search for: mft

NTFS $MFT file may be fragmented by itself (and actually is in most cases). However, such a situation was not handled. This patch add support for fragmented $MFT file. Signed-off-by: Andy Alex <andy at r-tt.com> --- diff -uprN syslinux-6.02.orig/core/fs/ntfs/ntfs.c syslinux-6.02/core/fs/ntfs/ntfs.c -...

On 03/13/2014 08:04 PM, H. Peter Anvin wrote: > On 02/20/2014 07:56 AM, Andy Alex wrote: >> NTFS $MFT file may be fragmented by itself (and actually is in most cases). >> However, such a situation was not handled. >> This patch add support for fragmented $MFT file. >> >> Signed-off-by: Andy Alex <andy at r-tt.com> > > Hi Andy, > > This patch came across w...

...are +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +# Test the download_inode command. + +set -e + +if [ -n "$SKIP_TEST_DOWNLOAD_INODE_SH" ]; then + echo "$0: test skipped because environment variable is set." + exit 77 +fi + +rm -f test-mft.bin + +# Skip if TSK is not supported by the appliance. +if ! guestfish add /dev/null : run : available "sleuthkit"; then + echo "$0: skipped because TSK is not available in the appliance" + exit 77 +fi + +if [ ! -s ../../test-data/phony-guests/windows.img ]; then + ech...

On 02/20/2014 07:56 AM, Andy Alex wrote: > NTFS $MFT file may be fragmented by itself (and actually is in most cases). > However, such a situation was not handled. > This patch add support for fragmented $MFT file. > > Signed-off-by: Andy Alex <andy at r-tt.com> Hi Andy, This patch came across whitespace-mangled so I can't ap...

"icat" name comes from the employed command line tool which might be replaced later on with a different implementation. The command name is a bit confusing because it's similar to "cat" but act as "donwload". Therefore I am renaming it with a more clear name. At the same time I cleaned up a bit the code and improved it's readability and code comments. This

The command name is a bit confusing because it's similar to "cat" but act as "donwload". Therefore I am renaming it with a more clear name. At the same go I cleaned up a bit the code following the standards and improved the API documentation. This patch is ready for review. Code available at: https://github.com/noxdafox/libguestfs/tree/download_inode Matteo Cafasso (3):

Hi all, - There is a worth thing to note about these changes, which is the handling of $ATTRIBUTE_LIST attribute, that is rare attribute. When there are a lot of attributes and there is no more space in the MFT record, all those attributes that can be made non-resident are moved out the MFT, so this is where the $ATTRIBUTE_LIST comes in. - Most people must have seen the ugly "EDD error" when installing Syslinux in an NTFS partition and then booting it up. So this issue won't occur anymo...

While testing the syslinux-4.06-pre11, I encountered a failure booting Windows Vista using syslinux. Looking at the details of the failing machine, I discovered that the main difference between this machine and the working ones is taht, on this machine, the MFT is fragmented in multiple fragments, and ldlinux.sys is indexed in one of the extended fragments. Does the syslinux NTFS implementation support a fragmented MFT? Regards,Bernardo

Test is based on file signature, it checks whether the extracted file is the $MFT. Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> --- Makefile.am | 1 + configure.ac | 1 + generator/actions.ml | 6 ++++- tests/ntfscat/Makefile.am | 26 +++++++++++++++++++++ tests/ntfscat/test-ntfscat.sh | 53 ++++++++++++++++++++++++...

...e Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +# Test the ntfscat-i command. + +set -e + +if [ -n "$SKIP_TEST_NTFSCAT_SH" ]; then + echo "$0: test skipped because environment variable is set." + exit 77 +fi + +rm -f test-mft.bin + +# Skip if ntfs-3g is not supported by the appliance. +if ! guestfish add /dev/null : run : available "ntfs3g"; then + echo "$0: skipped because ntfs-3g is not supported by the appliance" + exit 77 +fi + +if [ ! -s ../../test-data/phony-guests/windows.img ]; then +...

