COLLECTED hard drive usage after XP NTFS

"MEB" meb@not wrote in message
...
| Jeff responded to the above with (my response inline):

| /I'm off to the Indycar racing, so just talk amongst yourselves for a
while.

| Have fun, wish I was there... zooooooommmmm....

He'll run you OVER, if you go there, MEB!

"PCR" wrote in message
...
| "MEB" meb@not wrote in message
| ...
| | Jeff responded to the above with (my response inline):
|
| | /I'm off to the Indycar racing, so just talk amongst yourselves for a
| while.
|
| | Have fun, wish I was there... zooooooommmmm....
|
| He'll run you OVER, if you go there, MEB!
|

AAAAAWWW, he would not,, or would he? He's a driver?

--
MEB
_______________

"MEB" meb@not wrote in message
...
|
|
|
| "PCR" wrote in message
| ...
| | "MEB" meb@not wrote in message
| | ...
| | | Jeff responded to the above with (my response inline):
| |
| | | /I'm off to the Indycar racing, so just talk amongst yourselves
for a
| | while.
| |
| | | Have fun, wish I was there... zooooooommmmm....
| |
| | He'll run you OVER, if you go there, MEB!
| |
|
| AAAAAWWW, he would not,, or would he? He's a driver?
|
| --
| MEB
| _______________

He DOES drive, but his license was revoked five times now! Don't be the
6th reason why!

BTW Jeff, I reposted this under the other repost with inline reply.. (in
case you didn't notice..)

Looks like I may be headed out for awhile, so I may not get to respond for
awhile.. Catch ya then..

--
MEB
http://peoplescounsel.orgfree.com/
BLOG http://peoplescounsel.spaces.live.com/ Public Notice or the "real
world"

"Most people, sometime in their lives, stumble across truth.
Most jump up, brush themselves off, and hurry on about their business as if
nothing had happen." Winston Churchill
Or to put it another way:
Morpheus can offer you the two pills;
but only you can choose whether you take the red pill or the blue one.
_______________

"Jeff Richards" wrote in message
...
| "MEB" meb@not wrote in message
| ...
| snip
|
| Hmm, what program are you using to search the disk?
| The verify tool I indicated - disk look program which compares each sector
| to sector zero.
|
| snip
| There are several ways for the disk to return the exact same "drive
| space".
| The CHS changes might have included a Cylinder or other change [LBA
| returns
| the same size though different CHS]. So you've said the CHS did not
change
| at all when you say " reported the same configuration", correct?
| The number of cylinders, heads and sectors reported under both CHS and LBA
| was identical before and after.
|
| snip
| How would any NTFS file structures be placed if the drive has been
zeroed
| and NTFS has been removed?
| Nothing would exist other than a blank partition, supposedly, if your
test
| has wiped the disk.
| If the drive has been zeroed then a blank partition does NOT exist.
| Partitioning the drive will replace the NTFS structures and the drive
would
| no longer be zeroed. Any test would not be able to distinguish between
| data left over from the original installation and data installed by the
| partitioning procedure, thus invalidating the results.
|
| So running sdelete from DOS on a blank disk would fill the empty space,
| overwriting nothing, if it worked at all.
| SDelete will not work with an unpartitioned drive.
|
| SDelete works on Windows 95, 98, NT 4.0 and Win2K per it's info.
| Yes. It is not a utility for examining a blank drive.
|
| snip
|
| BTW, you indicated you would first remove the partition by fdisking
before
| running the Maxtor tool, did you (or did I overlook that)?
|
| Where did I indicate that? What would be the point? The write zeroes
| function overwrites the partition data, and I have made it quite clear
that
| FDISK removes partitions and does NOT remove data (which is how come data
| recovery tools can still work on a drive that has been fdisked).
|
| As for tools to test with:
|
| Let's see, first tool, HDAT2 to check SMART and disk.
| hdat2all_4_51.zip http://www.hdat2.com/ and the PDF
| Create the diskette, do not write protect it. Restart the computer, set
| for
| floppy boot, start with disk in the floppy drive.
| First screen choose the disk, note LBA number and size.
| MAIN MENU choose S.M.A.R.T. Menu, choose Read Attribute Data.
| Make notes of (Threshold, Value, and Worst, might also note raw values
| (raw
| data and flags)):
| Raw Read Error Rate
| Reallocated Sector Count (should be none if this was a new disk)
| Read Channel Margin
| Calibration Retry Count
| Ultra DMA CRC Error Rate
| (anything else of interest)
| I'm not interested in looking at SMART. It was disabled throughout the
test
| and could not have played any part in the results. What you are
discussing
| here is a completely different test (and I don't even know what is being
| tested).
|
| TESTDISK second, use as DOS tool. Create or use a startup disk with
| TESTDISK on it (suggest FREEDOS (32bit) startup disk). Startup using the
| disk. Type testdisk at command prompt
| Second screen should show CHS and MB/MiB; in Analyse (third screen) then
| [Search!] (extended search fifth screen), making notes of what each
screen
| presents. (The second screen does not write the Intel code, it just
| indicates what the disk formatting might be or have been)
| MB/MiB is 122/114, which is what I would expect. CHS is 14947/255/63
which
| again agrees. Options were changed to not force whole cylinder, in order
to
| ensure all sectors were examined. No partition information was found in
| standard or deep search for either an existing (assumed) partition or a
| blank disk Proposed partition is the full disk, as per above CHS figures.
|
| Third tool, WINHEX
| Download the demo version (if you don't have it). Not sure what is
| available in that version. Install in XP (does not support 98).
| XP should not be able to access disk as it is not fdisked or formatted.
| This assumption invalidates the test and makes everything subsequent
| irrelevant. The very point you were making is that XP is doing something
to
| the disk at such a low level that it doesn't need a partition or a format.
| That's why we used a disk zeroing utility and not a data overwriting
utility
| (such as MEANDISK) to demonstrate that XP can be fully removed from the
| disk.
|
| I'm off to the Indycar racing, so just talk amongst yourselves for a
while.
| --
| Jeff Richards
| MS MVP (Windows - Shell/User)
|
|

ELECTIONS are now over {looks like I won't have anything to do here
(hopefully)}, time to return to the issues of this discussion.

Well, Jeff never responded to the request for S.M.A.R.T. data, and for
tools he would cross verify the integrity/wipe of the disk with. Ah well,
perhaps he had to put it into service.

He did leave those issues unanswered; and appeared to indicate the disk
would return NTFS information if partitioned.

-----

A MASSIVE ONE [Bet you thought this was done]::

I suppose it's now time for more related material {or further indications
of XP and its NTFS} based upon an indication I previously presented
regarding finding a "table" / boot sector far beyond the end of the supposed
disk. Here are some essential aspects of hard drives.

For information regarding the possible aspects of this "finding" we revert
to:

HDAT2en_451.pdf excerpts [rights to this material remain under control of
the original creator] :

M7. Device Configuration Overlay Menu
ATA/ATAPI Device Configuration Overlay (DCO)

DCO allows systems to modify the apparent features provided by a hard disk
drive device. It provides a set of commands that allow a utility program to
modify some of the commands, modes, and feature sets reported as supported
by the hard disk drive. It can be used to hide a portion of the hard disk
drive's capacity from being viewed by the operating system and the file
system.
The optional Device Configuration Overlay feature set allows a utility
program to modify some of the optional commands, modes, and feature sets
that a device reports as supported in the IDENTIFY DEVICE or IDENTIFY PACKET
DEVICE command data as well as the capacity reported.

Commands of Device Configuration Overlay feature set:

DEVICE CONFIGURATION FREEZE LOCK
DEVICE CONFIGURATION IDENTIFY
DEVICE CONFIGURATION RESTORE
DEVICE CONFIGURATION SET


M8. Security Menu

This menu item is available only for drive, which support Security Mode
feature set (bit 1 of word 82). Next features are described in word 128.
Maximum password length is 32 characters.

Drive Lock is based on the industry standard ATA-3 specification. The
standard uses a dual password structure featuring a User and Master password
and defines two security modes, High and Maximum.
Under High mode, the Master password can be used to unlock a protected hard
drive and reset the User password.
By contrast, in Maximum mode the Master password can only be used to
reformat the hard drive and reset security options for the newly formatted
drive.

In the Maximum mode, the Master password cannot be used to change the User
password without first reformatting the hard drive. This protects against
unauthorized access to hard drive by the owner of the Master password. In
both security modes, if both passwords are lost, the hard drive is rendered
permanently unusable. The decision to implement only the High mode was made
to eliminate risk of data loss in the event only the User password is lost.

In High security mode, one can unlock the disk with either the user or
master password by using the "SECURITY UNLOCK DEVICE" ATA command.

