[Libguestfs] extract NTFS Master File Table for analysis
Richard W.M. Jones
rjones at redhat.com
Tue Feb 2 19:35:51 UTC 2016
On Tue, Feb 02, 2016 at 07:40:12PM +0200, noxdafox wrote:
> Greetings,
>
> I'm playing around with an idea and I'd like to ask you some questions.
>
> I'd like to extract the MFT table from a disk image file. The idea
> is to employ it to build a sort of reverse lookup table which, given
> a cluster, could retrieve the corresponding file with the related
> metadata.
>
> Such a table could be used to optimize the analysis of disk snapshots
> in order to collect the changes which happened on the disk. As the
> disk snapshots contain only the new or modified clusters, I could
> avoid exploring the whole FS content and focus on what has really
> changed on disk.
>
> Did you explore the concept anyhow?

No.

> Is there a way I can use libguestfs to locate and extract the MFT
> table from a disk image?

If there's an ntfsprogs command that does this (ntfsinfo --mft maybe?)
then it's really easy to extract the output from that command. You
could hack it together using `debug sh', search this page:

http://libguestfs.org/guestfs-faq.1.html

... but if you wanted to do it "properly" then you could add an API
modelled on one of the `FileOut' APIs, eg:

https://github.com/libguestfs/libguestfs/blob/master/daemon/base64.c#L100

For information on adding APIs, see:

http://libguestfs.org/guestfs-hacking.1.html#adding-a-new-api

This question of how do you find which disk block is associated with a
particular file comes up often enough that I have looked at it various
times on my blog:

https://rwmj.wordpress.com/2014/02/21/use-guestfish-and-nbdkit-to-examine-physical-disk-locations/
https://rwmj.wordpress.com/2014/11/23/mapping-files-to-disk/

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
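
The cluster-to-file reverse lookup asked about in the quoted message, as an added example (not code from this thread or from libguestfs). It assumes the runlist bytes of each file's non-resident $DATA attribute have already been read out of the extracted MFT; the file names, runlists and function names are constructed for illustration.

```python
import bisect

def decode_runlist(data):
    """Decode an NTFS runlist into (start_lcn, length) extents; sparse runs get start None."""
    extents, pos, lcn = [], 0, 0
    while pos < len(data) and data[pos] != 0:      # a 0x00 header byte ends the list
        len_size, off_size = data[pos] & 0x0F, data[pos] >> 4
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(data):
            raise ValueError("malformed or truncated runlist")
        length = int.from_bytes(data[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:                          # sparse run: no clusters on disk
            extents.append((None, length))
            continue
        # The offset is signed and relative to the previous run's start LCN.
        lcn += int.from_bytes(data[pos:pos + off_size], "little", signed=True)
        pos += off_size
        if lcn < 0:
            raise ValueError("runlist points before the start of the volume")
        extents.append((lcn, length))
    return extents

def build_index(files):
    """files: {name: runlist bytes} -> sorted list of (start, end_exclusive, name)."""
    index = []
    for name, runlist in files.items():
        for start, length in decode_runlist(runlist):
            if start is not None:
                index.append((start, start + length, name))
    return sorted(index)

def lookup(index, cluster):
    """Return the file that owns `cluster`, or None if no indexed extent covers it."""
    i = bisect.bisect_right(index, (cluster, float("inf"), "")) - 1
    if i >= 0 and index[i][0] <= cluster < index[i][1]:
        return index[i][2]
    return None

def changed_files(index, clusters):
    """Map the clusters present in a snapshot to the sorted set of files they belong to."""
    return sorted({f for f in (lookup(index, c) for c in clusters) if f is not None})

# Constructed sample runlists (not taken from a real volume).
SAMPLE = {
    "A.txt": bytes.fromhex("11046400"),            # one run: LCN 100, 4 clusters
    "B.log": bytes.fromhex("1103781102ce00"),      # LCN 120 x3, then delta -50 -> LCN 70 x2
    "C.db": bytes.fromhex("110250010511010a00"),   # LCN 80 x2, sparse x5, LCN 90 x1
}
```

Clusters that map to None are either free space or belong to metadata and resident attributes that this index does not cover.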