tags:

views:

90

answers:

3
Q: 

Extract $bitmap file from NTFS Image

Does anyone know of any software that can extract the $bitmap file from NTFS images?

Or does anyone know of any site that documents NTFS enough so that I can code this myself?

(I want to read the $bitmap so I can identify what clusters are not in use, so they can be removed from the images)

+1  A: 

There's one short paragraph in this early publication by a talented person:

http://www.alex-ionescu.com/NTFS.pdf

Windows programmer  2010-06-21 00:57:06
I also found this: data.linux-ntfs.org/ntfsdoc.pdf which should be enough info to do it myself.
kiasecto  2010-06-21 01:25:34
A: 

There is also "Forensic File systems " by Brian Carrier. It does explain NTFS in detail. ntfs.org also is helful

Since $Bitmap is a system file, you can't open it up and read it. Also beware that if the disk is in use, it can change.

Dominik Weber  2010-08-25 18:19:57
A: 

I answered this one in a different place, but on a live Windows machine the best answer is probably to use FSCTL_GET_VOLUME_BITMAP. This will reflect any changes the FS knows about that aren't on the disk.

jrtipton  2010-08-27 14:07:17

related questions

'NT AUTHORITY\NETWORK SERVICE' not inheritting local group permissions?
Windows XP vs Vista: NTFS Junction points
How to safely update a file that has many readers and one writer?
IIS6 FTP ignores NTFS file permissions?
Best file system to transfer 5+GB files between OS X and Windows on removable media
Why is my mounted MacFUSE NTFS vol read-only?
What is the best way to check for reparse point in .net (c#)?
Create discrepancy between size on disk and actual size in NTFS
What technology to get NTFS access rights in C ?
Directory Traversal in C#
Does Windows XP use the NTFS filesystem function calls to read-from/write-to a pagefile (pagefile.sys)?
SQL Server 2000 Page size and the NTFS page size
How do you reduce the size of a folder's index file in NTFS?
Limit file access to specific users in IIS
Maximum Filename Length in NTFS (XP and Vista)?
Change journal operations in .NET?
Would NTFS allocation blocks of 16KB or 32KB make compile time faster in comparison to the default 4KB?
Any way to ignore files coming from the repository for NTFS?
NTFS performance and large volumes of files and directories
is there something like alternate data streams on any linux filesystem?
Understanding IIS6 permissions, ACL, and identity--how can I restrict access?
Mounting NTFS filesystem on CentOS 5.2
How do you deal with lots of small files?
How can I view the allocation unit size of a NTFS partition in Vista?
How to see if a subfile of a directory has changed