New blog post - Contiguous and fragmented  

PaulSanderson
(@paulsanderson)
Senior Member

Some of you may have seen this NTFS oddity before - I hadn't…

http://sandersonforensics.com/forum/entry.php?16-Contiguous-and-fragmented!

Posted : 29/07/2012 2:18 pm
jaclaz
(@jaclaz)
Community Legend

> Some of you may have seen this NTFS oddity before - I hadn't…
>
> http://sandersonforensics.com/forum/entry.php?16-Contiguous-and-fragmented!

Nice :) .
If you can, it would be interesting to run on the mounted filesystem this tool here
http://www.wd-3.com/archive/luserland.htm
and check what it "sees".

jaclaz

Posted : 29/07/2012 7:12 pm
PaulSanderson
(@paulsanderson)
Senior Member

> Nice :) .
> If you can, it would be interesting to run on the mounted filesystem this tool here
> http://www.wd-3.com/archive/luserland.htm
> and check what it "sees".
>
> jaclaz

Thanks

Why would running that be interesting? AFAICS from a quick read it simply lists the LBA's of the file, or a given offset within a file - given that the file cluster/sector run is contiguous I already know that!

Posted : 30/07/2012 12:10 am
mscotgrove
(@mscotgrove)
Senior Member

Has the file been compressed or uncompressed at some time?

(It would be nice if the DOS program displayed data in Hex - much easier to understand at this level - and would match an MFT sector directly)

Posted : 30/07/2012 12:57 am
PaulSanderson
(@paulsanderson)
Senior Member

I would be very surprised if it had been previously compressed. File was in subdir of program data folder on a friend's computer (very non techy home user). Gut feeling is that this may not be that rare but need to modify my code to test this on a complete image - prob later in the week as away from desk for a few days.

Posted : 30/07/2012 1:03 am
jaclaz
(@jaclaz)
Community Legend

> Why would running that be interesting? AFAICS from a quick read it simply lists the LBA's of the file, or a given offset within a file - given that the file cluster/sector run is contiguous I already know that!

It may list the file in either a "big" contiguous set of addresses or in three sets of addresses (that are contiguous).

jaclaz

Posted : 30/07/2012 1:50 am
PaulSanderson
(@paulsanderson)
Senior Member

> > Why would running that be interesting? AFAICS from a quick read it simply lists the LBA's of the file, or a given offset within a file - given that the file cluster/sector run is contiguous I already know that!
>
> It may list the file in either a "big" contiguous set of addresses or in three sets of addresses (that are contiguous).
>
> jaclaz

I'm sorry jaclaz, you have lost me.

Posted : 30/07/2012 4:54 am
jaclaz
(@jaclaz)
Community Legend

> I'm sorry jaclaz, you have lost me.

It's just an idea, I'll show you the output of the thingy for a "normal" fragmented file and for a "normal" contiguous one:

C:\dummy>MyFragmenter.exe -p 3 test3.rnd
MyFragmenter v1.2, 2008 J.C. Kessels

Commandline argument '-p' accepted, parts = 3

Processing test3.rnd
File already exists.
Fragment list (before)
Extent 1 Lcn=73831301, Vcn=0, NextVcn=250
250 clusters, 1 fragments.
Fragmenting
Largest gap 63982648 - 67675903 (3693255 clusters)
Moving 84 clusters from offset=0 to LCN=65829233
Largest gap 28378461 - 31051346 (2672885 clusters)
Moving 84 clusters from offset=84 to LCN=29714861
Largest gap 31051371 - 33724256 (2672885 clusters)
Moving 84 clusters from offset=168 to LCN=32387771
Fragment list (after)
Extent 1 Lcn=65829233, Vcn=0, NextVcn=84
Extent 2 Lcn=29714861, Vcn=84, NextVcn=168
Extent 3 Lcn=32387771, Vcn=168, NextVcn=250
250 clusters, 3 fragments.

Finished, 1 files processed.

C:\dummy>getFileExtents.exe test3.rnd
File offset 0 LBA 1f63cbc7 Sectors 2a0
File offset 54000 LBA e2b4da7 Sectors 2a0
File offset a8000 LBA f719617 Sectors 290

And, once made contiguous with Contig:

C:\dummy>contig -v -a test3.rnd

Contig v1.55 - Makes files contiguous
Copyright (C) 1998-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

------------------------
Processing C:\dummy\test3.rnd
Scanning file...
File size 1024000 bytes
C:\dummy\test3.rnd is in 3 fragments
------------------------
Summary
Number of files processed 1
Average fragmentation 3 frags/file

C:\dummy>contig -v test3.rnd

Contig v1.55 - Makes files contiguous
Copyright (C) 1998-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

------------------------
Processing C:\dummy\test3.rnd
Scanning file...
Scanning disk...
File is 250 physical clusters in length.
File is in 3 fragments.

Found a free disk block at 56459806 of length 352 for entire file.
Moving 250 clusters at file offset cluster 0 to disk cluster 56459806
File size 1024000 bytes
Fragments before 3
Fragments after 1
------------------------
Summary
Number of files processed 1
Number of files defragmented 1
Average fragmentation before 3 frags/file
Average fragmentation after 1 frags/file

C:\dummy>getFileExtents.exe test3.rnd
File offset 0 LBA 1aec112f Sectors 7d0

In the first example, the program lists three (non-contiguous) addresses.
In the second (obviously) it lists a single contiguous address.

What I was curious about was if applied to your "q***r" file it would list three addresses (second immediately following the first and third immediately following the second) or a single address (as IF the file was a "normal" contiguous file).

jaclaz

Posted : 30/07/2012 3:44 pm
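
The question in the post above, worked through as an added example (not code from the thread or from any of the tools named in it): decode an NTFS data-run list, then compare the runs as the MFT records them with the same runs merged wherever one starts on the cluster right after the previous one ends. The 8 sectors per cluster and the partition start at sector 63 are inferred from the LCN and LBA figures in the post; 512-byte sectors, the hand-encoded run lists and all function names are assumptions.

```python
SECTORS_PER_CLUSTER = 8   # assumption, inferred from the post's LCN/LBA pairs
PARTITION_START = 63      # assumption, inferred the same way (in sectors)

def decode_runlist(raw):
    """Decode NTFS data runs into (vcn, lcn, clusters); lcn is None for a sparse run."""
    runs, pos, vcn, lcn = [], 0, 0, 0
    while pos < len(raw) and raw[pos] != 0x00:          # a 0x00 header ends the list
        len_size, off_size = raw[pos] & 0x0F, raw[pos] >> 4
        pos += 1
        clusters = int.from_bytes(raw[pos:pos + len_size], "little")
        pos += len_size
        if off_size:
            # The start is a signed delta from the previous run's starting LCN.
            lcn += int.from_bytes(raw[pos:pos + off_size], "little", signed=True)
            pos += off_size
        runs.append((vcn, lcn if off_size else None, clusters))
        vcn += clusters
    return runs

def coalesce(runs):
    """Merge runs that start exactly where the previous run ends on disk."""
    merged = []
    for vcn, lcn, clusters in runs:
        prev = merged[-1] if merged else None
        if prev and lcn is not None and prev[1] is not None and prev[1] + prev[2] == lcn:
            merged[-1] = (prev[0], prev[1], prev[2] + clusters)
        else:
            merged.append((vcn, lcn, clusters))
    return merged

def to_extents(runs):
    """(file offset in bytes, LBA, sectors) per run: the columns getFileExtents prints."""
    return [(v * SECTORS_PER_CLUSTER * 512, PARTITION_START + l * SECTORS_PER_CLUSTER,
             n * SECTORS_PER_CLUSTER) for v, l, n in runs if l is not None]

def contiguous_but_fragmented(raw):
    """True when the MFT lists several runs that form one unbroken span on disk."""
    runs = decode_runlist(raw)
    return len(runs) > 1 and len(coalesce(runs)) == 1

# The post's three-fragment layout (LCN 65829233, 29714861, 32387771), encoded by hand.
FRAGMENTED = bytes.fromhex("41547179ec0341543cf0d8fd31520ec92800")
# Constructed sample: three runs, each starting where the last one ended (from LCN 1000).
ODDITY = bytes.fromhex("2154e80311545411525400")

if __name__ == "__main__":
    for name, raw in (("fragmented", FRAGMENTED), ("oddity", ODDITY)):
        runs = decode_runlist(raw)
        print(name, to_extents(runs), "->", to_extents(coalesce(runs)))
```

For the constructed sample the two views differ: three extents as recorded, one after merging, so what a listing tool reports depends on whether it coalesces adjacent runs.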
PaulSanderson
(@paulsanderson)
Senior Member

Ah I see - you are wondering whether this program will show both the fragmented and contiguous nature of this file, essentially you are asking me to test the program for you as I have access to a fragmented/contiguous file.

Posted : 30/07/2012 4:00 pm
jaclaz
(@jaclaz)
Community Legend

> Ah I see - you are wondering whether this program will show both the fragmented and contiguous nature of this file, essentially you are asking me to test the program for you as I have access to a fragmented/contiguous file.

… and because I have no idea on how I could possibly replicate a "q***r" situation like the one you already have for that particular file…

jaclaz

Posted : 30/07/2012 4:19 pm
PaulSanderson
(@paulsanderson)
Senior Member

If I get time I'll have a look but I am very time poor at the moment.

Posted : 30/07/2012 5:12 pm
PaulSanderson
(@paulsanderson)
Senior Member

I have updated my blog as it seems that this is not that uncommon and there are quite a few occurrences on an old image of my C drive. I have modified my program Reconnoitre to display this info and show a screenshot of a number of offending files (there were 65 in all on this disk).

http://sandersonforensics.com/forum/content.php?167-Contiguous-and-fragmented!

Posted : 09/08/2012 2:00 am