Question about RAM EWF usage

[Doug Gordon]

This question was prompted by another recent post regarding RAM EWF filling
up memory and requiring a reboot. I'd appreciate a definite answer from
someone who really knows for certain how EWF works.

My understanding is that RAM EWF stores changes to the protected partition
by mapping chunks of memory to changed sectors (or clusters) on the disk.
So, for example, if a cluster is 32K in size and I write some data to
cluster #X, 32K of RAM is allocated to contain the updated disk data. Now,
if I later write some more data to the same cluster #X, my understanding is
that the changes would be written to the same 32K of RAM that was already
allocated for this cluster, so no additional RAM is allocated.

Given my assumptions about how it works, I would say that if I have a RAM
size that is greater than my protected partition size, I will never take up
all of my RAM for EWF purposes. In actuality, it should take a lot less
since much of the system partition is used for all of the EXE, DLL, and
other program files that never get written to.

Am I correct about this?

The only reason I'm asking is that I read someone's post a while ago that
implied that the disk writes are queued up so that every write to the
protected partition would consume an additional chunk of RAM, eventually
requiring a reboot to recover the memory. But I think that their observation
was based on a misunderstanding of how file space is allocated when you
"overwrite" a file with a copy operation.

Doug G

 

[Sean Liming \(eMVP\)]

I asked something similiar when I wrote my first book on XPe a few years
ago. Here is what I confirmed then: "For example you have a drive that is
512MB in size. The OS and other files take up 412MB. This leaves you with
100MB of free drive space. If you have 512MB of RAM, than EWF RAM overlay
should only take 100MB."

The answers since then have been mixed. With NTFS, there are various log
files that are being kept. This is what the previous NG poster has seen. Log
files tend to grow, thus taking more space in the overlay as time goes on.
As far as re-writing data, I haven't asked this question nor investigated
the issue.

The EWFMGR utility and EWF APIs have provide functions to monitor overlay
space information; so there is a way to test the system out and see what
happens to the overlay.

Regards,

Sean Liming
www.sjjmicro.com / www.seanliming.com
XP Embedded Book Author - XP Embedded Advanced, XP Embedded Supplemental
Toolkit.

 

[Mark K Vallevand]

Except for Sean's comment about NTFS log files, you are basically correct.
In our very long term testing, the RAM used to cache the disk updates will
stop growing at some point. All of the clusters that could be updated are
cached in RAM. We also took detailed and extreme care to minimize the
updates to the files that our software was doing.

--
Regards.
Mark K Vallevand (e-mail address removed)

Beer is living proof that God loves us and wants us to be happy.
- Benjamin Franklin


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you received
this in error, please contact the sender and delete the e-mail and its
attachments from all computers.