In Maximum security mode, one can not unlock the disk without knowing the
passwords. One way to reuse the disk is to issue the SECURITY ERASE PREPARE
command followed by SECURITY ERASE UNIT. However, The SECURITY ERASE UNIT
command will require the Master password and all data will be erased as a
result.

Security Mode feature set

The optional Security Mode feature set is a password system that restricts
access to user data stored on a device. The system has two passwords, User
and Master, and two security levels, High and Maximum. The security system
is enabled by sending a user password to the device with the SECURITY SET
PASSWORD command. When the security system is enabled, access to user data
on the device is denied after a power cycle until the User password is sent
to the device with the SECURITY UNLOCK command.

A Master password may be set in addition to the User password. The purpose
of the Master password is to allow an administrator to establish a password
that is kept secret from the user, and which may be used to unlock the
device if the User password is lost.
Setting the Master password does not enable the password system.

The security level is set to High or Maximum with the SECURITY SET PASSWORD
command.

The security level determines device behavior when the Master password is
used to unlock the device. When the security level is set to High, the
device requires the SECURITY UNLOCK command and the Master password to
unlock.

When the security level is set to Maximum, the device requires a SECURITY
ERASE PREPARE command and a SECURITY ERASE UNIT command with the Master
password to unlock.

Execution of the SECURITY ERASE UNIT command erases all user data on the
device.

The SECURITY FREEZE LOCK command prevents changes to passwords until a
following power cycle. The purpose of the SECURITY FREEZE LOCK command is to
prevent password setting attacks on the security system. Sometimes this
command will issue

Page 50

system BIOS. If device is locked with SECURITY FREEZE LOCK command, then
program for this device will show a message "!SECURITY: FROZEN".

If device is locked with a password, then program for this device will show
a message "! SECURITY: LOCKED".

A device that implements the Security Mode feature set shall implement the
following minimum set of commands:

SECURITY SET PASSWORD
SECURITY UNLOCK
SECURITY ERASE PREPARE
SECURITY ERASE UNIT
SECURITY FREEZE LOCK
SECURITY DISABLE PASSWORD

Support of the Security Mode feature set is indicated in IDENTIFY DEVICE
word 82 and
word 128.


Security mode initial setting

When the manufacturer ships the device, the state of the Security Mode
feature shall be disabled. The initial Master password value is not defined
by ATA standard.
If the Master Password Revision Code feature is supported, the manufacturer
shall set the Master Password Revision Code to FFFEh.


User password lost

If the User password sent to the device with the SECURITY UNLOCK command
does not match the user password previously set with the SECURITY SET
PASSWORD command, the device shall not allow the user to access data.

If the Security Level was set to High during the last SECURITY SET PASSWORD
command, the device shall unlock if the Master password is received.

If the Security Level was set to Maximum during the last SECURITY SET
PASSWORD command, the device shall not unlock if the Master password is
received.
The SECURITY ERASE UNIT command shall erase all user data and unlock the
device if the Master password matches the last Master password previously
set with the SECURITY SET PASSWORD command.

Attempt limit for SECURITY UNLOCK command

The device shall have an attempt limit counter. The purpose of this counter
is to defeat repeated trial attacks. After each failed User or Master
password SECURITY UNLOCK command, the counter is decremented. When the
counter value reaches zero the EXPIRE bit (bit 4) of word 128 in the
IDENTIFY DEVICE information is set to one, and the SECURITY UNLOCK and
SECURITY UNIT ERASE commands are command aborted until the device is powered
off or hardware reset. The EXPIRE bit shall be cleared to zero after
power-on or hardware reset. The counter shall be set to five after a
power-on or hardware reset.

Page 51

M8.1 SET PASSWORD

This item is for command SECURITY SET PASSWORD to set password identifier
(User, Master), security level (High, Maximum), new password and Master
Password Revision Code for password Master.


M9. SET MAX (HPA) Menu

The Host Protected Area security commands using a single command code and
are differentiated from one another by the value placed in the Features
register. In addition, a device supporting the Host Protected Area feature
set may optionally include the security extensions. Following commands are
defined in this featu
READ MAX ADDRESS/READ MAX ADDRESS EXT
SET MAX ADDRESS/SET MAX ADDRESS EXT
SET MAX SET PASSWORD
SET MAX LOCK
SET MAX FREEZE LOCK
SET MAX UNLOCK

Devices supporting these extensions shall set bit 10 of word 82 and bit 8
of word 83 of the IDENTIFY DEVICE response to one.

HPA is defined as a reserved area for data storage outside the normal
operating file system. This area is hidden from the operating system and
file system, and is normally used for specialized applications. Systems may
wish to store configuration data or save memory to the HDD device in a
location that the operating systems cannot change.

You can see at M13.1.22 Address Offset Mode feature also.


M9.1 Set Max Address
This menu item is valid for ATA/SATA hard drive only when the Host
Protected Area feature set (bit 10 in word 82) is implemented. Use
prohibited when the Removable feature set (bit 2 in word 82) is implemented.

First, we have to explain the concept:

"Native max address": The native maximum address is the highest address
accepted by the device in the factory default condition. The native maximum
address is the maximum address that is valid when using the SET MAX ADDRESS
command.

If the 48-bit Address feature set is supported and the 48-bit native max
address is greater than 268,435,455, the READ NATIVE MAX ADDRESS command
shall return a maximum value of 268,435,454.

"Host Protected Area" (HPA) feature set: A reserved area for data storage
outside the normal operating system file system is required for several
specialized applications.
Systems may wish to store configuration data or save memory to the device
in a location that the operating systems cannot change. The optional Host
Protected Area feature set allows a portion of the device to be reserved for
such an area when the device is initially configured.

A device that implements the Host Protected Area feature set shall
implement the following minimum set of commands:
READ NATIVE MAX ADDRESS
SET MAX ADDRESS

Page 55

A device that implements the Host Protected Area feature set and supports
the 48-bit Address feature set shall implement the following additional set
of commands:
READ NATIVE MAX ADDRESS EXT
SET MAX ADDRESS EXT

Devices supporting this feature set shall set bit 10 of word 82 to one in
the data returned by the IDENTIFY DEVICE or IDENTIFY PACKET DEVICE command.

The READ NATIVE MAX ADDRESS or READ NATIVE MAX ADDRESS EXT command allows
the host to determine the maximum native address space of the device even
when a protected area has been allocated.

The SET MAX ADDRESS or SET MAX ADDRESS EXT command allows the host to
redefine the maximum address of the user accessible address space. That is,
when the SET MAX ADDRESS or SET MAX ADDRESS EXT command is issued with a
maximum address less than the native maximum address, the device reduces the
user accessible address space to the maximum specified by the command,
providing a protected area above that maximum address. The SET MAX ADDRESS
or SET MAX ADDRESS EXT command shall be immediately preceded by a READ
NATIVE MAX ADDRESS or READ NATIVE MAX ADDRESS EXT command.
After the SET MAX ADDRESS or SET MAX ADDRESS EXT command has been issued,
the device shall report only the reduced user address space in response to
an IDENTIFY DEVICE command in words 60, 61, 100, 101, 102, and 103.
Any read or write command to an address above the maximum address specified
by the SET MAX ADDRESS or SET MAX ADDRESS EXT command shall cause command
completion with the IDNF bit set to one and ERR set to one, or command
aborted.

If the SET MAX ADDRESS or SET MAX ADDRESS EXT command is issued with a
value that exceeds the native maximum address command aborted shall be
returned.

A volatility bit in the Sector Count register allows the host to specify if
the maximum address set is preserved across power-on or hardware reset
cycles. On power-on or hardware reset the device maximum address returns to
the last non-volatile address setting regardless of subsequent volatile SET
MAX ADDRESS or SET MAX ADDRESS EXT commands.
If Value volatile bit is set to one, the device shall preserve the maximum
values over power-up or hardware reset. If Value volatile bit is cleared to
zero, the device shall revert to the most recent non-volatile maximum
address value setting over power-up or hardware reset.

