September 10th 16, 04:59 PM posted to alt.windows7.general,comp.sys.ibm.pc.hardware.storage
Paul[_28_]
Subject: is my C drive dying?

Linea Recta wrote:

> Thanks for the crash course!
> But VirusTotal gives 2 hits for this file... so I haven't installed it yet.
>
> BTW could you explain (briefly) the difference between cloning and
> restoring a drive?
>
> Another thing: I also have 2 external USB hard drives. One tested OK,
> but the other (Maxtor OneTouch) isn't even detected by CrystalDiskInfo.
> (it's still working ok though)

I compared the SHA256 on my 2009 copy of hdtune_255.exe with
a fresh download version, and they're the same. It's the same
value as listed on virustotal.

4256abb5b5583aeb5c61937415555657a5ae3b76fcc59657edfcb3bce792f958

My guess would be, a false positive.

Here's a description of Trojan-Clicker.

https://www.microsoft.com/security/p...:Win32/Agent.O

I would not expect the second detection to be locatable in
Google.

I have HDTune 255 installed on just about every C:
drive I've got. I sure hope it isn't infected :-)

You would need an AV with known-good heuristic detection
capabilities to catch it in time, seeing as the major AV
products do not identify that as malware via its signature
alone. Windows Defender hasn't flagged it, but then,
WD isn't exactly bulletproof either.

*******

"Clone" copies the content to a new disk. Windows assigns drive letters
as they arise. Once the drive on the right-hand-side is booted by
itself, it will become a C: drive.

+-----+----+-----------------+  Clone  +-----+----+-----------------+
| MBR | C: | System Reserved |  --->   | MBR | D: | System Reserved |
+-----+----+-----------------+         +-----+----+-----------------+

Backup and restore keeps a copy on an external disk for safekeeping.
The restoration can be made to the disk of your choosing, by booting
the Macrium CD and doing the restore from the external USB hard drive
to the internal drive. In other words, the destination disk can be
completely blank, and you can still restore to the destination disk.
No OS is needed, because the OS is on the Macrium CD. That's why
you always burn the emergency boot CD in Macrium, for this scenario
of restoration.

                          backup.MRIMG
                         /            \
                 backup /              \ restore
                       /                v
+-----+----+-----------------+    +-----+----+-----------------+
| MBR | C: | System Reserved |    | MBR | C: | System Reserved |
+-----+----+-----------------+    +-----+----+-----------------+

Both clone and backup/restore record...

1) MBR (partition table and boot code)
(partition table modified, if partitions are resized)
The boot code in the MBR is the thing that gets fixed if you "fixmbr".

2) Track 0 (i.e. the sectors next to the MBR, used by Linux)

3) Partitions, both hidden, foreign, and native/visible.
Truly foreign partitions are transferred sector by sector.
Recognized partitions, only the logical info is transferred,
and the "white space" on the partition is not copied. The
software knows which clusters contain actual live data.

The boot.ini or BCD files (for boot management) may be
edited for best customer flexibility. (No drive should go
"Offline" on you.) If you clone disks with "dd.exe" for example,
after you're finished, the destination drive could have an offline
status.

Modern clones are by no means "absolutely identical". Far from it.
They are "logically" identical and have the same function. None
of your files get lost. There are no guarantees about any other
aspect. Most modern cloning or backup/restore software is not
good enough for usage in a Court Of Law. For that, you need
proper forensic tools.

4) PBR. The partition boot stuff is copied as a part of (3).
If the partition is resized, perhaps that requires modifying
the file system header, but the PBR would be preserved.
PBR is the thing that gets fixed if you "fixboot". Generally
the PBR is in the partition with the "Active" flag set. So
if System Reserved has the Active (boot) flag set, the PBR would
be there.

What I'm trying to say here is they do surgical copying,
also known as a "smart" copy. They only copy things that
absolutely need to be copied. Any white space not containing
your files, that part is not copied. If you have a 500GB partition
containing 20GB of files, then approximately 20GB of reads
and 20GB of writes will be involved. The other 480GB of
white space will not be defined. This is why the backup or
clone takes ten minutes, and not two hours.

Backup/restore is not a good way to "wipe" a disk. If you
want a forensically clean destination drive, use DiskPart
and do a "clean all" to erase each sector on the destination
disk first. After the restore of the 20GB of files, the other
480GB will be in an all-zeros state, and no old stale files
can be recovered with Recuva or Photorec.

*******

[None of the above touches a Host Protected Area. Those
need special treatment, if you happen to be using such a thing.
An HPA is not part of any user's normal workflow... It's an
annoyance when writing up articles about disks :-) ]

HTH,
Paul
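
Added example, not part of Paul's post: a Python sketch that parses two MBR sectors and reports what a "smart" clone kept identical (boot code, Active flag) and what it changed (partition sizes), which is why the whole-sector comparison fails even though the clone is logically equivalent. The function names and the sample sectors are constructed for illustration; the layout assumed is the classic MBR (boot code in bytes 0..439, four 16-byte entries at offset 446, 55 AA signature).

```python
import hashlib
import struct

TABLE_OFF = 446      # four 16-byte partition entries live at 446..509
BOOT_CODE_LEN = 440  # bytes 0..439: boot code, the part "fixmbr" rewrites
ENTRY = "<B3xB3xII"  # status, (CHS), type, (CHS), LBA start, sector count

def parse_mbr(sector: bytes):
    """Return (sha256 of boot code, {slot: partition dict}) for one MBR."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: bad length or missing 55 AA signature")
    parts = {}
    for slot in range(4):
        off = TABLE_OFF + 16 * slot
        status, ptype, lba, count = struct.unpack(ENTRY, sector[off:off + 16])
        if ptype != 0:  # type 0 marks an unused slot
            parts[slot] = {"active": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count}
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(), parts

def compare_clone(src: bytes, dst: bytes):
    """Report which parts of the MBR survived a clone unchanged."""
    src_boot, src_parts = parse_mbr(src)
    dst_boot, dst_parts = parse_mbr(dst)
    return {
        "sector_identical": src == dst,
        "boot_code_identical": src_boot == dst_boot,
        "active_slots": ([s for s, p in src_parts.items() if p["active"]],
                         [s for s, p in dst_parts.items() if p["active"]]),
        "resized_slots": [s for s in src_parts if s in dst_parts
                          and src_parts[s]["sectors"] != dst_parts[s]["sectors"]],
    }

def build_mbr(boot: bytes, entries):
    """Assemble a constructed sample MBR (not read from a real disk)."""
    table = b"".join(struct.pack(ENTRY, *e) for e in entries)
    return boot.ljust(TABLE_OFF, b"\0") + table.ljust(64, b"\0") + b"\x55\xaa"

# Constructed sample: System Reserved (Active) plus a data partition that the
# cloning tool enlarged to fill a bigger destination disk.
BOOT = b"constructed-boot-code-placeholder"
SOURCE = build_mbr(BOOT, [(0x80, 0x07, 2048, 204800),
                          (0x00, 0x07, 206848, 976564224)])
CLONE = build_mbr(BOOT, [(0x80, 0x07, 2048, 204800),
                         (0x00, 0x07, 206848, 1953314816)])

if __name__ == "__main__":
    for key, value in compare_clone(SOURCE, CLONE).items():
        print(f"{key}: {value}")
```

To run it against real disks, read the first 512 bytes of each device with whatever raw-read tool you already trust and pass them in place of `SOURCE` and `CLONE`.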