The ntfsprogs package provides a nice set of tools for performing operations on NTFS file systems from non-Windows environments. There are many uses for these, and I’ve found them helpful in virtualized environments when dealing with virtual disk images. In particular, they allow for the easy restoration of individual files from NTFS virtual disks from the host OS. These tools however, are only capable of operating on entire devices, and in many cases the individual partitions of virtual disk images are not exposed as block devices by the operating system, preventing these tools from working.
As a workaround for this, I’ve created a patch against ntfsprogs 2.0.0 that adds an
--offset option to most of the tools, allowing a partition offset, in bytes from the start of the device, to be specified.
These patches were tested on OpenSolaris, but should work with other systems as well. They include a Solaris patch to fix compilation issues on Solaris. They are available in the following forms:
- ntfsprogs-2.0.0-offset.patch.gz – A patch against the ntfsprogs-2.0.0 source.
- ntfsprogs-2.0.0-offset.tar.gz – The full ntfsprogs-2.0.0 source with the patch applied.
- lspart.py – A script that parses the MBR of the device and displays the partitions and their offsets.
Compiling the tools can be done with:
$ wget http://www.edplese.com/files/ntfsprogs-2.0.0-offset.tar.gz $ gzcat ntfsprogs-2.0.0-offset.tar.gz | tar -xf - $ cd ntfsprogs-2.0.0-offset $ ./configure && make
Once compiled, the tools can be installed with
make install, or run in place from the
ntfsprogs-2.0.0-offset/ntfsprogs directory without having to install them.
The following example demonstrates the tools operating on a snapshot of an NTFS volume stored on a ZFS zvol block device.
# lspart.py /dev/zvol/dsk/rpool/xvm/win2k8@installed Start Offset Size Type 1048576 100.0M 07 Windows NTFS 105906176 15.9G 07 Windows NTFS 0 0.0B 00 Empty 0 0.0B 00 Empty # ntfsls /dev/zvol/dsk/rpool/xvm/win2k8@installed Failed to startup volume: Invalid argument. Failed to mount '/dev/zvol/dsk/rpool/xvm/win2k8': Invalid argument. The device '/dev/zvol/dsk/rpool/xvm/win2k8' doesn't have a valid NTFS. Maybe you selected the wrong device? Or the whole disk instead of a partition (e.g. /dev/hda, not /dev/hda1)? Or the other way around? # ntfsls --offset 1048576 /dev/zvol/dsk/rpool/xvm/win2k8@installed Boot bootmgr BOOTSECT.BAK System Volume Information # ntfsls --offset 105906176 /dev/zvol/dsk/rpool/xvm/win2k8@installed $Recycle.Bin Documents and Settings pagefile.sys PerfLogs Program Files Program Files (x86) ProgramData Recovery System Volume Information Users Windows # ntfscat --offset 105906176 /dev/zvol/dsk/rpool/xvm/win2k8@installed \ Windows/System32/notepad.exe > notepad.exe