Request to add some data into ddru_ntfsfindbad logfile

LINUX based utility for use with gnuddrescue to aid with data recovery

Brought to you by: maximus57

Request to add some data into ddru_ntfsfindbad logfile

Forum: Ddrutility General Help and Discussion

Creator: olegkrutov

Created: 2015-02-11

Updated: 2016-08-06

olegkrutov - 2015-02-11

It could be nice to add "deleted" state of file/dir name based on flag in MFT file record because AFAIK deleted files are excluded from bitmap and are in ddru_ntfsfindbad.log as read with errors. And is it possible to print out (maybe optionally) file modification timestamp?

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

maximus57 - 2015-02-11

First the deleted files. Hmmmm, ddru_ntfsfindbad is not supposed to process truly deleted files. It will process the ones in the recycle bin as they still exist in recoverable format, and the file path should list them in the recycle bin. I am using flag 0x2000 (not indexed) as the basis for a truly deleted file, and it is not supposed to list those. I did very little testing with deleted files.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

olegkrutov - 2015-02-12

Well, I mean not file attribute flags as "temporary","sparse" etc but MFT file record flags that are at 0x16 offset. These flags are quite simple: (flags && 1) -> record is in use; (flags && 2) -> record is a directory. Then, there are all states:

00 00 deleted file
01 00 file
02 00 deleted dir
03 00 dir

When analyzing ntfsfindbad.log files there are sometimes files without "./" in front of its path i.e. they are not in directory tree currently. If is is because of bad blocks in MFT that files should be recovered. But many of them have flag value 00 00 in its MFT record so they can be just ignored.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

maximus57 - 2015-02-12

I will have to look at that deeper then. I guess my documentation did not include that, or I did not see it. My intention is to not process deleted files in the report log. Will go on the to do list for future version.

PS for some reason I had to approve both your posts on here which I never had to before. I hope it was a glitch and not something that sourceforge has changed. When I had anonymous posting turned on I had to approve them and it messed up the timeline.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

KDEboroda - 2016-08-05

I also find it useful to optionally show deleted files in the ddru_ntfsfindbad log.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

maximus57 - 2016-08-06

To show the deleted files in the output, change line 863 of ddru_ntfsfindbad.c from:

if ((file_attribute.items.Flags & 0x2000) == 0)

to:

if ((file_attribute.items.Flags & 0x0000) == 0)

And then recompile.
Note that the deleted files are non-indexed, meaing they are not in the folder structure and also their space in the bitmap is free so they could have been overwritten.

Last edit: maximus57 2016-08-06
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Log in to post a comment.