I have two copies of an NTFS partition on a Linux server (old backups). If I mount them as loop devices and compare the content file by file, there is no difference between them. But comparing these images with cmp or vbindiff, there are many differences. How can I find out what these are? Possibly the original fs was used in Windows (only for reading) between making the two copies, but I don't remember, and "find . -ls" gives the same result on the mounted images, so the file dates/times look unchanged. I'd like to delete one of them, but I'd like to be sure that they contain the same data and that the differences are unnecessary junk.
2 Answers
You shouldn't compare two images directly if one hasn't been made as a direct image of the other.
If you copy files from a read-only image to a new image, the images will be different on the byte-level, because meta-data on the filesystems are generated in a different order.
This happens because files are created in a different order. There might be some deleted files on the volume. When files are deleted, only the filesystem metadata is updated so that the files' blocks are marked as free, but they will still contain the data of the files.
The only valid way to compare file system contents is via file-level comparison. One good tool for such a purpose is rsync with the --dry-run option, which only shows what rsync would do in case differences are found.
Another useful tool for finding differences is diff.

- Both copies are image backups (dd if=/dev/sdxx of=/Backup/sdxx.img...). After making the first backup, but before destroying the old disk, I checked whether they were the same. I found that the image differed from the original partition, so I created a new copy of it with the same dd. It was about a year ago, and I no longer remember what happened then. – Zoltán Há Sep 07 '17 at 10:14
- Please elaborate in your question on the exact process by which the images were made and at which point in time they were made. – Tero Kilkanen Sep 07 '17 at 10:16
- O.K. It was the data partition on a notebook. I booted a live Linux and backed up this partition to an external HDD: dd if=/dev/sdxx of=/Backup/sdxx.img. Several hours or a day later, I checked whether the backup was identical to the original partition. It was different. I created a new backup: dd if=/dev/sdxx of=/Backup/sdxx_v2.img, then cleared the HDD and used it for other purposes. Between the two backups I possibly booted the original Windows system on the laptop, but I'm sure that I didn't touch that partition. – Zoltán Há Sep 07 '17 at 10:23
- Even booting up Windows will cause differences in the file system contents. For example, swap file contents change, temporary files get created and deleted, etc. File-level comparison is the only reliable indicator of possible changes. – Tero Kilkanen Sep 07 '17 at 10:26
- It was a data partition; it was used only when I manually started some software. There was no place for temporary files or swap or anything like that. When I destroyed that Windows, I suspected the system was infected by an unknown malware... – Zoltán Há Sep 07 '17 at 10:32
- It is more interesting than I thought. I backed up the boot partition of that notebook too, and the two copies of that partition differ, but the content doesn't. That is impossible if Windows was booted between making the two images (because Windows writes some entries to the event log at least...). I have only one idea left: the partitions were mounted r/w instead of r/o, but... I wonder if only mounting an NTFS on Linux would make so many changes on the mounted fs... – Zoltán Há Sep 07 '17 at 10:50
I think I have found a possible solution. There are some tools in the package ntfs-3g: ntfscmp, ntfsinfo, ntfscat, etc.
With ntfscmp I could compare the NTFS images, and it shows the different inodes.
With ntfsinfo -i image_name I could determine the type of those inodes and much other information about them. The inodes with different content are named "$LogFile" - this is NTFS's own journal AFAIK.
The solution: there are no real differences between the images. Perhaps I mounted them as r/w and ... and I don't know what else happened to them, but the content is the same on both images.

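To see where the byte-level differences reported by cmp actually sit before naming them with ntfscmp and ntfsinfo, the following added example (not code from either answer) compares two raw partition images cluster by cluster and returns the differing cluster runs. It assumes each image is a dd copy of the partition itself, so the NTFS boot sector is at offset 0; the function names are hypothetical.

```python
import struct

def ntfs_cluster_size(image_path):
    """Read the cluster size in bytes from the NTFS boot sector of a partition image."""
    with open(image_path, "rb") as f:
        boot = f.read(512)
    if len(boot) < 512 or boot[3:11] != b"NTFS    ":
        raise ValueError(f"{image_path}: no NTFS boot sector at offset 0")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", boot, 0x0B)
    if sectors_per_cluster > 128:      # large clusters are stored as a power of two
        sectors_per_cluster = 1 << (256 - sectors_per_cluster)
    return bytes_per_sector * sectors_per_cluster

def differing_clusters(image_a, image_b):
    """Return [(first_cluster, last_cluster), ...] runs where the two images differ."""
    csize = ntfs_cluster_size(image_a)
    if ntfs_cluster_size(image_b) != csize:
        raise ValueError("images use different cluster sizes")
    runs, cluster = [], 0
    with open(image_a, "rb") as fa, open(image_b, "rb") as fb:
        while True:
            a, b = fa.read(csize), fb.read(csize)
            if not a and not b:
                break
            if a != b:                 # a size mismatch also counts as a difference
                if runs and runs[-1][1] == cluster - 1:
                    runs[-1] = (runs[-1][0], cluster)   # extend the current run
                else:
                    runs.append((cluster, cluster))
            cluster += 1
    return runs

def summarize(runs, csize):
    """Total differing bytes and the five longest runs, to show whether changes cluster."""
    total = sum((last - first + 1) * csize for first, last in runs)
    largest = sorted(runs, key=lambda r: r[1] - r[0], reverse=True)[:5]
    return total, largest

if __name__ == "__main__":
    import sys
    img_a, img_b = sys.argv[1:3]
    found = differing_clusters(img_a, img_b)
    total, largest = summarize(found, ntfs_cluster_size(img_a))
    print(f"{len(found)} differing runs, {total} bytes in total")
    for first, last in largest:
        print(f"clusters {first}-{last}")
```

A handful of runs concentrated in one region suggests the differences belong to a few metadata files rather than to user data, which the inode-level tools from the answer above can then confirm.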