The logic for determining where the actions SetIndexEntryVcnRoot and
SetIndexEntryVcnAllocation had to insert a new vcn was unclear and was
wrong in some situations. This is to fix the logic as determined by new
evidence.
When a file is partially truncated, the highest_vcn has to be recomputed
before the file size is adjusted. As a consequence the unmapped run
inserted at the end of runlist to match the file size should not be taken
into account when determining the higest_vcn.
When the fast restart mode of Windows 8 (or later) is activated, the
log file format is different (version 2.0 instead of 1.1), having 32
temporaty blocks instead of 2. This patch upgrades ntfsrecover to take
the new format into account.
When using option --ignore-fs-check in ntfsclone, doubly allocated cluster
still lead to aborting the process. Bypassing the error is useful for
creating a metadata image intended for debugging, for example when the
partition was not closed properly and the logfile has to be applied to
restore the integrity of metadata.
The computing of replacement bytes for overwriting undeletable files
uses random values and standard ones instead of the values provided in
option --bytes. Fix the mixup between both logics, mention the difference
in the documentation and reject defining both options --bytes and --undel.
The license for using the boot loader which used to be inserted by mkntfs
is unclear, so remove it, and only keep the boot sector restricted to
what is needed for having it recognized as such. The space for a loader
is still reserved so that an operating system being installed can insert
its own loader.
The bad cluster list may be updated in ntfsresize and ntfsfix. Though
technically it is organized as a sparse file, Windows does not set
the sparse flags. Do the same to avoid problems with third-party
packages.
The new ntfsrecover option --kill-fast-restart can be used to delete
the Windows fast-restart indication before playing the log. This can
lead to data loss, but is needed before mounting a partition improperly
unmounted from Windows when remounting on Windows is inconvenient.
ntfsrecover -f -v <log file> receives a SIGSEGV because of trying to
read memory outside allocated buffer because of no sanity checks on
restart page header values. This happens on an empty $LogFile because
of no basic checks present. Attached patch adds basic checks similar
to those inside logfile library and allows tool to exit with more
suitable message.
(contributed by Rakesh Pandit)
These tools were originally developed for running on Windows and later
ported to libntfs-3g. This patch makes them similar to other ntfsprogs
tools, dropping the native Windows interfaces and using libntfs-3g on
all platforms.
There is no change in usage or supported features, only the command
names have changed.
These tools were developped before the ntfsprogs were merged into ntfs-3g,
redesigning them like the ntfsprogs make the code simpler.
Note : at this stage secaudit and usermap cannot be built any more.
Prepare merging ntfsrecover.h into logfile.h by adding a usn field to
RESTART_PAGE_HEADER. As this changes the record size, ignore the new
field in existing code.
Usually, only a few pages of the Windows log file are saved in an
ntfsclone image. This is inappropriate for building reference images
for recovering the log, and the --full-logfile option serves that
purpose.
When an INDX or MFT record could not be read while undoing the creation
of this record, there is nothing to do. However if this was undoing the
deletion of the last entry in an index, a new void index block has to be
created.
The previous fix for the warning referred to 'prevbuf' being used
uninitialized and this is also what the compiler says. However
initializing 'prevbuf' doesn't make the warning go away and further
testing revealed that it is really 'savebuf' being possibly used prior
to initialization that is the source of the warning (the incorrect
warning message is probably an optimization-related gcc bug). So replace
previous ineffective fix with explicit initialization of 'savebuf'.
For 64-bit (e.g. x86_64) Linux the 64-bit wide types resolve to long,
not long long as is the case in 32-bit (e.g. i386) Linux. So we need an
explicit cast to long long for 64-bit types since the format string must
specify the 'll' modifier in order to print 64-bit values.
Some compilers issue a warning when a pointer is initialized in
both alternatives of a condition. Force an extra initialization
to avoid such warnings.
Closing the volume is the way to sync the MFT to disk. When not doing
so, the MFT runlists in $DATA and $Bitmap are not synced if they have
been updated in the second resizing stage relative to runlists which
have grown outside their original MFT record.
Unlike in most cases, the bad sector inode has to be closed if it
was updated and required MFT extents (when there are a lot of bad
sectors and some of them were outside the truncated partition).
Not doing so causes the inode to not be fully synced to device.