A client wants to know if the hard drive was defragged. Using the Disk Viewer in FTK, is there a simplistic method of determining if the disk defragger was run, or when the last time it was run? With the disk viewer, throughout the drive image, there are occasional sectors of blank data. Is my understanding correct that defragging the disk compresses the data together as long as that option is selected? And if it is not, then the sectors where data no longer exists only get replaced with 0's. Any ideas or suggestions?
Thank You
Just to get an idea of where you are in your research on the subject, what have you discovered about de-fragmenting a drive so far? Might be helpful to know where you have looked before pointing you in directions that you might have already been down.
If I may, a general point to take into account is the possible need to clarify the question better.
Is it
Has this drive EVER been defragmented?
Is it
Has this drive been defragmented "LATELY"?
(and a definition of "lately" is needed)
Is it
Has it been defragged by the built-in defragmenting program?
Is it
Has it been defragmented through ANY available method (including offline defragmenting with ANY tool available)?
The answer to each of these questions (IF found) might be slightly different.
And it also may be different depending on the OS running, on the filesystem on the drive and on a couple other factors that should be taken into account, like manual vs. scheduled runs, and typical use of the PC the drive was in.
jaclaz
The general question from the client is
Q If the volume has been defragmented within a certain time period, due to the litigation of the case, I can't state the specific time. But it's within the past year.
Q Is there a way of stating if the defrag has been run lately, within the past year?
I assume it is the built in defragmenting program, I found no evidence of an external or "foreign" program being used, downloaded or installed at any time.
I have researched and used the built in defragmenting programs myself. Research hasn't really enlightened me in the area that I need information on, research has only discovered several methods of "defragmenting a hard drive or system volume."
The general question from the client is
Q Is there a way of stating if the defrag has been run lately, within the past year?
It depends on a number of factors, most of them cited before.
On a Windows NT based system, there may be traces in the logs.
The NTFS filesystem may have a timestamp that could be a clue (not evidence) about the time the volume was defragged.
A statistical analysis of the fragmentation and some data in the (deleted from filesystem) sectors not containing all 00's may help.
If the defrag was scheduled, you may find traces of the scheduled job.
Depending on the typical use of the system it may be possible to understand, from the amount of recoverable data and from traces in it, whether defrag was run, and possibly also have an idea of when it was done.
I mean, just as an example, let's say you have an accountant PC that doesn't surf the web or download "biggish" files, nor often installs new apps; the "normal" fragmentation on its hard disk will be very, very low.
If Windows Automatic Updates was enabled, you have an easy form of checking files with a known date, the drive will be largely empty, etc., etc.
If, another example, you have a home/office laptop it is likely that a number of programs, movies and whatnot have been downloaded to it, and deleted, and the space freed re-filled with new downloads, and the hard disk will be fullish of crap even in the not-included-in-filesystem-index sectors (deleted files).
jaclaz
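The "statistical analysis" jaclaz mentions, and the blank areas the original poster is eyeballing in the FTK Disk Viewer, can be quantified so that drives are compared on numbers rather than impressions. The script below is an added example for this thread, not code from any poster or from FTK: it walks a raw (dd-style) image in fixed-size sectors, flags sectors that are entirely 0x00, reports the contiguous zero runs, and splits the non-zero sectors into low-entropy "structured" content (text, metadata) and high-entropy "dense" content (compressed, encrypted or media remnants). The 512-byte sector size, the 6.0 bits/byte entropy threshold and the 64-sector sample image are all assumptions constructed here for illustration.

```python
"""Map all-zero sector runs and content density in a raw disk image.

Added example for this thread (not from any poster, FTK, or Windows):
quantifies the 'blank areas' seen in a hex/disk viewer so several
drives can be compared on the same footing.
"""
import math
import random
from collections import Counter

SECTOR_SIZE = 512          # assumption: 512-byte logical sectors
DENSE_THRESHOLD = 6.0      # assumption: bits/byte above which a sector is 'dense'


def sector_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for one repeated value, ~8.0 for random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_sector(data: bytes) -> str:
    """'zero' if every byte is 0x00, else 'dense' or 'structured' by entropy."""
    if not any(data):
        return "zero"
    return "dense" if sector_entropy(data) >= DENSE_THRESHOLD else "structured"


def zero_runs(image: bytes, sector_size: int = SECTOR_SIZE):
    """Return [(start_sector, run_length), ...] for contiguous all-zero sectors."""
    runs, start = [], None
    total = len(image) // sector_size
    for i in range(total):
        chunk = image[i * sector_size:(i + 1) * sector_size]
        if not any(chunk):
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:                 # run reaches the end of the image
        runs.append((start, total - start))
    return runs


def summarize(image: bytes, sector_size: int = SECTOR_SIZE) -> dict:
    """Per-image counts that can be tabulated side by side for several drives."""
    total = len(image) // sector_size
    kinds = Counter(
        classify_sector(image[i * sector_size:(i + 1) * sector_size])
        for i in range(total)
    )
    runs = zero_runs(image, sector_size)
    return {
        "total_sectors": total,
        "zero": kinds["zero"],
        "structured": kinds["structured"],
        "dense": kinds["dense"],
        "zero_ratio": kinds["zero"] / total if total else 0.0,
        "zero_runs": len(runs),
        "longest_zero_run": max((length for _, length in runs), default=0),
    }


def build_sample_image() -> bytes:
    """Constructed 64-sector image (not a real drive):
    sectors 0-9 text, 10-29 zero, 30-39 random remnants, 40-63 zero."""
    rng = random.Random(1234)
    text_sector = (b"Invoice 2011-03 customer ledger entry " * 20)[:SECTOR_SIZE]
    live = text_sector * 10
    blank_1 = bytes(SECTOR_SIZE * 20)
    remnants = bytes(rng.getrandbits(8) for _ in range(SECTOR_SIZE * 10))
    blank_2 = bytes(SECTOR_SIZE * 24)
    return live + blank_1 + remnants + blank_2


if __name__ == "__main__":
    # For a real image: image = open("drive.dd", "rb").read()  (or read in chunks)
    img = build_sample_image()
    for key, value in summarize(img).items():
        print(f"{key:18} {value}")
    print("zero runs (start, length):", zero_runs(img))
```

On a real image, read it in large chunks rather than all at once, and record the run list per drive; the ratio of zero sectors and the length of the longest runs are what make one drive's "more areas of all 0's" comparable to another's. As the later replies in this thread point out, a zero region by itself does not tell you who or what produced it, so the map is a measurement to correlate with logs and scheduled-task traces, not a conclusion on its own.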
Thanks jaclaz. It's still driving me crazy, but I'm certain that one drive hasn't ever been defragged. There are a few large areas that contain all 0's, others have scrambled data, looking through the disk viewer. All the drives are similar; however, one has more areas of all 0's. It's not really an issue if the client has run the defragger; the issue comes to hand as to when the last defrag, if any, was run. I'll keep hunting and take your advice in researching more into the log files and such. Thanks again.
I'd be really careful about saying
"but I'm certain that one drive hasn't ever been defragged"; that even goes for a drive you get off the shelf.
I know you are experienced and all, but rarely do you see a CF professional state that they are certain of something.
Good Catch armresl! Thank You! I'm speaking to you guys when I say I'm certain, not to the client or in court. I understand and appreciate you looking out. Thank you again.
What steps were taken to arrive at this statement?
"I assume it is the built in defragmenting program, I found no evidence of an external or "foreign" program being used, downloaded or installed at any time. "
Extensive investigation of the contents of the hdd image. If I hadn't already combed through this hard drive with a fine-tipped needle, I'm not sure how much more there is to go.