Typical use of these commands would be:
1. on reset
a) BIOS receives control after a system reset
b) BIOS issues a READ NATIVE MAX ADDRESS or READ NATIVE MAX ADDRESS EXT
command to find the max capacity of the device
c) BIOS issues a SET MAX ADDRESS or SET MAX ADDRESS EXT command to the
values returned by READ NATIVE MAX ADDRESS or READ NATIVE MAX ADDRESS EXT
d) BIOS read configuration data from the highest area on the disk
e) BIOS issues a READ NATIVE MAX ADDRESS or READ NATIVE MAX ADDRESS EXT
command followed by a SET MAX ADDRESS or SET MAX ADDRESS EXT command to
reset the device to the size of the file system
2. on save to disk
a) BIOS receives control prior to shut down

Page 56

b) BIOS issues a READ NATIVE MAX ADDRESS or READ NATIVE MAX ADDRESS EXT
command to find the max capacity of the device
c) BIOS issues a volatile SET MAX ADDRESS or SET MAX ADDRESS EXT command
to the values returned by READ NATIVE MAX ADDRESS or READ NATIVE MAX ADDRESS
EXT
d) Memory is copied to the reserved area
e) Shut down completes
f) On power-on or hardware reset the device max address returns to the
last non-volatile setting

These commands are intended for use only by system BIOS or other low-level
boot time process. Using these commands outside BIOS controlled boot or
shutdown may result in damage to file systems on the device. Devices should
return command aborted if a subsequent non-volatile SET MAX ADDRESS or SET
MAX ADDRESS EXT command is received after a power-on or hardware reset.

SET MAX ADDRESS command shall be aborted if a SET MAX ADDRESS EXT has
established a host protected area and vice versa, SET MAX ADDRESS EXT
command shall be aborted if a SET MAX ADDRESS has established a host
protected area.

Hosts shall not issue more than one non-volatile SET MAX ADDRESS or SET MAX
ADDRESS EXT command after a power-on or hardware reset. Devices should
report an IDNF error upon receiving a second non-volatile SET MAX ADDRESS
command after a power-on or hardware reset.

M9.2 Set Password

The SET MAX SET PASSWORD command allows the host to define the password to
be used during the current power-on cycle. The password does not persist
over a power cycle but does persist over a hardware or software reset. This
password is not related to the password used for the Security Mode Feature
set. When the password is set, the
device is in the Set Max Unlocked mode.

M9.3 Lock
The SET MAX LOCK command allows the host to disable the SET MAX commands
(except SET MAX UNLOCK) until the next power cycle or the issuance and
acceptance of the SET MAX UNLOCK command. When this command is accepted, the
device is in the Set max locked mode.

M9.4 Unlock
The SET MAX UNLOCK command changes the device from the Set Max Locked mode
to the Set Max Unlocked mode.

M9.5 Freeze Lock
The SET MAX FREEZE LOCK command allows the host to disable the SET MAX
commands (including Set Max Unlock) until the next power cycle. When this
command is accepted, the device is in the Set Max Frozen mode.

Page 57


M13.1.22 Address Offset Mode (Reserved Area Boot)

This feature is described in "Address Offset Reserved Area Boot", INCITS
TR27:2001.
Computer systems perform initial code booting by reading from a predefined
address on a disk drive. To allow an alternate bootable operating system to
exist in a reserved area on disk drive, Address Offset Feature provides a
Set Feature function to temporarily offset the drive address space.
The offset address space wraps around so that the entire disk drive address
space remains addressable in offset mode. The Set Max pointer is set to the
end of the reserved area to protect the data in the user area when operating
in offset mode. This protection can be removed by a SET MAX ADDRESS / SET
MAX ADDRESS EXT command to move the Set Max pointer to the end of the drive.
Set Feature Command Subcommand code 09h "ENABLE ADDRESS OFFSET MODE sub
command" offsets address LBA 0 (Cylinder 0, Head 0, Sector 1) to the start
of a non-volatile reserved area established using the SET MAX ADDRESS / SET
MAX ADDRESS EXT command. The offset condition is cleared by SET FEATURE
command Subcommand 89h "DISABLE ADDRESS OFFSET MODE", Software Reset,
Hardware Reset or Power on Reset.
Upon entering offset mode, the capacity of the drive returned in the
IDENTIFY DEVICE data is the size of the former reserved area. A subsequent
SET MAX ADDRESS / SET MAX ADDRESS EXT command using the address returned by
READ MAX ADDRESS / READ MAX ADDRESS EXT command allows access to the entire
drive. Addresses wrap so the entire drive remains addressable.

If a non-volatile reserved area has not been established before the device
receives a SET FEATURES ENABLE ADDRESS OFFSET MODE sub command, the command
fails with Abort error status.

Disable Address Offset Mode removes the address offset and sets the size of
the drive reported by the IDENTIFY DEVICE command back to the size specified
in the last non-volatile SET MAX ADDRESS / SET MAX ADDRESS EXT command.
IDENTIFY DEVICE Word 83 bit 7 indicates the device supports the Set
Features Address Offset Mode. IDENTIFY DEVICE Word 86 bit 7 indicates the
device is in address offset mode.

Before Enable Address Offset Mode

A reserved area has been created using a non-volatile SET MAX ADDRESS
command or SET MAX ADDRESS EXT command.

User Accessible Area Reserved Area
LBA=0____________LBA=R________LBA=M

After Enable Address Offset Mode

The former reserved area is now the user accessible area. The former user
accessible area is now the reserved area.

User Accessible Area
Reserved Area
_____________LBA=0(former Reserved Area)LBA=M-R(former User Accessible
Area)LBA=M

Page 67

After SET MAX ADDRESS/SET MAX ADDRESS EXT command

Using the Value Returned by READ MAX ADDRESS/READ MAX ADDRESS EXT command

User Accessible
Area
________________LBA=0___________________________LB A=M

Set Feature Disable Address Offset Mode, hardware or Power on Reset returns
the device to Address Offset Mode Disabled. Software reset returns the
device to Address Offset Mode Disable if Set Features Disable Reverting to
Power On Defaults has not been set.



M13.1.23 SET MAX security extension

If this feature is enabled then with command SET MAX SET PASSWORD was
enabled SET MAX security extension on device (device is locked).


M13.1.26 Device Configuration Overlay feature set

The optional Device Configuration Overlay feature set allows a utility
program to modify some of the optional commands, modes, and feature sets
that a device reports as supported in the IDENTIFY DEVICE or IDENTIFY PACKET
DEVICE command response as well as the capacity reported. (See detailed
info) [above at M7]

++++++++END excerpts+++++

Reviewing the found "table" beyond the supposed end of the Maxtor disk, and
applying a "template" for boot sector/ partition table entries, I find that
this contains three 'partitions' (there might be more but my template only
shows the four normally available areas - remember partition tables are
'chained' together)[hence the issue c_quirke referenced, and I referred to].
Both disks [Samsung and Maxtor] supported ATA3 specifications which include
DCO, reserved boot sector, and other 'commands' / features.

Two of those "partitions" are not NTFS, but appear to be fat12. Hence,
these
are apparently the BIOSreserved sectors reserved area boot - first
called areas.

Two other (or more) other filing systems may also be using this reserved
area boot extension / commands:
EXT3 and Reiser4+[FS] (possibly HFS+ as well)
These are also difficult to remove completely.

As this referencing is done in the bios booting area, and radically changes
how the disk is accessed, eg, the 'extra sectors become the MBR, partition
information and user area' while some of the normal used areas, becomes
'reserved' until OS start after software reset. {Forming what amounts to a
DCO}
Furthermore, wiping out the 'normal' disk does nothing to remove the BIOS
reserved access 'protected areas'.

As stated before; placing this as the normal boot sector [MBR] extends the
disk far beyond its stated capacity and well into the reserved sectors area.
[At least CHS and sector numbering wise]
However, if the reserved sectors are used (as shown previously with
WinHex )
with the disk "wrapped" and under BIOSXP control, perhaps would be no
problems.

To explain the non-NTFS "partitions", a simplified exploration of how NTFS
must be started and some of its components and requirements [correct me if
I'm wrong or if other factors need addressed].

NTFS is generally used within a networked environment and is under control
of a "master server" or servers [locally or external].

Such as:

When logon is addressed at "workstation" or sub-server startup, it must
access various 'servers' to obtain the "rights" necessary for the network
logon. Mind, that the system has NOT started yet [many 'control items'
and/or files and settings might be necessary from the master servers
{locally and external}, so the NT OS isn't available yet. {Check within
NTLDR and the other 'base' files of XP/NT for the coding and calls used at
startup.} To many variables are involved in the NTFS file system for normal
DOS access.

