
How to get the path of a deleted directory? [closed]

Developer https://www.devze.com 2023-04-11 14:59 Source: web
It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center. Closed 11 years ago.

I am using C++ to query the NTFS change journal, and it seems to work alright. The only problem is the change journal does not show up any records for directory delete or modified. Because of which, I am unable to get the path for the deleted files in the subdirectories and subfiles under it.

Does anyone have any insight on this topic?

Edit: Can anyone close this topic? I noticed that the files that were under the deleted directory would come up first as deleted, and the directory delete record would come after all that. Which makes sense because the files are deleted first and then the directory. Apologies for my lack of foresight.


I'm not expert enough to answer the question straight up.

However, I suggest you look at

  • http://www.codeproject.com/KB/files/NTFSUndelete.aspx (comes with source code)
  • testdisk explicitly only lists that it can undelete files on ntfs, not directories (here)
  • the ntfsundelete utility in ntfsprogs

It contains the following rather ominous sign, though:

if (file->directory) {
    ntfs_log_debug("Found a directory: not recoverable.\n");
    return 0;
}

which does seem to suggest that indeed only individual files can be tracked after deletion.


By design, the change journal has to manage the deletion of an index since it takes at least several filesystem changes:

  • marking the index's MFT entry available in the header
  • deallocating the index's clusters
  • freeing the MFT entry bitmap(s)

Without knowing how you query the change journal, I would guess that the API is omitting index deletion information. If you are parsing the journal yourself, then I don't know why it is not there.

I wrote some forensic tools for NTFS from 2002-2004 which do recover the contents of deleted directories. But it is not easy. Scanning $MFT for a deleted index is straightforward: just look at the status bits. Unless it has been reused, the directory name and all other information is intact, except the "available" bit. Finding the directory's path is a simple iterative walk up the parent chain until hitting the root directory.

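The ordering the asker noticed in the edit (child file records arrive before the directory's own delete record) and the parent-chain walk the second answer describes are the same mechanism: every USN record carries the entry's name and its parent's file reference number, so a reader that keeps a name index while it replays the journal can resolve the full path of a deleted file even though its directory is deleted a few records later. The following is an added example, not code from the question or either answer. It models journal records as a plain struct rather than reading them with the real API (which would be DeviceIoControl with FSCTL_READ_USN_JOURNAL filling USN_RECORD_V2 structures); the USN_REASON_* and FILE_ATTRIBUTE_DIRECTORY constants are the real winioctl.h values, but the record sequence, file reference numbers and names are constructed for illustration.

```cpp
// Added example (not from the question or the answers): replaying a
// constructed sequence of NTFS change-journal records and resolving the
// full path of each deleted entry by walking parent references.
#include <cstdint>
#include <iostream>
#include <map>
#include <string>
#include <utility>
#include <vector>

// Real USN_REASON_* / FILE_ATTRIBUTE_* values from winioctl.h / winnt.h.
const uint32_t USN_REASON_FILE_CREATE   = 0x00000100;
const uint32_t USN_REASON_FILE_DELETE   = 0x00000200;
const uint32_t USN_REASON_CLOSE         = 0x80000000;
const uint32_t FILE_ATTRIBUTE_DIRECTORY = 0x00000010;

// Minimal stand-in for USN_RECORD_V2 (only the fields this walk needs).
struct UsnRecord {
    uint64_t frn;        // FileReferenceNumber of the entry itself
    uint64_t parentFrn;  // ParentFileReferenceNumber
    uint32_t reason;     // USN_REASON_* bit set
    uint32_t attributes; // FILE_ATTRIBUTE_* bit set
    std::string name;    // FileName (no path, as in the real record)
};

// frn -> (name, parent frn). Entries are never erased, so a directory that is
// deleted after its children can still be resolved for those children.
struct NameIndex {
    std::map<uint64_t, std::pair<std::string, uint64_t>> entries;
    uint64_t rootFrn;
};

// Walk up the parent chain until the root directory, building "\a\b\c".
// A missing link (journal wrapped or entry never seen) is reported rather
// than guessed, and a loop guard stops a corrupt chain from spinning.
std::string resolvePath(const NameIndex& idx, uint64_t frn) {
    std::string path;
    uint64_t cur = frn;
    for (size_t depth = 0; cur != idx.rootFrn; ++depth) {
        auto it = idx.entries.find(cur);
        if (it == idx.entries.end() || depth > 1024) {
            return std::string("<unresolved>\\") + path;
        }
        path = it->second.first + (path.empty() ? std::string() : "\\" + path);
        cur = it->second.second;
    }
    return "\\" + path;
}

// Replay records in journal order; return the full path of every entry
// whose record carries FILE_DELETE|CLOSE, in the order they were deleted.
std::vector<std::string> deletedPaths(const std::vector<UsnRecord>& journal,
                                      uint64_t rootFrn) {
    NameIndex idx{{}, rootFrn};
    std::vector<std::string> out;
    for (const UsnRecord& r : journal) {
        // Every record names the entry and its parent; learn or refresh it
        // before acting on the reason bits so a delete can still be resolved.
        idx.entries[r.frn] = {r.name, r.parentFrn};
        if ((r.reason & USN_REASON_FILE_DELETE) && (r.reason & USN_REASON_CLOSE)) {
            out.push_back(resolvePath(idx, r.frn));
        }
    }
    return out;
}

// Constructed sample: create \project\src\main.cpp and \project\README, then
// remove the tree. As the asker observed, children are logged as deleted
// before their directory. FRN 5 for the root is the real MFT record number
// of "."; the other FRNs are made up.
std::vector<UsnRecord> sampleJournal() {
    const uint64_t ROOT = 5, DIR = 100, SUB = 101, F1 = 200, F2 = 201;
    const uint32_t CREATE = USN_REASON_FILE_CREATE | USN_REASON_CLOSE;
    const uint32_t DELETE = USN_REASON_FILE_DELETE | USN_REASON_CLOSE;
    return {
        {DIR, ROOT, CREATE, FILE_ATTRIBUTE_DIRECTORY, "project"},
        {SUB, DIR,  CREATE, FILE_ATTRIBUTE_DIRECTORY, "src"},
        {F1,  SUB,  CREATE, 0,                        "main.cpp"},
        {F2,  DIR,  CREATE, 0,                        "README"},
        {F1,  SUB,  DELETE, 0,                        "main.cpp"},
        {SUB, DIR,  DELETE, FILE_ATTRIBUTE_DIRECTORY, "src"},
        {F2,  DIR,  DELETE, 0,                        "README"},
        {DIR, ROOT, DELETE, FILE_ATTRIBUTE_DIRECTORY, "project"},
    };
}

int main() {
    for (const std::string& p : deletedPaths(sampleJournal(), 5)) {
        std::cout << "deleted: " << p << '\n';
    }
    return 0;
}
```

For a real volume the same index is what a forensic timeline tool or a mass-deletion detector maintains; the caveat is the first branch of resolvePath: if the journal has wrapped (or monitoring started after the parent was created) the parent's name is simply not in the journal, and the path must be seeded from a one-time MFT enumeration rather than guessed.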
