Unexpected EWF behaviour

Guest

I'm running XPe with an IDE EWF overlay (protected disk, overlaying to a
disk). I ran some rudimentary soak tests on the drive. All that was happening
was a little app started and read and wrote to the drive, after 5 mins the
power was pulled from the machine, 30 seconds later the power was put back.
This was repeated for 10 days, unsurprisingly at the end of the 10 days the
machines were starting to complain about corrupt hard disks, I issued the
command "ewfmgr c: -restore" and all the errors disappeared. So far as I
expected, but then I took the disk out of the terminal and put it into my
development PC and ran chkdsk. This is where I got a little confused, chkdsk
reported that it was deleting "corrupt attribute records" and also that it
was "recovering orphaned files", it also told me that it corrected errors in
the MFT and in the "volume bitmap".

These errors were not on the disk before the testing started, (chkdsk was
run before I started), so how is the disk being corrupted when ewf should be
protecting it? Or do I simply misunderstand the errors that I'm reading?

Thanks for any help,
Rob
 
Hi Rob. It's difficult to tell exactly what may be causing those corruption
errors, but keep in mind that if a physical write is being done to the hard
drive when it loses power, just about anything can happen. At that point,
the presence of EWF is meaningless, because we're now talking about the
possibility of the HDD read/write head writing random garbage data anywhere
on the physical drive. This can cause a literal stripe of bad data to
appear on the disk as the head moves back to its home position.

If your environment is such that your EWF-enabled machine is likely to lose
power frequently, you might consider moving to a RAM or RAM-REG overlay if
the written data is not important to keep. However, if you do need to keep
the data between boots, I would suggest optimizing your system in such a way
that the likelihood of physically writing data to the hard drive when the
power goes out is minimized - perform all your writes at once, write the
smallest amount of data at any one time as possible, etc. Power
stabilization is also recommended.

--
Matt Kellner ([email protected])
STE, Windows Embedded Group

This posting is provided "AS IS" with no warranties, and confers no rights.
===============================
 