From Data Recovery E-Book V1.5 Copyright © 2006 CHENGDU YIWO Tech
Development Co.' Ltd. All Right Reserved

High-level features of NTFS

1. Multi-data streams
2. Name based on Unicode
3. General index mechanism
4. The dynamic bad cluster reprints maps
5. Supports POSIX
6. File compression
7. File encrypts
8. Disk quota
9. Hard link and soft link
10. Link tracks
11. Log records
12. Fragmentation
2.NTFS file system terminology
LCN: Logical Cluster Number
VCN: Virtual Cluster Number
BPB: BIOS Parameter Block
FSD: File System Driver
SCB: System Control Block
FCB: File Control Block
EFS: Encrypt File System
MFT: Master File Table
MFT Mirror: Master File Table Mirror

Metadata: It’s data stored in volume, supporting file system management. It
cannot be visit by application program, just provides service for the
system.
[page 72, 73]

The MFT contains:
Number Metadata Function
0 $MFT MFT itself
1 $MFTMirr Part image of MFT
2 $LogFile Log file
3 $Volume volume file
4 $AttrDef Attribute definition list
5 $Root root directory
6 $Bitmap Bitmap file
7 $Boot boot file
8 $BadClus Bad cluster file
9 $Secure Secure file
10 $UpCase Capitalized file
11 $Extended metadata directory Extended Metadata directory
12 $Extend\$Reparse Reparse Points file
13 $Extend\$UsnJrnl Log changing file
14 $Extend\$Quota Quota management file
15 $Extend\$ObjId Object ID file
16~23 Reserved
24~ User files and directories
[page 79]

First, when NTFS visits a volume, it must be "loading" this volume: NTFS
will check the boot file
(file defined by $Boot Metadata file), and find physical disk address of
MFT.

Then, it can obtain mapping information from VCN to LCN in data attribute of
file records, and
save it in memory. This mapping information locates where MFT runs in disk.

Then next, NTFS opens MFT records of several Metadata files, and then opens
these files. If it is
necessary, NTFS will start to execute file system recovery operation. After
opening the leavings
Metadata file in NTFS, users can visit this volume.

7. Files and folders of NTFS partition

NTFS treats files as a unit of attribute/attribute value. That is the
differences between NTFS and
other file system. File data is attribute value without names. Other file
attributes includes file
name, file owner and file time mark, etc.
[page 81]

[END EXCERPTS]

In fact, NTFS uses streams for its files and processes. Therefore, there is
no argument that NTFS is not far more complex than the old DOS.

One of those two 'non-NTFS' partitions in the found table appears to be a
small "networking" 'partition' about the size of a floppy.

NTFS can not be read/used by the OS until the file system / server [several
files] is 'started' so another non-NTFS 'partition' is apparently required
to START the system /server, also about the size of a floppy.

Ssssso, this found "table" beyond the stated end of the disk is under
'reserved area boot control' [M13.1.22 Address Offset Mode (Reserved
Area Boot)], or, it is a "lost mirror". Though for this to occur, the disk
would have had to be configured beyond its normal capacity when XP was
installed [which it wasn't prior to installation].

This would also help to explain WHY continued fdisking and formatting would
decrease the available disk space.
Each time this was done, the program used the 'hard and soft modified' BIOS
controlled hard drive data for size; and size reduction results. {Remember
the BIOS access area may contain restricted un-writable areas and other
coding.]

Even using this found table, and trying to "modify" it to work, still ends
up with a smaller disk [and one to which an OS can not be installed] and
areas which can not be removed. SMART replacement sectors are now used up,
but the areas are not BAD SECTORS, just unusable / can not be overwritten.
This also helps to explain WHY repeated wiping DOES NOT remove the XP NTFS
files.

Another issue is that CHS and LBA addressing is not much of a factor in XP,
as it uses 'HAL' [hardware application layer] access, which is defined by,
controlled by, and within the OS. Here is where hard disk access is
controlled; not the BIOS [unless the drive is not recognized / fdisked /
formatted] or init13 extensions, after the OS takes control. They just place
the heads wherever told.

The problem is:
The extended/reserved boot sector BIOS info can not be erased or changed
with any of the tools I have (or at least safely with the information I
presently have), if this is what has occurred.

Anyone else find this table yet?
Anyone looked into the coding beyond the 'end' of the normal disk
structure?
Anyone know what has to be changed in that coding and how?
Anyone know of what commands (bit changes) and tool(s) to use to remove
this issue?

You will have to look beyond the supposed end of the disk at the "extra
sectors", "reserved sectors" and beyond those, for the full impact and
import [ew, look at all the pretty coding, what the heck does it all mean].

Most people will not even run across this issue, as S.M.A.R.T. WILL replace
these areas (until it no longer can) if the disk or area is no longer
controlled by the OS, as in a re-use of the drive for a non-NT(5) system,
when scandisked and defragged or the system attempts to write to those
areas. XP/NT may be able [I have not tested this] to re-use these areas if
it is re-installed {OS recognized by the BIOS coding, OS recognizes the
areas.}.

"MEB" meb@not wrote in message
...
| Jeff responded to the above with (my response inline):
| [also, find the originating discussion post at the bottom to remind
everyone
| what this discussion is for]
|
| From: "Jeff Richards"
| References:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Subject: COLLECTED hard drive usage after XP NTFS
| Date: Tue, 17 Oct 2006 20:36:47 +1000
| Newsgroups: microsoft.public.win98.gen_discussion
| Path: TK2MSFTNGP01.phx.gbl!TK2MSFTNGP02.phx.gbl
| Xref: TK2MSFTNGP01.phx.gbl microsoft.public.win98.gen_discussion:816442

No reply - NOT ANSWERED

|
|
| | "MEB" meb@not wrote in message
| | ...
| | | SYNOPSIS:
| | |
| | | This is a collected discussion concerning XP hard drive re-use, in
| which
| | I
| | | have personally participated, per [there may be others which I have
| | missed]:
| | |
| | | " IBM T22 and Win 98se";
| | | " New post, ms Everest report";
| | | " Hangs on POST screen";
| | | " win 98 installation"
| | | " Updates for Win9X's & reason/logic"
| | | " No hard drive?"
| | | " Unable to install Win98 SE"
| | | " PC100 v PC133 ram"
| | |
| | | GENERAL REFERENCE and SEARCH TERMS: XP NTFS hard drives, tools used
to
| | test
| | | and/or recover hard drives, NTFS recovery tools, forensic tools for
| | analysis
| | | of hard drives, securely deleting hard drives, removing XP NTFS from
| hard
| | | drives.
| | |
| | | Present participants in this technical discussion:
| | | Ron Badour, MS MVP for W98;
| | | Jeff Richards MS MVP (Windows - Shell/User);
| | | Gary S. Terhune MS MVP Shell/User
| | | PCR;
| | | Franc Zabkar;
| | | and myself - Maurice Edward, Brahier;
| | | others who may wish to participate.
| | |
| | | BACKGROUND:
| | | I have presented apparent issues with the re-use of former XP NTFS
hard
| | | drives for other use or re-use. Tools and techniques normally used for
| | | fdisking and formatting, wiping and other activities, apparently do
not
| | | completely remove XP NTFS from hard drives.
| | |
| | | Disks used for testing:
| | | Samsung (no longer an issue as it is toast, completely un-accessible)
| | | Maxtor 87000AB - Hard Disk Family DiamondMax 1750A (per Everest)
| | | originally used for XP NTFS testing purposes (the OS), fully
configured,
| | | idled as a firewall only. After Samsung loss, normal "old" removal
| | | techniques used to re-use the drive as 32bit, then additional testing.
| | |
[clipped
| | | Tools tested so far:
| | |
| | | hd-util [Samsung];
| | | SH-diag [Samsung];
| | | Sutil [Samsung];
| | | Meandisk;
| | | DBan;
| | | Wipe;
| | | Zap;
| | | HDAT2;
| | | AEFDISK;
| | | GDISK (Symantec);
| | | Killdisk;
| | | BootitNG;
| | | MBRWork;
| | | PowerMax [Maxtor];
| | | Maxtor MaxBlast;
| | | Super FDisk;
| | | MHDD;
| | | OnTrack Data Advisor;
| | | Seagate SeaTools;
| | | Eraser;
| | | Testdisk;
| | | WinHex.
| | | (may already have used several others)
| | |
| | | Microsoft tools used:
| | | CHKDISK (and its autochkdsk - XP versions);
| | | Recovery Console;
| | | Delpart;
| | | fdisk;
| | | format;
| | |
| | | ISSUES:
| | |
| | | There are hundreds (thousands) of web pages which appear to claim XP
| NTFS
| | | is capable of being removed via old techniques and tools.
| | | My testing (to date) shows this in not true. Several hundred megabytes
| of
| | | hard drive space (on these small hard drives, who knows how much on
| larger
| | | drives) still contain files and folders from an XP NTFS installation
| after
| | | its removal.
| | | My personal testing shows that initially, and in particular after
| | | continually trying to remove the XP NTFS, the disk will be reduced in
| | size.
| | | The Maxtor (a 7 gig) now has 5.6 gigabytes of usable space available.
| Each
| | | attempt to remove XP has added some amount to the original total of
| | unusable
| | | space (less some sensitive data manually removed via disk editor (so I
| | don't
| | | inadvertently place it on the eventual web pages)).
| | |
| | | MBR has been replaced several times, drive has been "hardware" reset,
| and
| | | dozens of other like activities have been tried unsuccessfully. This
has
| | | been verified NTFS recovery tools for DOS, Windows and Linux; and disk
| | | editors/viewers of varying quality and ability.
| | |
| | | These hidden/restricted areas are ignored or marked as bad sectors by
| | most
| | | tools. These areas may cause potential severe errors to occur when
disk
| | | scanning software is used on the disk, depending on its abilities
and/or
| | | configuration.
| | |
| | | PRESENT ACTIVITIES IN THREADS WITH REPLY FROM MEB:
| | |
| | | IBM T22 and Win 98se
| | | "Franc Zabkar" wrote in message
| | | ...
| | | | MEB
| | | |
| | | | "Ron Badour" wrote in message
| | | | ...
| | | |
| | | | | "MEB" meb@not wrote in message
| | | | | ...
| | | | - Franc Zabkar
| | | | --
| | |
| | | IBM T22 and Win 98se
| | | "Jeff Richards" wrote in message
| | | ...
| | | | Jeff Richards
| | | | MS MVP (Windows - Shell/User)
| | |
| | | "Ron Badour" wrote in message
| | | ...
| | | | --
| | | | Regards
| | | |
| | | |
| | | | Ron Badour, MS MVP for W98
| | |
| | | --
| | | MEB

