
General Discussion: Sections of Unallocated Space Filled with 0xFF

laura4458 wrote:
What explanations are there for sections of unallocated space being filled with 0xFF's?

The simplest is probably use of one of those tools that wipe free disk space. Which one ... if you look at the description of SDelete (from Sysinternals) you'll find their particular approach documented -- at least at first glance it seems likely to leave traces in the file system.

Of course, there are usually places where those utilities don't reach ... say, outside the area covered by a volume. If those places are 0xFF-wiped as well, it clearly won't do without some additional explanations.

A more complex one starts from a hard disk that has been wiped completely with 0xFF, on top of which an OS has been installed and the usual file usage has taken place. This kind of approach will produce 0xFF also in normally unreachable places. If you have files with ValidData length set, you may have allocated clusters that are not really part of the file yet. (You could see these on XP, but I think later versions of NTFS may not allocate them.) If you do, and those clusters are also 0xFF-filled, it would fit. However, the longer this kind of system is used, the more clusters will be overwritten, so it can't be applied everywhere.

Quote:
about the last 80% of the pagefile.sys and hiberfil.sys files are each filled with 0xFF.

How much primary memory is in the system? Has it been altered recently? (Just a strange idea: what happens with an existing page file if you add extra memory? Does the page file get resized?)

Just as a safety precaution -- if you haven't run a memory tester on the system, try to do so. You don't want any kind of hardware glitch to surprise you.
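
The check suggested in the reply above (does the 0xFF fill stop at the volume boundary, or does it also appear outside the area covered by any volume?), as an added example that is not part of the original post. It assumes a raw image read in 512-byte sectors and volume extents supplied by the examiner from the partition table; the function names and the sample layout are constructed for illustration.

```python
import io

SECTOR = 512  # assumed sector size; adjust for 4Kn media

def ff_runs(stream, sector=SECTOR):
    """Return [(first_sector, count)] for maximal runs of all-0xFF sectors."""
    full, runs, start, i = b"\xff" * sector, [], None, 0
    while True:
        block = stream.read(sector)
        if len(block) < sector:      # end of image (a partial tail is ignored)
            break
        if block == full:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, i - start))
            start = None
        i += 1
    if start is not None:            # run extends to the end of the image
        runs.append((start, i - start))
    return runs

def classify(runs, volumes):
    """For each run, count sectors inside a volume and outside all volumes.
    volumes: [(first_sector, count)], assumed not to overlap each other."""
    out = []
    for first, count in runs:
        inside = sum(max(0, min(first + count, v + n) - max(first, v))
                     for v, n in volumes)
        out.append({"first": first, "count": count,
                    "inside": inside, "outside": count - inside})
    return out

def build_sample():
    """Constructed 64-sector image: one volume at sectors 8-47, three 0xFF runs."""
    img = bytearray(64 * SECTOR)
    for first, count in [(20, 10), (44, 8), (56, 8)]:
        img[first * SECTOR:(first + count) * SECTOR] = b"\xff" * (count * SECTOR)
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    volumes = [(8, 40)]  # constructed layout; use the real partition extents
    for r in classify(ff_runs(build_sample()), volumes):
        print(r)
```

Runs with a non-zero `outside` count are the ones a free-space wiper working inside the volume would not account for on its own.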
