Tag: ntfs

Hard drive forensics

This one is quite eye-opening. I recently suffered a hard-drive failure and was unable to boot either operating system in a multi-boot environment. The only item not backed up was a large number of photos and movies that I had accumulated and intended to burn to a CD/DVD. Using a ‘Live’ Ubuntu CD, I was able to use the Foremost program to analyze the drive media and locate all JPG and MPG files and copy them to a ‘safe’ location.

What’s frightening here is that these files are not located by their filenames, but by their contents… largely the first few bytes of the file itself when stored on disk. In my experience, Foremost was easily able to parse NTFS and EXT4 partitions.

Word to the wise… this is only possible if you do not use encryption to obscure the data on the drive itself. I’d personally recommend enabling the options provided by your operating system itself if you store sensitive data. Alternately, software like TrueCrypt can be used to hide specific assets.

Happy Recovery!

Windows NTFS Performance

For a very long time I was perplexed as to why my old 900Mhz Pentium-3 server outperformed many of my newer and faster machines, even when they all were running with essentially the same amount of memory and had the same 7200rpm hard-drives.

I recently realized that over the years, I had optimized the WindowsXP NTFS registry settings with a variety of software and manual edits, and thus had essentially changed the way that windows works with the drive itself.

Here are the current settings that these machines utilize, perhaps you can try them for yourselves:

WARNING: You need to be confortable making edits to your registry to do these changes, as such I will not document ‘how’ to open the registry itself, you can easily find that info anyways.  These are all DWORD settings.

HKLM\SYSTEM\CurrentControlSet\Control\FileSystem

  • DisableNTFSLastAccessUpdate  = 1
  • NtfsDisable8dot3NameCreation = 1
  • NtfsDisableLastAccessUpdate = 1
  • NtfsMftZoneReservation = 2

Cheers

Windows Tools for reading NTFS and Linux partitions

I’ve had to do my share of hard-drive recoveries over the years and have found the tools provided by DiskInternals to be invaluable in several occurances.

I’d previously used their NTFS Reader software to recover files from bad partitions after multi-booting to an older Windows operating system drive on the same machine.

Now I’ve found that they offer an EXT2/EXT3 Reader to allow Windows to access Linux partitions.

This is great for less-technical users that experience fatal errors in their operating systems as there’s now a relatively simple way to access the ‘familiar’ Windows tooling to recover files on the ‘bad’ partition. For the power-user, this affords a means for people making the switch to Linux a means in which to access their files in Windows in the off chance that they have to use software not usable under WINE.

Product Pages:

NOTE: Similar tooling exists to read Mac HPFS partitions, that topic saved for a later post!

Cheers!