13 Jan 2015

Another MFT parser and copy restricted files program

I've been working on a command-line program that lets me run quick searches by reading the MFT directly and copy files while bypassing the limitations of the OS. There are already some programs that do this, but:
- Some have ceased to be free.
- Some are very large and slow.
- I want to seriously learn the architecture of the MFT.
- I want to learn C#.
- Just for fun.

The method I have used to speed things up is to build a dictionary from the MFT enumeration returned by FSCTL_ENUM_USN_DATA, storing the offset of each MFT record in it.

This process, on an old system with a 400 Gb partition holding 300k objects, takes 5 seconds on average. This initial pass is necessary because the MFT is often fragmented, and while processing an ATTRIBUTE_LIST I find references to MFT entries that have not yet been examined but that must be read to extract names and dates from ATTRIBUTE_FILE_NAME.
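As an added example (not the author's program), the following C# builds that kind of lookup table with FSCTL_ENUM_USN_DATA. It keys the dictionary by the file reference number that the enumeration returns (low 48 bits = MFT record index, high 16 bits = sequence number) rather than by a byte offset, and rebuilds full paths by walking parent references up to the root directory, which is always record 5. The drive letter, the 1 MB output buffer and the search for the name `$UsnJrnl` in `Main` are assumptions chosen for the demo; the process must be elevated to open the volume handle.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

static class MftEnum
{
    const uint GENERIC_READ = 0x80000000, FILE_SHARE_READ = 1, FILE_SHARE_WRITE = 2, OPEN_EXISTING = 3;
    const uint FSCTL_ENUM_USN_DATA = 0x000900B3;
    const int ERROR_HANDLE_EOF = 38;                   // returned when the enumeration is exhausted
    const ulong ROOT_RECORD = 5;                       // MFT record 5 is the root directory
    const ulong RECORD_MASK = 0x0000FFFFFFFFFFFF;      // low 48 bits of a file reference = record index

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern SafeFileHandle CreateFileW(string name, uint access, uint share, IntPtr sa,
        uint disposition, uint flags, IntPtr template);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool DeviceIoControl(SafeFileHandle h, uint code, IntPtr inBuf, uint inSize,
        IntPtr outBuf, uint outSize, out uint returned, IntPtr overlapped);

    public struct Entry { public ulong Parent; public string Name; public uint Attributes; }

    // Enumerate every MFT record of the volume and return {FileReferenceNumber -> Entry}.
    public static Dictionary<ulong, Entry> Enumerate(char driveLetter)
    {
        var table = new Dictionary<ulong, Entry>();
        using (var vol = CreateFileW(@"\\.\" + driveLetter + ":", GENERIC_READ,
            FILE_SHARE_READ | FILE_SHARE_WRITE, IntPtr.Zero, OPEN_EXISTING, 0, IntPtr.Zero))
        {
            if (vol.IsInvalid) throw new Win32Exception();

            const int outSize = 1 << 20;                       // assumed buffer size, 1 MB
            IntPtr inBuf = Marshal.AllocHGlobal(24);           // MFT_ENUM_DATA_V0: StartFrn, LowUsn, HighUsn
            IntPtr outBuf = Marshal.AllocHGlobal(outSize);
            try
            {
                Marshal.WriteInt64(inBuf, 0, 0);               // StartFileReferenceNumber
                Marshal.WriteInt64(inBuf, 8, 0);               // LowUsn
                Marshal.WriteInt64(inBuf, 16, long.MaxValue);  // HighUsn
                while (true)
                {
                    if (!DeviceIoControl(vol, FSCTL_ENUM_USN_DATA, inBuf, 24, outBuf, outSize,
                            out uint returned, IntPtr.Zero))
                    {
                        int err = Marshal.GetLastWin32Error();
                        if (err == ERROR_HANDLE_EOF) break;
                        throw new Win32Exception(err);
                    }
                    // The first 8 bytes of the output hold the reference number the next call starts from.
                    Marshal.WriteInt64(inBuf, 0, Marshal.ReadInt64(outBuf, 0));
                    int off = 8;
                    while (off < returned)
                    {
                        // USN_RECORD_V2 field offsets, in bytes
                        int len = Marshal.ReadInt32(outBuf, off);                    // RecordLength
                        ulong frn = (ulong)Marshal.ReadInt64(outBuf, off + 8);       // FileReferenceNumber
                        ulong parent = (ulong)Marshal.ReadInt64(outBuf, off + 16);   // ParentFileReferenceNumber
                        uint attrs = (uint)Marshal.ReadInt32(outBuf, off + 52);      // FileAttributes
                        int nameLen = Marshal.ReadInt16(outBuf, off + 56);           // FileNameLength (bytes)
                        int nameOff = Marshal.ReadInt16(outBuf, off + 58);           // FileNameOffset
                        string name = Marshal.PtrToStringUni(outBuf + off + nameOff, nameLen / 2);
                        table[frn] = new Entry { Parent = parent, Name = name, Attributes = attrs };
                        off += len;
                    }
                }
            }
            finally { Marshal.FreeHGlobal(inBuf); Marshal.FreeHGlobal(outBuf); }
        }
        return table;
    }

    // Rebuild a full path by following parent references until the root record is reached.
    public static string PathOf(Dictionary<ulong, Entry> table, ulong frn, char driveLetter)
    {
        var parts = new List<string>();
        int guard = 0;                                          // protects against a corrupt parent cycle
        while ((frn & RECORD_MASK) != ROOT_RECORD && table.TryGetValue(frn, out Entry e) && guard++ < 512)
        {
            parts.Add(e.Name);
            frn = e.Parent;
        }
        parts.Reverse();
        return driveLetter + @":\" + string.Join(@"\", parts);
    }

    static void Main(string[] args)
    {
        char drive = args.Length > 0 ? args[0][0] : 'C';
        var sw = System.Diagnostics.Stopwatch.StartNew();
        var table = Enumerate(drive);
        Console.WriteLine($"{table.Count} records in {sw.ElapsedMilliseconds} ms");
        foreach (var kv in table)                                // example search: the change journal file
            if (string.Equals(kv.Value.Name, "$UsnJrnl", StringComparison.OrdinalIgnoreCase))
                Console.WriteLine($"record {kv.Key & RECORD_MASK}: {PathOf(table, kv.Key, drive)}");
    }
}
```

Two things to keep in mind when using a table like this: the enumeration yields one name per MFT record, so a file with several hard links appears under only one of them, and the parent reference carries a sequence number, so a stale parent (deleted and reused record) simply fails the lookup and the path comes back truncated rather than wrong.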

Finally, I have also added an option to copy files while bypassing the restrictions of the OS, which is very convenient because it lets you copy restricted or protected files such as MFT or UsnJrnl.

The functions used are imported from the KERNEL32.DLL library: GetVolumeInformationByHandleW, ReadFile, CreateFile, SetFilePointerEx, GetFileInformationByHandle, DeviceIoControl.
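To show what "bypassing the restrictions of the OS" looks like at the API level, here is an added C# example (not the author's program) that uses CreateFile, DeviceIoControl, SetFilePointerEx and ReadFile on the raw volume to fetch one MFT record, undo its update-sequence fixups and list its attributes. Record 0 is the $MFT itself, a file that normal file APIs refuse to open. The drive letter and record number are parameters; the assumption that the requested record lies in the first MFT fragment (offset = MftStartLcn * BytesPerCluster + N * record size) is labelled in the code and is exactly the case a fragmented MFT breaks, which is why the full $MFT $DATA runs have to be decoded in a real tool.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

static class RawMft
{
    const uint FSCTL_GET_NTFS_VOLUME_DATA = 0x00090064;
    const ulong RECORD_MASK = 0x0000FFFFFFFFFFFF;

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern SafeFileHandle CreateFileW(string name, uint access, uint share, IntPtr sa,
        uint disposition, uint flags, IntPtr template);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool DeviceIoControl(SafeFileHandle h, uint code, IntPtr inBuf, uint inSize,
        IntPtr outBuf, uint outSize, out uint returned, IntPtr overlapped);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool SetFilePointerEx(SafeFileHandle h, long distance, out long newPos, uint method);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool ReadFile(SafeFileHandle h, byte[] buf, uint toRead, out uint read, IntPtr overlapped);

    public struct VolumeGeometry { public uint BytesPerSector, BytesPerCluster, BytesPerRecord; public long MftStartLcn; }

    // NTFS_VOLUME_DATA_BUFFER gives the MFT start cluster and the record size without parsing the boot sector.
    public static VolumeGeometry GetGeometry(SafeFileHandle vol)
    {
        IntPtr buf = Marshal.AllocHGlobal(96);
        try
        {
            if (!DeviceIoControl(vol, FSCTL_GET_NTFS_VOLUME_DATA, IntPtr.Zero, 0, buf, 96, out uint _, IntPtr.Zero))
                throw new Win32Exception();
            return new VolumeGeometry
            {
                BytesPerSector = (uint)Marshal.ReadInt32(buf, 40),
                BytesPerCluster = (uint)Marshal.ReadInt32(buf, 44),
                BytesPerRecord = (uint)Marshal.ReadInt32(buf, 48),   // BytesPerFileRecordSegment
                MftStartLcn = Marshal.ReadInt64(buf, 64),
            };
        }
        finally { Marshal.FreeHGlobal(buf); }
    }

    // The last 2 bytes of each sector hold the update sequence number; restore the saved bytes from the
    // update sequence array. A mismatch means a torn write or a misread, so the record is not trusted.
    public static bool ApplyFixups(byte[] rec, uint bytesPerSector)
    {
        if (rec[0] != 'F' || rec[1] != 'I' || rec[2] != 'L' || rec[3] != 'E') return false;
        int usaOffset = BitConverter.ToUInt16(rec, 4);
        int usaCount = BitConverter.ToUInt16(rec, 6);              // entries, including the USN itself
        ushort usn = BitConverter.ToUInt16(rec, usaOffset);
        for (int i = 1; i < usaCount; i++)
        {
            int pos = (int)(i * bytesPerSector) - 2;
            if (pos + 1 >= rec.Length || BitConverter.ToUInt16(rec, pos) != usn) return false;
            rec[pos] = rec[usaOffset + 2 * i];
            rec[pos + 1] = rec[usaOffset + 2 * i + 1];
        }
        return true;
    }

    // Assumption: record n lives in the first MFT data run. Reads stay sector-aligned because the
    // offset is cluster-aligned plus a multiple of the record size.
    public static byte[] ReadRecord(SafeFileHandle vol, VolumeGeometry g, ulong n)
    {
        var rec = new byte[g.BytesPerRecord];
        long offset = g.MftStartLcn * g.BytesPerCluster + (long)(n * g.BytesPerRecord);
        if (!SetFilePointerEx(vol, offset, out _, 0 /* FILE_BEGIN */) ||
            !ReadFile(vol, rec, (uint)rec.Length, out uint read, IntPtr.Zero) || read != rec.Length)
            throw new Win32Exception();
        if (!ApplyFixups(rec, g.BytesPerSector)) throw new InvalidDataException($"record {n}: bad signature or fixup");
        return rec;
    }

    // Walk the attributes; for a resident ATTRIBUTE_LIST (0x20) also show which other records it points to.
    public static void DumpAttributes(byte[] rec)
    {
        int off = BitConverter.ToUInt16(rec, 20);                  // FirstAttributeOffset
        while (off + 8 <= rec.Length)
        {
            uint type = BitConverter.ToUInt32(rec, off);
            if (type == 0xFFFFFFFF) break;                         // end-of-attributes marker
            int len = (int)BitConverter.ToUInt32(rec, off + 4);
            if (len < 24 || off + len > rec.Length) break;         // corrupt length, stop rather than overrun
            bool nonResident = rec[off + 8] != 0;
            Console.WriteLine($"  attribute 0x{type:X2} len={len} {(nonResident ? "non-resident" : "resident")}");
            if (type == 0x20 && !nonResident)
            {
                int valLen = (int)BitConverter.ToUInt32(rec, off + 16);
                int p = off + BitConverter.ToUInt16(rec, off + 20), end = p + valLen;
                while (p + 26 <= end)
                {
                    uint eType = BitConverter.ToUInt32(rec, p);
                    int eLen = BitConverter.ToUInt16(rec, p + 4);
                    ulong eRef = BitConverter.ToUInt64(rec, p + 16);   // base file reference of that piece
                    Console.WriteLine($"    list entry type 0x{eType:X2} -> MFT record {eRef & RECORD_MASK}");
                    if (eLen < 26) break;
                    p += eLen;
                }
            }
            off += len;
        }
    }

    static void Main(string[] args)
    {
        char drive = args.Length > 0 ? args[0][0] : 'C';
        ulong n = args.Length > 1 ? ulong.Parse(args[1]) : 0;         // record 0 = $MFT
        using (var vol = CreateFileW(@"\\.\" + drive + ":", 0x80000000, 3, IntPtr.Zero, 3, 0, IntPtr.Zero))
        {
            if (vol.IsInvalid) throw new Win32Exception();
            var g = GetGeometry(vol);
            byte[] rec = ReadRecord(vol, g, n);
            ushort flags = BitConverter.ToUInt16(rec, 22);
            Console.WriteLine($"record {n}: sequence {BitConverter.ToUInt16(rec, 16)}, " +
                $"{((flags & 1) != 0 ? "in use" : "free")}, {((flags & 2) != 0 ? "directory" : "file")}");
            DumpAttributes(rec);
        }
    }
}
```

The fixup check is the part worth keeping even in a quick tool: skipping it means silently reading the update sequence number in place of two real bytes at every sector boundary, which corrupts attribute lengths and data runs in ways that are hard to notice later.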
