Does anyone know of any software that can extract the $bitmap file from NTFS images?
Or does anyone know of any site that documents NTFS enough so that I can code this myself?
(I want to read the $bitmap so I can identify what clusters are not in use, so they can be removed from the images.)
There's one short paragraph in this early publication by a talented person:
I answered this one in a different place, but on a live Windows machine the best answer is probably to use FSCTL_GET_VOLUME_BITMAP. This will reflect any changes the FS knows about that aren't on the disk.
There is also "Forensic File Systems" by Brian Carrier. It does explain NTFS in detail. ntfs.org also is helpful.
Since $Bitmap is a system file, you can't open it up and read it. Also beware that if the disk is in use, it can change.
翻译