From: Arno on
In comp.sys.ibm.pc.hardware.storage sobriquet <dohduhdah(a)yahoo.com> wrote:
> On 18 feb, 21:17, Jonathan de Boyne Pollard <J.deBoynePollard-
> newsgro...(a)NTLWorld.COM> wrote:
>> http://img237.imageshack.us/img237/2852/passportdiscrepancy.jpg
>> I have two identical WD 1tb passport usb drives filled with identical data. [...]
>>
>> ... but not necessarily identical metadata. That 28KiB difference is a mere 28 deleted MFT records, for example. Or it could be journal entries, security descriptor records, or quite a number of other things.
>>
>> But isn't this the kind of meta data that is supposed to disappear when the recyclebin is emptied?
>>
>> Put simply: No. Deleted MFT records are nothing to do with files in the recycle bin, for example.
>>
>> Is there any other way to clear any superfluous data somehow?
>>
>> Put simply: Short of drastic measures such as reformatting the volume, no. The MFT doesn't shrink in normal operation, for example. And the security descriptor stream is only compacted by chkdsk. (See MSKB 919241.)
>>
>> we're talking about two identical drives and identical data that is supposed to be stored on the drive.
>>
>> No, we're not. As I said, the metadata are not necessarily identical.

> I see. Could a virus or malware somehow gain access to this space
> where this metadata is stored to hide a copy of itself there?
> Can I use a diskeditor like HxD or DiskExplorer for NTFS to view this
> metadata somehow?

Very, very unlikely as this is only possible if the malware
has a very good understanding of NTFS. This would be hard to
do and make the malware large, hence easy to detect. Malware
can hide in other places though, for example the partially
used clusters at file ends or brazenly in seemingly unused
space.

This is almost certainly not malware. Also the extra
space may well be used with the metadata just being a bit
more compact on the one drive.

As I said, don't worry about this, a bit of uncertainty
in metadata size is expected in modern filesystems. If
you look at the actual size difference, you can understand
why nobody invested a lot of effort to optimize this.
It is just not worth the effort.

If you really want to make both drives the same size, the
only way I see is to format them and then put all files
on both using exactly the same procedure. This may still
not work, as the metadata is always slightly different,
for example in the timestamps.

If you really want to look at the metadata, good luck.
I expect analyzing these drives manually in detail might
take more than a month of time, possibly much more.

Arno

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno(a)wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
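
The metadata question in this thread can be checked read-only on a copy of the `$MFT` file, as an added example that is not part of the original posts: it classifies each file record by its header signature and in-use flag and totals the space held by deleted records. The 1024-byte record size matches the "28KiB = 28 records" arithmetic quoted above but is an assumption (the real value is in the NTFS boot sector), and the sample data is constructed.

```python
import struct
from collections import Counter

RECORD_SIZE = 1024  # assumed; the real value is stored in the NTFS boot sector

def classify(record: bytes) -> str:
    """Classify one raw MFT file record by its header."""
    sig = record[:4]
    if sig == b"BAAD":
        return "corrupt"                 # record marked bad by the file system
    if sig != b"FILE":
        return "unused" if not any(record) else "unknown"
    (flags,) = struct.unpack_from("<H", record, 0x16)  # header flags word
    if not flags & 0x0001:
        return "deleted"                 # header still present, in-use bit cleared
    return "directory" if flags & 0x0002 else "file"

def survey(mft: bytes, record_size: int = RECORD_SIZE) -> Counter:
    """Count record states across a raw $MFT extract."""
    counts = Counter()
    for off in range(0, len(mft) - record_size + 1, record_size):
        counts[classify(mft[off:off + record_size])] += 1
    return counts

def deleted_bytes(counts: Counter, record_size: int = RECORD_SIZE) -> int:
    """Space still occupied by records whose file has been deleted."""
    return counts["deleted"] * record_size

def make_record(flags: int, seq: int = 1) -> bytes:
    """Constructed sample record: header fields only, no attributes."""
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<H", rec, 0x10, seq)          # sequence number
    struct.pack_into("<H", rec, 0x16, flags)        # 0x01 in use, 0x02 directory
    struct.pack_into("<I", rec, 0x1C, RECORD_SIZE)  # allocated record size
    return bytes(rec)

# Constructed data: 3 files, 1 directory, 28 deleted records, 2 never-used slots.
SAMPLE = (make_record(0x01) * 3 + make_record(0x03)
          + make_record(0x00, seq=2) * 28 + bytes(RECORD_SIZE) * 2)

if __name__ == "__main__":
    counts = survey(SAMPLE)
    print(dict(counts), deleted_bytes(counts), "bytes in deleted records")
```

Running the same survey over the `$MFT` extracted from each drive and comparing the counts shows whether a size gap like the one discussed comes from deleted records.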
From: Arno on
In comp.sys.ibm.pc.hardware.storage Yousuf Khan <bbbl67(a)spammenot.yahoo.com> wrote:
> Arno wrote:
>> If you really want to make both drives the same size, the
>> only way I see is to format them and then put all files
>> on both using exactly the same procedure. This may still
>> not work, as the metadata is always slightly different,
>> for example in the timestamps.


> Something like a RAID-based mirroring system which copies data at a much
> lower level than the filesystem.

Yes. Or making a copy with a sector imager. Don't use both
drives at the same time after this, as the GUIDs will
also have been copied.

Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno(a)wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans