SNIA NVM Programming Model

NVM Programming Model (NPM)

Version 1.2

Abstract: This SNIA document defines recommended behavior for software supporting Non-Volatile Memory (NVM).

This document has been released and approved by the SNIA. The SNIA believes that the ideas, methodologies and technologies described in this document accurately represent the SNIA goals and are appropriate for widespread distribution. Suggestions for revision should be directed to http://www.snia.org/feedback/.

SNIA Technical Position

June 19, 2017

USAGE

The SNIA hereby grants permission for individuals to use this document for personal use only, and for corporations and other business entities to use this document for internal use only (including internal copying, distribution, and display) provided that:

1. Any text, diagram, chart, table or definition reproduced shall be reproduced in its entirety with no alteration, and,
2. Any document, printed or electronic, in which material from this document (or any portion hereof) is reproduced shall acknowledge the SNIA copyright on that material, and shall credit the SNIA for granting permission for its reuse.

Other than as explicitly provided above, you may not make any commercial use of this document, sell any or this entire document, or distribute this document to third parties. All rights not explicitly granted are expressly reserved to SNIA.

Permission to use this document for purposes other than those enumerated above may be requested by e-mailing [email protected]. Please include the identity of the requesting individual and/or company and a brief description of the purpose, nature, and scope of the requested use.

All code fragments, scripts, data tables, and sample code in this SNIA document are made available under the following license:

BSD 3-Clause Software License

Copyright (c) 2017, The Storage Networking Industry Association.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the name of The Storage Networking Industry Association (SNIA) nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

NVM Programming Model (NPM) SNIA Technical Position 2 Version 1.12

DISCLAIMER

The information contained in this publication is subject to change without notice. The SNIA makes no warranty of any kind with regard to this specification, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The SNIA shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this specification.

Suggestions for revisions should be directed to http://www.snia.org/feedback/.

Copyright © 2017 SNIA. All rights reserved. All other trademarks or registered trademarks are the property of their respective owners.

Revision History

Changes since version 1:

• The former informative Consistency annex is reworded and moved to two places in the specification body:
  o New section 6.10 Aligned operations on fundamental data types
  o New section 10.1.1 Applications and PM Consistency in NVM.PM.FILE
• A number of editorial fixes to make spelling, terminology, and spacing more consistent

Changes from version 1.1 to version 1.2:

• The former informative PM error handling annex is elaborated, improved and moved to the following places in the specification body:
  o New section 10.1.2 PM Error Handling.
  o New action 10.2.10 NVM.PM.FILE.CHECK_ERROR
  o New action 10.2.11 NVM.PM.FILE.CLEAR_ERROR
  o New attribute 10.3.9 NVM.PM.FILE.ERROR_EVENT_MINIMAL_CAPABILITY
  o New attribute 10.3.10 NVM.PM.FILE.ERROR_EVENT_PRECISE_CAPABILITY
  o New attribute 10.3.11 NVM.PM.FILE.ERROR_EVENT_ERROR_UNIT_CAPABILITY
  o New attribute 10.3.12 NVM.PM.FILE.ERROR_EVENT_MAPPED_SUPPORT_CAPABILITY
  o New attribute 10.3.12 NVM.PM.FILE.ERROR_EVENT_LIVE_SUPPORT_CAPABILITY
• The wording in section 10.2.7 NVM.PM.FILE.OPTIMIZED_FLUSH_AND_VERIFY is corrected to make clear that the action does not require verification of the data in the persistence domain, but merely requires reporting of any errors diagnosed during the process of writing the data to the persistence domain.
• New section 10.2.8 NVM.PM.FILE.OPTIMIZED_FLUSH_ALLOWED introduces a new action that indicates on a per-file basis whether the application may invoke the OPTIMIZED_FLUSH action or instead is required to call fsync or msync (or the Windows analogs).
  o Some DAX-capable file systems may require that the application call msync or the Windows equivalent and do not permit the application to call OPTIMIZED_FLUSH in its place, for some subset of the files in the file system.
  o This situation arises when the file system requires the msync system call in order to force updated file data or metadata to the persistence domain. For example, when a new page is allocated to a sparse file due to a page fault, some DAX filesystems do not eagerly force the allocation metadata to the persistence domain, but instead require an fsync or msync call to guarantee that the metadata is persistent. Similarly, if the filesystem is performing compression or encryption, it will require an fsync or msync to persist the data.
• New section 10.2.9 NVM.PM.FILE.DEEP_FLUSH introduces a new action that provides improved reliability when persisting data but at a potentially higher latency cost. The intent of this new action is to enable DAX file systems and applications to limit the loss of data when normal persistence fails.
  o ADR persistence is only probabilistic; thermal conditions or other unforeseen conditions may increase the time needed to flush data in the power-protected domain to the persistent media beyond the hold-up time of the power supply. In such an event, we would like to limit the scope of the damage to less than all the data on the persistent memory devices.
  o For example, if there are multiple file systems on the persistent memory devices, and some of them are not mounted when ADR fails, then the data in those file systems is not corrupted and can be preserved across the persistence failure. Similarly, if a file is not open when ADR fails, and all of the data and file system metadata needed to access the file has been persisted, then the file is not corrupted and can be preserved across the persistence failure. The DEEP_FLUSH action provides the tool needed by file systems to force data and metadata to a more reliable persistence domain, so that upon recovery the file system can detect whether it had been mounted, and, if mounted, whether its metadata is intact. Applications can then use DEEP_FLUSH to preserve data that upon recovery after a persistence failure would allow the application to determine whether the file had been open, and thus potentially corrupted, or closed, and thus can be preserved.
  o Attribute 10.3.8 NVM.PM.FILE.DEEP_FLUSH_CAPABLE enables an application to determine if the DEEP_FLUSH action is supported.
• A number of editorial fixes to make spelling, terminology, and spacing more consistent

Table of Contents

FOREWORD
1 SCOPE
2 REFERENCES
3 DEFINITIONS, ABBREVIATIONS, AND CONVENTIONS
  3.1 DEFINITIONS
  3.2 KEYWORDS
  3.3 ABBREVIATIONS
  3.4 CONVENTIONS
4 OVERVIEW OF THE NVM PROGRAMMING MODEL (INFORMATIVE)
  4.1 HOW TO READ AND USE THIS SPECIFICATION
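
The per-file choice that the Revision History describes for section 10.2.8 (an optimized flush where the file system allows it, msync otherwise) can be sketched in C as follows. This is an added example, not code from the SNIA specification: it assumes Linux, uses the MAP_SYNC mmap flag as a stand-in for the OPTIMIZED_FLUSH_ALLOWED query, and the names pm_map, pm_persist and pm_selftest, the 64-byte cache line and the temporary file are choices of this example.

```c
/* Added example, not SNIA code. Assumes Linux; user-space flush on x86-64 only. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#if defined(__x86_64__)
#include <emmintrin.h>
#define HAVE_USER_FLUSH 1
#endif

/* Linux UAPI values, defined here for libc headers that predate them. */
#ifndef MAP_SHARED_VALIDATE
#define MAP_SHARED_VALIDATE 0x03
#endif
#ifndef MAP_SYNC
#define MAP_SYNC 0x080000
#endif

enum flush_mode { FLUSH_OPTIMIZED, FLUSH_MSYNC };

struct pm_region {
    uint8_t *addr;
    size_t len;
    enum flush_mode mode;   /* decided once per file, at map time */
};

/* Map fd and record which flush method this particular file permits. */
int pm_map(int fd, size_t len, struct pm_region *r)
{
    void *p = MAP_FAILED;
#ifdef HAVE_USER_FLUSH
    /* Granted only when the file system keeps the metadata needed to reach
     * the mapped pages durable by itself (DAX mappings). */
    p = mmap(NULL, len, PROT_READ | PROT_WRITE,
             MAP_SHARED_VALIDATE | MAP_SYNC, fd, 0);
#endif
    r->mode = FLUSH_OPTIMIZED;
    if (p == MAP_FAILED) {
        /* Not granted for this file: msync is mandatory. */
        p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
        r->mode = FLUSH_MSYNC;
    }
    if (p == MAP_FAILED)
        return -1;
    r->addr = p;
    r->len = len;
    return 0;
}

/* Persist [off, off + n) using only the method allowed for this file. */
int pm_persist(const struct pm_region *r, size_t off, size_t n)
{
    if (n == 0 || off > r->len || n > r->len - off)
        return -1;
#ifdef HAVE_USER_FLUSH
    if (r->mode == FLUSH_OPTIMIZED) {
        /* 64-byte cache line is an assumption of this example. */
        uintptr_t a = (uintptr_t)(r->addr + off) & ~(uintptr_t)63;
        for (; a < (uintptr_t)(r->addr + off + n); a += 64)
            _mm_clflush((const void *)a);
        _mm_sfence();
        return 0;
    }
#endif
    /* msync needs a page-aligned start address. */
    uintptr_t pg = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)(r->addr + off) & ~(pg - 1);
    size_t span = (size_t)((uintptr_t)(r->addr + off + n) - start);
    return msync((void *)start, span, MS_SYNC);
}

/* Round trip on a constructed temp file; returns the mode used, or -1. */
int pm_selftest(void)
{
    char path[] = "/tmp/pm_example_XXXXXX";   /* constructed sample file */
    const char msg[] = "record-v1";
    char back[sizeof msg] = {0};
    struct pm_region r;
    int rc = -1;
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (ftruncate(fd, 4096) == 0 && pm_map(fd, 4096, &r) == 0) {
        memcpy(r.addr + 100, msg, sizeof msg);
        if (pm_persist(&r, 100, sizeof msg) == 0 &&
            pread(fd, back, sizeof msg, 100) == (ssize_t)sizeof msg &&
            memcmp(back, msg, sizeof msg) == 0)
            rc = (int)r.mode;
        munmap(r.addr, r.len);
    }
    close(fd);
    unlink(path);
    return rc;
}

int main(void)
{
    int mode = pm_selftest();
    printf("flush method: %s\n", mode == FLUSH_OPTIMIZED ? "cache flush" :
           mode == FLUSH_MSYNC ? "msync" : "error");
    return mode < 0;
}
```

On a file system that does not grant MAP_SYNC (any non-DAX mount), pm_selftest reports the msync path.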