@port139 Blog

This blog mainly deals with digital forensics techniques, but there is a high probability that the content contains errors.

Windows Server 2019 and Dedupe

Note: I translated the Japanese into English using Google Translate.
Thank you, Google.

There is a great article called “Windows Server Data Deduplication and Forensic Analysis”.
If you are interested in the Data Deduplication feature, I recommend that you read it first.

---

I used Windows Server 2019 and enabled the Data Deduplication feature on volume F:.
The minimum file age is set to 0 days so that files become eligible for deduplication immediately instead of after the default waiting period.

Two folders were created and several JPEG files were placed in each folder. I copied the same JPEG files into both folders, so these files should be deduplicated.

Check the deduplication status. None of the files has been deduplicated yet.

Use the Start-DedupJob cmdlet to run deduplication immediately as an Optimization job.

Start-DedupJob -Type Optimization -Volume F: -Memory 100 -Cores 100 -Priority High

Ten files have been deduplicated.

Use Windows Explorer to display the file properties. The size on disk is zero, even though the file size is unchanged: the file's own $DATA stream no longer has any clusters allocated to it.

The file attributes are “AL”: “A” is Archive and “L” is Reparse Point. By looking at the “size on disk” or the “attributes” column in Windows Explorer, I can find a deduplicated file. Note that “L” is set for any kind of reparse point (symbolic links and junctions, for example), so the reparse tag shown below is what confirms that a file is deduplicated.

Let's check the attributes of the FILE record using Autopsy 4.13.0.

Autopsy shows the starting address of the $DATA attribute as “X” (no allocated cluster) and flags it as “Sparse”. The length is 980.

Check the FILE record of the JPEG file using FTK Imager. The data run is “02E003”: the header byte 0x02 means the run length occupies two bytes and there is no offset field, i.e. the run is sparse with no clusters allocated, and the length 0x03E0 is 992 clusters.

Why doesn't this length match the Autopsy result?

Check “$REPARSE_POINT (0xC0)”. This attribute is non-resident, and its data is stored in cluster number 49662.

Refer to cluster number 49662. The first 4 bytes are the reparse tag, stored little-endian (13 00 00 80 on disk); the value 0x80000013 is “IO_REPARSE_TAG_DEDUP”.

Unfortunately, I couldn't find any information about the structure of IO_REPARSE_TAG_DEDUP.
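As an added example (not code from the original post), here is a small Python parser that decodes an NTFS data run list such as the “02E003” above and the generic REPARSE_DATA_BUFFER header that begins every $REPARSE_POINT attribute, and combines the two into the check an examiner would use to flag a dedup stub: no allocated $DATA clusters plus IO_REPARSE_TAG_DEDUP. It also decodes a normal, non-sparse run list to show the general algorithm. The reparse payload bytes in the sample are constructed for this example; the layout of the DEDUP-specific data after the 8-byte header is not described on this page, so the code treats it as opaque.

```python
import struct

# Microsoft reparse tag found in the $REPARSE_POINT attribute of a deduplicated file.
IO_REPARSE_TAG_DEDUP = 0x80000013
# Flag bits of a reparse tag: bit 31 = Microsoft-defined tag,
# bit 29 = name surrogate (the reparse point stands in for another path).
TAG_MICROSOFT = 0x80000000
TAG_NAME_SURROGATE = 0x20000000


def parse_data_runs(run_hex):
    """Decode an NTFS data run list given as hex, e.g. '02E003' or '31 38 73 25 34 00'.

    Each run starts with a header byte: the low nibble is the size of the
    run-length field, the high nibble the size of the LCN-offset field.
    An offset size of 0 means a sparse run with no clusters allocated.
    Offsets are signed and relative to the previous run's LCN.
    """
    data = bytes.fromhex(run_hex.replace(" ", ""))
    runs = []
    pos = 0
    lcn = 0
    while pos < len(data):
        header = data[pos]
        if header == 0:  # 0x00 terminates the run list
            break
        len_size = header & 0x0F
        off_size = header >> 4
        pos += 1
        length = int.from_bytes(data[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append({"length": length, "lcn": None, "sparse": True})
        else:
            delta = int.from_bytes(data[pos:pos + off_size], "little", signed=True)
            pos += off_size
            lcn += delta
            runs.append({"length": length, "lcn": lcn, "sparse": False})
    return runs


def allocated_clusters(runs):
    """Clusters actually backed by disk space; Explorer's 'size on disk' reflects this."""
    return sum(r["length"] for r in runs if not r["sparse"])


def parse_reparse_point(buf):
    """Parse the REPARSE_DATA_BUFFER header at the start of a $REPARSE_POINT attribute.

    Layout (little-endian): ULONG ReparseTag, USHORT ReparseDataLength, USHORT Reserved,
    followed by ReparseDataLength bytes of tag-specific data, returned here as opaque bytes.
    """
    tag, data_len, _reserved = struct.unpack_from("<IHH", buf, 0)
    return {
        "tag": tag,
        "microsoft": bool(tag & TAG_MICROSOFT),
        "name_surrogate": bool(tag & TAG_NAME_SURROGATE),
        "data_length": data_len,
        "data": buf[8:8 + data_len],
    }


def is_dedup_stub(run_hex, reparse_buf):
    """True when a file looks like a dedup stub: no allocated $DATA clusters and
    a $REPARSE_POINT carrying IO_REPARSE_TAG_DEDUP."""
    runs = parse_data_runs(run_hex)
    rp = parse_reparse_point(reparse_buf)
    return allocated_clusters(runs) == 0 and rp["tag"] == IO_REPARSE_TAG_DEDUP


# Constructed sample: the data run from the post, and a reparse buffer whose first
# four bytes are 0x80000013 stored little-endian (13 00 00 80 on disk).
# The four payload bytes after the header are made up for this example.
SAMPLE_RUN = "02E003"
SAMPLE_REPARSE = struct.pack("<IHH", IO_REPARSE_TAG_DEDUP, 4, 0) + b"\xde\xad\xbe\xef"

if __name__ == "__main__":
    for run in parse_data_runs(SAMPLE_RUN):
        print(run)  # {'length': 992, 'lcn': None, 'sparse': True}
    print(allocated_clusters(parse_data_runs(SAMPLE_RUN)))  # 0
    rp = parse_reparse_point(SAMPLE_REPARSE)
    print(hex(rp["tag"]), rp["microsoft"], rp["name_surrogate"])  # 0x80000013 True False
    print(is_dedup_stub(SAMPLE_RUN, SAMPLE_REPARSE))  # True
```

A stub that passes this check holds no file content of its own: the data lives in the chunk store under System Volume Information\Dedup on the same volume, so recovering the JPEG means going there rather than following the stub's data runs.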

Let's check the USN Journal using another file.
I prepared two images and deduplicated them.

Parsing $J, I discover that I misspelled “Koala” :-)

Finally, delete one of the deduplicated files.

Check the attributes in the FILE record of the deleted file.

Try to deduplicate the “Koala” image again.

There was no change in the deduplication status of "Koala".

Verification environment: Windows Server 2019 1809.

Reference URLs:

blog.1234n6.com

docs.microsoft.com
