Re: [ntfs-3g-devel] Redo/Undo pair mismatch

Sun, 08 Oct 2017 01:37:12 -0700 

Hi,

Maayan Hanin wrote:

Hello,

On some occasions, I’ve got an NTFS journal containing ops which
ntfsrecover ignores since the Redo/Undo pair doesn’t match what
ntfsrecover expects in the distribute_redosfunction.


First of all, please retry with the latest version,
either from the repository on sourceforge or from my
site (http://jp-andre.pagesperso-orange.fr/advanced-ntfs-3g.html)
A few fixed were applied a few months ago.



Example #1:

Redo op: WriteEndofFileRecordSegment

Actual undo op: Noop

Expected undo op: WriteEndofFileRecordSegment

Example #2:

Redo op: InitializeFileRecordSegment

Actual undo op: DeallocateFileRecordSegment

Expected undo op: Noop

Example #3:

Getting CompensationlogRecord as the undo op, for many different redoops
(DeleteAttribute, CreateAttribute, DeleteIndexEntryAllocation,
WriteEndOfIndexBuffer etc.).

This seems to happen when the partition is full or nearly full.

What is the reason ntfsrecover ignores such cases, instead of just
playing the operations present in the journal?


ntfsrecover usually has to ignore actions when the
actual situation does not match the expected one,
because there is an uncertainty over what was updated
before the crash and some actions are not repeatable.

However it is quite possible you met unusual situations
when the partition is nearly full.



Worth noting that all examples occurred on a regular Windows 7 machine,
performing trivial operations against the file system.

I have raw partition files available for inspection.


Please make them available, since I will probably not
be able to reproduce them.

Only the metadata is needed, however ntfsclone will not
extract it if it finds inconsistencies. You must use
options --ignore-fs-check and --full-logfile to ignore
them :
ntfsclone --ignore-fs-check --full-logfile -mst device - | gzip > metadata.gz 

There is a recent fix to ntfsclone to avoid aborting on
a specific kind of inconsistency.

Jean-Pierre



Thanks,

Maayan




------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
ntfs-3g-devel mailing list
ntfs-3g-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ntfs-3g-devel

Reply via email to