joakims wrote:
Now I think the project has reached a dead end, unless someone else wants to take it further into handling the raw structures of shadow copies..
And then a few more fixes was done, to support MFT record size of 4096 bytes, dumping of timestamps from parent's INDX, as well as fixing an issue with synchronization of $STANDARD_INFORMATION timestamps and those found in the INDX of the parent.
Regarding the latter, it turned out a simple call to NtQueryInformationFile would force Windows to synchronize them.
↧