Hello everybody,
I have some questions.
I have already created file on physical disk drive. All data was written
but it wasn’t written by File System Driver /FSD/ and FSD doesn’t know
about this file yet. How can I force reloading of cached metadata stuctures
from FSD to make this file visible?
I suppose that UNDELETE programs make something similar but I could not
find any example sources. UNDELETE restores previously deleted file. I know
that file data is not physically deleted from the storage, the direntry is
marked as deleted and all file clusters are free for further write usage.
How do these programs exactly work - do they modify on memory structures as
$MFT, $Bitmap and then flush these structures on the nonvolatile memory?
If you know something about this, help me.
Thank you in advance.
Regards
Kristian Rodriguez