Add a few updates to documentation. #10
Thanks, I'll have a look when time permits.
Can you clarify a couple of things in the meantime: "I was able to get a hold of ReFS images with versions 3.1 through 3.9". Can you indicate which version specifically, given some of these potentially are pre-releases? Given these versions have different versions/features, what do you mean with "I'm now able to parse all of them"? That you are able to handle the containers or other features as well?
Of course - here are the exact versions I tested: 3.1 (Windows Server 2016, 14393)
I simply mean that I'm able to traverse all the directories and files, and read the file contents from the data runs. I prepared the test images by copying over a large and complex directory tree, then thrashing with some more deletes and writes to create fragmentation. (I'm not able to use any other features of the filesystem beyond reading files and directories.) (To clarify further, I'm not using any of the code in
Thanks for the additional context. If you are happy to share the method of creating the test data, have a look at https://github.com/dfirlabs/refs-specimens
Yeah, did not expect you to, given this project is currently mostly to analyze the format, not "production" ready. If you are using a scripting language, be aware that file names are UCS-2 + surrogates, not UTF-16.
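The file-name remark above matters when parsing in a scripting language, because a strict UTF-16 decoder raises on an unpaired surrogate and the entry is then lost from a listing. The following is an added example, not code from this project or from the pull request author: it decodes 16-bit code units while keeping lone surrogates, and checks that the result re-encodes to the original bytes. Little-endian byte order, the function names and the sample names are assumptions made for the example.

```python
import struct

def decode_name(raw: bytes) -> str:
    """Decode little-endian 16-bit code units; pair surrogates when valid, keep lone ones."""
    if len(raw) % 2:
        raise ValueError("file name length must be an even number of bytes")
    units = struct.unpack("<%dH" % (len(raw) // 2), raw)
    out, i = [], 0
    while i < len(units):
        u = units[i]
        nxt = units[i + 1] if i + 1 < len(units) else None
        if 0xD800 <= u <= 0xDBFF and nxt is not None and 0xDC00 <= nxt <= 0xDFFF:
            out.append(chr(0x10000 + ((u - 0xD800) << 10) + (nxt - 0xDC00)))
            i += 2
        else:
            out.append(chr(u))  # includes unpaired surrogates, kept as-is
            i += 1
    return "".join(out)

def encode_name(name: str) -> bytes:
    """Inverse of decode_name, used to check that decoding lost nothing."""
    units = []
    for ch in name:
        cp = ord(ch)
        if cp > 0xFFFF:
            cp -= 0x10000
            units += [0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)]
        else:
            units.append(cp)
    return struct.pack("<%dH" % len(units), *units)

def display_name(name: str) -> str:
    """Escape lone surrogates and control characters so the name can be logged as UTF-8."""
    return "".join(
        "\\u%04x" % ord(c) if 0xD800 <= ord(c) <= 0xDFFF or ord(c) < 0x20 else c
        for c in name
    )

# Constructed sample names (not taken from any real image).
VALID_PAIR = struct.pack("<4H", 0x0061, 0xD83D, 0xDE00, 0x0062)  # a, U+1F600, b
LONE_HIGH = struct.pack("<3H", 0x0061, 0xD800, 0x0062)           # a, unpaired D800, b

if __name__ == "__main__":
    for raw in (VALID_PAIR, LONE_HIGH):
        name = decode_name(raw)
        print(ascii(display_name(name)), encode_name(name) == raw)
```

Keep the decoded string for comparisons and round-tripping, and use the escaped form only for reports and logs.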
This adds a few updates and clarifications to this documentation, based on my own recent forensic analysis of several ReFS volumes. I was able to get a hold of ReFS images with versions 3.1 through 3.9, and with the help of this documentation, plus my own investigation, I'm now able to parse all of them.
Let me know if a pull request isn't the right way to contribute, or whether you'd prefer to update the documentation yourself.