Question
Does anyone know of any software that can extract the $bitmap file from NTFS images?
Or does anyone know of any site that documents NTFS enough so that I can code this myself?
(I want to read the $bitmap so I can identify what clusters are not in use, so they can be removed from the images.)
Answer 1:
There's one short paragraph in this early publication by a talented person:
http://www.alex-ionescu.com/NTFS.pdf
Answer 2:
I answered this one in a different place, but on a live Windows machine the best answer is probably to use FSCTL_GET_VOLUME_BITMAP. This will reflect any changes the FS knows about that aren't on the disk.
Answer 3:
There is also "Forensic File Systems" by Brian Carrier. It does explain NTFS in detail. ntfs.org also is helpful.
Since $Bitmap is a system file, you can't open it up and read it. Also beware that if the disk is in use, it can change.
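
An added example, not from any of the answers above: once the $Bitmap contents have been obtained (from the image, or as the buffer FSCTL_GET_VOLUME_BITMAP returns), this lists the runs of clusters that are not in use, which is what the question is after. It assumes the standard NTFS layout of one bit per cluster, least significant bit of each byte first, with 1 meaning allocated; the function names, `total_clusters`, `cluster_size`, `start_lcn` and the sample bytes are constructed for illustration.

```python
from typing import List, Tuple


def free_cluster_runs(bitmap: bytes, total_clusters: int,
                      start_lcn: int = 0) -> List[Tuple[int, int]]:
    """Return (first_lcn, length) for each run of unallocated clusters.

    Bit n of the bitmap describes cluster start_lcn + n (1 = allocated).
    total_clusters is supplied by the caller (assumption: taken from the
    volume geometry); bits beyond it do not describe real clusters.
    """
    if total_clusters > len(bitmap) * 8:
        raise ValueError("bitmap is shorter than the stated cluster count")
    runs = []
    run_start = None  # index of the first free cluster in the open run
    for i in range((total_clusters + 7) // 8):
        b = bitmap[i]
        # Fast path: a uniform byte that cannot open or close a run.
        if (b == 0xFF and run_start is None) or (b == 0x00 and run_start is not None):
            continue
        for bit in range(8):
            n = i * 8 + bit
            if n >= total_clusters:
                break
            allocated = (b >> bit) & 1
            if not allocated and run_start is None:
                run_start = n
            elif allocated and run_start is not None:
                runs.append((start_lcn + run_start, n - run_start))
                run_start = None
    if run_start is not None:  # volume ends inside a free run
        runs.append((start_lcn + run_start, total_clusters - run_start))
    return runs


def byte_ranges(runs, cluster_size: int) -> List[Tuple[int, int]]:
    """Convert cluster runs to (offset, length) byte ranges in the volume."""
    return [(lcn * cluster_size, count * cluster_size) for lcn, count in runs]


if __name__ == "__main__":
    # Constructed sample: 30 clusters, 4 KiB each (not from a real volume).
    sample = bytes([0xFF, 0x0F, 0x00, 0xF1])
    runs = free_cluster_runs(sample, total_clusters=30)
    for offset, length in byte_ranges(runs, cluster_size=4096):
        print(f"free: offset {offset} length {length}")
```

As Answer 3 warns, a bitmap read from a volume that is in use can change underneath you, so free ranges are only safe to act on when computed against a static image.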
Source: https://stackoverflow.com/questions/3081531/extract-bitmap-file-from-ntfs-image