On Tue, Feb 02, 2016 at 07:40:12PM +0200, noxdafox wrote:
> Greetings,
>
> I'm playing around with an idea and I'd like to ask you some questions.
>
> I'd like to extract the MFT table from a disk image file. The idea
> is to employ it to build a sort of reverse lookup table which, given
> a cluster, could retrieve the corresponding file with the related
> metadata.
>
> Such a table could be used to optimize the analysis of disk snapshots
> in order to collect the changes which happened on the disk. As the
> disk snapshots contain only the new or modified clusters, I could
> avoid exploring the whole FS content and focus on what has really
> changed on disk.
>
> Did you explore the concept anyhow?

No.

> Is there a way I can use libguestfs to locate and extract the MFT
> table from a disk image?

If there's an ntfsprogs command that does this (ntfsinfo --mft maybe?)
then it's really easy to extract the output from that command. You
could hack it together using `debug sh', search this page:
http://libguestfs.org/guestfs-faq.1.html
... but if you wanted to do it "properly" then you could add an API
modelled on one of the `FileOut' APIs, eg:
https://github.com/libguestfs/libguestfs/blob/master/daemon/base64.c#L100
For information on adding APIs, see:
http://libguestfs.org/guestfs-hacking.1.html#adding-a-new-api
This question of how do you find which disk block is associated with a
particular file comes up often enough that I have looked at it various
times on my blog:
https://rwmj.wordpress.com/2014/02/21/use-guestfish-and-nbdkit-to-examine...
https://rwmj.wordpress.com/2014/11/23/mapping-files-to-disk/
Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
Read my programming and virtualization blog:
http://rwmj.wordpress.com
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top