ReadLiveNTFS.csproj
1.0.2
RawNtfsAccess Library
A .NET library for accessing locked files and restricted directories in Windows NTFS file systems through raw disk access.
IMPORTANT NOTE
This entire project (~95% at least) was generated by Claude, an LLM offered by Anthropic at https://claude.ai/. I spent some time massaging areas it was having trouble with for various reasons.
While I understand how the project works at a high-level and have reviewed/tested the code in some static use-cases, please be sure to test for your use-case to ensure functionality.
I have done the following to test (examples shown in Program.cs):
- Copy traditionally locked files such as C:\Windows\System32\config\SAM using multiple tools including this and compare hashes
- Create new files with ADS streams and copy then compare input/output to verify functionality
- List directories and verify contents
- Test Symbolic Link/Junction resolution using C:\Documents and Settings
- Extract ADS from locked System files such as $UsnJrnl:$J
I'm both impressed and horrified by how rapidly LLM coding is progressing.
I did modify some items in Program.cs to perform more readable testing - but Claude could have done that too if I asked I'm sure.
I spent some time fixing code in areas focusing on reading Alternate Data Streams, parsing Sparse files and handling links as the LLM kept trying to use code that it thought 'worked' but clearly didn't.
Other fun things it did:
- Attempt to reflectively find appropriate methods/objects/attributes in DiscUtils when it couldn't analyze them well enough to find a solution
- Attempt to continuously fake results by just generating synthetic data, even after expressly being told not to multiple times
- Attempt to continuously leave 'TODO' style implementations in arbitrary areas - I guess it got lazy
Here is a link to the original Claude chat showing my prompt/conversation with the model: https://claude.ai/share/6198248b-5d0c-4cea-ab1a-bb7bb316fb64
Feel free to submit PRs/Issues and I can attempt to triage, but no promises.
The rest of this README was generated by Claude.
Features
- Access Locked Files: Read files that are locked by Windows or other processes
- Access Restricted Directories: List contents of directories you don't have permissions for
- Efficient Parsing: Only reads what's necessary from the NTFS file system
- Sparse File Support: Efficiently handles sparse files by skipping zero blocks
- Alternate Data Stream Support: Full support for reading and copying alternate data streams
- Symbolic Link Resolution: Handles junction points, symbolic links, and hard links
Requirements
- Windows operating system
- .NET 8.0 or higher
- Administrative privileges (for raw disk access)
Installation
Install the package via NuGet. It is published under the package ID ReadLiveNTFS.csproj, not RawNtfsAccess:
    Install-Package ReadLiveNTFS.csproj -Version 1.0.2
Usage Examples
Initialize the Library
    // Configure options
    var options = new RawNtfsOptions
    {
        BufferSize = 4 * 1024 * 1024, // 4MB buffer
        MaxLinkDepth = 10,
        FollowRelativeLinks = true,
        FollowAbsoluteLinks = false
    };

    // Create an accessor for drive C:
    using (var ntfsAccessor = new RawNtfsAccessor('C', options))
    {
        // Use the accessor here
    }
Copy a Locked File
    // Copy a file that's locked by Windows
    string sourceFile = @"C:\Windows\System32\config\SOFTWARE";
    string destinationFile = @"C:\Temp\SOFTWARE";

    using (var ntfsAccessor = new RawNtfsAccessor('C'))
    {
        ntfsAccessor.CopyFile(sourceFile, destinationFile, true);
    }
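An added example (not from the project's README or Program.cs) of the hash check the author describes in the testing notes: copy a locked file, then compare the SHA-256 of a second raw read of the source with the SHA-256 of the copy on disk. It assumes the namespace is `RawNtfsAccess` and that `OpenFile` accepts a plain file path as well as the `path:stream` form shown in the ADS example.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using RawNtfsAccess; // assumed namespace; the page does not state it

static class VerifiedCopy
{
    // Streamed SHA-256 so large hives or journals are never fully buffered.
    static string Sha256Hex(Stream stream)
    {
        using (var sha = SHA256.Create())
        {
            return BitConverter.ToString(sha.ComputeHash(stream)).Replace("-", "");
        }
    }

    static int Main()
    {
        string source = @"C:\Windows\System32\config\SOFTWARE";
        string destination = @"C:\Temp\SOFTWARE";
        string rawHash, copyHash;

        using (var ntfs = new RawNtfsAccessor('C'))
        {
            ntfs.CopyFile(source, destination, true);

            // Independent second raw read of the source.
            // Assumption: OpenFile also accepts a path without a stream name.
            using (var raw = ntfs.OpenFile(source))
            {
                rawHash = Sha256Hex(raw);
            }
        }

        // The copy is an ordinary file, so the normal file API can read it.
        using (var copy = File.OpenRead(destination))
        {
            copyHash = Sha256Hex(copy);
        }

        Console.WriteLine($"raw read: {rawHash}");
        Console.WriteLine($"copy:     {copyHash}");

        bool match = string.Equals(rawHash, copyHash, StringComparison.Ordinal);
        Console.WriteLine(match ? "MATCH" : "MISMATCH");
        return match ? 0 : 1; // non-zero exit lets a collection script flag the file
    }
}
```

Because the source file is live, a mismatch can mean the file changed between the two reads rather than a faulty copy; repeat the check before treating the copy as bad.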
List a Restricted Directory
    // List files in a directory you don't have permissions for
    string restrictedDir = @"C:\Windows\System32\config";

    using (var ntfsAccessor = new RawNtfsAccessor('C'))
    {
        // Get all files
        foreach (var file in ntfsAccessor.GetFiles(restrictedDir))
        {
            Console.WriteLine($"{file.FullPath} ({file.Size} bytes)");
        }

        // Get all subdirectories
        foreach (var dir in ntfsAccessor.GetDirectories(restrictedDir))
        {
            Console.WriteLine($"{dir.FullPath}");
        }
    }
Work with Alternate Data Streams
    // Access alternate data streams
    string filePath = @"C:\path\to\file.txt";

    using (var ntfsAccessor = new RawNtfsAccessor('C'))
    {
        // Get all alternate data stream names
        var adsNames = ntfsAccessor.GetAlternateDataStreamNames(filePath);

        foreach (var adsName in adsNames)
        {
            // Read from a specific alternate data stream
            using (var stream = ntfsAccessor.OpenFile($"{filePath}:{adsName}"))
            using (var reader = new StreamReader(stream))
            {
                string content = reader.ReadToEnd();
                Console.WriteLine($"ADS {adsName}: {content}");
            }
        }
    }
Handle Symbolic Links
    // Resolve and follow symbolic links
    string linkPath = @"C:\Documents and Settings";

    using (var ntfsAccessor = new RawNtfsAccessor('C'))
    {
        // Get info about the link
        var dirInfo = ntfsAccessor.GetDirectoryInfo(linkPath);

        if (dirInfo.IsReparsePoint)
        {
            Console.WriteLine($"Link target: {dirInfo.LinkTarget}");

            // Resolve the link to its final destination
            string resolvedPath = ntfsAccessor.ResolveLinkTarget(linkPath);
            Console.WriteLine($"Resolved target: {resolvedPath}");
        }
    }
Advanced Configuration
The RawNtfsOptions class provides several configuration options:
    var options = new RawNtfsOptions
    {
        // Size of the buffer used for reading data (in bytes)
        BufferSize = 4 * 1024 * 1024, // 4MB default

        // Maximum depth for resolving symbolic links and junction points
        MaxLinkDepth = 10,

        // Whether to follow relative symbolic links
        FollowRelativeLinks = true,

        // Whether to follow absolute symbolic links
        FollowAbsoluteLinks = false
    };
Performance Considerations
- The library reads data in chunks using the specified buffer size. Larger buffers generally improve performance for larger files but use more memory.
- For sparse files, the library only reads non-zero blocks, improving performance for large, sparse files.
- When copying files with many alternate data streams, each stream is copied individually.
Limitations
- Only works with NTFS file systems
- Does not support write operations to the raw disk
- Does not handle Encrypted File System (EFS) files
- Requires administrative privileges to access the raw disk
License
This project is licensed under the MIT License - see the LICENSE file for details.
Product | Versions (compatible and additional computed target framework versions) |
---|---|
.NET Framework | net481 is compatible. |

Dependencies (.NETFramework 4.8.1)
- DeviceIOControlLib (>= 0.1.6)
- DiscUtils.Core (>= 0.16.13)
- DiscUtils.Ntfs (>= 0.16.13)
- DiscUtils.Streams (>= 0.16.13)
- RawDiskLib (>= 0.2.1)
Version | Downloads | Last updated |
---|---|---|
1.0.2 | 45 | 3/11/2025 |