On Fri, 02 Apr 2004 11:39:32 +0100, Alex Nichol
For me, the take-home was to avoid using NTFS for anything I'd ever
want to see again. Certain malware circumstances may force you to
wipe all NTFS volumes, and by the time you do data recovery, the data
may have been lost due to auto-"fixing", rollback and other cleanup.
What it comes down to in the end, is that if data is *really* valuable
you should have a thorough and regular back up system, to backup and
verify, to removable media, kept safely.
Yep. Everyone says "backup, backup, backup" but I'll bet you very few
would accept the challenge if you said: "I'll pay you per clock time
required to restore, if you let me nuke your system. After all,
everything's backed up, right?"
A backup old enough to pre-date the disaster will lose the most recent
work you did. A backup new enough to contain all your data right up
to the present is likely to have suffered the same fate as live data.
Backup limits but does not eradicate the damage of data loss.
Really now disk sizes have grown so much, there should be a review of
file system design, to a system that contains a real level of
redundancy; for example all clusters in a file should contain forward
and backward links so that the file could be reconstructed without any
file system around, back to a 'master file record', of an NTFS style.
That's how PICK's file system used to work; chained data (which is how
overflowing data from pre-allocated file space is integrated) was held
as a double-linked list, with prev and next pointers taking up 12
bytes out of every 512-byte data frame.
Advantages: No head travel between the data and some sort of index,
and as it's "atomic", low chance of disconnection between the data and
how it is linked (e.g. the "lost cluster chain" syndrome).
However, several disadvantages suggest themselves.
First, there's no redundancy to sanity-check and detect anomalies,
unless you parallel the embedded linkage with some sort of external
index - which kills much of the advantage of the approach.
Second, it's very hard to get a bird's-eye-view of such a file system.
Third, the embedded nature of these absolute references will bite you
big time in any context that changes raw location, e.g. imaging,
resizing of volumes and so on.
I built my first data recovery skills on a proprietary non-PC file
system that was FAT-like in design, then learned PICK and DOS 3.3 file
systems and recovery thereof at the same time.
The lack of redundancy disadvantage of the embedded link approach was
mitigated by PICK's data design, where nearly everything is stored in
fields that have both a predictive length value and a delimiter. By
seeing which loose frames had delimiters where the length value
predicted, I was able to repair GFEs (Group Format Errors, or as they
say, "Gone For Ever") but fun it was not.
And have there all necessary information to reconstruct its place in the
directory structure.
Redundancy is the key to error detection and repair, and capacity and
speed aren't the biggest drawbacks. An increase in critical window
period means that adding redundancy can actually add to fragility.
The choice is either non-redundant atomic storage that has a small or
zero critical window, or non-atomic redundancy that breaks if the
operation is interrupted during the longer critical window.
IOW, do you want a system that "never breaks" or that can be fixed
*when* it breaks? In practice, the former is a chimera, given that
nearly every file requires more than one sector to store it and is
thus inherently non-atomic with a significant critical window. Add
delayed file writes, and you can see that even when everything works,
the "bad exit" effect is still going to eat data.
All transaction rollback can do in such cases is avoid having to wash
up the plates afterwards. The food's entirely gone.
Such things are possible - one thing about Apple is that the original
designs its file system is developed from had much of this provision
(SOS system of early 80s). I can remember recreating a master catalog
of a small hard disk on an Apple III when the first track had been
zeroed.
I never did Apple, and that's a pity; it sounds as if their file
system would have been fun to play with.
-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
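
The index-free reconstruction discussed in the thread (clusters or frames carrying forward and backward links) can be sketched as follows. This is an added example, not code from either poster or from PICK: the frame layout (6-byte big-endian prev and next frame numbers at the start of each 512-byte frame, 0 meaning no link) and all function names are assumptions, and the disk image is constructed.

```python
FRAME = 512
LINK = 6                    # assumption: 6-byte prev + 6-byte next = 12 bytes per frame
PAYLOAD = FRAME - 2 * LINK  # 500 data bytes left in each frame

def make_frame(prev, nxt, data):
    """Build one constructed frame; 0 means 'no link', frame numbers start at 1."""
    return prev.to_bytes(LINK, "big") + nxt.to_bytes(LINK, "big") + data.ljust(PAYLOAD, b"\0")

def parse(image):
    """Map frame number -> (prev, next, payload) for every whole frame in the image."""
    frames = {}
    for off in range(0, len(image) - FRAME + 1, FRAME):
        raw = image[off:off + FRAME]
        frames[off // FRAME + 1] = (int.from_bytes(raw[:LINK], "big"),
                                    int.from_bytes(raw[LINK:2 * LINK], "big"),
                                    raw[2 * LINK:])
    return frames

def rebuild_chains(image):
    """Follow each chain from its head, accepting a hop only if the back link agrees."""
    frames = parse(image)
    chains, broken, seen = [], [], set()
    for head in [n for n, f in frames.items() if f[0] == 0]:
        chain, cur = [], head
        while cur and cur not in seen:
            seen.add(cur)
            chain.append(cur)
            nxt = frames[cur][1]
            if nxt and (nxt not in frames or frames[nxt][0] != cur):
                broken.append((cur, nxt))  # forward link not confirmed by a back link
                break
            cur = nxt
        chains.append(chain)
    return chains, broken, sorted(set(frames) - seen)  # last item: orphaned frames

def chain_data(image, chain):
    """Concatenate the payloads of one chain, dropping the zero padding at the end."""
    frames = parse(image)
    return b"".join(frames[n][2] for n in chain).rstrip(b"\0")

def sample_image():
    """Constructed image: file A in frames 1->3->5; file B in 2->4, frame 4's back link damaged."""
    a = b"PICK-style record;" * 70  # 1260 bytes, spans three frames
    return b"".join([
        make_frame(0, 3, a[:500]), make_frame(0, 4, b"B" * 500),
        make_frame(1, 5, a[500:1000]), make_frame(9, 0, b"tail of B"),
        make_frame(3, 0, a[1000:]),
    ])

if __name__ == "__main__":
    print(rebuild_chains(sample_image()))
```

The prev/next pair is the only cross-check available here: frame 4 is reported as an orphan because nothing outside the links can say which chain it belongs to.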