Hello,
On some occasions, I’ve got an NTFS journal containing ops which
ntfsrecover ignores since the Redo/Undo pair doesn’t match what ntfsrecover
expects in the distribute_redos function.
Example #1:
Redo op: WriteEndofFileRecordSegment
Actual undo op: Noop
Expected undo op: WriteEndofFileRecordSegment
Example #2:
Redo op: InitializeFileRecordSegment
Actual undo op: DeallocateFileRecordSegment
Expected undo op: Noop
Example #3:
Getting CompensationlogRecord as the undo op, for many different redo ops
(DeleteAttribute, CreateAttribute, DeleteIndexEntryAllocation,
WriteEndOfIndexBuffer etc.).
This seems to happen when the partition is full or nearly full.
What is the reason ntfsrecover ignores such cases, instead of just playing
the operations present in the journal?
Worth noting that all examples occurred on a regular Windows 7 machine,
performing trivial operations against the file system.
I have raw partition files available for inspection.
Thanks,
Maayan
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
ntfs-3g-devel mailing list
ntfs-3g-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ntfs-3g-devel
