Mar 15, 2014

This is a simple GUI around the Microsoft FSCTL_GET_RETRIEVAL_POINTERS API.

The idea is to retrieve the list of all clusters belonging to a file, map these clusters onto the logical drive where the file is located, and from there reassemble all clusters and save them to a new destination file.

Thanks to this method, one can save or copy a file that is in use, since the clusters are read « raw » from the logical drive.

This has been tested with success on \boot\bcd and \windows\system32\config\sam, files that cannot be copied in « normal » mode.

Beware that, with this method, you could end up with a corrupted dump, since the file could be modified while you are reading it.
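The first step described above, the cluster map, as an added example that is not the Dump Extents code: it decodes the RETRIEVAL_POINTERS_BUFFER that FSCTL_GET_RETRIEVAL_POINTERS returns into volume byte offsets, follows the ERROR_MORE_DATA continuation that a large, fragmented file needs, and treats unallocated (sparse) runs and resident files, which have no clusters at all. The decoder is plain Python and runs anywhere; `file_runs()` (this example's own name, like `parse_retrieval_pointers` and `build_retrieval_pointers`) assumes Windows, the ctypes module and a cluster size obtained from GetDiskFreeSpaceW.

```python
# Added example (not the Dump Extents code): map a file's clusters to byte offsets on its
# volume with FSCTL_GET_RETRIEVAL_POINTERS. Decoding is plain Python; file_runs() needs Windows.
import struct

FSCTL_GET_RETRIEVAL_POINTERS = 0x00090073  # CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 28, METHOD_NEITHER, FILE_ANY_ACCESS)
HEADER_FMT, EXTENT_FMT = "<I4xq", "<qq"    # DWORD ExtentCount + pad, LARGE_INTEGER StartingVcn; then (NextVcn, Lcn) pairs
ERROR_MORE_DATA = 234                      # buffer filled but extents remain: call again from the returned VCN
ERROR_HANDLE_EOF = 38                      # file is resident in the MFT or empty: it owns no clusters to map

def parse_retrieval_pointers(buf, cluster_size):
    """Decode a RETRIEVAL_POINTERS_BUFFER into (volume_byte_offset, length_in_bytes) runs.
    offset is None for an unallocated run (Lcn == -1, sparse/compressed: its bytes read as zeros).
    Also returns the VCN after the last extent, the StartingVcn for an ERROR_MORE_DATA retry."""
    extent_count, vcn = struct.unpack_from(HEADER_FMT, buf, 0)
    runs = []
    for i in range(extent_count):
        next_vcn, lcn = struct.unpack_from(EXTENT_FMT, buf, 16 + 16 * i)  # header and each extent are 16 bytes
        runs.append((None if lcn == -1 else lcn * cluster_size, (next_vcn - vcn) * cluster_size))
        vcn = next_vcn
    return runs, vcn

def build_retrieval_pointers(starting_vcn, extents):
    """Constructed stand-in for the buffer the driver fills, so the decoder can be exercised off Windows."""
    return struct.pack(HEADER_FMT, len(extents), starting_vcn) + b"".join(
        struct.pack(EXTENT_FMT, nxt, lcn) for nxt, lcn in extents)

def file_runs(path, cluster_size, max_extents=64):
    """Windows only: query a file's extents, following ERROR_MORE_DATA continuations."""
    import ctypes, ctypes.wintypes as wt
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.restype, k32.CloseHandle.argtypes = wt.HANDLE, [wt.HANDLE]
    k32.DeviceIoControl.argtypes = [wt.HANDLE, wt.DWORD, wt.LPVOID, wt.DWORD, wt.LPVOID, wt.DWORD, wt.LPDWORD, wt.LPVOID]
    # FILE_READ_ATTRIBUTES (0x80) suffices for this FSCTL and does not collide with the exclusive share mode that blocks a normal read-open of e.g. the SAM hive
    h = k32.CreateFileW(path, 0x80, 7, None, 3, 0x02000000, None)  # share RWD, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS
    if h == wt.HANDLE(-1).value:
        raise ctypes.WinError(ctypes.get_last_error())
    out, runs, vcn = ctypes.create_string_buffer(16 + 16 * max_extents), [], 0
    try:
        while True:
            start, got = ctypes.c_int64(vcn), wt.DWORD()
            ok = k32.DeviceIoControl(h, FSCTL_GET_RETRIEVAL_POINTERS, ctypes.byref(start), 8, out, len(out), ctypes.byref(got), None)
            err = 0 if ok else ctypes.get_last_error()
            if err == ERROR_HANDLE_EOF:          # resident or empty file: nothing on disk to map
                return runs
            if err not in (0, ERROR_MORE_DATA):
                raise ctypes.WinError(err)
            part, vcn = parse_retrieval_pointers(out.raw, cluster_size)
            runs += part
            if err == 0:
                return runs
    finally:
        k32.CloseHandle(h)
```

The map itself only needs a handle with attribute access, which is why the sharing lock on an in-use file does not stop it; reading the mapped clusters back from the \\.\X: volume device, the second step of the method, requires an administrative token.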

Get it on github here.


 Posted by at 16 h 15 min

  2 Responses to “Dump Extents”

  1. Dump Extents doesn’t seem to work correctly on my SSD hardware, it either stalls or goes on endlessly.