--
MEB
http://peoplescounsel.orgfree.com/
BLOG http://peoplescounsel.spaces.live.com/ Public Notice or the "real
world"

"Most people, sometime in their lives, stumble across truth.
Most jump up, brush themselves off, and hurry on about their business as if
nothing had happen." Winston Churchill
Or to put it another way:
Morpheus can offer you the two pills;
but only you can choose whether you take the red pill or the blue one.
_______________

???? (Doesn't this belong in the XP group, or did I miss something)?

MEB wrote:
ELECTIONS are now over {looks like I won't have anything to do here
(hopefully)}, time to return to the issues of this discussion.

Well, Jeff never responded to the request for S.M.A.R.T. data, and for
tools he would cross verify the integrity/wipe of the disk with. Ah well,
perhaps he had to put it into service.

He did leave those issues unanswered; and appeared to indicate the disk
would return NTFS information if partitioned.

-----

A MASSIVE ONE [Bet you thought this was done]::

I suppose it's now time for more related material {or further indications
of XP and its NTFS} based upon an indication I previously presented
regarding finding a "table" / boot sector far beyond the end of the
supposed
disk. Here are some essential aspects of hard drives.

For information regarding the possible aspects of this "finding" we
revert
to:

HDAT2en_451.pdf excerpts [rights to this material remain under control of
the original creator] :

M7. Device Configuration Overlay Menu
ATA/ATAPI Device Configuration Overlay (DCO)

DCO allows systems to modify the apparent features provided by a hard
disk
drive device. It provides a set of commands that allow a utility program
to
modify some of the commands, modes, and feature sets reported as supported
by the hard disk drive. It can be used to hide a portion of the hard disk
drive's capacity from being viewed by the operating system and the file
system.
The optional Device Configuration Overlay feature set allows a utility
program to modify some of the optional commands, modes, and feature sets
that a device reports as supported in the IDENTIFY DEVICE or IDENTIFY
PACKET
DEVICE command data as well as the capacity reported.

Commands of Device Configuration Overlay feature set:

DEVICE CONFIGURATION FREEZE LOCK
DEVICE CONFIGURATION IDENTIFY
DEVICE CONFIGURATION RESTORE
DEVICE CONFIGURATION SET


M8. Security Menu

This menu item is available only for drive, which support Security Mode
feature set (bit 1 of word 82). Next features are described in word 128.
Maximum password length is 32 characters.

Drive Lock is based on the industry standard ATA-3 specification. The
standard uses a dual password structure featuring a User and Master
password
and defines two security modes, High and Maximum.
Under High mode, the Master password can be used to unlock a protected
hard
drive and reset the User password.
By contrast, in Maximum mode the Master password can only be used to
reformat the hard drive and reset security options for the newly formatted
drive.

In the Maximum mode, the Master password cannot be used to change the
User
password without first reformatting the hard drive. This protects against
unauthorized access to hard drive by the owner of the Master password. In
both security modes, if both passwords are lost, the hard drive is
rendered
permanently unusable. The decision to implement only the High mode was
made
to eliminate risk of data loss in the event only the User password is
lost.

In High security mode, one can unlock the disk with either the user or
master password by using the "SECURITY UNLOCK DEVICE" ATA command.

In Maximum security mode, one can not unlock the disk without knowing the
passwords. One way to reuse the disk is to issue the SECURITY ERASE
PREPARE
command followed by SECURITY ERASE UNIT. However, The SECURITY ERASE UNIT
command will require the Master password and all data will be erased as a
result.

Security Mode feature set

The optional Security Mode feature set is a password system that
restricts
access to user data stored on a device. The system has two passwords, User
and Master, and two security levels, High and Maximum. The security system
is enabled by sending a user password to the device with the SECURITY SET
PASSWORD command. When the security system is enabled, access to user data
on the device is denied after a power cycle until the User password is
sent
to the device with the SECURITY UNLOCK command.

A Master password may be set in addition to the User password. The
purpose
of the Master password is to allow an administrator to establish a
password
that is kept secret from the user, and which may be used to unlock the
device if the User password is lost.
Setting the Master password does not enable the password system.

The security level is set to High or Maximum with the SECURITY SET
PASSWORD
command.

The security level determines device behavior when the Master password is
used to unlock the device. When the security level is set to High, the
device requires the SECURITY UNLOCK command and the Master password to
unlock.

When the security level is set to Maximum, the device requires a
SECURITY
ERASE PREPARE command and a SECURITY ERASE UNIT command with the Master
password to unlock.

Execution of the SECURITY ERASE UNIT command erases all user data on the
device.

The SECURITY FREEZE LOCK command prevents changes to passwords until a
following power cycle. The purpose of the SECURITY FREEZE LOCK command is
to
prevent password setting attacks on the security system. Sometimes this
command will issue

Page 50

system BIOS. If device is locked with SECURITY FREEZE LOCK command, then
program for this device will show a message "!SECURITY: FROZEN".

If device is locked with a password, then program for this device will
show
a message "! SECURITY: LOCKED".

A device that implements the Security Mode feature set shall implement
the
following minimum set of commands:

SECURITY SET PASSWORD
SECURITY UNLOCK
SECURITY ERASE PREPARE
SECURITY ERASE UNIT
SECURITY FREEZE LOCK
SECURITY DISABLE PASSWORD

Support of the Security Mode feature set is indicated in IDENTIFY DEVICE
word 82 and
word 128.


Security mode initial setting

When the manufacturer ships the device, the state of the Security Mode
feature shall be disabled. The initial Master password value is not
defined
by ATA standard.
If the Master Password Revision Code feature is supported, the
manufacturer
shall set the Master Password Revision Code to FFFEh.


User password lost

If the User password sent to the device with the SECURITY UNLOCK command
does not match the user password previously set with the SECURITY SET
PASSWORD command, the device shall not allow the user to access data.

If the Security Level was set to High during the last SECURITY SET
PASSWORD
command, the device shall unlock if the Master password is received.

If the Security Level was set to Maximum during the last SECURITY SET
PASSWORD command, the device shall not unlock if the Master password is
received.
The SECURITY ERASE UNIT command shall erase all user data and unlock the
device if the Master password matches the last Master password previously
set with the SECURITY SET PASSWORD command.

Attempt limit for SECURITY UNLOCK command

The device shall have an attempt limit counter. The purpose of this
counter
is to defeat repeated trial attacks. After each failed User or Master
password SECURITY UNLOCK command, the counter is decremented. When the
counter value reaches zero the EXPIRE bit (bit 4) of word 128 in the
IDENTIFY DEVICE information is set to one, and the SECURITY UNLOCK and
SECURITY UNIT ERASE commands are command aborted until the device is
powered
off or hardware reset. The EXPIRE bit shall be cleared to zero after
power-on or hardware reset. The counter shall be set to five after a
power-on or hardware reset.

Page 51

M8.1 SET PASSWORD

This item is for command SECURITY SET PASSWORD to set password identifier
(User, Master), security level (High, Maximum), new password and Master
Password Revision Code for password Master.


