ftkimager ewf logical vs physical time difference

[Ben Fino-Radin]

Hi all,

Another ewf question.

Using the OS X CLI version of ftkimager, I noticed today that creating a physical image of a drive takes several times longer than a logical image of one volume on that drive – this despite the fact that this is the only volume on the drive, so in theory there should be no difference in size. The resultant images are more or less the same filesize.

What could the reason for this be?

Best,

Ben

[Kam Woods]

Simple example: 10GB drive, 1GB data. Logical image will only require reading the allocated blocks (~1GB of blocks). Physical image will read all blocks, even the unallocated ones.

So the physical image read will take much longer. In the end, both EWF images are compressed, and since long sequences of zero blocks can be compressed very efficiently, the images are about the same size.

This example assumes that the remaining ~9GB of unallocated blocks are all or mostly zero'd out. The EWF image of the complete physical drive would be much larger if they had been *previously* used (either by a previous file system or allocated and subsequently deallocated).

Hope this helps...

Kam

--
You received this message because you are subscribed to the Google Groups "Digital Curation" group.
To unsubscribe from this group and stop receiving emails from it, send an email to digital-curation+unsubscribe@googlegroups.com.
To post to this group, send email to digital-curation@googlegroups.com.
Visit this group at https://groups.google.com/group/digital-curation.
For more options, visit https://groups.google.com/d/optout.

[Kam Woods]

Clarification: this example assumes there is a single 10GB volume on the 10GB disk, but only 1GB of data has been written to that volume. The logical image will only read the allocated blocks (those associated with existing file system structure and files within that file system), ignoring any unused blocks.