Re: [Libguestfs] extract NTFS Master File Table for analysis

On 02/02/16 21:35, Richard W.M. Jones wrote: I played around a bit and I need to confess I am impressed on how easy is to add functionalities to libguestfs. I could easily extract the Master File Table using the download API and parse it with third party tools. I'd like to extract as well the Update Sequence Number Journal ($UsnJrnl) but it seems unaccessible via it's path (C:\$Extend\$UsnJrnl). I tried on a real disk and it seems to be a limitation of the NTFS-3g driver: it can extract C:\$MTF and C:\$LogFile, it can list C:\$Extend content but it cannot access those files. Curiously enough, stat() syscall on C:\$Extend\$UsnJrnl seems to work and returns the correct inode number. Yet the size is wrong as it reports 0 while the real one is > 9Mb. The next step I tried was to use ntfscat command in the following manner: ntfscat -i <UsnJrnl inode number> /dev/sdXX and it worked flawlessly. So I proceeded adding such API to libguestfs and I could extract the journal without any issue. The UsnJrnl file is very handy to check what changes were made on disk. Not only it's faster than using virt-diff on two different snapshots but it also shows much more relevant information. I could for example track down temporary files created and deleted within the two snapshots. All of this to say I'd like to add the possibility of extracting files via their inode. This functionality has the advantage of not requiring the FS to be mounted. Would libguestfs benefit from this? If so how should I proceed? Which API names to use? Most straightforward would be something like: ntfsicat(device, inode) or ntfsidownload(device, inode) I guess also linux guest disks would benefit from this but this requires a bit more research.