EWF Disk Overlays and Power Loss
Another topic that seems to be making the rounds in the newsgroups lately has to do with how EWF Disk Overlays perform when the power goes out. This is an interesting scenario, so here's a brief article discussing the issue.
As you know, Enhanced Write Filter is a component that allows you to protect one or more hard drive partitions from being written to. It literally intercepts all write operations to the protected partition and puts them somewhere else - either a specialized disk partition known as the EWF volume, or to RAM. These situations are known as RAM and Disk overlays, respectively. In a RAM overlay, there are no writes done to the disk at all - everything is stored in memory. This has the disadvantage of being limited to the physical RAM in the machine - as the amount of data in the overlay increases, the amount of RAM available to the system decreases. Also, any writes are lost as soon as the machine is turned off unless you specifically commit those changes to the protected partition first.
On the other hand, a Disk overlay allows you to retain all the write operations between boots, in multiple layers if you so desire, and you can commit these changes to your protected partition. Also, the size of your overlay is only limited by the free space on your hard drive, and you specify the desired overlay size at design time. This makes the Disk overlay much more attractive to customers who want their EWF systems to run for long periods of time and retain incoming data, while at the same time allowing them to easily revert to their original image at any time.
So where does power loss come into play? The first thing that happens when a hard drive loses power is for the read/write heads to swing back to their "parked" position. Unfortunately, if those heads are writing data at the time, they'll continue to write even while the heads are moving erratically, causing any amount of bad data to suddenly appear all over the hard drive. This could literally affect any part of the drive, including the master boot record - some hard drives "crash" in power-loss scenarios because they wrote a bad bit or two to the MBR or the partition table.
I've seen a number of recent messages in the newsgroups lately indicating that people believe EWF Disk Overlays will protect their boot partitions from damage in power-loss situations. Unfortunately, this is not guaranteed - as I mentioned, if any data is being written anywhere on the hard drive when it loses power, there's no telling what might happen to the drive overall. When the power goes out, there is no EWF - the operating system actually loses its power before the hard drive does, so there's no more software control over the hard drive at all.
In a best-case scenario, power loss will result in just an incomplete file in the overlay, which would later be tagged by CHKDSK or another utility as a bad file entry. There could also be other residual corruption in the overlay, but if you're lucky, the corruption will be limited to the overlay and will not affect any other part of the drive. In this case, you could simply discard the overlay and start over, but you will need to detect these situations yourself - EWF does not have any built-in validation. (In a worst-case scenario, this corruption can span the entire hard drive, or even mess up the MBR, because the heads were still writing bits when they scanned across that part of the drive.)
Again, it's virtually impossible to predict what will happen in a loss of power, but there are some steps you can take to minimize the chances of corruption:
- If you don't expect to be writing much data, and you don't need to save that data between boots, consider using a RAM or RAM-REG overlay. This will keep the system from writing to the hard drive at all.
- If you do need to keep the data between boots, try to optimize your system to minimize the amount of data being written, and to minimize the frequency at which it is written. Do all of your writes at once if possible.
- If your Embedded system is going to be in an environment where the power is likely to go out frequently, you might consider putting it on a UPS or other power stabilization system, so that the system can remain running and/or shut down safely. This will generally also increase the system's protection against power spikes and harmful interference.
Check out the following articles on EWF for more information:
- Matt