-1

In my thesis I'm dealing with Windows NTFS filesystem low level attributes and for this I'm trying to develop a demonstration program reading and displaying NTFS system files and folders like $Extend. Unfortunately with no success so far. Could anyone put me on the right track? Any C or Delphi example would be welcome too. Thank you in advance.

SWeko
  • 30,434
  • 10
  • 71
  • 106
Tim
  • 1
  • 1
  • 5
    Hello and welcome to stackoverflow.com. I would recommend you to first read the [FAQ](http://stackoverflow.com/faq), especially the sections named [" What kind of questions can I ask here?"](http://stackoverflow.com/faq#questions), ["What kind of questions should I not ask here?"](http://stackoverflow.com/faq#dontask) and ["How do I ask questions here?"](http://stackoverflow.com/faq#howtoask). I also recommend you read the sites [What have you tried?](http://mattgemmell.com/2008/12/08/what-have-you-tried/) and http://sscce.org/. – Some programmer dude Dec 14 '12 at 08:55
  • At the very mimiumum you should google your query and see what that throws up before asking the question here. – Toby Allen Dec 14 '12 at 09:09
  • Believe me I've been doing it for days, but the info is really sparse, but thanks for your reply anyway – Tim Dec 14 '12 at 09:30
  • I looked for similar a while ago, the best I came up with was a python script called AnalyzeMFT. I think there's a link to it here: http://www.integriography.com/ my firewall here at work won't let me open the link at the site, so I apologize if it's a dead link. Also, if you are looking for a good reference book on the subject: File System Forensic Analysis by Brian Carrier, ISBN-13: 978-0-321-26817-4 – A Lombardo Dec 14 '12 at 13:50
  • Thank you for your advice. (The new link is https://github.com/dkovar/analyzeMFT) It seems to be a good starting point and the book is brilliant. Thanks again. – Tim Dec 15 '12 at 16:21
  • The link is useless - it doesn't show how I could enumerate and read files and directories. – Brian Cannard Apr 08 '13 at 09:13

1 Answers1

1

Any C or Delpi example would be welcome too

Google: "Linux + NTFS"

AFAIR it had (in order of their development) three implementations:
1) old one, read-only, NTFS
2) NTFS-captive - limited WinNT kernel implementation used as wrapper to push original NTFS.sys into FUSE
3) new read/write NTFS 3rd Generation

#2 is no interest for you.

#3 would be most recent but complex codebase
#1 would be obsolete and feature-limited - but more simple to read and learn

But take both sources for #1 and #3 and compare for yourself

Arioch 'The
  • 15,799
  • 35
  • 62
  • Thank you for your answer. I'll take a look at it immediately – Tim Dec 14 '12 at 09:13
  • Hi Arioch, these are interesting, but the thing is that these are for Linux and I'd like to do it with Windows – Tim Dec 14 '12 at 09:28
  • 4
    if you need *an example* how to find and parse those structures - example that *you* would *read and learn* and then implement yourself - then as long it is C it does not matter what OS is used. However, if you want someone to write complete program for you, then target OS does matter, but then that is wrong site to ask. – Arioch 'The Dec 14 '12 at 10:01