I would like to write a program that reads all the unused clusters on an NTFS volume. (I'm looking to recover data from a file that was accidentally truncated).

According to this page I can call SetFilePointer() and ReadFile() on the volume handle to go through each logical cluster on the volume. But how do I know which clusters are being used by files, and which are free?

+1  A: 

In order to get all the unused clusters on an NTFS volume you would have to build a map of all allocations of all the files and streams. It is very complex since you would have to parse extent lists for non-resident file attributes. And the MFT.

But you can use IOCTLs or fsutil file queryallocranges on the truncated file and read the last extent and beyond. Compute where the current file ends and you will get the file slack.

That is if the file is not compressed or EFS-encrypted.

A free or commercial data recovery program would be a quicker way here.

Dominik Weber
A: 

FSCTL_GET_VOLUME_BITMAP should be exactly what you're looking for, and should be pretty quick. This is what a lot of components use to try and defrag a single file, say, into a large contiguous space.

jrtipton
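
The following is an added example, not code from the question or either answer. FSCTL_GET_VOLUME_BITMAP fills a VOLUME_BITMAP_BUFFER (StartingLcn, BitmapSize, then one bit per cluster, set when the cluster is in use); this sketch turns such a bitmap into runs of free clusters and the byte offsets to pass to SetFilePointer()/ReadFile(). The names `free_run`, `find_free_runs` and `lcn_to_offset` are hypothetical, the sample bitmap and the 4096-byte cluster size are constructed, and the DeviceIoControl() call itself is left out so the code runs without a volume handle.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One run of consecutive free clusters (hypothetical helper type). */
typedef struct { uint64_t first_lcn; uint64_t count; } free_run;

/* Walk a bitmap laid out like VOLUME_BITMAP_BUFFER.Buffer: one bit per cluster,
 * least-significant bit first in each byte, 1 = in use, 0 = free.
 * Returns the number of free runs found; at most max_runs are stored in out. */
size_t find_free_runs(const uint8_t *bits, uint64_t starting_lcn,
                      uint64_t bit_count, free_run *out, size_t max_runs)
{
    size_t n = 0;
    uint64_t run_start = 0, run_len = 0;
    for (uint64_t i = 0; i <= bit_count; i++) {
        /* The position past the end counts as "in use" to flush the last run. */
        int used = (i == bit_count) || ((bits[i / 8] >> (i % 8)) & 1);
        if (!used) {
            if (run_len == 0)
                run_start = starting_lcn + i;
            run_len++;
        } else if (run_len > 0) {
            if (n < max_runs)
                out[n] = (free_run){ run_start, run_len };
            n++;
            run_len = 0;
        }
    }
    return n;
}

/* Byte offset of a cluster on the volume, for SetFilePointer()/ReadFile(). */
uint64_t lcn_to_offset(uint64_t lcn, uint32_t bytes_per_cluster)
{
    return lcn * (uint64_t)bytes_per_cluster;
}

int main(void)
{
    /* Constructed sample: 16 clusters from LCN 0; 4096-byte clusters assumed. */
    const uint8_t sample[2] = { 0x0F, 0xC3 };
    free_run runs[8];
    size_t n = find_free_runs(sample, 0, 16, runs, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("free: LCN %llu, %llu clusters, byte offset %llu\n",
               (unsigned long long)runs[i].first_lcn, (unsigned long long)runs[i].count,
               (unsigned long long)lcn_to_offset(runs[i].first_lcn, 4096));
    return 0;
}
```

On a real volume the bitmap is a snapshot: clusters reported free can be allocated again before they are read, so recovery is best done against an image or a volume that is not being written to.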