M9. SET MAX (HPA) Menu

The Host Protected Area security commands using a single command code and
are differentiated from one another by the value placed in the Features
register. In addition, a device supporting the Host Protected Area feature
set may optionally include the security extensions. Following commands are
defined in this featu
READ MAX ADDRESS/READ MAX ADDRESS EXT
SET MAX ADDRESS/SET MAX ADDRESS EXT
SET MAX SET PASSWORD
SET MAX LOCK
SET MAX FREEZE LOCK
SET MAX UNLOCK

Devices supporting these extensions shall set bit 10 of word 82 and bit 8
of word 83 of the IDENTIFY DEVICE response to one.

HPA is defined as a reserved area for data storage outside the normal
operating file system. This area is hidden from the operating system and
file system, and is normally used for specialized applications. Systems
may
wish to store configuration data or save memory to the HDD device in a
location that the operating systems cannot change.

You can see at M13.1.22 Address Offset Mode feature also.


M9.1 Set Max Address
This menu item is valid for ATA/SATA hard drive only when the Host
Protected Area feature set (bit 10 in word 82) is implemented. Use
prohibited when the Removable feature set (bit 2 in word 82) is
implemented.

First, we have to explain the concept:

"Native max address": The native maximum address is the highest address
accepted by the device in the factory default condition. The native
maximum
address is the maximum address that is valid when using the SET MAX
ADDRESS
command.

If the 48-bit Address feature set is supported and the 48-bit native max
address is greater than 268,435,455, the READ NATIVE MAX ADDRESS command
shall return a maximum value of 268,435,454.

"Host Protected Area" (HPA) feature set: A reserved area for data storage
outside the normal operating system file system is required for several
specialized applications.
Systems may wish to store configuration data or save memory to the device
in a location that the operating systems cannot change. The optional Host
Protected Area feature set allows a portion of the device to be reserved
for
such an area when the device is initially configured.

A device that implements the Host Protected Area feature set shall
implement the following minimum set of commands:
READ NATIVE MAX ADDRESS
SET MAX ADDRESS

Page 55

A device that implements the Host Protected Area feature set and supports
the 48-bit Address feature set shall implement the following additional
set
of commands:
READ NATIVE MAX ADDRESS EXT
SET MAX ADDRESS EXT

Devices supporting this feature set shall set bit 10 of word 82 to one in
the data returned by the IDENTIFY DEVICE or IDENTIFY PACKET DEVICE
command.

The READ NATIVE MAX ADDRESS or READ NATIVE MAX ADDRESS EXT command allows
the host to determine the maximum native address space of the device even
when a protected area has been allocated.

The SET MAX ADDRESS or SET MAX ADDRESS EXT command allows the host to
redefine the maximum address of the user accessible address space. That
is,
when the SET MAX ADDRESS or SET MAX ADDRESS EXT command is issued with a
maximum address less than the native maximum address, the device reduces
the
user accessible address space to the maximum specified by the command,
providing a protected area above that maximum address. The SET MAX ADDRESS
or SET MAX ADDRESS EXT command shall be immediately preceded by a READ
NATIVE MAX ADDRESS or READ NATIVE MAX ADDRESS EXT command.
After the SET MAX ADDRESS or SET MAX ADDRESS EXT command has been issued,
the device shall report only the reduced user address space in response to
an IDENTIFY DEVICE command in words 60, 61, 100, 101, 102, and 103.
Any read or write command to an address above the maximum address
specified
by the SET MAX ADDRESS or SET MAX ADDRESS EXT command shall cause command
completion with the IDNF bit set to one and ERR set to one, or command
aborted.

If the SET MAX ADDRESS or SET MAX ADDRESS EXT command is issued with a
value that exceeds the native maximum address command aborted shall be
returned.

A volatility bit in the Sector Count register allows the host to specify
if
the maximum address set is preserved across power-on or hardware reset
cycles. On power-on or hardware reset the device maximum address returns
to
the last non-volatile address setting regardless of subsequent volatile
SET
MAX ADDRESS or SET MAX ADDRESS EXT commands.
If Value volatile bit is set to one, the device shall preserve the
maximum
values over power-up or hardware reset. If Value volatile bit is cleared
to
zero, the device shall revert to the most recent non-volatile maximum
address value setting over power-up or hardware reset.

Typical use of these commands would be:
1. on reset
a) BIOS receives control after a system reset
b) BIOS issues a READ NATIVE MAX ADDRESS or READ NATIVE MAX ADDRESS EXT
command to find the max capacity of the device
c) BIOS issues a SET MAX ADDRESS or SET MAX ADDRESS EXT command to the
values returned by READ NATIVE MAX ADDRESS or READ NATIVE MAX ADDRESS EXT
d) BIOS read configuration data from the highest area on the disk
e) BIOS issues a READ NATIVE MAX ADDRESS or READ NATIVE MAX ADDRESS EXT
command followed by a SET MAX ADDRESS or SET MAX ADDRESS EXT command to
reset the device to the size of the file system
2. on save to disk
a) BIOS receives control prior to shut down

Page 56

b) BIOS issues a READ NATIVE MAX ADDRESS or READ NATIVE MAX ADDRESS EXT
command to find the max capacity of the device
c) BIOS issues a volatile SET MAX ADDRESS or SET MAX ADDRESS EXT command
to the values returned by READ NATIVE MAX ADDRESS or READ NATIVE MAX
ADDRESS
EXT
d) Memory is copied to the reserved area
e) Shut down completes
f) On power-on or hardware reset the device max address returns to the
last non-volatile setting

These commands are intended for use only by system BIOS or other
low-level
boot time process. Using these commands outside BIOS controlled boot or
shutdown may result in damage to file systems on the device. Devices
should
return command aborted if a subsequent non-volatile SET MAX ADDRESS or SET
MAX ADDRESS EXT command is received after a power-on or hardware reset.

SET MAX ADDRESS command shall be aborted if a SET MAX ADDRESS EXT has
established a host protected area and vice versa, SET MAX ADDRESS EXT
command shall be aborted if a SET MAX ADDRESS has established a host
protected area.

Hosts shall not issue more than one non-volatile SET MAX ADDRESS or SET
MAX
ADDRESS EXT command after a power-on or hardware reset. Devices should
report an IDNF error upon receiving a second non-volatile SET MAX ADDRESS
command after a power-on or hardware reset.

M9.2 Set Password

The SET MAX SET PASSWORD command allows the host to define the password
to
be used during the current power-on cycle. The password does not persist
over a power cycle but does persist over a hardware or software reset.
This
password is not related to the password used for the Security Mode Feature
set. When the password is set, the
device is in the Set Max Unlocked mode.

M9.3 Lock
The SET MAX LOCK command allows the host to disable the SET MAX commands
(except SET MAX UNLOCK) until the next power cycle or the issuance and
acceptance of the SET MAX UNLOCK command. When this command is accepted,
the
device is in the Set max locked mode.

M9.4 Unlock
The SET MAX UNLOCK command changes the device from the Set Max Locked
mode
to the Set Max Unlocked mode.

M9.5 Freeze Lock
The SET MAX FREEZE LOCK command allows the host to disable the SET MAX
commands (including Set Max Unlock) until the next power cycle. When this
command is accepted, the device is in the Set Max Frozen mode.

Page 57


M13.1.22 Address Offset Mode (Reserved Area Boot)

This feature is described in "Address Offset Reserved Area Boot", INCITS
TR27:2001.
Computer systems perform initial code booting by reading from a
predefined
address on a disk drive. To allow an alternate bootable operating system
to
exist in a reserved area on disk drive, Address Offset Feature provides a
Set Feature function to temporarily offset the drive address space.
The offset address space wraps around so that the entire disk drive
address
space remains addressable in offset mode. The Set Max pointer is set to
the
end of the reserved area to protect the data in the user area when
operating
in offset mode. This protection can be removed by a SET MAX ADDRESS / SET
MAX ADDRESS EXT command to move the Set Max pointer to the end of the
drive.
Set Feature Command Subcommand code 09h "ENABLE ADDRESS OFFSET MODE sub
command" offsets address LBA 0 (Cylinder 0, Head 0, Sector 1) to the start
of a non-volatile reserved area established using the SET MAX ADDRESS /
SET
MAX ADDRESS EXT command. The offset condition is cleared by SET FEATURE
command Subcommand 89h "DISABLE ADDRESS OFFSET MODE", Software Reset,
Hardware Reset or Power on Reset.
Upon entering offset mode, the capacity of the drive returned in the
IDENTIFY DEVICE data is the size of the former reserved area. A subsequent
SET MAX ADDRESS / SET MAX ADDRESS EXT command using the address returned
by
READ MAX ADDRESS / READ MAX ADDRESS EXT command allows access to the
entire
drive. Addresses wrap so the entire drive remains addressable.

