block of clusters, ie no unused bytes at the end of the last cluster in the block?
2) Is a disk cluster guaranteed to only contain data from one file? So a 2K file only takes up part of a 4K cluster... can the rest of that cluster contain data from another file? If so, same question regarding a single sector (usually 512 bytes, vs a 4K cluster)?
I think the answer is yes to both question... but that's a dangerous assumption when you're writing directly to the disk.
NTFS Questions
Started by
wraithdu
, Sep 28 2011 08:28 PM
8 replies to this topic
#1
wraithdu
-
- MVPs
-
- 2,137 posts
I am less fun than a twisted ankle.
Posted 28 September 2011 - 08:28 PM
#2
BrewManNH
-
- MVPs
-
- 6,815 posts
באָבקעס מיט קודוצ׳ה
Posted 28 September 2011 - 08:41 PM
1 file per cluster, 1 file per sector. Not sure what a file extent is, but if you have a 4K cluster size and a 1K file, that file will inhabit one cluster, and approx. 3K of that cluster will be unknown data.
How to ask questions the smart way!
Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.
Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.
_FileGetProperty - Retrieve the properties of a file SciTE Toolbar - A toolbar demo for use with the SciTE editorGUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.
GUIToolTip UDF Demo - Demo script to show how to use the GUIToolTip UDF to create and use customized tooltips.
#3
wraithdu
-
- MVPs
-
- 2,137 posts
I am less fun than a twisted ankle.
Posted 28 September 2011 - 10:10 PM
Thank you. And an extent is a contiguous block of clusters belonging to a file, ie an extent is one fragment of a fragmented file. While the clusters that make up an extent must be contiguous, the extents that make up a file can be located physically anywhere on the disk, hence file fragmentation and the need to defragment.
So that just leaves #1 above. I'm pretty sure the answer is yes. I've successfully tested reading the mapped extents in order, directly from the disk, and comparing the rebuilt file to the original. This is actually an interesting process when it comes to compressed and EFS encrypted files. The original file cannot be trivially recovered since the OS implements the compression or encryption transparently, and it doesn't know the rebuilt file is either compressed or encrypted. But the the rebuilt file contains the actual compressed or encrypted data as it is stored on disk.
So that just leaves #1 above. I'm pretty sure the answer is yes. I've successfully tested reading the mapped extents in order, directly from the disk, and comparing the rebuilt file to the original. This is actually an interesting process when it comes to compressed and EFS encrypted files. The original file cannot be trivially recovered since the OS implements the compression or encryption transparently, and it doesn't know the rebuilt file is either compressed or encrypted. But the the rebuilt file contains the actual compressed or encrypted data as it is stored on disk.
Edited by wraithdu, 28 September 2011 - 10:15 PM.
#4
BrewManNH
-
- MVPs
-
- 6,815 posts
באָבקעס מיט קודוצ׳ה
Posted 28 September 2011 - 10:23 PM
As long as the file fragment you're dealing with isn't the last one, then it will be filled with the file's information and nothing else, because the last one is the only one that may or may not fill that last cluster.
How to ask questions the smart way!
Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.
Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.
_FileGetProperty - Retrieve the properties of a file SciTE Toolbar - A toolbar demo for use with the SciTE editorGUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.
GUIToolTip UDF Demo - Demo script to show how to use the GUIToolTip UDF to create and use customized tooltips.
#5
wraithdu
-
- MVPs
-
- 2,137 posts
I am less fun than a twisted ankle.
Posted 29 September 2011 - 05:09 AM
Thanks for confirming what I originally suspected.
#6
KaFu
-
- MVPs
-
- 3,162 posts
Hey, it's just me, KhaFoo...
Posted 29 September 2011 - 07:36 AM
Maybe this is useful to you too 
...
Edit: See below...
...Edit: See below...
Edited by KaFu, 29 September 2011 - 07:56 AM.
OS: Windows 7 - 64bit - Ultimate, AutoIt Version: 3.3.8.1, AutoIt Editor: SciTE, Website: http://www.funk.eu, My unsolved Questions: Get default Window Size and Position, 
AMT - Auto-Movie-Thumbnailer (2013-Mar-22) 
COP - Color Picker (2009-May-21) 
HMW - Hide my Windows (2012-Jan-02) 
HRC - HotKey Resolution Changer (2012-May-16) 
ICU - Icon Configuration Utility (2013-Jan-11) 
SMF - Search my Files (2013-Apr-25) - THE file info and duplicates search tool 
SSD - Set Sound Device (2011-Jan-15)My DLL Collection Thread | Interesting AutoIt Posts Library - My UDFs | Recommended Projects | Recommended UDFs | Recommended Tutorials | ...
#7
AdmiralAlkex
-
- MVPs
-
- 4,490 posts
I'm on a boat
Posted 29 September 2011 - 07:43 AM
Maybe this is useful to you too
...
[#10171] You do not have permission to view this attachment.
Heh?
How To Ask Questions The Smart WayHow to Report Bugs EffectivelySome of my scripts: ShiftER, Codec-Control, Resolution switcher for HTC ShiftSome of my UDFs: SDL UDF, SetDefaultDllDirectories, Converting GDI+ Bitmap/Image to SDL Surface
#8
KaFu
-
- MVPs
-
- 3,162 posts
Hey, it's just me, KhaFoo...
Posted 29 September 2011 - 07:58 AM
Not sure what went wrong. It was an attachment I added to another post already, maybe that's the problem. I've re-uploaded it now.
NTFS Documentation.pdf.zip 273.67K
88 downloads
NTFS Documentation.pdf.zip 273.67K
88 downloads
OS: Windows 7 - 64bit - Ultimate, AutoIt Version: 3.3.8.1, AutoIt Editor: SciTE, Website: http://www.funk.eu, My unsolved Questions: Get default Window Size and Position, AMT - Auto-Movie-Thumbnailer (2013-Mar-22) COP - Color Picker (2009-May-21) HMW - Hide my Windows (2012-Jan-02) HRC - HotKey Resolution Changer (2012-May-16) ICU - Icon Configuration Utility (2013-Jan-11) SMF - Search my Files (2013-Apr-25) - THE file info and duplicates search tool SSD - Set Sound Device (2011-Jan-15)My DLL Collection Thread | Interesting AutoIt Posts Library - My UDFs | Recommended Projects | Recommended UDFs | Recommended Tutorials | ...
#9
AdmiralAlkex
-
- MVPs
-
- 4,490 posts
I'm on a boat
Posted 29 September 2011 - 09:22 AM
That worked. Quite a lot of information in there!
How To Ask Questions The Smart WayHow to Report Bugs EffectivelySome of my scripts: ShiftER, Codec-Control, Resolution switcher for HTC ShiftSome of my UDFs: SDL UDF, SetDefaultDllDirectories, Converting GDI+ Bitmap/Image to SDL Surface
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