On Tue, Feb 02, 2016 at 07:40:12PM +0200, noxdafox wrote: > Greetings, > > I'm playing around an idea and I'd like to ask you some questions. > > I'd like to extract the MFT table from a disk image file. The idea > is to employ it to build a sort of reverse lookup table which, given > a cluster, could retrieve the corresponding file with the related > metadata. > > Such table could be used to optimize the analysis of disk snapshots > in order to coll...

Hello everyone! I faced an issue using virt-resize. I have an image with extended -> logical -> pv -> lv -> ext4 (although I think LVM does not matter). And image is 65G virtual size and 1G actualSize. When I call virt-resize to 60G, it blindly copies the extended partition content, but does it non-sparse (resize.ml:1231), irrespective to --no-sparse option. So the destination image

Adding ntfscat_i command for downloading files based on their inode number. This allows the dowload of files unaccessible otherwise from a NTFS guest disk image. Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> --- daemon/ntfs.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++ generator/actions.ml | 15 +++++++++++++ 2 files changed, 77 insertions(+) diff --git

...+ echo "$0: skipped because windows.img is zero-sized" + exit 77 +fi + +output=$( +guestfish --ro -a ../../test-data/phony-guests/windows.img <<EOF +run +mount /dev/sda2 / +write /test.txt "foobar" +rm /test.txt +umount / +filesystem-walk /dev/sda2 +EOF +) + +# test $MFT is in the list +echo $output | grep -zq "{ tsk_inode: 0 tsk_type: r tsk_size: .* tsk_name: \$MFT tsk_flags: 1 }" +if [ $? != 0 ]; then + echo "$0: \$MFT not found in files list." + echo "File list:" + echo $output + exit 1 +fi + +# test deleted file is in t...

...\ + write /test.txt "foobar" : \ + rm /test.txt : \ + umount / : \ + filesystem-walk /dev/sda2) + +# test $MFT is in the list +echo $output | grep -q "{ tsk_inode: 0 tsk_type: r tsk_size: .* tsk_name: \$MFT tsk_allocated: 1 }" +if [ $? != 0 ]; then + echo "$0: \$MFT not found in files list." + echo "File list:" + echo $output + exit 1 +fi + +# test deleted file is i...

On 02/02/16 21:35, Richard W.M. Jones wrote: > On Tue, Feb 02, 2016 at 07:40:12PM +0200, noxdafox wrote: >> Greetings, >> >> I'm playing around an idea and I'd like to ask you some questions. >> >> I'd like to extract the MFT table from a disk image file. The idea >> is to employ it to build a sort of reverse lookup table which, given >> a cluster, could retrieve the corresponding file with the related >> metadata. >> >> Such table could be used to optimize the analysis of disk snapshots &g...

...: \ > + umount / : \ > + filesystem-walk /dev/sda2) This is a bit unreadable, a better approach is to read commands from stdin; see for example fish/test-copy.sh. > + > +# test $MFT is in the list > +echo $output | grep -q "{ tsk_inode: 0 tsk_type: r tsk_size: .* tsk_name: \$MFT tsk_allocated: 1 }" Hmm are you sure this works when tracing is disabled? The default output in guestfish for structs is each field in a single line. Unless you compare the whole output...

The Sleuth Kit is a filesystem forensic tool for accessing disk volumes and extracting digital evidence from. http://www.sleuthkit.org/ The icat API allows to download a file from a device given its metadata number (inode). It supports multiple filesystem types. The icat command allows to access to otherwise unreachable files such as filesystem data structures and deleted files which content is

...and I didn't find any documentation about it. I'll take a look at these ones. > > One problem with writing the test (indeed, with the general idea) is > how do you discover which inode numbers can be downloaded? Does NTFS > have some standard inode numbers for things like the MFT? The $MFT file has alway 0 as index number. > > Rich. > >> --- >> daemon/ntfs.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++ >> generator/actions.ml | 15 +++++++++++++ >> 2 files changed, 77 insertions(+) >> >> diff --git a/daem...

I have a Windows 2000 domU running in an LVM partition. I need to move it to another host, but none of my other xen servers have lvm or free space to create an lvm. So I''d like to convert it to a sparse img file. The file system in the domU is ntfs. Can anyone suggest how to do this? Thanks, James _______________________________________________ Xen-users mailing list