If a non-volatile reserved area has not been established before the
device
receives a SET FEATURES ENABLE ADDRESS OFFSET MODE sub command, the
command
fails with Abort error status.

Disable Address Offset Mode removes the address offset and sets the size
of
the drive reported by the IDENTIFY DEVICE command back to the size
specified
in the last non-volatile SET MAX ADDRESS / SET MAX ADDRESS EXT command.
IDENTIFY DEVICE Word 83 bit 7 indicates the device supports the Set
Features Address Offset Mode. IDENTIFY DEVICE Word 86 bit 7 indicates the
device is in address offset mode.

Before Enable Address Offset Mode

A reserved area has been created using a non-volatile SET MAX ADDRESS
command or SET MAX ADDRESS EXT command.

User Accessible Area Reserved Area
LBA=0____________LBA=R________LBA=M

After Enable Address Offset Mode

The former reserved area is now the user accessible area. The former user
accessible area is now the reserved area.

User Accessible Area
Reserved Area
_____________LBA=0(former Reserved Area)LBA=M-R(former User Accessible
Area)LBA=M

Page 67

After SET MAX ADDRESS/SET MAX ADDRESS EXT command

Using the Value Returned by READ MAX ADDRESS/READ MAX ADDRESS EXT command

User Accessible
Area
________________LBA=0___________________________LB A=M

Set Feature Disable Address Offset Mode, hardware or Power on Reset
returns
the device to Address Offset Mode Disabled. Software reset returns the
device to Address Offset Mode Disable if Set Features Disable Reverting to
Power On Defaults has not been set.



M13.1.23 SET MAX security extension

If this feature is enabled then with command SET MAX SET PASSWORD was
enabled SET MAX security extension on device (device is locked).


M13.1.26 Device Configuration Overlay feature set

The optional Device Configuration Overlay feature set allows a utility
program to modify some of the optional commands, modes, and feature sets
that a device reports as supported in the IDENTIFY DEVICE or IDENTIFY
PACKET
DEVICE command response as well as the capacity reported. (See detailed
info) [above at M7]

++++++++END excerpts+++++

Reviewing the found "table" beyond the supposed end of the Maxtor disk,
and
applying a "template" for boot sector/ partition table entries, I find
that
this contains three 'partitions' (there might be more but my template only
shows the four normally available areas - remember partition tables are
'chained' together)[hence the issue c_quirke referenced, and I referred
to].
Both disks [Samsung and Maxtor] supported ATA3 specifications which
include
DCO, reserved boot sector, and other 'commands' / features.

Two of those "partitions" are not NTFS, but appear to be fat12. Hence,
these
are apparently the BIOSreserved sectors reserved area boot - first
called areas.

Two other (or more) other filing systems may also be using this reserved
area boot extension / commands:
EXT3 and Reiser4+[FS] (possibly HFS+ as well)
These are also difficult to remove completely.

As this referencing is done in the bios booting area, and radically
changes
how the disk is accessed, eg, the 'extra sectors become the MBR,
partition
information and user area' while some of the normal used areas, becomes
'reserved' until OS start after software reset. {Forming what amounts to a
DCO}
Furthermore, wiping out the 'normal' disk does nothing to remove the BIOS
reserved access 'protected areas'.

As stated before; placing this as the normal boot sector [MBR] extends
the
disk far beyond its stated capacity and well into the reserved sectors
area.
[At least CHS and sector numbering wise]
However, if the reserved sectors are used (as shown previously with
WinHex )
with the disk "wrapped" and under BIOSXP control, perhaps would be no
problems.

To explain the non-NTFS "partitions", a simplified exploration of how
NTFS
must be started and some of its components and requirements [correct me if
I'm wrong or if other factors need addressed].

NTFS is generally used within a networked environment and is under
control
of a "master server" or servers [locally or external].

Such as:

When logon is addressed at "workstation" or sub-server startup, it must
access various 'servers' to obtain the "rights" necessary for the network
logon. Mind, that the system has NOT started yet [many 'control items'
and/or files and settings might be necessary from the master servers
{locally and external}, so the NT OS isn't available yet. {Check within
NTLDR and the other 'base' files of XP/NT for the coding and calls used at
startup.} To many variables are involved in the NTFS file system for
normal
DOS access.

From Data Recovery E-Book V1.5 Copyright © 2006 CHENGDU YIWO Tech
Development Co.' Ltd. All Right Reserved

High-level features of NTFS

1. Multi-data streams
2. Name based on Unicode
3. General index mechanism
4. The dynamic bad cluster reprints maps
5. Supports POSIX
6. File compression
7. File encrypts
8. Disk quota
9. Hard link and soft link
10. Link tracks
11. Log records
12. Fragmentation
2.NTFS file system terminology
LCN: Logical Cluster Number
VCN: Virtual Cluster Number
BPB: BIOS Parameter Block
FSD: File System Driver
SCB: System Control Block
FCB: File Control Block
EFS: Encrypt File System
MFT: Master File Table
MFT Mirror: Master File Table Mirror

Metadata: It's data stored in volume, supporting file system management.
It
cannot be visit by application program, just provides service for the
system.
[page 72, 73]

The MFT contains:
Number Metadata Function
0 $MFT MFT itself
1 $MFTMirr Part image of MFT
2 $LogFile Log file
3 $Volume volume file
4 $AttrDef Attribute definition list
5 $Root root directory
6 $Bitmap Bitmap file
7 $Boot boot file
8 $BadClus Bad cluster file
9 $Secure Secure file
10 $UpCase Capitalized file
11 $Extended metadata directory Extended Metadata directory
12 $Extend\$Reparse Reparse Points file
13 $Extend\$UsnJrnl Log changing file
14 $Extend\$Quota Quota management file
15 $Extend\$ObjId Object ID file
16~23 Reserved
24~ User files and directories
[page 79]

First, when NTFS visits a volume, it must be "loading" this volume: NTFS
will check the boot file
(file defined by $Boot Metadata file), and find physical disk address of
MFT.

Then, it can obtain mapping information from VCN to LCN in data attribute
of
file records, and
save it in memory. This mapping information locates where MFT runs in
disk.

Then next, NTFS opens MFT records of several Metadata files, and then
opens
these files. If it is
necessary, NTFS will start to execute file system recovery operation.
After
opening the leavings
Metadata file in NTFS, users can visit this volume.

7. Files and folders of NTFS partition

NTFS treats files as a unit of attribute/attribute value. That is the
differences between NTFS and
other file system. File data is attribute value without names. Other file
attributes includes file
name, file owner and file time mark, etc.
[page 81]

[END EXCERPTS]

In fact, NTFS uses streams for its files and processes. Therefore, there
is
no argument that NTFS is not far more complex than the old DOS.

One of those two 'non-NTFS' partitions in the found table appears to be a
small "networking" 'partition' about the size of a floppy.

NTFS can not be read/used by the OS until the file system / server
[several
files] is 'started' so another non-NTFS 'partition' is apparently required
to START the system /server, also about the size of a floppy.

Ssssso, this found "table" beyond the stated end of the disk is under
'reserved area boot control' [M13.1.22 Address Offset Mode (Reserved
Area Boot)], or, it is a "lost mirror". Though for this to occur, the disk
would have had to be configured beyond its normal capacity when XP was
installed [which it wasn't prior to installation].

This would also help to explain WHY continued fdisking and formatting
would
decrease the available disk space.
Each time this was done, the program used the 'hard and soft modified'
BIOS
controlled hard drive data for size; and size reduction results. {Remember
the BIOS access area may contain restricted un-writable areas and other
coding.]

Even using this found table, and trying to "modify" it to work, still
ends
up with a smaller disk [and one to which an OS can not be installed] and
areas which can not be removed. SMART replacement sectors are now used up,
but the areas are not BAD SECTORS, just unusable / can not be overwritten.
This also helps to explain WHY repeated wiping DOES NOT remove the XP
NTFS
files.

Another issue is that CHS and LBA addressing is not much of a factor in
XP,
as it uses 'HAL' [hardware application layer] access, which is defined by,
controlled by, and within the OS. Here is where hard disk access is
controlled; not the BIOS [unless the drive is not recognized / fdisked /
formatted] or init13 extensions, after the OS takes control. They just
place
the heads wherever told.

The problem is:
The extended/reserved boot sector BIOS info can not be erased or changed
with any of the tools I have (or at least safely with the information I
presently have), if this is what has occurred.

Anyone else find this table yet?
Anyone looked into the coding beyond the 'end' of the normal disk
structure?
Anyone know what has to be changed in that coding and how?
Anyone know of what commands (bit changes) and tool(s) to use to remove
this issue?

You will have to look beyond the supposed end of the disk at the "extra
sectors", "reserved sectors" and beyond those, for the full impact and
import [ew, look at all the pretty coding, what the heck does it all
mean].

