How to get LBA(logical block addressing) of a file from MFT on NTFS file system?

后端 未结 2 719
既然无缘
既然无缘 2021-01-26 06:18

I accessed the $MFT file and extracted file attributes.

Given the file attributes from MFT, how to get a LBA of file from the MFT record on NTFS file system?

To

相关标签:
2条回答
  • 2021-01-26 06:21

    IMHO you should write the code by doing some basic arithmetic rather than using IOCTLs and FSCTLs for everything. You should know the size of your disk and the offset from which a volume starts (or every extent by using IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS) and store those values somewhere. Then just add the LCN times the size of a cluster to the offset of the extent on the disk.

    Most of the time you just have to deal with one extent. When you have multiple extents you can figure out on which extent the cluster is by multiplying the LCN with the size of a cluster and then subtracting the size of each extent returned by the IOCTL in the order they are returned, if the next number to subtract is greater than your current number, that particular LCN is on that extent.

    0 讨论(0)
  • 2021-01-26 06:36

    I'm not entirely sure of your question-- But if you're simply trying to find the logical location on disk of a file, there are various IOCTLs that will achieve this.

    For instance, MFT File records: FSCTL_GET_NTFS_FILE_RECORD http://msdn.microsoft.com/en-us/library/windows/desktop/aa364568(v=vs.85).aspx

    Location on disk of a specific file via HANDLE: FSCTL_GET_RETRIEVAL_POINTERS http://msdn.microsoft.com/en-us/library/windows/desktop/aa364572(v=vs.85).aspx

    If you're trying to parse NTFS on your own, you'll need to follow the $DATA attribute-- Which will always be non-resident data runs (unless it's a small file that can be resident within the MFT). Microsoft's data runs are fairly simply structures of data contained in the first two nibbles, which specify offset and length for the next run of data.

    0 讨论(0)
提交回复
热议问题