Page 1 of 1
NTFS signature is missing
Posted: 20 Jan 2020, 14:09
by mesajflaviu
I have running under debug the code source on Win10 64 bit. Wanting to read deleted file from an NTFS USB stick. And the debugging had stopped here:
Code: Select all
// bootsect.c (from NTFS library)
BOOL ntfs_boot_sector_is_ntfs(NTFS_BOOT_SECTOR *b)
{
u32 i;
BOOL ret = FALSE;
ntfs_log_debug("Beginning bootsector check.\n");
ntfs_log_debug("Checking OEMid, NTFS signature.\n");
if (b->oem_id != const_cpu_to_le64(0x202020205346544eULL)) // "NTFS "
{
ntfs_log_error("NTFS signature is missing.\n"); // <-- here is entered my code
goto not_ntfs;
}
....
How to "translate" this error message ?
NTFS signature is missing
Re: NTFS signature is missing
Posted: 20 Jan 2020, 14:28
by recuperation
Dear mesajflaviu,
this string is an identifier for a NTFS boot sector.
As I told you at least once before, you can't learn the internals of file systems just by looking at the code of Testdisk.
You have to read external sources about it and run disk editors that do interpret data to get an understanding of the relevant file system.
Once you understand how the file system in question works you will understand what Christoph Grenier programmed.
You would be even able to find errors - if there are any.
Re: NTFS signature is missing
Posted: 20 Jan 2020, 15:43
by mesajflaviu
And if this string seem to be missing, what could I understand that ?
Re: NTFS signature is missing
Posted: 20 Jan 2020, 19:08
by recuperation
If this string is missing the sector is either
1. no NTFS boot sector OR
2. a broken NTFS boot sector
Re: NTFS signature is missing
Posted: 21 Jan 2020, 08:46
by mesajflaviu
I guess is the first case, because this is happen in two different USB sticks formatted as EXFAT.
Re: NTFS signature is missing
Posted: 21 Jan 2020, 09:16
by mesajflaviu
I am thinking that this issue is not necessary an error though ... right ?
Re: NTFS signature is missing
Posted: 21 Jan 2020, 09:49
by mesajflaviu
On a test stick, oem_id has 8804685062176 value. Where oem_id is part of:
Code: Select all
typedef struct {
u8 jump[3]; /* Irrelevant (jump to boot up code).*/
le64 oem_id; /* Magic "NTFS ". */
/*0x0b*/BIOS_PARAMETER_BLOCK bpb; /* See BIOS_PARAMETER_BLOCK. */
u8 physical_drive; /* 0x00 floppy, 0x80 hard disk */
u8 current_head; /* zero */
u8 extended_boot_signature; /* 0x80 */
u8 reserved2; /* zero */
/*0x28*/sle64 number_of_sectors; /* Number of sectors in volume. Gives
maximum volume size of 2^63 sectors.
Assuming standard sector size of 512
bytes, the maximum byte size is
approx. 4.7x10^21 bytes. (-; */
sle64 mft_lcn; /* Cluster location of mft data. */
sle64 mftmirr_lcn; /* Cluster location of copy of mft. */
s8 clusters_per_mft_record; /* Mft record size in clusters. */
u8 reserved0[3]; /* zero */
s8 clusters_per_index_record; /* Index block size in clusters. */
u8 reserved1[3]; /* zero */
le64 volume_serial_number; /* Irrelevant (serial number). */
le32 checksum; /* Boot sector checksum. */
/*0x54*/u8 bootstrap[426]; /* Irrelevant (boot up code). */
le16 end_of_sector_marker; /* End of bootsector magic. Always is
0xaa55 in little endian. */
/* sizeof() = 512 (0x200) bytes */
}NTFS_BOOT_SECTOR;
from NTFS library, layout.h file.
Re: NTFS signature is missing
Posted: 21 Jan 2020, 09:59
by mesajflaviu
Plus, going the code by here, I got memory leaks:
Code: Select all
Detected memory leaks!
Dumping objects ->
{26571} normal block at 0x03FB87D0, 65536 bytes long.
Data: < R NTFS > EB 52 90 4E 54 46 53 20 20 20 20 00 02 08 00 00
Object dump complete.