Joep
Thu Jun 29 17:01:12 CDT 2006
"Jonathan de Boyne Pollard" <J.deBoynePollard-newsgroups@NTLWorld.COM> wrote
in message news:c1.01.31TSNR$5AJ@J.de.Boyne.Pollard.localhost...
> W> So I assume what I need to do is locate the mft block in the volume,
> W> then walk through the block, printing every file that doesn't have
> W> clusters. Is this right?
>
If you open the drive by drive letter the offset of the volume is
irrelevant. If you open a physical device you determine your offset by
parsing and interpreting the partition tables or the LDM.
Offset to the MFT start can be found in the boot sector. It is a cluster
value so your offset is cluster no * sectors per cluster * 512.
The MFT is not per se 1 block. As it is treated as a file it may be
fragmented (rare, but can be. I have seen that and can at least force it to
fragment).
Parsing and interpreting the MFT is possible but not that easy. MS did not
release free and public NTFS documentation so you will have to reverse
engineer or consult open source documentation (Linux NTFS Documentation
Project).
What is your goal anyway? Why do you want to have a list of files that have
no clusters allocated, delete them? There may be files that have no clusters
allocated that are still valid files: If the data stream of a file fits the
FRS, the entire file is stored in the MFT.
For example the boot.ini often is small enough to be entirely in the MFT,
you still do not want to delete it.
--
Joep
http://www.diydatarecovery.nl
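
Added example, not part of the post above and not code from its author: a Python sketch of the two checks the reply describes, finding the MFT start from the boot sector and telling whether a file's data is resident in its FRS. It goes slightly beyond the post by reading bytes per sector from the boot sector instead of assuming 512; the field offsets follow the open-source NTFS documentation, and the function names and sample buffers are constructed for illustration.

```python
import struct

def parse_ntfs_boot(bs: bytes) -> dict:
    """Locate the MFT from an NTFS boot sector; offsets are relative to the volume start."""
    if len(bs) < 512 or bs[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    bps, spc = struct.unpack_from("<HB", bs, 0x0B)  # bytes/sector, sectors/cluster
    mft_lcn, = struct.unpack_from("<Q", bs, 0x30)   # MFT start as a cluster number
    frs_raw, = struct.unpack_from("<b", bs, 0x40)   # signed; negative n means 2**|n| bytes
    cluster = bps * spc
    frs_size = frs_raw * cluster if frs_raw > 0 else 1 << -frs_raw
    return {"cluster_size": cluster, "mft_offset": mft_lcn * cluster, "frs_size": frs_size}

def data_is_resident(frs: bytes):
    """True/False for the unnamed $DATA attribute of one FRS, None if it has none.
    Update-sequence fixups are not applied; only attribute headers are read."""
    if frs[:4] != b"FILE":
        raise ValueError("bad FRS signature")
    off, = struct.unpack_from("<H", frs, 0x14)      # offset of the first attribute
    while off + 16 <= len(frs):
        atype, alen = struct.unpack_from("<II", frs, off)
        if atype == 0xFFFFFFFF or alen == 0:        # end marker or corrupt length
            break
        non_resident, name_len = struct.unpack_from("<BB", frs, off + 8)
        if atype == 0x80 and name_len == 0:         # $DATA, default stream
            return non_resident == 0
        off += alen
    return None

def sample_boot() -> bytes:                         # constructed boot sector
    bs = bytearray(512)
    bs[3:11] = b"NTFS    "
    struct.pack_into("<HB", bs, 0x0B, 512, 8)
    struct.pack_into("<Q", bs, 0x30, 786432)
    struct.pack_into("<b", bs, 0x40, -10)
    return bytes(bs)

def sample_frs(non_resident: int) -> bytes:         # constructed FRS, one $DATA attribute
    frs = bytearray(1024)
    frs[:4] = b"FILE"
    struct.pack_into("<H", frs, 0x14, 0x38)
    struct.pack_into("<IIBB", frs, 0x38, 0x80, 0x18, non_resident, 0)
    struct.pack_into("<I", frs, 0x50, 0xFFFFFFFF)
    return bytes(frs)

if __name__ == "__main__":
    print(parse_ntfs_boot(sample_boot()))
    print(data_is_resident(sample_frs(0)), data_is_resident(sample_frs(1)))
```

A record for which data_is_resident returns True has no clusters allocated for its data and is still a valid file, which is the boot.ini case mentioned in the post.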