|
From: Gregory C. J. <Mai...@Gr...> - 2003-08-22 16:44:42
|
Hello all.=20 I'm sure you've never heard this before, but I've got "a little = situation at the moment..." The short version is - W2K munched my Outlook mailstore during a crash. = The ~500MB file was truncated, leading me to believe that the problem = occurred during an (extended?) FILE record write. This was some months = ago, so it may well have occurred as a result of the write... Wait, I'm = starting to remember it was the result of a hard-reboot due to a system = freeze.=20 Regardless, I now have an NTFS 3.0 partition with 6 months of mail = scattered across it - just out of reach.=20 Worst case, the SMTP timestamps will help re-order the clusters, but to = get at them I need to crunch on the bitmap file and decode MFT FILE = records and their runs. With any luck the balance of the file is marked = as used and I can just take the set difference and then (simplifying) dd = (1) each sector to an eponymous file, grep(1) for date strings feed it = all to sort(1) then let cat(1) re-build everything. Actually, I think the sectors contain leading forward-chaining = meta-data, no? No huge deal, makes a nice consistency check and the = catenation is simple in C. If this is the case I may be able to simply = "mend the break". Any way this plays out, I figure I'll need to walk the MFT in order to = at least get the FILE record and bitmap info and play around with it a = little. Before I go re-inventing the wheel, is there a "mftdump"? Is = this a quick description of "ntfsdiskedit"? Why are the "ntdump" and = "ntdir" utilities in BitKeeper no longer included? Do they just need = updating? -Greg BTW, does anyone know of a multi-platform remotely administrable backup = package that can handle NTx's open registry hives? This problem = wouldn't exist if there were an inexpensive backup solution that could = read/write through NTx's exclusive opens. |
