Question on Volume bitmap

  • Question

  • Hello folks,

    I would like to know if the volume bitmap buffer returned by ZwFsControlFile+FSCTL_GET_VOLUME_BITMAP includes the cluster list of the volume metadata such as the MFT.

    Thank you.


    • Edited by Weg's Wednesday, April 20, 2016 5:38 AM
    Wednesday, April 20, 2016 2:28 AM

All replies

  • No, it will return the pointers for the file:stream specified; if you ask for $Bitmap, that's what you'll get. The MFT is actually a file, so if you want the MFT's retrieval pointers, then you'll have to ask for them for file $MFT.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Wednesday, April 20, 2016 3:06 AM
    Moderator
  • Hello Brian,

    Thanks for your reply.

    "it will return the pointers for the file:stream specified" The handle that I provided as input is the volume handle, so I expect it to return the LCN pairs of the whole volume. Isn't it?

    Wednesday, April 20, 2016 4:27 AM
  • FSCTL_QUERY_RETRIEVAL_POINTERS will only return the mapping info for the page file, as specified here. FSCTL_GET_RETRIEVAL_POINTERS can be used to return the mapping info for other files. As specified here, passing in a handle to the volume will return the mapping info for the $BadClus file, which contains the list of bad clusters on the volume.

     -Brian



    Wednesday, April 20, 2016 5:15 AM
    Moderator
  • Oh, sorry, my bad. I mistyped FSCTL_QUERY_RETRIEVAL_POINTERS; what I meant to ask about was ZwFsControlFile+FSCTL_GET_VOLUME_BITMAP. I just modified my question.

    Very sorry.

    Wednesday, April 20, 2016 5:38 AM
  • Yes, of course. As I wrote earlier, the $MFT file is just another file as far as NTFS is concerned, so the volume bitmap includes it.

     -Brian



    • Marked as answer by Weg's Wednesday, April 20, 2016 10:51 PM
    Wednesday, April 20, 2016 6:49 PM
    Moderator
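The thread settles two points: FSCTL_GET_VOLUME_BITMAP describes every cluster on the volume, $MFT's included, and FSCTL_GET_RETRIEVAL_POINTERS describes one file:stream, so $MFT's extents come from a handle to $MFT. The code below is an added example, not from the thread or from Azius: it decodes a VOLUME_BITMAP_BUFFER and walks a RETRIEVAL_POINTERS_BUFFER extent list, counting clusters the bitmap says are free. On a consistent volume that count is 0 for any file, which is the check a forensics tool would run before trusting either structure. The struct layouts mirror winioctl.h (two 64-bit integers followed by the bitmap bytes; NextVcn/Lcn pairs, Lcn == -1 for a sparse hole) so the decoder compiles anywhere; the bitmap and extent lists are constructed sample data, and the user-mode DeviceIoControl wrapper under _WIN32 stands in for the kernel-mode ZwFsControlFile call the question mentions. ERROR_MORE_DATA handling is included because the bitmap of a real volume rarely fits one buffer.

```c
/* Added example (not from the thread): decode FSCTL_GET_VOLUME_BITMAP output and
 * check that every cluster in a file's extents (e.g. $MFT's retrieval pointers)
 * is marked allocated. Layouts mirror winioctl.h; sample data is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* VOLUME_BITMAP_BUFFER: bit i of Buffer[j] describes LCN StartingLcn + 8*j + i,
 * 1 = allocated. The driver rounds the requested StartingLcn down to a multiple of 8. */
typedef struct {
    int64_t StartingLcn;
    int64_t BitmapSize;   /* clusters (bits) from StartingLcn to the end of the volume */
    uint8_t Buffer[1];    /* variable length in the real buffer */
} volume_bitmap_hdr;

/* One NextVcn/Lcn pair of RETRIEVAL_POINTERS_BUFFER: extent k covers VCNs
 * [previous NextVcn, NextVcn) starting at Lcn; Lcn == -1 marks a hole with no clusters. */
typedef struct {
    int64_t NextVcn;
    int64_t Lcn;
} extent;

/* Bits actually present in a response; a partial (ERROR_MORE_DATA) reply has fewer
 * than BitmapSize. bytes_returned is what DeviceIoControl/ZwFsControlFile reported. */
int64_t bitmap_bits_available(size_t bytes_returned, int64_t bitmap_size)
{
    if (bytes_returned < offsetof(volume_bitmap_hdr, Buffer)) return 0;
    int64_t bits = (int64_t)(bytes_returned - offsetof(volume_bitmap_hdr, Buffer)) * 8;
    return bits < bitmap_size ? bits : bitmap_size;
}

/* 1 = allocated, 0 = free, -1 = LCN outside the range this buffer describes. */
int lcn_is_allocated(const uint8_t *bits, int64_t starting_lcn, int64_t nbits, int64_t lcn)
{
    int64_t rel = lcn - starting_lcn;
    if (rel < 0 || rel >= nbits) return -1;
    return (bits[rel / 8] >> (rel % 8)) & 1;
}

/* Count clusters of a file's extents that the bitmap marks free. Consistent volume:
 * 0 for every file, $MFT included. Returns -1 if an extent leaves the bitmap range. */
int64_t free_clusters_in_extents(const extent *ext, unsigned count, int64_t starting_vcn,
                                 const uint8_t *bits, int64_t starting_lcn, int64_t nbits)
{
    int64_t vcn = starting_vcn, freecnt = 0;
    for (unsigned k = 0; k < count; k++) {
        int64_t len = ext[k].NextVcn - vcn;
        if (ext[k].Lcn != -1) {                 /* holes own no clusters, skip them */
            for (int64_t c = 0; c < len; c++) {
                int a = lcn_is_allocated(bits, starting_lcn, nbits, ext[k].Lcn + c);
                if (a < 0) return -1;
                if (a == 0) freecnt++;
            }
        }
        vcn = ext[k].NextVcn;
    }
    return freecnt;
}

/* Constructed 64-cluster "volume": LCN 0-3 and 16-25 allocated, everything else free. */
static const uint8_t sample_bitmap[8] = { 0x0F, 0x00, 0xFF, 0x03, 0x00, 0x00, 0x00, 0x00 };
/* Constructed $MFT pointers: VCN 0-7 at LCN 16-23, VCN 8-9 at LCN 24-25. */
static const extent sample_mft[] = { { 8, 16 }, { 10, 24 } };
/* Constructed sparse file: VCN 0-3 at LCN 0-3, hole VCN 4-7, VCN 8-9 at LCN 30-31 (free!). */
static const extent sample_sparse[] = { { 4, 0 }, { 8, -1 }, { 10, 30 } };

int64_t example_mft_free(void)    { return free_clusters_in_extents(sample_mft, 2, 0, sample_bitmap, 0, 64); }
int64_t example_sparse_free(void) { return free_clusters_in_extents(sample_sparse, 3, 0, sample_bitmap, 0, 64); }

#ifdef _WIN32
#include <windows.h>
#include <winioctl.h>
/* Fetch one chunk of the bitmap from a volume handle opened with
 * CreateFileW(L"\\\\.\\C:", GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
 * OPEN_EXISTING, 0, NULL). Returns ERROR_SUCCESS, or ERROR_MORE_DATA when out holds a
 * partial bitmap: advance start_lcn by bitmap_bits_available() and call again. */
DWORD get_volume_bitmap_chunk(HANDLE vol, LONGLONG start_lcn, void *out, DWORD out_size, DWORD *bytes)
{
    STARTING_LCN_INPUT_BUFFER in;
    in.StartingLcn.QuadPart = start_lcn;
    if (DeviceIoControl(vol, FSCTL_GET_VOLUME_BITMAP, &in, sizeof in, out, out_size, bytes, NULL))
        return ERROR_SUCCESS;
    return GetLastError();
}
#endif

int main(void)
{
    printf("$MFT clusters the bitmap marks free: %lld\n", (long long)example_mft_free());
    printf("sparse file clusters the bitmap marks free: %lld\n", (long long)example_sparse_free());
    return 0;
}
```

The hole in the sparse sample is skipped rather than flagged: a -1 Lcn means the stream has no clusters there, so the bitmap has nothing to say about it. A non-zero count for a real file means either a stale bitmap snapshot (the volume changed between the two FSCTLs) or a structure that should not be trusted.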