[Libguestfs] extract NTFS Master File Table for analysis

Tuesday, 2 February 2016

Greetings,

I'm playing around an idea and I'd like to ask you some questions.

I'd like to extract the MFT table from a disk image file. The idea is to 
employ it to build a sort of reverse lookup table which, given a 
cluster, could retrieve the corresponding file with the related metadata.

Such table could be used to optimize the analysis of disk snapshots in 
order to collect the changes which happened on the disk. As the disk 
snapshots contains only the new or modified clusters, I could avoid 
exploring the whole FS content and focus on what has really changed on disk.

Did you explore the concept anyhow? Is there a way I can use libguestfs 
to locate and extract the MFT table from a disk image?

Thank you.

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

[Libguestfs] extract NTFS Master File Table for analysis