On Fri, 22 Aug 2003, Gregory C. Johnson wrote:
> Actually, I think the sectors
clusters (unless your cluster size == sector size).
> contain leading forward-chaining meta-data, no?
Ordinary data? Unless they are resident, no. Your file was over 500 MB so
it couldn't be resident.
> Any way this plays out, I figure I'll need to walk the MFT in order to
> at least get the FILE record and bitmap info and play around with it a
I can't see why you need to walk the MFT. But you indeed need the bitmap (if I
understood you correctly, you want to recover some data from the unused
space). clone_ntfs() in ntfsclone does just the opposite of what you want: it
saves only the used clusters. With minimal change you could save/examine the
unused clusters. ntfsclone source is in BK and on the snapshot web page in
the ntfs-devel-<latest-date> package.
If you don't want to go C then by mounting ntfs with the option show_sys_file
you can access $Bitmap and do your scripting to save the relevant clusters.
> little. Before I go re-inventing the wheel, is there a "mftdump"? Is
I have ntfsmeta at http://mlf.linux.rulez.org/mlf/ezaz/ntfsmeta.gz
> this a quick description of "ntfsdiskedit"? Why are the "ntdump" and
> "ntdir" utilities in BitKeeper no longer included? Do they just need
> updating?
I don't know what those are. I guess those are the original ntfs tools that
didn't support several things and/or were broken. Here everything got
rewritten: kernel driver, user space libntfs, utils using this libntfs,
etc.
Szaka
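
The scripting route mentioned in the message above (read $Bitmap, save the clusters it marks as unused), sketched as an added example that is not part of the original message and is not ntfsclone code. It assumes $Bitmap has already been copied out to a file and the volume is available as an image; the function names are hypothetical, and the cluster size and cluster count are supplied by the caller.

```python
import io

def free_runs(bitmap: bytes, total_clusters: int):
    """Return [(first_lcn, length), ...] for each run of unused clusters.

    NTFS $Bitmap holds one bit per cluster, least significant bit first:
    bit 0 of byte 0 is LCN 0. A clear bit means the cluster is unused.
    $Bitmap can be longer than the volume, so stop at total_clusters.
    """
    limit = min(total_clusters, len(bitmap) * 8)
    runs, start = [], None
    for lcn in range(limit):
        in_use = (bitmap[lcn >> 3] >> (lcn & 7)) & 1
        if not in_use and start is None:
            start = lcn                      # a free run begins here
        elif in_use and start is not None:
            runs.append((start, lcn - start))
            start = None
    if start is not None:                    # free run reaches end of volume
        runs.append((start, limit - start))
    return runs

def save_unused(image, bitmap, total_clusters, cluster_size, out):
    """Copy every unused cluster from image to out; return clusters copied."""
    copied = 0
    for first, length in free_runs(bitmap, total_clusters):
        image.seek(first * cluster_size)
        for _ in range(length):              # one cluster at a time
            data = image.read(cluster_size)
            if len(data) < cluster_size:     # image shorter than the bitmap says
                return copied
            out.write(data)
            copied += 1
    return copied

if __name__ == "__main__":
    # Constructed sample: 16 clusters of 4 bytes, cluster i filled with byte i.
    sample_bitmap = bytes([0x0F, 0xF3])      # LCN 4-7 and 10-11 are unused
    sample_image = io.BytesIO(b"".join(bytes([i]) * 4 for i in range(16)))
    out = io.BytesIO()
    print(free_runs(sample_bitmap, 16))
    print(save_unused(sample_image, sample_bitmap, 16, 4, out), out.getvalue())
```

Work on a read-only image rather than the live volume, since a mounted filesystem can allocate the very clusters being examined.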