Get file offset on disk/cluster number


Problem description

I need to get any information about where the file is physically located on the NTFS disk. Absolute offset, cluster ID... anything.

I need to scan the disk twice, once to get allocated files and one more time I'll need to open partition directly in RAW mode and try to find the rest of data (from deleted files). I need a way to understand that the data I found is the same as the data I've already handled previously as file. As I'm scanning disk in raw mode, the offset of the data I found can be somehow converted to the offset of the file (having information about disk geometry). Is there any way to do this? Other solutions are accepted as well.

Now I'm playing with FSCTL_GET_NTFS_FILE_RECORD, but can't make it work at the moment and I'm not really sure it will help.

UPDATE

I found the following function:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa364952(v=vs.85).aspx
It returns a structure that contains the nFileIndexHigh and nFileIndexLow variables. The documentation says:

The identifier that is stored in the nFileIndexHigh and nFileIndexLow members is called the file ID. Support for file IDs is file system-specific. File IDs are not guaranteed to be unique over time, because file systems are free to reuse them. In some cases, the file ID for a file can change over time.

I don't really understand what this is. I can't connect it to the physical location of the file. Is it possible later to extract this file ID from the MFT?

UPDATE

Found this:

This identifier and the volume serial number uniquely identify a file. This number can change when the system is restarted or when the file is opened.

This doesn't satisfy my requirements, because I'm going to open the file and the fact that ID might change doesn't make me happy.

Any ideas?

Solution

Use the Defragmentation IOCTLs. For example, FSCTL_GET_RETRIEVAL_POINTERS will tell you the extents which contain file data.
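
The extent list that FSCTL_GET_RETRIEVAL_POINTERS returns can be used to map an offset found during the raw scan back to an offset inside an allocated file, and the reverse. The following is an added example, not part of the original answer: it is portable C that works on a constructed extent list, and `extent_t`, `SAMPLE` and both function names are hypothetical. It assumes offsets are relative to the start of the volume and that an LCN of -1 marks a sparse or compressed hole.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical portable mirror of one RETRIEVAL_POINTERS_BUFFER.Extents[] entry. */
typedef struct {
    int64_t next_vcn; /* first virtual cluster (file-relative) after this extent */
    int64_t lcn;      /* first logical cluster (volume-relative); -1 = hole */
} extent_t;

/* Constructed sample: 4 clusters at LCN 1000, a 2-cluster hole, 4 clusters at LCN 500. */
static const extent_t SAMPLE[] = { {4, 1000}, {6, -1}, {10, 500} };

/* Raw volume byte offset -> byte offset inside the file, or -1 if not in this file. */
int64_t volume_to_file_offset(const extent_t *ext, size_t count, int64_t starting_vcn,
                              int64_t cluster_size, int64_t volume_offset)
{
    int64_t vcn = starting_vcn; /* VCN at which the current extent begins */
    for (size_t i = 0; i < count; i++) {
        if (ext[i].lcn >= 0) { /* holes occupy no clusters on disk */
            int64_t start = ext[i].lcn * cluster_size;
            int64_t end = start + (ext[i].next_vcn - vcn) * cluster_size;
            if (volume_offset >= start && volume_offset < end)
                return vcn * cluster_size + (volume_offset - start);
        }
        vcn = ext[i].next_vcn;
    }
    return -1;
}

/* Byte offset inside the file -> raw volume byte offset, or -1 for a hole or past the end. */
int64_t file_to_volume_offset(const extent_t *ext, size_t count, int64_t starting_vcn,
                              int64_t cluster_size, int64_t file_offset)
{
    int64_t vcn = starting_vcn;
    for (size_t i = 0; i < count; i++) {
        int64_t start = vcn * cluster_size;
        int64_t end = ext[i].next_vcn * cluster_size;
        if (file_offset >= start && file_offset < end)
            return ext[i].lcn < 0 ? -1 : ext[i].lcn * cluster_size + (file_offset - start);
        vcn = ext[i].next_vcn;
    }
    return -1;
}

int main(void)
{
    /* A hit at volume cluster 500 belongs to file cluster 6 (after the hole). */
    printf("%lld\n", (long long)volume_to_file_offset(SAMPLE, 3, 0, 4096, 500 * 4096));
    return 0;
}
```

On a real volume the extents come from DeviceIoControl with FSCTL_GET_RETRIEVAL_POINTERS on the file handle, and the cluster size from GetDiskFreeSpace.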
