NTFS data recovery

CnW data recovery software for NTFS disks

CnW NTFS data recovery software may be the only means to extract and recover files and data from a corrupted hard drive. The program will work even when the boot sector has been lost, when the drive has been repartitioned, or when the operating system has been reloaded. Deleted files and overwritten operating systems can all be processed and otherwise lost files recovered. Failing disks can be recovered even when critical sectors are missing. It will process disks that have used software compression. NTFS disks are the basis of most current PCs running Windows XP, Vista and Windows 7. Examples can also be found on removable optical disks, and occasionally memory sticks.

The quality and number of files recovered are exceptionally high, and often far better than with many competing programs.

To recover an NTFS disk with the manual options shown below, rather than using the wizard, select the green Recover icon (once the relevant drive has been selected from the combo box in the main tool bar).

If the disk has multiple partitions, the first screen displayed will be a list of partitions. At this stage, enable the relevant partitions to be recovered. It is therefore possible to select just a single partition for recovery, or multiple partitions. It should be noted that some computers are shipped with a main NTFS disk and a small boot or recovery FAT partition. User data is not stored in the FAT partition, so it can be ignored.

NTFS recovery software

 

The screen above is displayed with several options on how data may be recovered.

The lower part of the box displays parameters on the disk for up to 8 partitions. These parameters may be changed (with caution) to override the determined values.

There are two basic modes for recovery and restoration of all files:

Full Recovery

    This is a mode where the data recovery program emulates the normal operating system. The major difference is that it is very fault tolerant, and will also examine and use values from the mirror MFT found on the hard drive.

From file entries

    This mode can be the most useful. The program will analyse each MFT (Master File Table) entry, and restore the file associated with it. The directory structure is retained where possible, but when key directory structure files are missing, the program will continue recovering files, sometimes placing them into ‘dummy’ directories called lost_dir_xxxx, where xxxx is a unique number for each unrecognised directory parent. In a second mode of this function, ‘Scan all MFT entries’ can be selected, so the whole disk is scanned for possible MFTs. This is useful on disks that have had the operating system reloaded, and lost all original files.

    At the start of this function, a new dialog box is displayed that lets the user select a range of MFTs.  This can be to examine just a section of the disk, or to overcome a problem where it has been determined that for instance there are problems around MFT 23,450 possibly due to bad, or very corrupted sectors.

    If when using this mode, the master $MFT sector is not found, the process will start again with the Scan for all MFTs set.

Recover deleted files

    The NTFS file system deletes a file by marking its MFT entry to indicate that the file has been deleted. It does retain the location of the file, and often the first several fragments of a fragmented file. If nothing has been written to the disk since deletion, or removal from the recycle bin, then a very high level of recovery should be expected. The recovery is done in two passes: the first pass recovers all standard files, and the second pass recovers deleted files. With this two-pass procedure, it is possible to detect when a file has potentially been overwritten by a newer file. A final stage in this recovery mode is to select Recover Unused Space. This will then examine all sectors that have not been read, and determine if they contain file starts as described in the raw recovery notes. Using these modes it is possible to recover known good files, as well as known lost files and files with no directory or file structure at all.

Scan all MFT entries

    When this option is selected, the complete disk will be scanned for valid MFTs. A common reason to use this function is when a disk has been reformatted, or had the operating system reloaded. Often there will be MFTs outside of the recognised MFT file. Some will point to spurious data, but others will point to old files, which may still be intact. Quite often, such MFTs may not have a valid directory path, so dummy directories will be created. This option can take a long time to run, as it tries to scan the complete disk, i.e. every possible sector, to detect any rogue MFT entries. However, if Cancel is pressed in the middle, it has the option to continue with the MFTs found so far.

Recover Unused space

    Recovery of unused space will recover sectors that are not allocated to files.  They will be scanned for file signatures and named accordingly.  The number of valid files that will be recovered is very varied, but it is an important aspect of any forensic investigation of a disk.

Recover slack space

    Slack space on an NTFS disk is made up of two sections. One is the space at the end of each file, as it is used to fill the complete cluster. The other slack space is the space at the end of an MFT directory record. Short files are stored in the MFT record, and so valuable information may be left there for forensic analysis. This is a forensic option only.

    Cluster slack space is stored in a file called Slack_clust.slk. Each fragment is enclosed by tags with the structure

    <<clust:ssss-cccc>>.......................................<</clust>>

    where ssss is the first sector in the cluster, and cccc is the logical cluster number.

    For NTFS, short data files (less than approx 500 bytes) are stored in the directory. This second area of slack is at the end of each MFT. Thus MFTs can contain more than just directory information. If the recover slack option is selected, all slack space from directories is stored in a file called Slack_Dir.slk, and placed in the output directory. Each entry is prefixed by the string

    <<mft:mmmm-xxxxxx>>...........................................<</mft>>

    where mmmm is the MFT number and xxxxxx is the sector number of the MFT. The data entry is terminated by <<\mft>>.
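For working with the two slack files described above, the following parser is an added example and not part of the CnW software. It assumes the numbers in the tags are decimal, accepts both terminator spellings the page shows (`<</mft>>` and `<<\mft>>`), and uses constructed sample contents; the function names `parse_slack` and `interesting` are hypothetical.

```python
import re

# <<clust:ssss-cccc>>...<</clust>> and <<mft:mmmm-xxxxxx>>...<</mft>>; the page
# writes the MFT terminator both as <</mft>> and <<\mft>>, so accept either.
TAG = re.compile(rb"<<(clust|mft):(\d+)-(\d+)>>(.*?)<<[/\\]\1>>", re.DOTALL)
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")  # ASCII runs of 6+ characters

# Constructed sample contents (not real tool output); numbers assumed decimal.
SAMPLE_CLUST = (
    b"<<clust:2048-256>>\x00\x00Quarterly figures draft\x00\xff<</clust>>"
    b"<<clust:2056-257>>\x00\x00\x00\x00<</clust>>"
)
SAMPLE_DIR = b"<<mft:35-6291526>>\x00\x10notes.txt body text\x00<<\\mft>>"


def parse_slack(blob):
    """Split a slack file into tagged fragments, keeping the raw bytes."""
    entries = []
    for m in TAG.finditer(blob):
        kind = m.group(1).decode()
        first, second = int(m.group(2)), int(m.group(3))
        # Field meaning depends on the tag, as described in the text above.
        keys = ("first_sector", "cluster") if kind == "clust" else ("mft_number", "sector")
        entries.append({"kind": kind, keys[0]: first, keys[1]: second,
                        "offset": m.start(4), "data": m.group(4)})
    return entries


def interesting(entries):
    """Keep only fragments that contain readable text, with the strings found."""
    out = []
    for entry in entries:
        strings = [s.decode("ascii") for s in PRINTABLE.findall(entry["data"])]
        if strings:
            out.append((entry, strings))
    return out


if __name__ == "__main__":
    for entry, strings in interesting(parse_slack(SAMPLE_CLUST) + parse_slack(SAMPLE_DIR)):
        where = {k: v for k, v in entry.items() if k not in ("data", "offset")}
        print(where, strings)
```

Because the fragments carry no length field, slack data that happens to contain the terminator string itself would end a fragment early.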

     

Disk analysis

    Disk analysis is an extremely useful option when the parameters of the disk are not detected automatically. It works by running the Search for MFT routine, which searches the physical disk for runs of MFTs. From this information, it is often possible to reconstruct details of partition start, MFT start cluster and sector numbers, and cluster size. This is the information normally stored in the BIOS parameter block, which is in the first sector of the logical partition. It is a common cause of data loss when this sector gets corrupted, or fails. By running this analysis routine, all useful information can be recreated, and there is no need to write back to the disk.

    Search for MFTs with NTFS data recovery software
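The scan described under "Scan all MFT entries" and "Disk analysis", and the deleted-file marking described under "Recover deleted files", can be illustrated with the standard NTFS record header. This is an added example, not CnW's code: it assumes 512-byte sectors and 1024-byte MFT records, ignores the update sequence fixups, and runs on a constructed in-memory image; all function names are hypothetical.

```python
import struct

SECTOR = 512
RECORD_SIZE = 1024  # usual MFT record size; assumed fixed in this sketch

def make_record(number, flags):
    """Constructed MFT record header (no attributes) for the demo image."""
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<H", rec, 0x16, flags)                # 0x01 in use, 0x02 directory
    struct.pack_into("<II", rec, 0x18, 0x1A0, RECORD_SIZE)  # used / allocated bytes
    struct.pack_into("<I", rec, 0x2C, number)               # record number (NTFS 3.1)
    return bytes(rec)

def build_demo_image():
    """Constructed image: a 3-record MFT run, a gap, a stray record, a decoy."""
    run = make_record(0, 0x01) + make_record(1, 0x03) + make_record(2, 0x00)
    decoy = b"FILE is only text here".ljust(RECORD_SIZE, b" ")
    return bytes(4 * SECTOR) + run + bytes(6 * SECTOR) + make_record(57, 0x01) + decoy

def scan_for_mft_records(image):
    """Check every sector for a plausible MFT record header."""
    hits = []
    for off in range(0, len(image) - RECORD_SIZE + 1, SECTOR):
        if image[off:off + 4] != b"FILE":
            continue
        flags, used, alloc = struct.unpack_from("<HII", image, off + 0x16)
        if alloc != RECORD_SIZE or not 0 < used <= alloc:
            continue  # signature matched by chance; sizes are implausible
        number, = struct.unpack_from("<I", image, off + 0x2C)
        hits.append({"sector": off // SECTOR, "number": number,
                     "in_use": bool(flags & 0x01), "is_dir": bool(flags & 0x02)})
    return hits

def group_runs(hits):
    """Group hits that sit back to back on disk into runs."""
    runs, step = [], RECORD_SIZE // SECTOR
    for hit in hits:
        if runs and hit["sector"] == runs[-1][-1]["sector"] + step:
            runs[-1].append(hit)
        else:
            runs.append([hit])
    return runs

if __name__ == "__main__":
    for run in group_runs(scan_for_mft_records(build_demo_image())):
        deleted = [h["number"] for h in run if not h["in_use"]]
        print(f"run at sector {run[0]['sector']}: {len(run)} records, deleted: {deleted}")
```

The longest run gives a candidate MFT start sector, while isolated hits such as record 57 in the sample are the kind of stray entries left behind by an earlier format.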

Summary

    Using these tools a very high percentage of files will be recovered even after very drastic corruption, or partial reformatting.  The comprehensive log can be exported to a .csv file for further examination.  The optional forensic report monitors many elements of corruption detected on the disk.
