EWF and hard disk, protected?

[Guest]

Hi

When using EWF on a hard disk, is the disk totally protected from corruption even if there is a power failure? I see that changes made persist from boot to boot so the changes are in fact being written to the hidden partition. Could an unexpected shut down physically damage the disk if in the middle of the write? Can we tell customers that EWF absolutely protects the system or is that only possible when using EWF with RAM? (Data is also written at times to logical drive D that is on the same physical disk.

Regards, dg

 

[Slobodan Brcin \(eMVP\)]

Unfortunately total protection does not exist.
When you have power failure HDD can become physically damaged (and then you
must replace it, or you might have bad blocks).

From pure software point of view.
If Disk overlay becomes corrupted, you can use option provided by ntldr.
that will allow you to discard corrupted overlay data.

EWF RAM will provide greater protection, since data is not written to disk
Unfortunately EWF protect only partitions that you select, but disk driver
is not protected, so virus could destroy your data or make changes to your
disk content.

Regards,
Slobodan

Hi,

When using EWF on a hard disk, is the disk totally protected from

corruption even if there is a power failure? I see that changes made
persist from boot to boot so the changes are in fact being written to the
hidden partition. Could an unexpected shut down physically damage the disk
if in the middle of the write? Can we tell customers that EWF absolutely
protects the system or is that only possible when using EWF with RAM? (Data
is also written at times to logical drive D that is on the same physical
disk.)

 

[Guest]

Hi Slobodan

Thanks for your answer

Regards, d


----- Slobodan Brcin (eMVP) wrote: ----

Unfortunately total protection does not exist
When you have power failure HDD can become physically damaged (and then yo
must replace it, or you might have bad blocks)

From pure software point of view
If Disk overlay becomes corrupted, you can use option provided by ntldr
that will allow you to discard corrupted overlay data

EWF RAM will provide greater protection, since data is not written to dis
Unfortunately EWF protect only partitions that you select, but disk drive
is not protected, so virus could destroy your data or make changes to you
disk content

Regards
Sloboda

Hi

corruption even if there is a power failure? I see that changes mad
persist from boot to boot so the changes are in fact being written to th
hidden partition. Could an unexpected shut down physically damage the dis
if in the middle of the write? Can we tell customers that EWF absolutel
protects the system or is that only possible when using EWF with RAM? (Dat
is also written at times to logical drive D that is on the same physica
disk.

 

[Troy Shaw[MS]]

It isn't clear to me why EWF RAM would be safer in this case than EWF disk,
since you can always restore from NTLDR to remove a corrupted overlay.
Unless you are saying that it is safer, because the drive is never asked to
write which reduces the total number of disk accesses. And, by reducing the
total number of disk accesses you reduce the chances of a drive crashing due
to loss of power.

Slobodan is right that Ewf does not guarantee that all writes will be
caught. Ewf catches writes that go through the volume stack (all normal
writes), but that it is possible to bypass the volume stack and go directly
through the disk driver. However, at that level they have no file system
and have to do raw disk I/O at the sector level from within a driver. Which
means that they had to have administrative access to install the "driver
virus."

 

[Slobodan Brcin \(eMVP\)]

1. Because storage medium is never asked to write anything it is logical to
assume that it is safer. And restoring from ntldr. is probably not a thing
meant for 99% of users to do without technical support.

2. Unfortunately if we use minlogon build we run under system account that
by default have more enabled privileges than Admin account.

Regards,
Slobodan