Hi Andrew. I am not an expert on EWF Disk Overlays, so I can't guarantee
that this information is 100% accurate. But I did some investigation into
these questions, so I'll try to address them here.
Generally speaking, the EWF Disk Overlay functions as a separate place for
the system to perform all write operations that it would normally perform on
the protected partition. Other than redirecting those writes to another
place on the drive, there is essentially no difference in operation as far
as the writes themselves are concerned, so any write to the overlay will
function in the same way as a write to the main partition would when EWF is
not involved. This would include partial writes.
Will the previous version of the file be maintained in the overlay?
This depends on how far into the write operation the system was when it lost
power. As with any hard disk write, once data is actually written to any
part of the hard drive, it's there. Also, if the hard drive is physically
writing data at the time of power loss, there is a chance of that data
becoming corrupt or being written to the wrong sectors, etc., potentially
corrupting any amount of data on the drive regardless of EWF protection.
This is a fairly rare case these days, but it does still happen on occasion.
If you are using multiple overlay levels and you have a previous version of
your file in, say, Level 1, then a write to Level 2 will not overwrite the
Level 1 file until and unless you specifically commit the entire overlay to
the hard drive. In this case, a partial write could easily be rejected
simply by discarding the top overlay level.
Or will the original version of the file be used next time?
Again, this depends on the nature of the write. If writing to the same
overlay level as the original file, if any data was actually written to the
overlay, it's likely that that data will replace the original data. Because
the overlay does not have file-by-file control, but instead acts as a
literal record of all write operations to the partition, a partial write to
the overlay has the same function as a partial write to the protected
partition - namely, the original version of the file will be overwritten in
the overlay, even with partial new data.
The nice thing about an EWF overlay is that, assuming no other part of the
drive has been affected, you can discard the overlay at any time (with a
reboot, of course).
Or will the entire overlay be discarded on the next reboot?
EWF does not validate the overlay on boot, so if any corruption has taken
place in the overlay and you commit it, it will corrupt the protected
partition. Unfortunately, there's no direct way to know if the EWF
partition is valid at any particular time, so if you suspect that the
partition is likely to be corrupt, you would be best advised to discard it
rather than commit it.
What if the file does not exist in the original partition?
Just like in a regular file system, if the system is creating a new file,
the writes needed to create that file and its entry in the file system are
stored to the overlay.
Will there be some indication to the user what had happened?
No. Again, EWF has no at-boot validation, so it has no way of knowing what
happened to the system. EWF will not report any such situation.
However, it is possible that CHKDSK could still be used to examine the
"virtual partition" consisting of the protected partition and the EWF
overlay combined - if it doesn't detect any problems, you can probably
safely assume that the overlay is okay.
What if power is lost during an overlay commit?
Two things: (1) The data from the overlay will likely only be partially
written to the protected partition, possibly resulting in corruption of one
or more files or possibly the entire partition, depending on what was being
written at the time. (2) The state of the overlay will not have been
updated to reflect that the overlay was committed, so it will still contain
all of the pre-commit writes and think that it is in a non-committed state.
This will likely throw the protected partition and the overlay out of sync
with each other.
Also, as I mentioned above, if a physical write is taking place at the time
the hard drive loses power, just about anything can happen to the data being
written as well as the data already on the drive. In short, losing power
during a write is generally a very bad thing, no matter what the
circumstances.
I hope this information is helpful and useful to you. Good luck in
developing your applications. =) Please let us know if you have any more
questions.
--
Matt Kellner (
[email protected])
STE, Windows Embedded Group
This posting is provided "AS IS" with no warranties, and confers no rights.
===============================
