On Fri, 12 Jul 2002, Szakacsits Szabolcs wrote:
> On Tue, 9 Jul 2002, Anton Altaparmakov wrote:
>
> > Can you tell me what records you found other than file? I have
> > seen CHKD (check disk), BAAD (corrupt mft record), and from the
> > windows ntfs driver source I know that HOLE is a valid record but
> > I haven't seen it in the wild yet and I was too lazy to figure out
> > what it meant by reverse engineering it...
>
> Hmm, not much reference (1 at the definition) to HOLE however
> apparently there are some RSTR (probably meaning 'restore' especially
> their occurrences are around CHKD).

RSTR = ReSTaRt area. There are two such records at the beginning of the
$LogFile/$DATA attribute.

Are you saying that you found a RSTR record in the $MFT/$DATA attribute?
If yes, that would be a very interesting finding! Definitely something
that would make me fire up IDA Pro and search around the windows ntfs
driver...

Best regards,

Anton
--
Anton Altaparmakov <aia21 at cantab.net> (replace at with @)
Linux NTFS maintainer / IRC: #ntfs on irc.openprojects.net
WWW: http://linux-ntfs.sf.net/ & http://www-stu.christs.cam.ac.uk/~aia21/