Hi Markus, SF Markus Elfring wrote: >> I you showed the output of "ls -ladi /windows/E" I could be >> sure you are accessing the root of the file system. > > 5 drwxr-xr-x 1 root users 4096 Feb 1 10:20 /windows/E
This is indeed the root (inode 5), not a junction. >> Get the total size of reachable files by "du -s /Windows/E" >> and check whether you get near 199GB. > > 104G /windows/E Actually, the value to be expected was about 170GB, because du does not take the metadata into account, but 104GB is strange. >> Check what is in the directory "$RECYCLE.BIN", which is >> the Windows trash bin. This might be difficult to interpret, >> but check its size "du -s '/windows/E/$RECYCLE.BIN'" > > 1.0K /windows/E/$RECYCLE.BIN > > >> If you find evidence of unreachable files, and they are >> important to you, some forensic analysis is possible, >> you would have to extract the metadata and send them. > > How should the needed meta-data portion be extracted for my open issue? ntfsclone does it (as root and device not mounted) 1) ntfsclone -m -t -O E.metadata /dev/sda6 (skip option -t if you have an old version) this creates a sparse file E.metadata with no user data. This appears as a big file. To make it a normal file, you can use tar with option -S or run ntfsclone again to build a special file : 2a) tar -Scf E.metadata.tar E.metadata 2b) ntfsclone -s -O E.metadata.img E.metadata This will result in a 20GB to 30GB file. Compress it (prefer bz2 or xz), and put it on a server where I can fetch it (and send its location in a private email). Regards Jean-Pierre ------------------------------------------------------------------------------ Virtualization & Cloud Management Using Capacity Planning Cloud computing makes use of virtualization - but cloud computing also focuses on allowing computing to be delivered as a service. http://www.accelacomm.com/jaw/sfnl/114/51521223/ _______________________________________________ ntfs-3g-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/ntfs-3g-devel
