#161
COLLECTED hard drive usage after XP NTFS
#162
COLLECTED hard drive usage after XP NTFS
"PCR" wrote in message ... | "MEB" meb@not wrote in message | ... | | Jeff responded to the above with (my response inline): | | | /I'm off to the Indycar racing, so just talk amongst yourselves for a | while. | | | Have fun, wish I was there... zooooooommmmm.... | | He'll run you OVER, if you go there, MEB! | AAAAAWWW, he would not,, or would he? He's a driver? -- MEB _______________ |
#164
COLLECTED hard drive usage after XP NTFS
BTW Jeff, I reposted this under the other repost with inline reply.. (in
case you didn't notice..) Looks like I may be headed out for awhile, so I may not get to respond for awhile.. Catch ya then.. -- MEB http://peoplescounsel.orgfree.com/ BLOG http://peoplescounsel.spaces.live.com/ Public Notice or the "real world" "Most people, sometime in their lives, stumble across truth. Most jump up, brush themselves off, and hurry on about their business as if nothing had happen." Winston Churchill Or to put it another way: Morpheus can offer you the two pills; but only you can choose whether you take the red pill or the blue one. _______________ "Jeff Richards" wrote in message ... | "MEB" meb@not wrote in message | ... | snip | | Hmm, what program are you using to search the disk? | The verify tool I indicated - disk look program which compares each sector | to sector zero. | | snip | There are several ways for the disk to return the exact same "drive | space". | The CHS changes might have included a Cylinder or other change [LBA | returns | the same size though different CHS]. So you've said the CHS did not change | at all when you say " reported the same configuration", correct? | The number of cylinders, heads and sectors reported under both CHS and LBA | was identical before and after. | | snip | How would any NTFS file structures be placed if the drive has been zeroed | and NTFS has been removed? | Nothing would exist other than a blank partition, supposedly, if your test | has wiped the disk. | If the drive has been zeroed then a blank partition does NOT exist. | Partitioning the drive will replace the NTFS structures and the drive would | no longer be zeroed. Any test would not be able to distinguish between | data left over from the original installation and data installed by the | partitioning procedure, thus invalidating the results. | | So running sdelete from DOS on a blank disk would fill the empty space, | overwriting nothing, if it worked at all. | SDelete will not work with an unpartitioned drive. 
| | SDelete works on Windows 95, 98, NT 4.0 and Win2K per it's info. | Yes. It is not a utility for examining a blank drive. | | snip | | BTW, you indicated you would first remove the partition by fdisking before | running the Maxtor tool, did you (or did I overlook that)? | | Where did I indicate that? What would be the point? The write zeroes | function overwrites the partition data, and I have made it quite clear that | FDISK removes partitions and does NOT remove data (which is how come data | recovery tools can still work on a drive that has been fdisked). | | As for tools to test with: | | Let's see, first tool, HDAT2 to check SMART and disk. | hdat2all_4_51.zip http://www.hdat2.com/ and the PDF | Create the diskette, do not write protect it. Restart the computer, set | for | floppy boot, start with disk in the floppy drive. | First screen choose the disk, note LBA number and size. | MAIN MENU choose S.M.A.R.T. Menu, choose Read Attribute Data. | Make notes of (Threshold, Value, and Worst, might also note raw values | (raw | data and flags)): | Raw Read Error Rate | Reallocated Sector Count (should be none if this was a new disk) | Read Channel Margin | Calibration Retry Count | Ultra DMA CRC Error Rate | (anything else of interest) | I'm not interested in looking at SMART. It was disabled throughout the test | and could not have played any part in the results. What you are discussing | here is a completely different test (and I don't even know what is being | tested). | | TESTDISK second, use as DOS tool. Create or use a startup disk with | TESTDISK on it (suggest FREEDOS (32bit) startup disk). Startup using the | disk. Type testdisk at command prompt | Second screen should show CHS and MB/MiB; in Analyse (third screen) then | [Search!] (extended search fifth screen), making notes of what each screen | presents. 
(The second screen does not write the Intel code, it just | indicates what the disk formatting might be or have been) | MB/MiB is 122/114, which is what I would expect. CHS is 14947/255/63 which | again agrees. Options were changed to not force whole cylinder, in order to | ensure all sectors were examined. No partition information was found in | standard or deep search for either an existing (assumed) partition or a | blank disk Proposed partition is the full disk, as per above CHS figures. | | Third tool, WINHEX | Download the demo version (if you don't have it). Not sure what is | available in that version. Install in XP (does not support 98). | XP should not be able to access disk as it is not fdisked or formatted. | This assumption invalidates the test and makes everything subsequent | irrelevant. The very point you were making is that XP is doing something to | the disk at such a low level that it doesn't need a partition or a format. | That's why we used a disk zeroing utility and not a data overwriting utility | (such as MEANDISK) to demonstrate that XP can be fully removed from the | disk. | | I'm off to the Indycar racing, so just talk amongst yourselves for a while. | -- | Jeff Richards | MS MVP (Windows - Shell/User) | | |
#165
COLLECTED hard drive usage after XP NTFS
ELECTIONS are now over {looks like I won't have anything to do here (hopefully)}, time to return to the issues of this discussion.

Well, Jeff never responded to the request for S.M.A.R.T. data, and for tools he would cross verify the integrity/wipe of the disk with. Ah well, perhaps he had to put it into service. He did leave those issues unanswered; and appeared to indicate the disk would return NTFS information if partitioned.

-----

A MASSIVE ONE [Bet you thought this was done]::

I suppose it's now time for more related material {or further indications of XP and its NTFS} based upon an indication I previously presented regarding finding a "table" / boot sector far beyond the end of the supposed disk.

Here are some essential aspects of hard drives. For information regarding the possible aspects of this "finding" we revert to:

HDAT2en_451.pdf excerpts [rights to this material remain under control of the original creator] :

M7. Device Configuration Overlay Menu

ATA/ATAPI Device Configuration Overlay (DCO)

DCO allows systems to modify the apparent features provided by a hard disk drive device. It provides a set of commands that allow a utility program to modify some of the commands, modes, and feature sets reported as supported by the hard disk drive. It can be used to hide a portion of the hard disk drive's capacity from being viewed by the operating system and the file system.

The optional Device Configuration Overlay feature set allows a utility program to modify some of the optional commands, modes, and feature sets that a device reports as supported in the IDENTIFY DEVICE or IDENTIFY PACKET DEVICE command data as well as the capacity reported.

Commands of Device Configuration Overlay feature set:
DEVICE CONFIGURATION FREEZE LOCK
DEVICE CONFIGURATION IDENTIFY
DEVICE CONFIGURATION RESTORE
DEVICE CONFIGURATION SET

M8. Security Menu

This menu item is available only for drive, which support Security Mode feature set (bit 1 of word 82). Next features are described in word 128. Maximum password length is 32 characters.
Drive Lock is based on the industry standard ATA-3 specification. The standard uses a dual password structure featuring a User and Master password and defines two security modes, High and Maximum. Under High mode, the Master password can be used to unlock a protected hard drive and reset the User password. By contrast, in Maximum mode the Master password can only be used to reformat the hard drive and reset security options for the newly formatted drive. In the Maximum mode, the Master password cannot be used to change the User password without first reformatting the hard drive. This protects against unauthorized access to hard drive by the owner of the Master password. In both security modes, if both passwords are lost, the hard drive is rendered permanently unusable. The decision to implement only the High mode was made to eliminate risk of data loss in the event only the User password is lost.

In High security mode, one can unlock the disk with either the user or master password by using the "SECURITY UNLOCK DEVICE" ATA command. In Maximum security mode, one can not unlock the disk without knowing the passwords. One way to reuse the disk is to issue the SECURITY ERASE PREPARE command followed by SECURITY ERASE UNIT. However, The SECURITY ERASE UNIT command will require the Master password and all data will be erased as a result.

Security Mode feature set

The optional Security Mode feature set is a password system that restricts access to user data stored on a device. The system has two passwords, User and Master, and two security levels, High and Maximum. The security system is enabled by sending a user password to the device with the SECURITY SET PASSWORD command. When the security system is enabled, access to user data on the device is denied after a power cycle until the User password is sent to the device with the SECURITY UNLOCK command. A Master password may be set in addition to the User password.
The purpose of the Master password is to allow an administrator to establish a password that is kept secret from the user, and which may be used to unlock the device if the User password is lost. Setting the Master password does not enable the password system.

The security level is set to High or Maximum with the SECURITY SET PASSWORD command. The security level determines device behavior when the Master password is used to unlock the device. When the security level is set to High, the device requires the SECURITY UNLOCK command and the Master password to unlock. When the security level is set to Maximum, the device requires a SECURITY ERASE PREPARE command and a SECURITY ERASE UNIT command with the Master password to unlock. Execution of the SECURITY ERASE UNIT command erases all user data on the device.

The SECURITY FREEZE LOCK command prevents changes to passwords until a following power cycle. The purpose of the SECURITY FREEZE LOCK command is to prevent password setting attacks on the security system. Sometimes this command will issue system BIOS. If device is locked with SECURITY FREEZE LOCK command, then program for this device will show a message "!SECURITY: FROZEN". If device is locked with a password, then program for this device will show a message "! SECURITY: LOCKED".

A device that implements the Security Mode feature set shall implement the following minimum set of commands:
SECURITY SET PASSWORD
SECURITY UNLOCK
SECURITY ERASE PREPARE
SECURITY ERASE UNIT
SECURITY FREEZE LOCK
SECURITY DISABLE PASSWORD

Support of the Security Mode feature set is indicated in IDENTIFY DEVICE word 82 and word 128.

Security mode initial setting

When the manufacturer ships the device, the state of the Security Mode feature shall be disabled. The initial Master password value is not defined by ATA standard. If the Master Password Revision Code feature is supported, the manufacturer shall set the Master Password Revision Code to FFFEh.
User password lost

If the User password sent to the device with the SECURITY UNLOCK command does not match the user password previously set with the SECURITY SET PASSWORD command, the device shall not allow the user to access data. If the Security Level was set to High during the last SECURITY SET PASSWORD command, the device shall unlock if the Master password is received. If the Security Level was set to Maximum during the last SECURITY SET PASSWORD command, the device shall not unlock if the Master password is received. The SECURITY ERASE UNIT command shall erase all user data and unlock the device if the Master password matches the last Master password previously set with the SECURITY SET PASSWORD command.

Attempt limit for SECURITY UNLOCK command

The device shall have an attempt limit counter. The purpose of this counter is to defeat repeated trial attacks. After each failed User or Master password SECURITY UNLOCK command, the counter is decremented. When the counter value reaches zero the EXPIRE bit (bit 4) of word 128 in the IDENTIFY DEVICE information is set to one, and the SECURITY UNLOCK and SECURITY UNIT ERASE commands are command aborted until the device is powered off or hardware reset. The EXPIRE bit shall be cleared to zero after power-on or hardware reset. The counter shall be set to five after a power-on or hardware reset.

M8.1 SET PASSWORD

This item is for command SECURITY SET PASSWORD to set password identifier (User, Master), security level (High, Maximum), new password and Master Password Revision Code for password Master.

M9. SET MAX (HPA) Menu

The Host Protected Area security commands using a single command code and are differentiated from one another by the value placed in the Features register. In addition, a device supporting the Host Protected Area feature set may optionally include the security extensions.
Following commands are defined in this featu
READ MAX ADDRESS/READ MAX ADDRESS EXT
SET MAX ADDRESS/SET MAX ADDRESS EXT
SET MAX SET PASSWORD
SET MAX LOCK
SET MAX FREEZE LOCK
SET MAX UNLOCK

Devices supporting these extensions shall set bit 10 of word 82 and bit 8 of word 83 of the IDENTIFY DEVICE response to one.

HPA is defined as a reserved area for data storage outside the normal operating file system. This area is hidden from the operating system and file system, and is normally used for specialized applications. Systems may wish to store configuration data or save memory to the HDD device in a location that the operating systems cannot change. You can see at M13.1.22 Address Offset Mode feature also.

M9.1 Set Max Address

This menu item is valid for ATA/SATA hard drive only when the Host Protected Area feature set (bit 10 in word 82) is implemented. Use prohibited when the Removable feature set (bit 2 in word 82) is implemented.

First, we have to explain the concept:

"Native max address": The native maximum address is the highest address accepted by the device in the factory default condition. The native maximum address is the maximum address that is valid when using the SET MAX ADDRESS command. If the 48-bit Address feature set is supported and the 48-bit native max address is greater than 268,435,455, the READ NATIVE MAX ADDRESS command shall return a maximum value of 268,435,454.

"Host Protected Area" (HPA) feature set: A reserved area for data storage outside the normal operating system file system is required for several specialized applications. Systems may wish to store configuration data or save memory to the device in a location that the operating systems cannot change. The optional Host Protected Area feature set allows a portion of the device to be reserved for such an area when the device is initially configured.
A device that implements the Host Protected Area feature set shall implement the following minimum set of commands:
READ NATIVE MAX ADDRESS
SET MAX ADDRESS

A device that implements the Host Protected Area feature set and supports the 48-bit Address feature set shall implement the following additional set of commands:
READ NATIVE MAX ADDRESS EXT
SET MAX ADDRESS EXT

Devices supporting this feature set shall set bit 10 of word 82 to one in the data returned by the IDENTIFY DEVICE or IDENTIFY PACKET DEVICE command.

The READ NATIVE MAX ADDRESS or READ NATIVE MAX ADDRESS EXT command allows the host to determine the maximum native address space of the device even when a protected area has been allocated.

The SET MAX ADDRESS or SET MAX ADDRESS EXT command allows the host to redefine the maximum address of the user accessible address space. That is, when the SET MAX ADDRESS or SET MAX ADDRESS EXT command is issued with a maximum address less than the native maximum address, the device reduces the user accessible address space to the maximum specified by the command, providing a protected area above that maximum address. The SET MAX ADDRESS or SET MAX ADDRESS EXT command shall be immediately preceded by a READ NATIVE MAX ADDRESS or READ NATIVE MAX ADDRESS EXT command. After the SET MAX ADDRESS or SET MAX ADDRESS EXT command has been issued, the device shall report only the reduced user address space in response to an IDENTIFY DEVICE command in words 60, 61, 100, 101, 102, and 103. Any read or write command to an address above the maximum address specified by the SET MAX ADDRESS or SET MAX ADDRESS EXT command shall cause command completion with the IDNF bit set to one and ERR set to one, or command aborted. If the SET MAX ADDRESS or SET MAX ADDRESS EXT command is issued with a value that exceeds the native maximum address command aborted shall be returned.
A volatility bit in the Sector Count register allows the host to specify if the maximum address set is preserved across power-on or hardware reset cycles. On power-on or hardware reset the device maximum address returns to the last non-volatile address setting regardless of subsequent volatile SET MAX ADDRESS or SET MAX ADDRESS EXT commands. If Value volatile bit is set to one, the device shall preserve the maximum values over power-up or hardware reset. If Value volatile bit is cleared to zero, the device shall revert to the most recent non-volatile maximum address value setting over power-up or hardware reset.

Typical use of these commands would be:

1. on reset
   a) BIOS receives control after a system reset
   b) BIOS issues a READ NATIVE MAX ADDRESS or READ NATIVE MAX ADDRESS EXT command to find the max capacity of the device
   c) BIOS issues a SET MAX ADDRESS or SET MAX ADDRESS EXT command to the values returned by READ NATIVE MAX ADDRESS or READ NATIVE MAX ADDRESS EXT
   d) BIOS read configuration data from the highest area on the disk
   e) BIOS issues a READ NATIVE MAX ADDRESS or READ NATIVE MAX ADDRESS EXT command followed by a SET MAX ADDRESS or SET MAX ADDRESS EXT command to reset the device to the size of the file system

2. on save to disk
   a) BIOS receives control prior to shut down
   b) BIOS issues a READ NATIVE MAX ADDRESS or READ NATIVE MAX ADDRESS EXT command to find the max capacity of the device
   c) BIOS issues a volatile SET MAX ADDRESS or SET MAX ADDRESS EXT command to the values returned by READ NATIVE MAX ADDRESS or READ NATIVE MAX ADDRESS EXT
   d) Memory is copied to the reserved area
   e) Shut down completes
   f) On power-on or hardware reset the device max address returns to the last non-volatile setting

These commands are intended for use only by system BIOS or other low-level boot time process. Using these commands outside BIOS controlled boot or shutdown may result in damage to file systems on the device.
Devices should return command aborted if a subsequent non-volatile SET MAX ADDRESS or SET MAX ADDRESS EXT command is received after a power-on or hardware reset. SET MAX ADDRESS command shall be aborted if a SET MAX ADDRESS EXT has established a host protected area and vice versa, SET MAX ADDRESS EXT command shall be aborted if a SET MAX ADDRESS has established a host protected area. Hosts shall not issue more than one non-volatile SET MAX ADDRESS or SET MAX ADDRESS EXT command after a power-on or hardware reset. Devices should report an IDNF error upon receiving a second non-volatile SET MAX ADDRESS command after a power-on or hardware reset.

M9.2 Set Password

The SET MAX SET PASSWORD command allows the host to define the password to be used during the current power-on cycle. The password does not persist over a power cycle but does persist over a hardware or software reset. This password is not related to the password used for the Security Mode Feature set. When the password is set, the device is in the Set Max Unlocked mode.

M9.3 Lock

The SET MAX LOCK command allows the host to disable the SET MAX commands (except SET MAX UNLOCK) until the next power cycle or the issuance and acceptance of the SET MAX UNLOCK command. When this command is accepted, the device is in the Set max locked mode.

M9.4 Unlock

The SET MAX UNLOCK command changes the device from the Set Max Locked mode to the Set Max Unlocked mode.

M9.5 Freeze Lock

The SET MAX FREEZE LOCK command allows the host to disable the SET MAX commands (including Set Max Unlock) until the next power cycle. When this command is accepted, the device is in the Set Max Frozen mode.

M13.1.22 Address Offset Mode (Reserved Area Boot)

This feature is described in "Address Offset Reserved Area Boot", INCITS TR27:2001. Computer systems perform initial code booting by reading from a predefined address on a disk drive.
To allow an alternate bootable operating system to exist in a reserved area on disk drive, Address Offset Feature provides a Set Feature function to temporarily offset the drive address space. The offset address space wraps around so that the entire disk drive address space remains addressable in offset mode. The Set Max pointer is set to the end of the reserved area to protect the data in the user area when operating in offset mode. This protection can be removed by a SET MAX ADDRESS / SET MAX ADDRESS EXT command to move the Set Max pointer to the end of the drive.

Set Feature Command Subcommand code 09h "ENABLE ADDRESS OFFSET MODE sub command" offsets address LBA 0 (Cylinder 0, Head 0, Sector 1) to the start of a non-volatile reserved area established using the SET MAX ADDRESS / SET MAX ADDRESS EXT command. The offset condition is cleared by SET FEATURE command Subcommand 89h "DISABLE ADDRESS OFFSET MODE", Software Reset, Hardware Reset or Power on Reset.

Upon entering offset mode, the capacity of the drive returned in the IDENTIFY DEVICE data is the size of the former reserved area. A subsequent SET MAX ADDRESS / SET MAX ADDRESS EXT command using the address returned by READ MAX ADDRESS / READ MAX ADDRESS EXT command allows access to the entire drive. Addresses wrap so the entire drive remains addressable.

If a non-volatile reserved area has not been established before the device receives a SET FEATURES ENABLE ADDRESS OFFSET MODE sub command, the command fails with Abort error status.

Disable Address Offset Mode removes the address offset and sets the size of the drive reported by the IDENTIFY DEVICE command back to the size specified in the last non-volatile SET MAX ADDRESS / SET MAX ADDRESS EXT command.

IDENTIFY DEVICE Word 83 bit 7 indicates the device supports the Set Features Address Offset Mode.
IDENTIFY DEVICE Word 86 bit 7 indicates the device is in address offset mode.
Before Enable Address Offset Mode

A reserved area has been created using a non-volatile SET MAX ADDRESS command or SET MAX ADDRESS EXT command.

User Accessible Area    Reserved Area
LBA=0____________LBA=R________LBA=M

After Enable Address Offset Mode

The former reserved area is now the user accessible area. The former user accessible area is now the reserved area.

User Accessible Area    Reserved Area
_____________LBA=0(former Reserved Area)LBA=M-R(former User Accessible Area)LBA=M

After SET MAX ADDRESS/SET MAX ADDRESS EXT command Using the Value Returned by READ MAX ADDRESS/READ MAX ADDRESS EXT command

User Accessible Area
________________LBA=0___________________________LBA=M

Set Feature Disable Address Offset Mode, hardware or Power on Reset returns the device to Address Offset Mode Disabled. Software reset returns the device to Address Offset Mode Disable if Set Features Disable Reverting to Power On Defaults has not been set.

M13.1.23 SET MAX security extension

If this feature is enabled then with command SET MAX SET PASSWORD was enabled SET MAX security extension on device (device is locked).

M13.1.26 Device Configuration Overlay feature set

The optional Device Configuration Overlay feature set allows a utility program to modify some of the optional commands, modes, and feature sets that a device reports as supported in the IDENTIFY DEVICE or IDENTIFY PACKET DEVICE command response as well as the capacity reported. (See detailed info) [above at M7]

++++++++END excerpts+++++

Reviewing the found "table" beyond the supposed end of the Maxtor disk, and applying a "template" for boot sector/ partition table entries, I find that this contains three 'partitions' (there might be more but my template only shows the four normally available areas - remember partition tables are 'chained' together)[hence the issue c_quirke referenced, and I referred to].
Both disks [Samsung and Maxtor] supported ATA3 specifications which include DCO, reserved boot sector, and other 'commands' / features. Two of those "partitions" are not NTFS, but appear to be fat12. Hence, these are apparently the BIOSreserved sectors reserved area boot - first called areas. Two other (or more) other filing systems may also be using this reserved area boot extension / commands: EXT3 and Reiser4+[FS] (possibly HFS+ as well) These are also difficult to remove completely. As this referencing is done in the bios booting area, and radically changes how the disk is accessed, eg, the 'extra sectors become the MBR, partition information and user area' while some of the normal used areas, becomes 'reserved' until OS start after software reset. {Forming what amounts to a DCO} Furthermore, wiping out the 'normal' disk does nothing to remove the BIOS reserved access 'protected areas'. As stated before; placing this as the normal boot sector [MBR] extends the disk far beyond its stated capacity and well into the reserved sectors area. [At least CHS and sector numbering wise] However, if the reserved sectors are used (as shown previously with WinHex ) with the disk "wrapped" and under BIOSXP control, perhaps would be no problems. To explain the non-NTFS "partitions", a simplified exploration of how NTFS must be started and some of its components and requirements [correct me if I'm wrong or if other factors need addressed]. NTFS is generally used within a networked environment and is under control of a "master server" or servers [locally or external]. Such as: When logon is addressed at "workstation" or sub-server startup, it must access various 'servers' to obtain the "rights" necessary for the network logon. Mind, that the system has NOT started yet [many 'control items' and/or files and settings might be necessary from the master servers {locally and external}, so the NT OS isn't available yet. 
{Check within NTLDR and the other 'base' files of XP/NT for the coding and calls used at startup.} Too many variables are involved in the NTFS file system for normal DOS access.

From Data Recovery E-Book V1.5
Copyright © 2006 CHENGDU YIWO Tech Development Co.' Ltd. All Right Reserved

High-level features of NTFS
1. Multi-data streams
2. Name based on Unicode
3. General index mechanism
4. The dynamic bad cluster reprints maps
5. Supports POSIX
6. File compression
7. File encrypts
8. Disk quota
9. Hard link and soft link
10. Link tracks
11. Log records
12. Fragmentation

2.NTFS file system terminology
LCN: Logical Cluster Number
VCN: Virtual Cluster Number
BPB: BIOS Parameter Block
FSD: File System Driver
SCB: System Control Block
FCB: File Control Block
EFS: Encrypt File System
MFT: Master File Table
MFT Mirror: Master File Table Mirror
Metadata: It’s data stored in volume, supporting file system management. It cannot be visit by application program, just provides service for the system.
[page 72, 73]

The MFT contains:

Number  Metadata                      Function
0       $MFT                          MFT itself
1       $MFTMirr                      Part image of MFT
2       $LogFile                      Log file
3       $Volume                       volume file
4       $AttrDef                      Attribute definition list
5       $Root                         root directory
6       $Bitmap                       Bitmap file
7       $Boot                         boot file
8       $BadClus                      Bad cluster file
9       $Secure                       Secure file
10      $UpCase                       Capitalized file
11      $Extended metadata directory  Extended Metadata directory
12      $Extend\$Reparse              Reparse Points file
13      $Extend\$UsnJrnl              Log changing file
14      $Extend\$Quota                Quota management file
15      $Extend\$ObjId                Object ID file
16~23                                 Reserved
24~                                   User files and directories
[page 79]

First, when NTFS visits a volume, it must be "loading" this volume: NTFS will check the boot file (file defined by $Boot Metadata file), and find physical disk address of MFT. Then, it can obtain mapping information from VCN to LCN in data attribute of file records, and save it in memory. This mapping information locates where MFT runs in disk.
Then next, NTFS opens MFT records of several Metadata files, and then opens these files. If it is necessary, NTFS will start to execute file system recovery operation. After opening the leavings Metadata file in NTFS, users can visit this volume. 7. Files and folders of NTFS partition NTFS treats files as a unit of attribute/attribute value. That is the differences between NTFS and other file system. File data is attribute value without names. Other file attributes includes file name, file owner and file time mark, etc. [page 81] [END EXCERPTS] In fact, NTFS uses streams for its files and processes. Therefore, there is no argument that NTFS is not far more complex than the old DOS. One of those two 'non-NTFS' partitions in the found table appears to be a small "networking" 'partition' about the size of a floppy. NTFS can not be read/used by the OS until the file system / server [several files] is 'started' so another non-NTFS 'partition' is apparently required to START the system /server, also about the size of a floppy. Ssssso, this found "table" beyond the stated end of the disk is under 'reserved area boot control' [M13.1.22 Address Offset Mode (Reserved Area Boot)], or, it is a "lost mirror". Though for this to occur, the disk would have had to be configured beyond its normal capacity when XP was installed [which it wasn't prior to installation]. This would also help to explain WHY continued fdisking and formatting would decrease the available disk space. Each time this was done, the program used the 'hard and soft modified' BIOS controlled hard drive data for size; and size reduction results. {Remember the BIOS access area may contain restricted un-writable areas and other coding.] Even using this found table, and trying to "modify" it to work, still ends up with a smaller disk [and one to which an OS can not be installed] and areas which can not be removed. 
SMART replacement sectors are now used up, but the areas are not BAD SECTORS, just unusable / can not be overwritten. This also helps to explain WHY repeated wiping DOES NOT remove the XP NTFS files. Another issue is that CHS and LBA addressing is not much of a factor in XP, as it uses 'HAL' [hardware application layer] access, which is defined by, controlled by, and within the OS. Here is where hard disk access is controlled; not the BIOS [unless the drive is not recognized / fdisked / formatted] or init13 extensions, after the OS takes control. They just place the heads wherever told. The problem is: The extended/reserved boot sector BIOS info can not be erased or changed with any of the tools I have (or at least safely with the information I presently have), if this is what has occurred. Anyone else find this table yet? Anyone looked into the coding beyond the 'end' of the normal disk structure? Anyone know what has to be changed in that coding and how? Anyone know of what commands (bit changes) and tool(s) to use to remove this issue? You will have to look beyond the supposed end of the disk at the "extra sectors", "reserved sectors" and beyond those, for the full impact and import [ew, look at all the pretty coding, what the heck does it all mean]. Most people will not even run across this issue, as S.M.A.R.T. WILL replace these areas (until it no longer can) if the disk or area is no longer controlled by the OS, as in a re-use of the drive for a non-NT(5) system, when scandisked and defragged or the system attempts to write to those areas. XP/NT may be able [I have not tested this] to re-use these areas if it is re-installed {OS recognized by the BIOS coding, OS recognizes the areas.}. "MEB" meb@not wrote in message ... 
| Jeff responded to the above with (my response inline): | [also, find the originating discussion post at the bottom to remind everyone | what this discussion is for] | | From: "Jeff Richards" | References: | | | | | | | | | | | | | | | | | | | | | | | | Subject: COLLECTED hard drive usage after XP NTFS | Date: Tue, 17 Oct 2006 20:36:47 +1000 | Newsgroups: microsoft.public.win98.gen_discussion | Path: TK2MSFTNGP01.phx.gbl!TK2MSFTNGP02.phx.gbl | Xref: TK2MSFTNGP01.phx.gbl microsoft.public.win98.gen_discussion:816442 No reply - NOT ANSWERED | | | | "MEB" meb@not wrote in message | | ... | | | SYNOPSIS: | | | | | | This is a collected discussion concerning XP hard drive re-use, in | which | | I | | | have personally participated, per [there may be others which I have | | missed]: | | | | | | " IBM T22 and Win 98se"; | | | " New post, ms Everest report"; | | | " Hangs on POST screen"; | | | " win 98 installation" | | | " Updates for Win9X's & reason/logic" | | | " No hard drive?" | | | " Unable to install Win98 SE" | | | " PC100 v PC133 ram" | | | | | | GENERAL REFERENCE and SEARCH TERMS: XP NTFS hard drives, tools used to | | test | | | and/or recover hard drives, NTFS recovery tools, forensic tools for | | analysis | | | of hard drives, securely deleting hard drives, removing XP NTFS from | hard | | | drives. | | | | | | Present participants in this technical discussion: | | | Ron Badour, MS MVP for W98; | | | Jeff Richards MS MVP (Windows - Shell/User); | | | Gary S. Terhune MS MVP Shell/User | | | PCR; | | | Franc Zabkar; | | | and myself - Maurice Edward, Brahier; | | | others who may wish to participate. | | | | | | BACKGROUND: | | | I have presented apparent issues with the re-use of former XP NTFS hard | | | drives for other use or re-use. Tools and techniques normally used for | | | fdisking and formatting, wiping and other activities, apparently do not | | | completely remove XP NTFS from hard drives. 
| | | | | | Disks used for testing: | | | Samsung (no longer an issue as it is toast, completely un-accessible) | | | Maxtor 87000AB - Hard Disk Family DiamondMax 1750A (per Everest) | | | originally used for XP NTFS testing purposes (the OS), fully configured, | | | idled as a firewall only. After Samsung loss, normal "old" removal | | | techniques used to re-use the drive as 32bit, then additional testing. | | | [clipped | | | Tools tested so far: | | | | | | hd-util [Samsung]; | | | SH-diag [Samsung]; | | | Sutil [Samsung]; | | | Meandisk; | | | DBan; | | | Wipe; | | | Zap; | | | HDAT2; | | | AEFDISK; | | | GDISK (Symantec); | | | Killdisk; | | | BootitNG; | | | MBRWork; | | | PowerMax [Maxtor]; | | | Maxtor MaxBlast; | | | Super FDisk; | | | MHDD; | | | OnTrack Data Advisor; | | | Seagate SeaTools; | | | Eraser; | | | Testdisk; | | | WinHex. | | | (may already have used several others) | | | | | | Microsoft tools used: | | | CHKDISK (and its autochkdsk - XP versions); | | | Recovery Console; | | | Delpart; | | | fdisk; | | | format; | | | | | | ISSUES: | | | | | | There are hundreds (thousands) of web pages which appear to claim XP | NTFS | | | is capable of being removed via old techniques and tools. | | | My testing (to date) shows this in not true. Several hundred megabytes | of | | | hard drive space (on these small hard drives, who knows how much on | larger | | | drives) still contain files and folders from an XP NTFS installation | after | | | its removal. | | | My personal testing shows that initially, and in particular after | | | continually trying to remove the XP NTFS, the disk will be reduced in | | size. | | | The Maxtor (a 7 gig) now has 5.6 gigabytes of usable space available. | Each | | | attempt to remove XP has added some amount to the original total of | | unusable | | | space (less some sensitive data manually removed via disk editor (so I | | don't | | | inadvertently place it on the eventual web pages)). 
| | | | | | MBR has been replaced several times, drive has been "hardware" reset, | and | | | dozens of other like activities have been tried unsuccessfully. This has | | | been verified NTFS recovery tools for DOS, Windows and Linux; and disk | | | editors/viewers of varying quality and ability. | | | | | | These hidden/restricted areas are ignored or marked as bad sectors by | | most | | | tools. These areas may cause potential severe errors to occur when disk | | | scanning software is used on the disk, depending on its abilities and/or | | | configuration. | | | | | | PRESENT ACTIVITIES IN THREADS WITH REPLY FROM MEB: | | | | | | IBM T22 and Win 98se | | | "Franc Zabkar" wrote in message | | | ... | | | | MEB | | | | | | | | "Ron Badour" wrote in message | | | | ... | | | | | | | | | "MEB" meb@not wrote in message | | | | | ... | | | | - Franc Zabkar | | | | -- | | | | | | IBM T22 and Win 98se | | | "Jeff Richards" wrote in message | | | ... | | | | Jeff Richards | | | | MS MVP (Windows - Shell/User) | | | | | | "Ron Badour" wrote in message | | | ... | | | | -- | | | | Regards | | | | | | | | | | | | Ron Badour, MS MVP for W98 | | | | | | -- | | | MEB -- MEB http://peoplescounsel.orgfree.com/ BLOG http://peoplescounsel.spaces.live.com/ Public Notice or the "real world" "Most people, sometime in their lives, stumble across truth. Most jump up, brush themselves off, and hurry on about their business as if nothing had happen." Winston Churchill Or to put it another way: Morpheus can offer you the two pills; but only you can choose whether you take the red pill or the blue one. _______________ |
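Added example, not part of the thread and not HDAT2's code: a decoder for the IDENTIFY DEVICE words the HDAT2 excerpts name (60-61, 82, 83, 86, 100-103, 128), plus the comparison against the READ NATIVE MAX ADDRESS value that shows whether SET MAX ADDRESS has reserved an area above the reported capacity. The function names, the sample block and the sector counts are constructed for illustration (sized like the 7 GB / 5.6 GB figures mentioned in the thread, not read from that drive).

```python
"""Decode the IDENTIFY DEVICE words named in the HDAT2 excerpts (added example)."""
import struct

IDENTIFY_LEN = 512  # IDENTIFY DEVICE returns 256 little-endian 16-bit words


def _bit(word: int, n: int) -> bool:
    return bool(word & (1 << n))


def parse_identify(data: bytes) -> dict:
    """Return the capacity, HPA, offset-mode and security fields of one block."""
    if len(data) != IDENTIFY_LEN:
        raise ValueError(f"expected {IDENTIFY_LEN} bytes, got {len(data)}")
    w = struct.unpack("<256H", data)

    # Bits 15:14 of word 83 read 01b when words 82-83 carry valid data;
    # otherwise the feature bits below cannot be trusted.
    features_valid = (w[83] & 0xC000) == 0x4000

    lba28 = w[60] | (w[61] << 16)                       # words 60-61
    lba48 = w[100] | (w[101] << 16) | (w[102] << 32) | (w[103] << 48)
    has_lba48 = features_valid and _bit(w[83], 10)      # 48-bit Address set

    sec = w[128]                                        # security status
    return {
        "features_valid": features_valid,
        "lba48": has_lba48,
        "user_sectors": lba48 if has_lba48 and lba48 else lba28,
        "hpa_supported": features_valid and _bit(w[82], 10),
        "setmax_security_ext": features_valid and _bit(w[83], 8),
        "address_offset_supported": features_valid and _bit(w[83], 7),
        "address_offset_active": _bit(w[86], 7),
        "security": {
            "supported": features_valid and _bit(w[82], 1),
            "enabled": _bit(sec, 1),
            "locked": _bit(sec, 2),
            "frozen": _bit(sec, 3),
            "attempts_expired": _bit(sec, 4),           # EXPIRE bit
            "level": "maximum" if _bit(sec, 8) else "high",
        },
    }


def hidden_sectors(info: dict, native_max_lba: int) -> int:
    """Sectors between the reported capacity and the native max address.

    native_max_lba is the value READ NATIVE MAX ADDRESS (or its EXT form)
    returned; fetching it needs a tool that talks to the drive and is
    outside this sketch. A capacity cut made through DCO does not show up
    here, because it changes the native max address itself.
    """
    native_sectors = native_max_lba + 1                 # addresses start at LBA 0
    hidden = native_sectors - info["user_sectors"]
    if hidden < 0:
        raise ValueError("reported capacity exceeds native capacity")
    return hidden


def findings(info: dict, native_max_lba: int) -> list:
    """Plain-language notes an examiner would record before wiping a drive."""
    notes = []
    gap = hidden_sectors(info, native_max_lba)
    if gap:
        notes.append(f"{gap} sectors ({gap * 512} bytes) lie above the "
                     "reported max address: a host protected area is set")
    if info["security"]["locked"]:
        notes.append("security: LOCKED, user data inaccessible until unlock")
    if info["security"]["frozen"]:
        notes.append("security: FROZEN, password changes blocked until power cycle")
    if info["address_offset_active"]:
        notes.append("address offset mode active: LBA 0 is the reserved area")
    return notes


def build_sample_identify(user_sectors: int) -> bytes:
    """Constructed test block, not a dump from any real drive."""
    w = [0] * 256
    w[60], w[61] = user_sectors & 0xFFFF, (user_sectors >> 16) & 0xFFFF
    w[82] = (1 << 10) | (1 << 1)            # HPA + Security Mode supported
    w[83] = 0x4000 | (1 << 8) | (1 << 7)    # valid, SET MAX security ext, offset
    w[128] = (1 << 0) | (1 << 3)            # security supported, frozen
    return struct.pack("<256H", *w)


if __name__ == "__main__":
    sample = parse_identify(build_sample_identify(10_937_500))
    for note in findings(sample, native_max_lba=13_671_874):
        print(note)
```

A wipe that only addresses the capacity reported in words 60-61 (or 100-103) never touches the sectors this comparison reports as hidden.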
#166
COLLECTED hard drive usage after XP NTFS
???? (Doesn't this belong in the XP group, or did I miss something)?
MEB wrote: ELECTIONS are now over {looks like I won't have anything to do here (hopefully)}, time to return to the issues of this discussion. Well, Jeff never responded to the request for S.M.A.R.T. data, and for tools he would cross verify the integrity/wipe of the disk with. Ah well, perhaps he had to put it into service. He did leave those issues unanswered; and appeared to indicate the disk would return NTFS information if partitioned. ----- A MASSIVE ONE [Bet you thought this was done]:: I suppose it's now time for more related material {or further indications of XP and its NTFS} based upon an indication I previously presented regarding finding a "table" / boot sector far beyond the end of the supposed disk. Here are some essential aspects of hard drives. For information regarding the possible aspects of this "finding" we revert to: HDAT2en_451.pdf excerpts [rights to this material remain under control of the original creator] : M7. Device Configuration Overlay Menu ATA/ATAPI Device Configuration Overlay (DCO) DCO allows systems to modify the apparent features provided by a hard disk drive device. It provides a set of commands that allow a utility program to modify some of the commands, modes, and feature sets reported as supported by the hard disk drive. It can be used to hide a portion of the hard disk drive's capacity from being viewed by the operating system and the file system. The optional Device Configuration Overlay feature set allows a utility program to modify some of the optional commands, modes, and feature sets that a device reports as supported in the IDENTIFY DEVICE or IDENTIFY PACKET DEVICE command data as well as the capacity reported. Commands of Device Configuration Overlay feature set: DEVICE CONFIGURATION FREEZE LOCK DEVICE CONFIGURATION IDENTIFY DEVICE CONFIGURATION RESTORE DEVICE CONFIGURATION SET M8. Security Menu This menu item is available only for drive, which support Security Mode feature set (bit 1 of word 82). 
Next features are described in word 128. Maximum password length is 32 characters. Drive Lock is based on the industry standard ATA-3 specification. The standard uses a dual password structure featuring a User and Master password and defines two security modes, High and Maximum. Under High mode, the Master password can be used to unlock a protected hard drive and reset the User password. By contrast, in Maximum mode the Master password can only be used to reformat the hard drive and reset security options for the newly formatted drive. In the Maximum mode, the Master password cannot be used to change the User password without first reformatting the hard drive. This protects against unauthorized access to hard drive by the owner of the Master password. In both security modes, if both passwords are lost, the hard drive is rendered permanently unusable. The decision to implement only the High mode was made to eliminate risk of data loss in the event only the User password is lost. In High security mode, one can unlock the disk with either the user or master password by using the "SECURITY UNLOCK DEVICE" ATA command. In Maximum security mode, one can not unlock the disk without knowing the passwords. One way to reuse the disk is to issue the SECURITY ERASE PREPARE command followed by SECURITY ERASE UNIT. However, The SECURITY ERASE UNIT command will require the Master password and all data will be erased as a result. Security Mode feature set The optional Security Mode feature set is a password system that restricts access to user data stored on a device. The system has two passwords, User and Master, and two security levels, High and Maximum. The security system is enabled by sending a user password to the device with the SECURITY SET PASSWORD command. When the security system is enabled, access to user data on the device is denied after a power cycle until the User password is sent to the device with the SECURITY UNLOCK command. 
A Master password may be set in addition to the User password. The purpose of the Master password is to allow an administrator to establish a password that is kept secret from the user, and which may be used to unlock the device if the User password is lost. Setting the Master password does not enable the password system. The security level is set to High or Maximum with the SECURITY SET PASSWORD command. The security level determines device behavior when the Master password is used to unlock the device. When the security level is set to High, the device requires the SECURITY UNLOCK command and the Master password to unlock. When the security level is set to Maximum, the device requires a SECURITY ERASE PREPARE command and a SECURITY ERASE UNIT command with the Master password to unlock. Execution of the SECURITY ERASE UNIT command erases all user data on the device. The SECURITY FREEZE LOCK command prevents changes to passwords until a following power cycle. The purpose of the SECURITY FREEZE LOCK command is to prevent password setting attacks on the security system. Sometimes this command will issue Page 50 system BIOS. If device is locked with SECURITY FREEZE LOCK command, then program for this device will show a message "!SECURITY: FROZEN". If device is locked with a password, then program for this device will show a message "! SECURITY: LOCKED". A device that implements the Security Mode feature set shall implement the following minimum set of commands: SECURITY SET PASSWORD SECURITY UNLOCK SECURITY ERASE PREPARE SECURITY ERASE UNIT SECURITY FREEZE LOCK SECURITY DISABLE PASSWORD Support of the Security Mode feature set is indicated in IDENTIFY DEVICE word 82 and word 128. Security mode initial setting When the manufacturer ships the device, the state of the Security Mode feature shall be disabled. The initial Master password value is not defined by ATA standard. 
If the Master Password Revision Code feature is supported, the manufacturer shall set the Master Password Revision Code to FFFEh. User password lost If the User password sent to the device with the SECURITY UNLOCK command does not match the user password previously set with the SECURITY SET PASSWORD command, the device shall not allow the user to access data. If the Security Level was set to High during the last SECURITY SET PASSWORD command, the device shall unlock if the Master password is received. If the Security Level was set to Maximum during the last SECURITY SET PASSWORD command, the device shall not unlock if the Master password is received. The SECURITY ERASE UNIT command shall erase all user data and unlock the device if the Master password matches the last Master password previously set with the SECURITY SET PASSWORD command. Attempt limit for SECURITY UNLOCK command The device shall have an attempt limit counter. The purpose of this counter is to defeat repeated trial attacks. After each failed User or Master password SECURITY UNLOCK command, the counter is decremented. When the counter value reaches zero the EXPIRE bit (bit 4) of word 128 in the IDENTIFY DEVICE information is set to one, and the SECURITY UNLOCK and SECURITY UNIT ERASE commands are command aborted until the device is powered off or hardware reset. The EXPIRE bit shall be cleared to zero after power-on or hardware reset. The counter shall be set to five after a power-on or hardware reset. Page 51 M8.1 SET PASSWORD This item is for command SECURITY SET PASSWORD to set password identifier (User, Master), security level (High, Maximum), new password and Master Password Revision Code for password Master. M9. SET MAX (HPA) Menu The Host Protected Area security commands using a single command code and are differentiated from one another by the value placed in the Features register. 
In addition, a device supporting the Host Protected Area feature set may optionally include the security extensions. Following commands are defined in this featu READ MAX ADDRESS/READ MAX ADDRESS EXT SET MAX ADDRESS/SET MAX ADDRESS EXT SET MAX SET PASSWORD SET MAX LOCK SET MAX FREEZE LOCK SET MAX UNLOCK Devices supporting these extensions shall set bit 10 of word 82 and bit 8 of word 83 of the IDENTIFY DEVICE response to one. HPA is defined as a reserved area for data storage outside the normal operating file system. This area is hidden from the operating system and file system, and is normally used for specialized applications. Systems may wish to store configuration data or save memory to the HDD device in a location that the operating systems cannot change. You can see at M13.1.22 Address Offset Mode feature also. M9.1 Set Max Address This menu item is valid for ATA/SATA hard drive only when the Host Protected Area feature set (bit 10 in word 82) is implemented. Use prohibited when the Removable feature set (bit 2 in word 82) is implemented. First, we have to explain the concept: "Native max address": The native maximum address is the highest address accepted by the device in the factory default condition. The native maximum address is the maximum address that is valid when using the SET MAX ADDRESS command. If the 48-bit Address feature set is supported and the 48-bit native max address is greater than 268,435,455, the READ NATIVE MAX ADDRESS command shall return a maximum value of 268,435,454. "Host Protected Area" (HPA) feature set: A reserved area for data storage outside the normal operating system file system is required for several specialized applications. Systems may wish to store configuration data or save memory to the device in a location that the operating systems cannot change. The optional Host Protected Area feature set allows a portion of the device to be reserved for such an area when the device is initially configured. 
A device that implements the Host Protected Area feature set shall implement the following minimum set of commands: READ NATIVE MAX ADDRESS SET MAX ADDRESS Page 55 A device that implements the Host Protected Area feature set and supports the 48-bit Address feature set shall implement the following additional set of commands: READ NATIVE MAX ADDRESS EXT SET MAX ADDRESS EXT Devices supporting this feature set shall set bit 10 of word 82 to one in the data returned by the IDENTIFY DEVICE or IDENTIFY PACKET DEVICE command. The READ NATIVE MAX ADDRESS or READ NATIVE MAX ADDRESS EXT command allows the host to determine the maximum native address space of the device even when a protected area has been allocated. The SET MAX ADDRESS or SET MAX ADDRESS EXT command allows the host to redefine the maximum address of the user accessible address space. That is, when the SET MAX ADDRESS or SET MAX ADDRESS EXT command is issued with a maximum address less than the native maximum address, the device reduces the user accessible address space to the maximum specified by the command, providing a protected area above that maximum address. The SET MAX ADDRESS or SET MAX ADDRESS EXT command shall be immediately preceded by a READ NATIVE MAX ADDRESS or READ NATIVE MAX ADDRESS EXT command. After the SET MAX ADDRESS or SET MAX ADDRESS EXT command has been issued, the device shall report only the reduced user address space in response to an IDENTIFY DEVICE command in words 60, 61, 100, 101, 102, and 103. Any read or write command to an address above the maximum address specified by the SET MAX ADDRESS or SET MAX ADDRESS EXT command shall cause command completion with the IDNF bit set to one and ERR set to one, or command aborted. If the SET MAX ADDRESS or SET MAX ADDRESS EXT command is issued with a value that exceeds the native maximum address command aborted shall be returned. 
A volatility bit in the Sector Count register allows the host to specify if the maximum address set is preserved across power-on or hardware reset cycles. On power-on or hardware reset the device maximum address returns to the last non-volatile address setting regardless of subsequent volatile SET MAX ADDRESS or SET MAX ADDRESS EXT commands. If Value volatile bit is set to one, the device shall preserve the maximum values over power-up or hardware reset. If Value volatile bit is cleared to zero, the device shall revert to the most recent non-volatile maximum address value setting over power-up or hardware reset.

Typical use of these commands would be:

1. on reset
a) BIOS receives control after a system reset
b) BIOS issues a READ NATIVE MAX ADDRESS or READ NATIVE MAX ADDRESS EXT command to find the max capacity of the device
c) BIOS issues a SET MAX ADDRESS or SET MAX ADDRESS EXT command to the values returned by READ NATIVE MAX ADDRESS or READ NATIVE MAX ADDRESS EXT
d) BIOS read configuration data from the highest area on the disk
e) BIOS issues a READ NATIVE MAX ADDRESS or READ NATIVE MAX ADDRESS EXT command followed by a SET MAX ADDRESS or SET MAX ADDRESS EXT command to reset the device to the size of the file system

2. on save to disk
a) BIOS receives control prior to shut down
Page 56
b) BIOS issues a READ NATIVE MAX ADDRESS or READ NATIVE MAX ADDRESS EXT command to find the max capacity of the device
c) BIOS issues a volatile SET MAX ADDRESS or SET MAX ADDRESS EXT command to the values returned by READ NATIVE MAX ADDRESS or READ NATIVE MAX ADDRESS EXT
d) Memory is copied to the reserved area
e) Shut down completes
f) On power-on or hardware reset the device max address returns to the last non-volatile setting

These commands are intended for use only by system BIOS or other low-level boot time process. Using these commands outside BIOS controlled boot or shutdown may result in damage to file systems on the device.
Devices should return command aborted if a subsequent non-volatile SET MAX ADDRESS or SET MAX ADDRESS EXT command is received after a power-on or hardware reset. SET MAX ADDRESS command shall be aborted if a SET MAX ADDRESS EXT has established a host protected area and vice versa, SET MAX ADDRESS EXT command shall be aborted if a SET MAX ADDRESS has established a host protected area. Hosts shall not issue more than one non-volatile SET MAX ADDRESS or SET MAX ADDRESS EXT command after a power-on or hardware reset. Devices should report an IDNF error upon receiving a second non-volatile SET MAX ADDRESS command after a power-on or hardware reset. M9.2 Set Password The SET MAX SET PASSWORD command allows the host to define the password to be used during the current power-on cycle. The password does not persist over a power cycle but does persist over a hardware or software reset. This password is not related to the password used for the Security Mode Feature set. When the password is set, the device is in the Set Max Unlocked mode. M9.3 Lock The SET MAX LOCK command allows the host to disable the SET MAX commands (except SET MAX UNLOCK) until the next power cycle or the issuance and acceptance of the SET MAX UNLOCK command. When this command is accepted, the device is in the Set max locked mode. M9.4 Unlock The SET MAX UNLOCK command changes the device from the Set Max Locked mode to the Set Max Unlocked mode. M9.5 Freeze Lock The SET MAX FREEZE LOCK command allows the host to disable the SET MAX commands (including Set Max Unlock) until the next power cycle. When this command is accepted, the device is in the Set Max Frozen mode. Page 57 M13.1.22 Address Offset Mode (Reserved Area Boot) This feature is described in "Address Offset Reserved Area Boot", INCITS TR27:2001. Computer systems perform initial code booting by reading from a predefined address on a disk drive. 
To allow an alternate bootable operating system to exist in a reserved area on disk drive, Address Offset Feature provides a Set Feature function to temporarily offset the drive address space. The offset address space wraps around so that the entire disk drive address space remains addressable in offset mode. The Set Max pointer is set to the end of the reserved area to protect the data in the user area when operating in offset mode. This protection can be removed by a SET MAX ADDRESS / SET MAX ADDRESS EXT command to move the Set Max pointer to the end of the drive. Set Feature Command Subcommand code 09h "ENABLE ADDRESS OFFSET MODE sub command" offsets address LBA 0 (Cylinder 0, Head 0, Sector 1) to the start of a non-volatile reserved area established using the SET MAX ADDRESS / SET MAX ADDRESS EXT command. The offset condition is cleared by SET FEATURE command Subcommand 89h "DISABLE ADDRESS OFFSET MODE", Software Reset, Hardware Reset or Power on Reset. Upon entering offset mode, the capacity of the drive returned in the IDENTIFY DEVICE data is the size of the former reserved area. A subsequent SET MAX ADDRESS / SET MAX ADDRESS EXT command using the address returned by READ MAX ADDRESS / READ MAX ADDRESS EXT command allows access to the entire drive. Addresses wrap so the entire drive remains addressable. If a non-volatile reserved area has not been established before the device receives a SET FEATURES ENABLE ADDRESS OFFSET MODE sub command, the command fails with Abort error status. Disable Address Offset Mode removes the address offset and sets the size of the drive reported by the IDENTIFY DEVICE command back to the size specified in the last non-volatile SET MAX ADDRESS / SET MAX ADDRESS EXT command. IDENTIFY DEVICE Word 83 bit 7 indicates the device supports the Set Features Address Offset Mode. IDENTIFY DEVICE Word 86 bit 7 indicates the device is in address offset mode. 
Before Enable Address Offset Mode

A reserved area has been created using a non-volatile SET MAX ADDRESS command or SET MAX ADDRESS EXT command.

User Accessible Area | Reserved Area
LBA=0____________LBA=R________LBA=M

After Enable Address Offset Mode

The former reserved area is now the user accessible area. The former user accessible area is now the reserved area.

User Accessible Area | Reserved Area
LBA=0 (former Reserved Area)_____________LBA=M-R (former User Accessible Area)_____________LBA=M

Page 67

After SET MAX ADDRESS/SET MAX ADDRESS EXT command Using the Value Returned by READ MAX ADDRESS/READ MAX ADDRESS EXT command

User Accessible Area
LBA=0___________________________LBA=M

Set Feature Disable Address Offset Mode, hardware or Power on Reset returns the device to Address Offset Mode Disabled. Software reset returns the device to Address Offset Mode Disable if Set Features Disable Reverting to Power On Defaults has not been set.

M13.1.23 SET MAX security extension

If this feature is enabled then with command SET MAX SET PASSWORD was enabled SET MAX security extension on device (device is locked).

M13.1.26 Device Configuration Overlay feature set

The optional Device Configuration Overlay feature set allows a utility program to modify some of the optional commands, modes, and feature sets that a device reports as supported in the IDENTIFY DEVICE or IDENTIFY PACKET DEVICE command response as well as the capacity reported. (See detailed info) [above at M7]

++++++++END excerpts+++++

Reviewing the found "table" beyond the supposed end of the Maxtor disk, and applying a "template" for boot sector/ partition table entries, I find that this contains three 'partitions' (there might be more but my template only shows the four normally available areas - remember partition tables are 'chained' together)[hence the issue c_quirke referenced, and I referred to].
Both disks [Samsung and Maxtor] supported ATA3 specifications which include DCO, reserved boot sector, and other 'commands' / features. Two of those "partitions" are not NTFS, but appear to be fat12. Hence, these are apparently the BIOSreserved sectors reserved area boot - first called areas. Two other (or more) other filing systems may also be using this reserved area boot extension / commands: EXT3 and Reiser4+[FS] (possibly HFS+ as well) These are also difficult to remove completely. As this referencing is done in the bios booting area, and radically changes how the disk is accessed, eg, the 'extra sectors become the MBR, partition information and user area' while some of the normal used areas, becomes 'reserved' until OS start after software reset. {Forming what amounts to a DCO} Furthermore, wiping out the 'normal' disk does nothing to remove the BIOS reserved access 'protected areas'. As stated before; placing this as the normal boot sector [MBR] extends the disk far beyond its stated capacity and well into the reserved sectors area. [At least CHS and sector numbering wise] However, if the reserved sectors are used (as shown previously with WinHex ) with the disk "wrapped" and under BIOSXP control, perhaps would be no problems. To explain the non-NTFS "partitions", a simplified exploration of how NTFS must be started and some of its components and requirements [correct me if I'm wrong or if other factors need addressed]. NTFS is generally used within a networked environment and is under control of a "master server" or servers [locally or external]. Such as: When logon is addressed at "workstation" or sub-server startup, it must access various 'servers' to obtain the "rights" necessary for the network logon. Mind, that the system has NOT started yet [many 'control items' and/or files and settings might be necessary from the master servers {locally and external}, so the NT OS isn't available yet. 
{Check within NTLDR and the other 'base' files of XP/NT for the coding and calls used at startup.} To many variables are involved in the NTFS file system for normal DOS access. From Data Recovery E-Book V1.5 Copyright © 2006 CHENGDU YIWO Tech Development Co.' Ltd. All Right Reserved High-level features of NTFS 1. Multi-data streams 2. Name based on Unicode 3. General index mechanism 4. The dynamic bad cluster reprints maps 5. Supports POSIX 6. File compression 7. File encrypts 8. Disk quota 9. Hard link and soft link 10. Link tracks 11. Log records 12. Fragmentation 2.NTFS file system terminology LCN: Logical Cluster Number VCN: Virtual Cluster Number BPB: BIOS Parameter Block FSD: File System Driver SCB: System Control Block FCB: File Control Block EFS: Encrypt File System MFT: Master File Table MFT Mirror: Master File Table Mirror Metadata: It's data stored in volume, supporting file system management. It cannot be visit by application program, just provides service for the system. [page 72, 73] The MFT contains: Number Metadata Function 0 $MFT MFT itself 1 $MFTMirr Part image of MFT 2 $LogFile Log file 3 $Volume volume file 4 $AttrDef Attribute definition list 5 $Root root directory 6 $Bitmap Bitmap file 7 $Boot boot file 8 $BadClus Bad cluster file 9 $Secure Secure file 10 $UpCase Capitalized file 11 $Extended metadata directory Extended Metadata directory 12 $Extend\$Reparse Reparse Points file 13 $Extend\$UsnJrnl Log changing file 14 $Extend\$Quota Quota management file 15 $Extend\$ObjId Object ID file 16~23 Reserved 24~ User files and directories [page 79] First, when NTFS visits a volume, it must be "loading" this volume: NTFS will check the boot file (file defined by $Boot Metadata file), and find physical disk address of MFT. Then, it can obtain mapping information from VCN to LCN in data attribute of file records, and save it in memory. This mapping information locates where MFT runs in disk. 
Then next, NTFS opens MFT records of several Metadata files, and then opens these files. If it is necessary, NTFS will start to execute file system recovery operation. After opening the leavings Metadata file in NTFS, users can visit this volume. 7. Files and folders of NTFS partition NTFS treats files as a unit of attribute/attribute value. That is the differences between NTFS and other file system. File data is attribute value without names. Other file attributes includes file name, file owner and file time mark, etc. [page 81] [END EXCERPTS] In fact, NTFS uses streams for its files and processes. Therefore, there is no argument that NTFS is not far more complex than the old DOS. One of those two 'non-NTFS' partitions in the found table appears to be a small "networking" 'partition' about the size of a floppy. NTFS can not be read/used by the OS until the file system / server [several files] is 'started' so another non-NTFS 'partition' is apparently required to START the system /server, also about the size of a floppy. Ssssso, this found "table" beyond the stated end of the disk is under 'reserved area boot control' [M13.1.22 Address Offset Mode (Reserved Area Boot)], or, it is a "lost mirror". Though for this to occur, the disk would have had to be configured beyond its normal capacity when XP was installed [which it wasn't prior to installation]. This would also help to explain WHY continued fdisking and formatting would decrease the available disk space. Each time this was done, the program used the 'hard and soft modified' BIOS controlled hard drive data for size; and size reduction results. {Remember the BIOS access area may contain restricted un-writable areas and other coding.] Even using this found table, and trying to "modify" it to work, still ends up with a smaller disk [and one to which an OS can not be installed] and areas which can not be removed. 
SMART replacement sectors are now used up, but the areas are not BAD SECTORS, just unusable / can not be overwritten. This also helps to explain WHY repeated wiping DOES NOT remove the XP NTFS files. Another issue is that CHS and LBA addressing is not much of a factor in XP, as it uses 'HAL' [hardware application layer] access, which is defined by, controlled by, and within the OS. Here is where hard disk access is controlled; not the BIOS [unless the drive is not recognized / fdisked / formatted] or init13 extensions, after the OS takes control. They just place the heads wherever told. The problem is: The extended/reserved boot sector BIOS info can not be erased or changed with any of the tools I have (or at least safely with the information I presently have), if this is what has occurred. Anyone else find this table yet? Anyone looked into the coding beyond the 'end' of the normal disk structure? Anyone know what has to be changed in that coding and how? Anyone know of what commands (bit changes) and tool(s) to use to remove this issue? You will have to look beyond the supposed end of the disk at the "extra sectors", "reserved sectors" and beyond those, for the full impact and import [ew, look at all the pretty coding, what the heck does it all mean]. Most people will not even run across this issue, as S.M.A.R.T. WILL replace these areas (until it no longer can) if the disk or area is no longer controlled by the OS, as in a re-use of the drive for a non-NT(5) system, when scandisked and defragged or the system attempts to write to those areas. XP/NT may be able [I have not tested this] to re-use these areas if it is re-installed {OS recognized by the BIOS coding, OS recognizes the areas.}. "MEB" meb@not wrote in message ... 
Jeff responded to the above with (my response inline):
[also, find the originating discussion post at the bottom to remind everyone what this discussion is for]

From: "Jeff Richards"
References:
Subject: COLLECTED hard drive usage after XP NTFS
Date: Tue, 17 Oct 2006 20:36:47 +1000
Newsgroups: microsoft.public.win98.gen_discussion
Path: TK2MSFTNGP01.phx.gbl!TK2MSFTNGP02.phx.gbl
Xref: TK2MSFTNGP01.phx.gbl microsoft.public.win98.gen_discussion:816442

No reply - NOT ANSWERED

"MEB" meb@not wrote in message ...

SYNOPSIS:

This is a collected discussion concerning XP hard drive re-use, in which I have personally participated, per [there may be others which I have missed]:

" IBM T22 and Win 98se";
" New post, ms Everest report";
" Hangs on POST screen";
" win 98 installation"
" Updates for Win9X's & reason/logic"
" No hard drive?"
" Unable to install Win98 SE"
" PC100 v PC133 ram"

GENERAL REFERENCE and SEARCH TERMS:

XP NTFS hard drives, tools used to test and/or recover hard drives, NTFS recovery tools, forensic tools for analysis of hard drives, securely deleting hard drives, removing XP NTFS from hard drives.

Present participants in this technical discussion: Ron Badour, MS MVP for W98; Jeff Richards MS MVP (Windows - Shell/User); Gary S. Terhune MS MVP Shell/User PCR; Franc Zabkar; and myself - Maurice Edward, Brahier; others who may wish to participate.

BACKGROUND:

I have presented apparent issues with the re-use of former XP NTFS hard drives for other use or re-use. Tools and techniques normally used for fdisking and formatting, wiping and other activities, apparently do not completely remove XP NTFS from hard drives.

Disks used for testing:

Samsung (no longer an issue as it is toast, completely un-accessible)
Maxtor 87000AB - Hard Disk Family DiamondMax 1750A (per Everest) originally used for XP NTFS testing purposes (the OS), fully configured, idled as a firewall only.
After Samsung loss, normal "old" removal techniques used to re-use the drive as 32bit, then additional testing.

[clipped]

Tools tested so far: hd-util [Samsung]; SH-diag [Samsung]; Sutil [Samsung]; Meandisk; DBan; Wipe; Zap; HDAT2; AEFDISK; GDISK (Symantec); Killdisk; BootitNG; MBRWork; PowerMax [Maxtor]; Maxtor MaxBlast; Super FDisk; MHDD; OnTrack Data Advisor; Seagate SeaTools; Eraser; Testdisk; WinHex. (may already have used several others)

Microsoft tools used: CHKDISK (and its autochkdsk - XP versions); Recovery Console; Delpart; fdisk; format;

ISSUES:

There are hundreds (thousands) of web pages which appear to claim XP NTFS is capable of being removed via old techniques and tools. My testing (to date) shows this is not true. Several hundred megabytes of hard drive space (on these small hard drives, who knows how much on larger drives) still contain files and folders from an XP NTFS installation after its removal.

My personal testing shows that initially, and in particular after continually trying to remove the XP NTFS, the disk will be reduced in size. The Maxtor (a 7 gig) now has 5.6 gigabytes of usable space available. Each attempt to remove XP has added some amount to the original total of unusable space (less some sensitive data manually removed via disk editor (so I don't inadvertently place it on the eventual web pages)).

MBR has been replaced several times, drive has been "hardware" reset, and dozens of other like activities have been tried unsuccessfully.

This has been verified with NTFS recovery tools for DOS, Windows and Linux; and disk editors/viewers of varying quality and ability. These hidden/restricted areas are ignored or marked as bad sectors by most tools. These areas may cause potential severe errors to occur when disk scanning software is used on the disk, depending on its abilities and/or configuration.

PRESENT ACTIVITIES IN THREADS WITH REPLY FROM MEB:

IBM T22 and Win 98se
"Franc Zabkar" wrote in message ...
MEB

"Ron Badour" wrote in message ...
"MEB" meb@not wrote in message ...

- Franc Zabkar
--

IBM T22 and Win 98se
"Jeff Richards" wrote in message ...

Jeff Richards MS MVP (Windows - Shell/User)

"Ron Badour" wrote in message ...
--
Regards
Ron Badour, MS MVP for W98

--
MEB

--
MEB
http://peoplescounsel.orgfree.com/
BLOG http://peoplescounsel.spaces.live.com/
Public Notice or the "real world"
"Most people, sometime in their lives, stumble across truth. Most jump up, brush themselves off, and hurry on about their business as if nothing had happened." Winston Churchill
Or to put it another way: Morpheus can offer you the two pills; but only you can choose whether you take the red pill or the blue one.
_______________ |
#167
|
|||
|
|||
COLLECTED hard drive usage after XP NTFS
NAH, this was a collected discussion on this news group concerning usage of hard disks after NT (XP) use, for Win98.

"Bill in Co." wrote in message ...
| ???? (Doesn't this belong in the XP group, or did I miss something)?
| This is a collected discussion concerning XP hard drive re-use, in which I
| have personally participated, per [there may be others which I have missed]:
|
| " IBM T22 and Win 98se";
| " New post, ms Everest report";
| " Hangs on POST screen";
| " win 98 installation"
| " Updates for Win9X's & reason/logic"
| " No hard drive?"
| " Unable to install Win98 SE"
| " PC100 v PC133 ram"

--
MEB
http://peoplescounsel.orgfree.com/
BLOG http://peoplescounsel.spaces.live.com/
Public Notice or the "real world"
"Most people, sometime in their lives, stumble across truth. Most jump up, brush themselves off, and hurry on about their business as if nothing had happened." Winston Churchill
Or to put it another way: Morpheus can offer you the two pills; but only you can choose whether you take the red pill or the blue one.
_______________ |
#168
|
|||
|
|||
Recover attempt COLLECTED hard drive usage after XP NTFS
Franc [and others], here's some info for you if you're still interested. [Try to remember the reason for this testing, let's keep this civil.]

Entering the attempted recover phase!? Which likely is no longer available as SMART is used up.

This was created after a "stream" wipe and Gutmann 35 pass wipe with DBAN [DBAN saved info files are available].

I've attached a txt file (HDATCOPY.TXT) of the most recent [11-06-06] HDAT2 read-out. There are several errors showing up, such as:

1. The integrity word is bad.
2. Physical/logical sector size is bad.
3. AND in the DPT - the geometry is wrong.

The DPT information obviously is of particular interest. Perhaps someone knows where this info is saved upon the disk.

A result of this: I have attached another file [project.txt] which shows some of the saved "addressing" of still available information on the disk [after these two 'final' wipes].

19C430000-19C456FFF - 28 USC text.txt - 19C568000-19C58EFFF- 28USC partV.txt (referencing the project.txt) are representative of the 156kb areas of information on most of the disk [NOTE: projects.txt does NOT contain all the areas]. Note the range(s).

Your take on the significance? Need any particular/additional / info / files?

{Back in a couple days will check then.}

"MEB" meb@not wrote in message ...
| ELECTIONS are now over {looks like I won't have anything to do here
| (hopefully)}, time to return to the issues of this discussion.
|
| Well, Jeff never responded to the request for S.M.A.R.T. data, and for
| tools he would cross verify the integrity/wipe of the disk with. Ah well,
| perhaps he had to put it into service.
|
| He did leave those issues unanswered; and appeared to indicate the disk
| would return NTFS information if partitioned.
|
| -----
|
| A MASSIVE ONE [Bet you thought this was done]::
|
| I suppose it's now time for more related material {or further indications
| of XP and its NTFS} based upon an indication I previously presented
| regarding finding a "table" / boot sector far beyond the end of the supposed
| disk. Here are some essential aspects of hard drives.
|
| For information regarding the possible aspects of this "finding" we revert
| to:
|
| HDAT2en_451.pdf excerpts [rights to this material remain under control of
| the original creator] :
|
| M7. Device Configuration Overlay Menu
| ATA/ATAPI Device Configuration Overlay (DCO)
|
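
An added example, not part of the thread and not any poster's tool: one way to cross-check a zero-fill wipe is to scan a raw image of the drive and list every run of non-zero sectors as a START-END byte range in hex, the form used for the leftover areas in the post above. It assumes 512-byte sectors and a zero-fill final pass (a final pass of random data, as in the Gutmann method, would flag the whole disk), and it only sees sectors the drive exposes, so anything behind a Host Protected Area or Device Configuration Overlay is outside its view. The sample image and function names are constructed for illustration.

```python
import io

SECTOR = 512  # assumed logical sector size


def residual_extents(stream, sector=SECTOR, chunk_sectors=2048):
    """Return [(first_byte, last_byte)] for every run of non-zero sectors."""
    zero = bytes(sector)
    extents, run_start, offset = [], None, 0
    while True:
        chunk = stream.read(sector * chunk_sectors)
        if not chunk:
            break
        for i in range(0, len(chunk), sector):
            block = chunk[i:i + sector]
            dirty = block != zero[:len(block)]  # tolerate a short final sector
            if dirty and run_start is None:
                run_start = offset + i          # a residual run begins here
            elif not dirty and run_start is not None:
                extents.append((run_start, offset + i - 1))
                run_start = None
        offset += len(chunk)
    if run_start is not None:                   # run reaches end of image
        extents.append((run_start, offset - 1))
    return extents


def format_extent(extent):
    """Render an extent as START-END in hex plus its size in KiB."""
    first, last = extent
    return f"{first:X}-{last:X} ({(last - first + 1) / 1024:g} KiB)"


def build_sample_image():
    """Constructed sample: 1 MiB 'wiped' image with two leftover regions."""
    image = bytearray(1024 * 1024)
    image[0x30000:0x57000] = b"\x28" * 0x27000   # one 156 KiB leftover area
    image[0xFFE00 + 510:0xFFE00 + 512] = b"\x55\xAA"  # stray boot signature
    return io.BytesIO(bytes(image))


if __name__ == "__main__":
    for extent in residual_extents(build_sample_image()):
        print(format_extent(extent))
```

Against a real drive, pass a read-only binary file object opened on an image taken with an imaging tool instead of the constructed sample.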