Most people will not even run across this issue, as S.M.A.R.T. WILL
replace
these areas (until it no longer can) if the disk or area is no longer
controlled by the OS, as in a re-use of the drive for a non-NT(5) system,
when scandisked and defragged or the system attempts to write to those
areas. XP/NT may be able [I have not tested this] to re-use these areas if
it is re-installed {OS recognized by the BIOS coding, OS recognizes the
areas.}.

"MEB" meb@not wrote in message
...
Jeff responded to the above with (my response inline):
[also, find the originating discussion post at the bottom to remind
everyone
what this discussion is for]

From: "Jeff Richards"
References:























Subject: COLLECTED hard drive usage after XP NTFS
Date: Tue, 17 Oct 2006 20:36:47 +1000
Newsgroups: microsoft.public.win98.gen_discussion
Path: TK2MSFTNGP01.phx.gbl!TK2MSFTNGP02.phx.gbl
Xref: TK2MSFTNGP01.phx.gbl microsoft.public.win98.gen_discussion:816442

No reply - NOT ANSWERED



"MEB" meb@not wrote in message
...
SYNOPSIS:

This is a collected discussion concerning XP hard drive re-use, in
which I
have personally participated, per [there may be others which I have
missed]:

" IBM T22 and Win 98se";
" New post, ms Everest report";
" Hangs on POST screen";
" win 98 installation"
" Updates for Win9X's & reason/logic"
" No hard drive?"
" Unable to install Win98 SE"
" PC100 v PC133 ram"

GENERAL REFERENCE and SEARCH TERMS: XP NTFS hard drives, tools used to
test and/or recover hard drives, NTFS recovery tools, forensic tools
for
analysis of hard drives, securely deleting hard drives, removing XP
NTFS
from hard drives.

Present participants in this technical discussion:
Ron Badour, MS MVP for W98;
Jeff Richards MS MVP (Windows - Shell/User);
Gary S. Terhune MS MVP Shell/User
PCR;
Franc Zabkar;
and myself - Maurice Edward, Brahier;
others who may wish to participate.

BACKGROUND:
I have presented apparent issues with the re-use of former XP NTFS
hard
drives for other use or re-use. Tools and techniques normally used for
fdisking and formatting, wiping and other activities, apparently do not
completely remove XP NTFS from hard drives.

Disks used for testing:
Samsung (no longer an issue as it is toast, completely un-accessible)
Maxtor 87000AB - Hard Disk Family DiamondMax 1750A (per Everest)
originally used for XP NTFS testing purposes (the OS), fully
configured,
idled as a firewall only. After Samsung loss, normal "old" removal
techniques used to re-use the drive as 32bit, then additional testing.

[clipped
Tools tested so far:

hd-util [Samsung];
SH-diag [Samsung];
Sutil [Samsung];
Meandisk;
DBan;
Wipe;
Zap;
HDAT2;
AEFDISK;
GDISK (Symantec);
Killdisk;
BootitNG;
MBRWork;
PowerMax [Maxtor];
Maxtor MaxBlast;
Super FDisk;
MHDD;
OnTrack Data Advisor;
Seagate SeaTools;
Eraser;
Testdisk;
WinHex.
(may already have used several others)

Microsoft tools used:
CHKDISK (and its autochkdsk - XP versions);
Recovery Console;
Delpart;
fdisk;
format;

ISSUES:

There are hundreds (thousands) of web pages which appear to claim XP
NTFS
is capable of being removed via old techniques and tools.
My testing (to date) shows this in not true. Several hundred megabytes
of
hard drive space (on these small hard drives, who knows how much on
larger
drives) still contain files and folders from an XP NTFS installation
after
its removal.
My personal testing shows that initially, and in particular after
continually trying to remove the XP NTFS, the disk will be reduced in
size.
The Maxtor (a 7 gig) now has 5.6 gigabytes of usable space available.
Each
attempt to remove XP has added some amount to the original total of
unusable space (less some sensitive data manually removed via disk
editor
(so I don't inadvertently place it on the eventual web pages)).

MBR has been replaced several times, drive has been "hardware" reset,
and
dozens of other like activities have been tried unsuccessfully. This
has
been verified NTFS recovery tools for DOS, Windows and Linux; and disk
editors/viewers of varying quality and ability.

These hidden/restricted areas are ignored or marked as bad sectors by
most
tools. These areas may cause potential severe errors to occur when disk
scanning software is used on the disk, depending on its abilities
and/or
configuration.

PRESENT ACTIVITIES IN THREADS WITH REPLY FROM MEB:

IBM T22 and Win 98se
"Franc Zabkar" wrote in message
...
MEB

"Ron Badour" wrote in message
...

"MEB" meb@not wrote in message
...
- Franc Zabkar
--

IBM T22 and Win 98se
"Jeff Richards" wrote in message
...
Jeff Richards
MS MVP (Windows - Shell/User)

"Ron Badour" wrote in message
...
--
Regards


Ron Badour, MS MVP for W98

--
MEB

--
MEB
http://peoplescounsel.orgfree.com/
BLOG http://peoplescounsel.spaces.live.com/ Public Notice or the "real
world"

"Most people, sometime in their lives, stumble across truth.
Most jump up, brush themselves off, and hurry on about their business as
if
nothing had happen." Winston Churchill
Or to put it another way:
Morpheus can offer you the two pills;
but only you can choose whether you take the red pill or the blue one.
_______________

NAH, this was a collected discussion on this news group concerning usage of
hard disks after NT (XP) use, for Win98.


"Bill in Co." wrote in message
...
| ???? (Doesn't this belong in the XP group, or did I miss something)?

| This is a collected discussion concerning XP hard drive re-use, in
| which I
| have personally participated, per [there may be others which I have
| missed]:
|
| " IBM T22 and Win 98se";
| " New post, ms Everest report";
| " Hangs on POST screen";
| " win 98 installation"
| " Updates for Win9X's & reason/logic"
| " No hard drive?"
| " Unable to install Win98 SE"
| " PC100 v PC133 ram"

--
MEB
http://peoplescounsel.orgfree.com/
BLOG http://peoplescounsel.spaces.live.com/ Public Notice or the "real
world"

"Most people, sometime in their lives, stumble across truth.
Most jump up, brush themselves off, and hurry on about their business as if
nothing had happen." Winston Churchill
Or to put it another way:
Morpheus can offer you the two pills;
but only you can choose whether you take the red pill or the blue one.
_______________

Franc [and others], here's some info for you if your still interested.
[Try to remember the reason for this testing, let's keep this civil.]

Entering the attempted recover phase!? Which likely is no longer available
as SMART is used up.

This was created after a "stream" wipe and Gutman 35 pass wipe with DBAN
[DBAN saved info files are available].

I've attached a txt file (HDATCOPY.TXT) of the most recent [11-06-06] HDAT2
read-out.

There are several errors showing up, such as:

1. The integrity word is bad.

2. Physical/logical sector size is bad.

3. AND in the DPT - the geometry is wrong.

The DPT information obviously is of particular interest.
Perhaps someone knows where this info is saved upon the disk.

A result of this:

I have attached another file [project.txt] which shows some of the saved
"addressing" of still available information on the disk [after these two
'final' wipes].
19C430000-19C456FFF - 28 USC text.txt - 19C568000-19C58EFFF- 28USC partV.txt
(referencing the project.txt) are representative of the 156kb areas of
information on most of the disk [NOTE: projects.txt does NOT contain all the
areas]. Note the range(s).

Your take on the significance? Need any particular/additional / info /
files? {Back in a couple days will check then.}


"MEB" meb@not wrote in message
...
| ELECTIONS are now over {looks like I won't have anything to do here
| (hopefully)}, time to return to the issues of this discussion.
|
| Well, Jeff never responded to the request for S.M.A.R.T. data, and for
| tools he would cross verify the integrity/wipe of the disk with. Ah well,
| perhaps he had to put it into service.
|
| He did leave those issues unanswered; and appeared to indicate the disk
| would return NTFS information if partitioned.
|
| -----
|
| A MASSIVE ONE [Bet you thought this was done]::
|
| I suppose it's now time for more related material {or further indications
| of XP and its NTFS} based upon an indication I previously presented
| regarding finding a "table" / boot sector far beyond the end of the
supposed
| disk. Here are some essential aspects of hard drives.
|
| For information regarding the possible aspects of this "finding" we
revert
| to:
|
| HDAT2en_451.pdf excerpts [rights to this material remain under control of
| the original creator] :
|
| M7. Device Configuration Overlay Menu
| ATA/ATAPI Device Configuration Overlay (DCO)