
Reading MFT

Dear StCroixSkipper,

The piece of code on the USN journal that you gave is very helpful. Thanks for that.

I have some doubts regarding USN journal records. Please help me out.

I am working in VC++ and trying to get the data cluster chain of deleted files greater than 4GB in size.

If a file of less than 4GB in size is deleted (let's assume that the MFT and its data are not overwritten after deleting), we can recover its data by reading the cluster chain of this file from the MFT.

But if the file is greater than 4GB in size and we delete it, the cluster chain of the data in its MFT also gets deleted.

So I am trying to get the data cluster chain of this deleted file. As we know, every time any change happens in NTFS, a log is created as a record. I am trying to get the information about this file from $LogFile.

If we follow the approach of creating a USN journal and reading the USN records, can we get the cluster chain of a deleted file?

My questions are:

1- Is the USN journal helpful in achieving my objective?

2- Can we get the listing of deleted files with the help of USN records?

3- How can we get the cluster chain of a deleted file from the USN journal?

Thanks

Madan

