EWF Definitions

5/10/2007

The following table shows the terms and definitions that are specific to Enhanced Write Filter (EWF).

Term Definition

Clumps

Clumps are sections of the protected volume. EWF treats the entire protected volume as a collection that is broken into chunks of equal size, called clumps. The clump size is independent of the sector size that the protected volume uses. The default size for a clump is 512 bytes.

Disk Mode

EWF Disk mode stores the EWF overlay in disk or flash ROM. The EWF volume is also stored in disk or flash ROM.

EWF Volume

The EWF volume stores EWF state and configuration information. The EWF volume is a partition of type 0x45 that is not visible or recognized by the operating system. It is composed of the master EWF volume table, a number of overlay stacks, and overlay data for all disk overlays.

Filter Stack

The Filter Stack is the ordering of all filters that are monitoring the I/O operations for a volume.

Master EWF Volume Table

The Master EWF Volume Table is the directory that stores information about the EWF volume.

Original Disk Image

The Original Disk Image is the original protected volume without an EWF overlay applied to it.

Overlay

The Overlay is a collection of disk write operations, that, when applied to a disk image, produce another disk image that represents a later state of the disk after the disk write operations.

Overlay Level

Overlay Levels are multiple overlays that can be independently managed.

Overlay Stack

The Overlay Stack is the mapping of protected volume sectors to EWF volume sectors for all the overlay levels in a single protected volume.

Overlay Volume Store

The Overlay Volume Store is a disk volume that stores EWF configuration settings and the data for disk overlays. Optional for RAM overlays.

Primary Boot Volume

The Primary Boot Volume is the volume that a run-time image boots from. This volume can be a hard disk, flash disk, ROM, or a bootable CD-ROM. On any system, there is exactly one Primary Boot Volume.

Protected Volume

The Protected Volume is the volume that is being protected from write access by the EWF driver. This can be a read/write medium or a bootable CD-ROM.

RAM Mode

EWF RAM mode stores the overlay in RAM, and the EWF volume on disk. EWF RAM mode is limited to one overlay level only.

RAM Reg

Mode RAM Reg mode is similar to RAM mode with the exception that the configuration information that is typically stored in the EWF volume is instead stored in the registry.

Stateless Operation

Stateless operation is a configuration that does not maintain system information between boots. If all disk volumes in a computer are configured to use a RAM overlay, all overlay information is lost when the system is shut down or rebooted. This is called stateless operation because the state of the device is exactly the same each time it is rebooted.

Volume

A volume is a partition of a local disk or a share of a remote disk. EWF does not support remote volumes.

See Also

Other Resources

Enhanced Write Filter
EWF Overview