Notifications

Clear all

New blog post - Contiguous and fragmented

Page 1 / 2 Next

General (Technical, Procedural, Software, Hardware etc.)

Last Post by PaulSanderson 13 years ago

12 Posts

3 Users

0 Reactions

668 Views

RSS

PaulSanderson

(@paulsanderson)

Honorable Member

Joined: 19 years ago

Posts: 651

Topic starter 29/07/2012 2:18 pm

Some of you may have seen this NTFS oddity before - I hadn't…

http//sandersonforensics.com/forum/entry.php?16-Contiguous-and-fragmented!

Quote

jaclaz

(@jaclaz)

Illustrious Member

Joined: 18 years ago

Posts: 5133

29/07/2012 7:12 pm

Some of you may have seen this NTFS oddity before - I hadn't…

http//sandersonforensics.com/forum/entry.php?16-Contiguous-and-fragmented!

Nice ) .
If you can, it would be interesting to run on the mounted filesystem this tool here
http//www.wd-3.com/archive/luserland.htm
and check what it "sees".

jaclaz

ReplyQuote

PaulSanderson

(@paulsanderson)

Honorable Member

Joined: 19 years ago

Posts: 651

Topic starter 30/07/2012 12:10 am

Nice ) .
If you can, it would be interesting to run on the mounted filesystem this tool here
http//www.wd-3.com/archive/luserland.htm
and check what it "sees".

jaclaz

Thanks

Why would running that be interesting? AFAICS from a quick read it simply lists the LBA's of the file, or a given offset within a file - given that the file cluster/sector run is contiguous I already know that!

ReplyQuote

mscotgrove

(@mscotgrove)

Prominent Member

Joined: 17 years ago

Posts: 940

30/07/2012 12:57 am

Has the file been compressed or uncompressed at some time.

(It would be nice if the DOS program displayed data in Hex - much easier to understand at this level - and would match a MFT sector directly)

ReplyQuote

PaulSanderson

(@paulsanderson)

Honorable Member

Joined: 19 years ago

Posts: 651

Topic starter 30/07/2012 1:03 am

I would be very surprised if it had been previously compressed. File was in subdir of program data folder I. A friends computer (very non techy home user). Gut feeling is that this may not be that rare but need to modify my code to test this on a complete image - prob later in the week as away from desk for a few days.

ReplyQuote

jaclaz

(@jaclaz)

Illustrious Member

Joined: 18 years ago

Posts: 5133

30/07/2012 1:50 am

Why would running that be interesting? AFAICS from a quick read it simply lists the LBA's of the file, or a given offset within a file - given that the file cluster/sector run is contiguous I already know that!

It may list the file in either a "big" contiguous set of addresses or in three sets of addresses (that are contiguous).

jaclaz

ReplyQuote

PaulSanderson

(@paulsanderson)

Honorable Member

Joined: 19 years ago

Posts: 651

Topic starter 30/07/2012 4:54 am

Why would running that be interesting? AFAICS from a quick read it simply lists the LBA's of the file, or a given offset within a file - given that the file cluster/sector run is contiguous I already know that!

It may list the file in either a "big" contiguous set of addresses or in three sets of addresses (that are contiguous).

jaclaz

I'm sorry jaclaz you have lost me,

ReplyQuote

jaclaz

(@jaclaz)

Illustrious Member

Joined: 18 years ago

Posts: 5133

30/07/2012 3:44 pm

I'm sorry jaclaz you have lost me,

It's just an idea ? , I'll show you the output of the thingy for a "normal" fragmented file and for a "normal" contiguous one
C\dummy>MyFragmenter.exe -p 3 test3.rnd MyFragmenter v1.2, 2008 J.C. Kessels


Commandline argument '-p' accepted, parts = 3
Processing test3.rnd

File already exists.

Fragment list (before)

  Extent 1 Lcn=73831301, Vcn=0, NextVcn=250

  250 clusters, 1 fragments.

Fragmenting

  Largest gap 63982648 - 67675903 (3693255 clusters)

  Moving 84 clusters from offset=0 to LCN=65829233

  Largest gap 28378461 - 31051346 (2672885 clusters)

  Moving 84 clusters from offset=84 to LCN=29714861

  Largest gap 31051371 - 33724256 (2672885 clusters)

  Moving 84 clusters from offset=168 to LCN=32387771

Fragment list (after)

  Extent 1 Lcn=65829233, Vcn=0, NextVcn=84

  Extent 2 Lcn=29714861, Vcn=84, NextVcn=168

  Extent 3 Lcn=32387771, Vcn=168, NextVcn=250

  250 clusters, 3 fragments.
Finished, 1 files processed.

C\dummy>getFileExtents.exe test3.rnd File offset 0 LBA 1f63cbc7 Sectors 2a0 File offset 54000 LBA e2b4da7 Sectors 2a0 File offset a8000 LBA f719617 Sectors 290And, once made contiguous with Contig
C\dummy>contig -v -a test3.rnd


Contig v1.55 - Makes files contiguous

Copyright (C) 1998-2007 Mark Russinovich

Sysinternals - www.sysinternals.com
------------------------

Processing C\dummy\test3.rnd

Scanning file...

File size 1024000 bytes

C\dummy\test3.rnd is in 3 fragments

------------------------

Summary

     Number of files processed    1

     Average fragmentation        3 frags/file
C\dummy>contig -v test3.rnd
Contig v1.55 - Makes files contiguous

Copyright (C) 1998-2007 Mark Russinovich

Sysinternals - www.sysinternals.com
------------------------

Processing C\dummy\test3.rnd

Scanning file...

Scanning disk...

File is 250 physical clusters in length.

File is in 3 fragments.
Found a free disk block at 56459806 of length 352 for entire file.

Moving 250 clusters at file offset cluster 0 to disk cluster 56459806

File size 1024000 bytes

Fragments before 3

Fragments after  1

------------------------

Summary

     Number of files processed    1

     Number of files defragmented 1

     Average fragmentation before 3 frags/file

     Average fragmentation after  1 frags/file

C\dummy>getFileExtents.exe test3.rnd File offset 0 LBA 1aec112f Sectors 7d0
In the first example, the programs lists three (non-contiguous) addresses.
In the second (obviously) it lists a single contiguous address.

What I was curious about was if applied to your "queer" file it would list three addresses (second immediately following the first and third immediately following the second) or a single address (as IF the file was a "normal" contiguous file).

jaclaz

ReplyQuote

PaulSanderson

(@paulsanderson)

Honorable Member

Joined: 19 years ago

Posts: 651

Topic starter 30/07/2012 4:00 pm

Ah I see - you are wondering whether this program will show both the fragmented and contiguous nature of this file, essentially you are asking me to to test the program for you as I have access to a fragmented/contiguous file.

ReplyQuote

jaclaz

(@jaclaz)

Illustrious Member

Joined: 18 years ago

Posts: 5133

30/07/2012 4:19 pm

Ah I see - you are wondering whether this program will show both the fragmented and contiguous nature of this file, essentially you are asking me to to test the program for you as I have access to a fragmented/contiguous file.

… and because I have no idea oops on how I could possibly replicate a "queer" situation like the one you already have for that particular file…

jaclaz

ReplyQuote

Page 1 / 2 Next

8 Forums
15.7 K Topics
92.3 K Posts
211 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed