Need help with using the library

[rucat]

Hi! Could you help me with using your libary, please? I wanna to write a simple program to get a list of files of the drive.

This my code:

#include "libfsntfs.h"
typedef intptr_t libcerror_error_t;
int main() {
    libfsntfs_volume_t *volume = 0;
    libcerror_error_t *error = 0;

    libfsntfs_notify_set_verbose(1);
    std::cerr << "libfsntfs_volume_initialize " << libfsntfs_volume_initialize(&volume, &error) << "\n";
    // outpur "libfsntfs_volume_initialize 1" - ok
    std::cerr <<  "libfsntfs_volume_open " << libfsntfs_volume_open(
                      volume,"\\\\.\\D:",
                      LIBFSNTFS_OPEN_READ,
                      &error)  << "\n";
    // outpur "libfsntfs_volume_open 1" - ok

    uint64_t number_of_file_entries;
    libfsntfs_volume_get_number_of_file_entries(volume, &number_of_file_entries, &error);
    std::cerr << "number_of_file_entries = " << number_of_file_entries << "\n";
    // number_of_file_entries is 256 - ok

    for ( uint64_t i =0 ; i < number_of_file_entries; i++) {
        libfsntfs_file_entry_t *file_entry = 0;
        if ( libfsntfs_volume_get_file_entry_by_index(volume, i, &file_entry, &error) == 1 ) {
           if ( libfsntfs_file_entry_is_empty(file_entry, &error) == 0 ) {

               int attribute_index;
               std::cerr << "libfsntfs_file_entry_get_name_attribute_index: " << libfsntfs_file_entry_get_name_attribute_index(file_entry, &attribute_index, &error) << "\n";
               // output - 0 
               // libfsntfs_file_entry_get_utf8_name_size 
               // and 
               //libfsntfs_file_entry_get_utf16_name_size  also return 0
           }
        }
    }
}

How do I get the file name by file_entry?

Is it possible to find out what sectors the file occupies by file_entry? I will be glad to any advice.

Thanks.

[joachimmetz]

If by list of files you mean file system hierarchy have a look at https://github.com/libyal/libfsntfs/blob/master/fsntfstools/info_handle.c#L3474 and https://github.com/libyal/libfsntfs/blob/master/fsntfstools/info_handle.c#L4755

How do I get the file name by file_entry?

Have a look at https://github.com/libyal/libfsntfs/blob/master/fsntfstools/info_handle.c#L3584

Is it possible to find out what sectors the file occupies by file_entry?

Yes https://github.com/libyal/libfsntfs/blob/master/include/libfsntfs.h.in#L976

[rucat]

@joachimmetz Thank you very much, it really helped me.

And one more question:) Is it possible to find out in which cluster (or physical offset) the mft record is located?

Thank you.

[joachimmetz]

Is it possible to find out in which cluster (or physical offset) the mft record is located?

If you mean "physical disk offset" then the answer is no. See the discussion about LBA versus CHS https://en.wikipedia.org/wiki/Cylinder-head-sector

If you actually did not mean physical offset, but the offset of file data relative to the start of volume, the answer is "it depends". Have you looked at libfsntfs_file_entry_get_number_of_extents and libfsntfs_file_entry_get_extent_by_index?

[rucat]

Yes, I mean, offset of the start of volume, aI also looked libfsntfs_file_entry_get_number_of_extents and libfsntfs_file_entry_get_extent_by_index functions, but i want to find offset of MFT record (no file data) by file_entry. What I want to do - print all files with sectors occupied by the file. If file is non-resident, i use libfsntfs_file_entry_get_number_of_extents + libfsntfs_file_entry_get_extent_by_index, but if it resident...

[joachimmetz]

For now you could use libfsntfs_file_entry_get_file_reference to determine the MFT entry; based on the MFT entry (record) size and the extents of the $MFT file you should be able to determine those extents.

[joachimmetz]

No further questions from reporter closing issue.