"e01" encase ewf files are sometimes not completely shown.

[MariasStory]

Hi, In some .E01 encase files (and direct disk access) I cannot see $MFT file, while Encase imager shows it without problems. Can you please check this one? Maybe you need to update the libewf library or there is something else?

I am using TestDisk 7.1-WIP from April 2018.

[cgsecurity]

It's not related to E01 files. In src/ntfs_dir.c, there is code to hide special files:

  if (MREF(mref) < FILE_first_user && filename[0] == '$')       /* Hide system file */
      goto freefn;

If it's really a feature you want, it may be possible to add some code to not hide them when in expert mode.

[MariasStory]

Hi @cgsecurity . Yes, I need this function badly. Please make the feature to unhide the files.

I was considering this possibility. But, I was sure that I did see the $MFT entry before. Additionally, in current view I see the "$Recycle.Bin" and "$WINDOWS.~BT". This does not make sense.

In practice I would not hide any files in testdisk. If someone uses this utility, this means that he knows about system files. At the end it is easy to delete a partition, so what is wrong with deleting system file?

I guess that this change is easy to implement and I look forward to see this change in the next WIP release.

Thank you so much for the cool tool!!!

[MariasStory]

Hi. Do you plan to fix the system files issue? Maybe you can hide it behind an option?

[MariasStory]

Hi @cgsecurity it seems that you have done some change: https://github.com/cgsecurity/testdisk/commit/2d36e835ba016468e3e59f7bd02716a2bb30948d

I did not test it yet.

[cgsecurity]

You are welcome to compile from source and test it ;-) Enable the Expert mode in Options to be able to list the system files. Note that you will not be able to copy them.

[MariasStory]

Hi @cgsecurity I did not compile testdisk 7.1-WIP, just got the latest version with modification date 28.06.2018. The Expert mode does nothing on my hard drive. I don't see $MFT any way.

Also, the idea was to be able to copy the system files not just see them. Is it possible that all functionality will be activated?