CnW data recovery software for NTFS disks
CnW NTFS data recovery software may be the only means to extract and recover files and data from a corrupted hard drive. The program will work even when the boot sector has been lost, the drive has been repartitioned, or the operating system has been reloaded. Deleted files and overwritten operating systems can all be processed, and otherwise lost files recovered. Failing disks can be recovered even when critical sectors are missing. It will also process disks that have used software compression. NTFS disks are the basis of most current PCs running Windows XP, Vista and Windows 7. Examples can also be found on removable optical disks, and occasionally memory sticks.
The quality and number of files recovered is exceptionally high, and often far better than many competing programs.
To recover an NTFS disk with the manual options shown below, rather than using the wizard, select the green Recover icon (once the relevant drive has been selected from the combo box in the main tool bar).
If the disk has multiple partitions, the first screen displayed will be a list of partitions. At this stage enable the relevant partitions to be recovered. It is therefore possible to select just a single partition for recovery, or multiple partitions. It should be noted that some computers are shipped with a main NTFS disk, and a small boot or recovery FAT partition. User data is not stored in the FAT partition, so it can be ignored.
The screen above is displayed with several options on how data may be recovered.
The lower part of the box displays parameters on the disk for up to 8 partitions. These parameters may be changed (with caution) to override the determined values.
There are two basic modes for recovery and restoration of all files:
Full Recovery
This is a mode where the data recovery program emulates the normal operating system. The major difference is that it is very fault tolerant, and will also examine and use values from the mirror MFT found on the hard drive.
From file entries
This mode can be the most useful. The program will analyse each MFT (Master File Table) entry, and restore the file associated with it. The directory structure is retained where possible, but when key directory structure files are missing, the program will continue recovering files, sometimes placing them into ‘dummy’ directories called lost_dir_xxxx, where xxxx is a unique number for each unrecognised directory parent. In a second mode of this function, ‘Scan all MFT entries’ can be selected, so the whole disk is scanned for possible MFTs. This is useful on disks that have had the operating system reloaded, and lost all original files.
At the start of this function, a new dialog box is displayed that lets the user select a range of MFTs. This can be used to examine just a section of the disk, or to work around a region where problems have been found, for instance around MFT 23,450, possibly due to bad or very corrupted sectors.
If when using this mode, the master $MFT sector is not found, the process will start again with the Scan for all MFTs set.
Recover deleted files
The NTFS system deletes files by marking the MFT to indicate the file has been deleted. It does retain the location of the file, and often the first several fragments of a fragmented file. If nothing has been written to the disk since deletion, or removal from the recycle bin, then a very high level of recovery should be expected. The recovery is done in two passes: the first pass recovers all standard files, and the second pass recovers deleted files. With this two-pass procedure, it is possible to detect when a file has potentially been overwritten by a newer file. A final stage in this recovery mode is to select Recover Unused Space. This will then examine all sectors that have not been read, and determine if they contain file starts as described in the raw recovery notes. Using these modes it is possible to recover known good files, as well as known lost files and files with no directory or file structure at all.
Scan all MFT entries
When this option is selected, the complete disk will be scanned for valid MFTs. A common reason to use this function is when a disk has been reformatted, or had the operating system reloaded. Often there will be MFTs outside of the recognised MFT file. Some will point to spurious data, but others will point to old files, which may still be intact. Quite often, such MFTs may not have a valid directory path, so dummy directories will be created. This option can take a long time to run, as it tries to scan the complete disk, i.e. every possible sector, to detect any rogue MFT entries. However, if Cancel is pressed in the middle, it has the option to continue with the MFTs found so far.
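An added example, not CnW's code, of the kind of sector-by-sector scan described under 'Scan all MFT entries', with the MFT range selection and the deleted-file marking described earlier. It assumes 512-byte sectors, 1 KiB file records and the NTFS 3.1 record header layout; make_record, scan_records and IMAGE are names made up for this sketch, and IMAGE is constructed sample data.

```python
import struct

SECTOR = 512
RECORD_SIZE = 1024  # assumption: the common 1 KiB NTFS file record size

def make_record(recno, flags):
    """Build a constructed, minimal file record header for the demo image."""
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = b"FILE"                                     # record signature
    struct.pack_into("<H", rec, 0x10, 1)                   # sequence number
    struct.pack_into("<H", rec, 0x14, 0x38)                # first attribute offset
    struct.pack_into("<H", rec, 0x16, flags)               # bit 0 in use, bit 1 directory
    struct.pack_into("<II", rec, 0x18, 0x40, RECORD_SIZE)  # used size, allocated size
    struct.pack_into("<I", rec, 0x2C, recno)               # record number (NTFS 3.1)
    return bytes(rec)

def scan_records(image, first=0, last=None):
    """Scan every sector for file records; optionally keep only a record range."""
    hits = []
    for off in range(0, len(image) - RECORD_SIZE + 1, SECTOR):
        if image[off:off + 4] != b"FILE":
            continue
        attr_off, flags = struct.unpack_from("<HH", image, off + 0x14)
        used, alloc = struct.unpack_from("<II", image, off + 0x18)
        recno, = struct.unpack_from("<I", image, off + 0x2C)
        # Reject signature hits whose header sizes are implausible (spurious data).
        if alloc != RECORD_SIZE or not attr_off < used <= alloc:
            continue
        if recno < first or (last is not None and recno > last):
            continue
        hits.append({"sector": off // SECTOR, "record": recno,
                     "deleted": not flags & 1,      # in-use bit cleared
                     "directory": bool(flags & 2)})
    return hits

# Constructed image: empty sector, live file, deleted file, a stray "FILE"
# string with no valid header, empty sector, live directory.
IMAGE = (bytes(SECTOR) + make_record(5, 0x01) + make_record(6, 0x00)
         + b"FILE" + bytes(SECTOR - 4) + bytes(SECTOR)
         + make_record(7, 0x03))

if __name__ == "__main__":
    for hit in scan_records(IMAGE):
        print(hit)
```

The sketch reads headers only; it does not apply the update sequence fixups or walk the attributes that a real recovery needs.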
Recover Unused space
Recovery of unused space will recover sectors that are not allocated to files. They will be scanned for file signatures and named accordingly. The number of valid files that will be recovered varies widely, but it is an important aspect of any forensic investigation of a disk.
Recover slack space
Slack space on an NTFS disk is made up of two sections. One is the space at the end of each file, as it is used to fill the complete cluster. The other slack space is the space at the end of an MFT directory record. Short files are stored in the MFT record, and so valuable information may be left there for forensic analysis. This is a forensic option only.
Cluster slack space is stored in a file called Slack_clust.slk. Each fragment is enclosed by tags with the structure
<<clust:ssss-cccc>>.......................................<</clust>>
where ssss is the first sector in the cluster, and cccc is the logical cluster number.
For NTFS, short data files (less than approx 500 bytes) are stored in the directory. This second area of slack is at the end of each MFT. Thus MFTs can contain more than just directory information. If the recover slack option is selected, all slack space from directories is stored in a file called Slack_Dir.slk, and placed in the output directory. Each entry is prefixed by the string
<<mft:mmmm-xxxxxx>>...........................................<</mft>>
where mmmm is the MFT number and xxxxxx is the sector number of the MFT. The data entry is terminated by <<\mft>>.
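An added example, not part of the CnW software, that splits the contents of Slack_clust.slk or Slack_Dir.slk into fragments using the tags described above. It assumes the numbers in the tags are decimal and accepts both closing forms the page shows (`/` and `\`); parse_slack, FIELDS and SAMPLE are names made up here, and SAMPLE is constructed data.

```python
import re

# Opening tags as shown on the page: <<clust:ssss-cccc>> and <<mft:mmmm-xxxxxx>>.
# Assumption: both numbers are written as decimal digits.
OPEN_TAG = re.compile(rb"<<(clust|mft):(\d+)-(\d+)>>")
# Meaning of the two numbers per tag type, following the page's description.
FIELDS = {b"clust": ("sector", "cluster"), b"mft": ("mft", "sector")}


def parse_slack(blob):
    """Split the bytes of a .slk file into tagged slack fragments.

    Slack data is arbitrary binary, so a fragment whose closing tag is
    missing (or that runs into another opening tag) is kept and flagged
    complete=False instead of being dropped.
    """
    fragments, pos = [], 0
    while (m := OPEN_TAG.search(blob, pos)) is not None:
        kind = m.group(1)
        # The page writes the terminator both as <</mft>> and as <<\mft>>.
        end = re.compile(rb"<<[/\\]" + kind + rb">>").search(blob, m.end())
        nxt = OPEN_TAG.search(blob, m.end())
        if end is None or (nxt is not None and nxt.start() < end.start()):
            stop = nxt.start() if nxt is not None else len(blob)
            data, complete, pos = blob[m.end():stop], False, stop
        else:
            data, complete, pos = blob[m.end():end.start()], True, end.end()
        first, second = FIELDS[kind]
        fragments.append({"kind": kind.decode(), first: int(m.group(2)),
                          second: int(m.group(3)), "data": data,
                          "complete": complete})
    return fragments


# Constructed sample: one cluster fragment, one MFT fragment, one cut short.
SAMPLE = (b"<<clust:2048-256>>old memo text\x00\x00<</clust>>"
          b"<<mft:23450-6293604>>user=alice\x00<</mft>>"
          b"<<clust:2056-257>>cut off")

if __name__ == "__main__":
    for frag in parse_slack(SAMPLE):
        print(frag)
```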
Disk analysis
Disk analysis is an extremely useful option when the parameters of the disk are not detected automatically. It works by running the Search for MFT routine, which searches the physical disk for runs of MFTs. From this information, it is often possible to reconstruct details of partition start, MFT start cluster and sector numbers, and cluster size. This is the information normally stored in the BIOS parameter block, which is in the first sector of the logical partition. It is a common cause of data loss when this sector gets corrupted, or fails. By running this analysis routine, all useful information can be recreated, and there is no need to write back to the disk.
Summary
Using these tools a very high percentage of files will be recovered even after very drastic corruption, or partial reformatting. The comprehensive log can be exported to a .csv file for further examination. The optional forensic report monitors many elements of corruption detected on the disk.