Disk recovery software for NTFS disks

NTFS data recovery software can sometimes be the only means to extract data from a corrupted hard drive. NTFS disks are now very common on most PCs running Windows XP. Examples can also be found on removable optical disks. CnW Recovery software will automatically handle different sectors sizes of 512 bytes on a PC hard drive, or 1024 bytes on an optical disk. It will also process disks that have used software compression. No user intervention is required. Free demo download

To recover an NTFS with manual options, rather than using the wizard, select the green Recover Icon (once the relevant drive has been selected from the combo box in the main tool bar).

If the disk has multiple partitions, the first screen displayed will be a list of partitions. At this stage enable the relevant partitions to be recovered. It is therefore possible to select just a single partition for recovery, or multiple partitions. It should be noted that some computers are shipped with a main NTFS disk, and a small boot, or recovery FAT partition. User data is not normally stored in the FAT partition, and so can be ignored.

The screen above is displayed with several options on how data may be restored.

The lower part of the box displays parameters on the disk for up to 8 partitions. These parameters may be changed (with caution) to override to determined values

There are three basic modes for recovery and restoration of lost files

Full Recovery

This is a mode where the recovery program emulates the normal operating system. The major difference is that is very fault tolerant, and will also examine and use values from the mirror MFT found on the hard drive.

From file entries

This mode can be the most useful. The program will analyse each MFT (Master File Table) entry, and restore the file associated with it. The directory structure is retained where possible, but when key directory structure files are missing, the program will continue recovering files, sometimes placing them into ‘dummy’ directories called lost_dir_xxxx where xxx is a unique number for each unrecognised directory parent.. In a second mode of this function ‘Scan all MFT entries’ can be selected, so the whole disk is scanned for possible MFTs. This is useful on disks that have had the operating system reloaded, and lost all original files.

At the start of this function, a new dialog box is displayed that lets the user select a range of MFTs. This can be to examine just a section of tehy disk, or to overcome a problem where it has been determined that for instance there are problems around MFT 23,450 possibly due to bad, or very corrupted sectors.

If when using this mode, the master $MFT sector is not found, the process will start again with the Scan for all MFTs set.

Recover deleted files

NTFS system deletes files by marking the MFT to indicate the file has been deleted. It does retain the location of the file, and often the first several fragments of a fragmented file. If nothing has been written to the since since deletion, or removal from the recycle bin, then a very high level of recovery should be expected. The recovery is done in two passes, the first pass recovers all standard files, and the second pass the recovers deleted files. With this two pass procedure, it is possible to detect when a file has potentially been overwritten by a newer file. A final stage in this recovery mode is to select Recover Unused Space. This will then examine all sectors that have not been read, and determine if they contain file starts as described in the raw recovery notes. Using these modes it is possible to recover known good files, as well as known lost files and files with no directory or file structure at all.

Scan all MFT entries

When this option is selected, the complete disk will be scanned for valid MFTs. A common reason to use this function is when a disk has been reformatted, or had the operating system reloaded. Often there will be MFTs, outside of the recognised MFT file. Some will point to spurious data, but others will point to old files, which may still be intact. Quite often, such MFTs may not have a valid directory path, so dummy directories will be created. This option can take a long time to run, as it does try and scna the complete disk. However, if Cancel is pressed in the middle, it has the option to continue with MFTs found so far.

Recover Unused space

Recovery of unused space will recover sectors that are not allocated to files. They will be scanned for file signatures and named accordingly.

Recover slack space

Slack space on an NTFS disk is made up of two sections. One is the space at the end of each file as it is used to fill the compete cluster. the other slack space is the space at the end of an MFT directory record. Short files are stored in the MFT record, and so valuable information may be left there for forensic analysis.

Disk analysis

This is an extremely useful option when the parameters of the disk are not detected automatically. The function by going to the Search for MFT routine that will search the physical disk for runs of MFTs. from this information, it is often possible to reconstruct details of partition start, MFT start cluster and sector numbers, and cluster size. This is the information normally stored in the BIOS parameter block which in the first sector of the logical partition. It is a common cause of data lose when this sector gets corrupted, or fails. By running this analysis routine, all useful information can be recreated, and there is no need to write back to the disk.