Prev: Formatting a hard disk and handling of suspicious bad sectors
Next: 256GB SSD SLC in 2.5" size?
From: Rod Speed on 18 Feb 2010 19:03 sobriquet wrote > Jonathan de Boyne Pollard <J.deBoynePollard-newsgro...(a)NTLWorld.COM> wrote >> http://img237.imageshack.us/img237/2852/passportdiscrepancy.jpg >> I have two identical WD 1tb passport usb drives filled with identical data. [...] >> ... but not necessarily identical metadata. That 28KiB difference is >> a mere 28 deleted MFT records, for example. Or it could be journal >> entries, security descriptor records, or quite a number of other things. >> But isn't this the kind of meta data that is supposed >> to disappear when the recyclebin is emptied? >> Put simply: No. Deleted MFT records are nothing to do with files in >> the recycle bin, for example. >> Is there any other way to clear any superfluous data somehow? >> Put simply: Short of drastic measures such as reformatting the >> volume, no. The MFT doesn't shrink in normal operation, for example. >> And the security descriptor stream is only compacted bychkdsk. (See >> MSKB 919241.) >> we're talking about two identical drives and identical data that is supposed to be stored on the drive. >> No, we're not. As I said, the metadata are not necessarily identical. > I see. Could a virus or malware somehow gain access to this space > where this metadata is stored to hide a copy of itself there? Yes, it might be able to hide a copy of itself, but there is no way to get it executed from there. > Can I use a diskeditor like HxD or DiskExplorer for > NTFS to view this metadata somehow? Yes, anything that can dump the contents of sectors you specify can do that. Interpreting what you see tho is much harder. Quite a bit of the detail of NTFS structures have never been formally documented.
First
|
Prev
|
Pages: 1 2 Prev: Formatting a hard disk and handling of suspicious bad sectors Next: 256GB SSD SLC in 2.5" size? |