NTFS data recovery

CnW data recovery software for NTFS disks


CnW NTFS data recovery software may be the only means to extract and recover files and data from a corrupted hard drive. The program will work even when the boot sector has been lost, when the drive has been repartitioned, or when the operating system has been reloaded. Deleted files and overwritten operating systems can all be processed, and otherwise lost files recovered. Failing disks can be recovered even when critical sectors are missing. It will process disks that have used software compression. NTFS disks are the basis of most current PCs running Windows XP, Vista and Windows 7 - Windows 10. Examples can also be found on removable optical disks, and occasionally memory sticks.

The quality and number of files recovered are exceptionally high, and often far better than many competing programs.

To recover an NTFS disk with the manual options shown below, rather than using the wizard, select the green Recover icon (once the relevant drive has been selected from the combo box in the main tool bar).

If the disk has multiple partitions, the first screen displayed will be a list of partitions. At this stage, enable the partitions to be recovered. It is therefore possible to select just a single partition for recovery, or several. It should be noted that some computers are shipped with a main NTFS disk and a small boot or recovery FAT partition. User data is not stored in the FAT partition, so it can be ignored.



The screen above is displayed with several options on how data may be recovered.

The lower part of the box displays the parameters of the disk for up to 8 partitions. These parameters may be changed (with caution) to override the values determined automatically.

There are two basic modes for recovery and restoration of all files.

Full Recovery
This is a mode where the data recovery program emulates the normal operating system. The major difference is that it is very fault tolerant, and will also examine and use values from the mirror MFT found on the hard drive.

From file entries
This mode can be the most useful. The program will analyse each MFT (Master File Table) entry and restore the file associated with it. The directory structure is retained where possible, but when key directory structure files are missing, the program will continue recovering files, sometimes placing them into ‘dummy’ directories called lost_dir_xxxx, where xxxx is a unique number for each unrecognised directory parent. In a second mode of this function, ‘Scan all MFT entries’ can be selected so that the whole disk is scanned for possible MFTs. This is useful on disks that have had the operating system reloaded and lost all original files.

At the start of this function, a new dialog box is displayed that lets the user select a range of MFTs. This can be to examine just a section of the disk, or to overcome a problem where it has been determined that for instance there are problems around MFT 23,450 possibly due to bad, or very corrupted sectors.

If, when using this mode, the master $MFT sector is not found, the process will start again with Scan for all MFTs set.

Recover deleted files
NTFS deletes files by marking the MFT entry to indicate that the file has been deleted. It does retain the location of the file, and often the first several fragments of a fragmented file. If nothing has been written to the disk since deletion, or since removal from the recycle bin, then a very high level of recovery should be expected. The recovery is done in two passes: the first pass recovers all standard files, and the second pass recovers deleted files. With this two pass procedure, it is possible to detect when a file has potentially been overwritten by a newer file. A final stage in this recovery mode is to select Recover Unused Space. This will then examine all sectors that have not been read, and determine if they contain file starts as described in the raw recovery notes. Using these modes it is possible to recover known good files, as well as known lost files and files with no directory or file structure at all.
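The two pass overlap check described above, as an added Python illustration rather than CnW's own code: pass one records which clusters live files own, pass two flags each deleted MFT entry whose data runs now fall inside a live file. The record layout, MFT numbers and data runs are constructed sample values.

```python
from dataclasses import dataclass

@dataclass
class MftEntry:
    mft_no: int
    name: str
    runs: list      # data runs as (first_cluster, cluster_count); a deleted entry may keep only early fragments
    deleted: bool

def clusters_of(entry):
    """Expand an entry's data runs into the set of logical cluster numbers it claims."""
    return {c for start, count in entry.runs for c in range(start, start + count)}

def pass_one_live_owners(entries):
    """Pass 1: map each cluster owned by a live (not deleted) file to its MFT number."""
    owner = {}
    for e in entries:
        if not e.deleted:
            for c in clusters_of(e):
                owner[c] = e.mft_no
    return owner

def pass_two_classify_deleted(entries):
    """Pass 2: for each deleted entry decide whether its clusters are still free, partly reused, or all reused."""
    owner = pass_one_live_owners(entries)
    verdicts = {}
    for e in entries:
        if not e.deleted:
            continue
        claimed = clusters_of(e)
        reused = {c: owner[c] for c in claimed if c in owner}
        if not reused:
            status = "intact"
        elif len(reused) == len(claimed):
            status = "overwritten"
        else:
            status = "partial"
        verdicts[e.mft_no] = (status, sorted(set(reused.values())))   # which live files took the space
    return verdicts

# Constructed sample: two live files and three deleted entries on a small volume.
SAMPLE_ENTRIES = [
    MftEntry(40, "report.docx", [(100, 8)], deleted=False),
    MftEntry(41, "photo.jpg", [(200, 4), (300, 2)], deleted=False),
    MftEntry(50, "old.txt", [(104, 4)], deleted=True),     # clusters 104-107 now belong to MFT 40
    MftEntry(51, "notes.txt", [(150, 3)], deleted=True),   # nothing written here since deletion
    MftEntry(52, "draft.doc", [(198, 4)], deleted=True),   # 198-199 still free, 200-201 taken by MFT 41
]
```

A real volume would hold millions of clusters, so a tool would merge runs into sorted intervals instead of a per-cluster dictionary; the decision logic is the same.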

Scan all MFT entries
When this option is selected, the complete disk will be scanned for valid MFTs. A common reason to use this function is when a disk has been reformatted, or had the operating system reloaded. Often there will be MFTs outside of the recognised MFT file. Some will point to spurious data, but others will point to old files, which may still be intact. Quite often, such MFTs may not have a valid directory path, so dummy directories will be created. This option can take a long time to run, as it scans the complete disk, i.e. every possible sector, to detect any rogue MFT entries. However, if Cancel is pressed in the middle, there is the option to continue with the MFTs found so far.

Recover Unused space
Recovery of unused space will recover sectors that are not allocated to files. They will be scanned for file signatures and named accordingly. The number of valid files that will be recovered varies widely, but it is an important aspect of any forensic investigation of a disk.

Recover slack space
Slack space on an NTFS disk is made up of two sections. One is the space at the end of each file that is used to fill the complete cluster. The other slack space is the space at the end of an MFT directory record. Short files are stored in the MFT record, and so valuable information may be left there for forensic analysis. This is a forensic option only.
Cluster slack space is stored in a file called Slack_clust.slk. Each fragment is enclosed by tags with the structure

<<clust:ssss-cccc>>.......................................<</clust>>

where ssss is the first sector in the cluster, and cccc is the logical cluster number.

For NTFS, short data files (less than approx 500 bytes) are stored in the directory. This second area of slack is at the end of each MFT. Thus MFTs can contain more than just directory information. If the recover slack option is selected, all slack space from directories is stored in a file called Slack_Dir.slk, and placed in the output directory. Each entry is prefixed by the string

<<mft:mmmm-xxxxxx>>...........................................<</mft>>

where mmmm is the MFT number and xxxxxx is the sector number of the MFT. The data entry is terminated by

<<\mft>>.
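The tagged .slk layout above, parsed by an added Python example that is not CnW's own code. It assumes the numeric fields are written as plain digits and accepts either `/` or `\` in the closing tag, since both spellings appear above; the sample bytes and the signature table are constructed.

```python
import re

# One record per slack fragment: <<clust:ssss-cccc>> ... <</clust>> or <<mft:mmmm-xxxxxx>> ... <</mft>>.
# The closing tag accepts <</name>> or <<\name>> (assumption: both forms are shown in the description).
TAG_RE = re.compile(rb"<<(clust|mft):([0-9]+)-([0-9]+)>>(.*?)<<[/\\]\1>>", re.DOTALL)

# A few well-known file starts used to label what a fragment may be the remains of (constructed subset).
SIGNATURES = {b"PK\x03\x04": "zip", b"\xff\xd8\xff": "jpeg", b"%PDF-": "pdf", b"FILE0": "mft-record"}

def parse_slack_file(blob: bytes):
    """Return one dict per tagged fragment: kind, the two numbers from the tag, and the raw payload."""
    records = []
    for m in TAG_RE.finditer(blob):
        kind, first, second, payload = m.groups()
        key1, key2 = ("sector", "cluster") if kind == b"clust" else ("mft", "sector")
        records.append({"kind": kind.decode(), key1: int(first), key2: int(second), "data": payload})
    return records

def signature_hint(payload: bytes):
    """Earliest known file signature inside a fragment, as (offset, name), or None."""
    hits = [(payload.find(magic), name) for magic, name in SIGNATURES.items() if magic in payload]
    return min(hits) if hits else None

def non_zero_ratio(payload: bytes) -> float:
    """Share of non-zero bytes; all-zero slack is padding and not worth a look."""
    return 0.0 if not payload else sum(b != 0 for b in payload) / len(payload)

# Constructed sample .slk content: zip remains, then zero padding, then text left in an MFT record.
SAMPLE_SLK = (
    b"<<clust:16384-2048>>" + b"\x00" * 6 + b"PK\x03\x04leftover zip tail" + b"<</clust>>"
    + b"<<clust:16392-2049>>" + b"\x00" * 32 + b"<</clust>>"
    + b"<<mft:4711-98304>>" + b"meeting notes: budget 2019" + b"<<\\mft>>"
)
```

A payload that itself contains the literal closing tag would be cut short by the non-greedy match, so treat the fragment boundaries as best effort on binary slack.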

Disk analysis
Disk analysis is an extremely useful option when the parameters of the disk are not detected automatically. It works by running the Search for MFT routine, which searches the physical disk for runs of MFTs. From this information, it is often possible to reconstruct details of the partition start, the MFT start cluster and sector numbers, and the cluster size. This is the information normally stored in the BIOS parameter block, which is in the first sector of the logical partition. Corruption or failure of this sector is a common cause of data loss. By running this analysis routine, all useful information can be recreated, and there is no need to write back to the disk.

NTFS compression

NTFS disks have the option to compress files. This saves disk space, but makes recovery of corrupted disks a bit more complex. Fortunately, CnW Recovery Software does have tools to make this a straightforward task, and can often restore compressed files that other data recovery packages miss altogether. This can make CnW a very useful forensic tool when searching disks that have a history of being reformatted.

When a disk is being recovered making use of the existing directory structure, or directory stubs (stored in the MFT blocks), then the details of compression are known. For raw reading of a disk, each cluster group is analysed to determine if the data is compressed.

How NTFS compresses files
NTFS compresses data on a file by file basis. The compression is a slightly modified LZ77 and is fast both to compress and to expand, but is not as efficient as the slower LZW routines such as those used by PKZIP. As files have to be random access, even when compressed, the method chosen is to compress in 4K blocks only. Again, this is a trade off between maximum compression and speed with random access of a file. It is generally true that the longer the compression block, the higher the rate of compression, as it is more likely to come across a string that has already been seen. Looking at a sector that has been compressed, it will be noted that often the first few words of text do not look compressed, as no pattern has yet been repeated. At the end of the block, the data is largely unreadable by eye.
NTFS has several features to ensure that compression does not actually expand the data being written. This can be a problem when attempting to compress data that has already been compressed by an efficient routine. On an NTFS disk, data is stored in clusters, and a cluster is typically 2K or 4K in size (512 bytes, 1K, 8K and 16K are all possible, but not common). NTFS will attempt to compress a stream of 16 clusters, up to a maximum of 64K. Thus compression is not possible if the cluster size is greater than 4K, or 8 sectors.

With a 4K cluster, each 4K block is compressed in turn. If a 4K block does not compress, it will be marked with a 2 byte header and the data will be left uncompressed. If, when all 16 clusters are added up, they still take up 16 clusters, the data will be left totally uncompressed. However, if there can be a saving of at least one cluster, this saving is made. Text files, Word files etc. often reduce to about 50% of their size, while JPEGs compress only very slightly, and normally only in the first cluster group. For a 4K cluster the compression unit will be 16 clusters, a total of 64K. For a 2K cluster it will still be 16 clusters, giving 32K.

The CnW View Sector function has an expand button that will expand sectors, as long as the first sector is the start of a compression cluster. The full length of the expanded data is displayed, up to the 64K maximum.

How sectors are expanded on a raw read

It is fairly easy to detect whether a cluster contains compressed data. This uses a mixture of checking the first few bytes and following the chain of each cluster through the 16 cluster block. If the data is compressed, then an expanded version is created and the normal raw recovery routines are run on it, helping to extract files.
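The 4K block scheme described under "How NTFS compresses files" and the raw read detection step above, shown as an added Python example that is not CnW's code. The on-disk format of this modified LZ77 is known as LZNT1: `lznt1_decompress` expands one compression unit block by block, honouring the 2 byte header that marks a block left uncompressed, and `looks_like_compressed_unit` is the kind of header check a raw read can apply to a cluster's first bytes. The sample unit is constructed by hand.

```python
import struct

def _expand_chunk(chunk: bytes) -> bytearray:
    """Decode one compressed 4K block: flag bytes, each bit choosing a literal (0) or a back-reference (1)."""
    out = bytearray()
    i = 0
    while i < len(chunk):
        flags, i = chunk[i], i + 1
        for bit in range(8):
            if i >= len(chunk):
                break
            if not (flags >> bit) & 1:
                out.append(chunk[i])              # literal byte copied through
                i += 1
            else:
                token, i = struct.unpack_from("<H", chunk, i)[0], i + 2
                # The 16-bit token splits into displacement and length; the displacement part widens
                # as more of the block has been produced, so the split is recomputed for every token.
                p, len_mask, off_shift = len(out) - 1, 0x0FFF, 12
                while p >= 0x10:
                    p, len_mask, off_shift = p >> 1, len_mask >> 1, off_shift - 1
                length, dist = (token & len_mask) + 3, (token >> off_shift) + 1
                if dist > len(out):
                    raise ValueError("back-reference points before the start of the block")
                for _ in range(length):           # byte-wise copy so overlapping references repeat correctly
                    out.append(out[-dist])
    return out

def lznt1_decompress(unit: bytes) -> bytes:
    """Expand a compression unit (up to 16 clusters): a sequence of 4K blocks, each with a 2 byte header."""
    out, pos = bytearray(), 0
    while pos + 2 <= len(unit):
        header = struct.unpack_from("<H", unit, pos)[0]
        if header == 0:                           # zero header: the rest of the unit is padding
            break
        size = (header & 0x0FFF) + 1              # bytes of block data that follow the header
        block = unit[pos + 2:pos + 2 + size]
        pos += 2 + size
        out += _expand_chunk(block) if header & 0x8000 else block   # bit 15 clear: block stored as-is
    return bytes(out)

def looks_like_compressed_unit(first_bytes: bytes) -> bool:
    """Raw read heuristic: does the cluster start with a plausible block header (signature bits 011)?"""
    if len(first_bytes) < 2:
        return False
    header = struct.unpack_from("<H", first_bytes)[0]
    return (header & 0x7000) == 0x3000 and (header & 0x0FFF) + 1 <= 4096

# Constructed sample: a compressed block ("ABC" then a 9-byte back-reference), a stored block, zero padding.
SAMPLE_UNIT = bytes([0x05, 0xB0, 0x08, 0x41, 0x42, 0x43, 0x06, 0x20, 0x04, 0x30]) + b"Hello" + b"\x00\x00"
```

The header check alone gives false positives on plain data whose first word happens to match, which is why the text also follows the chain of blocks through the whole 16 cluster group before trusting a hit.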

How to recover compressed NTFS files from unallocated disk space

There are two ways to extract the data: either as part of a normal restore, or by using the Image option and selecting file splitting with compression expansion.

Each restore option for files, e.g. FAT or NTFS, has an option for restoring unallocated space. This is normally performed after a standard restore, so that sectors that are part of a defined file are not re-read.
The other mode is to select the Image Restore function. This is described fully in the raw recovery section.

In summary, the user can extract data from a mixed compressed and uncompressed platter without needing to understand anything about compression routines. CnW Recovery software is a powerful tool to carve NTFS compressed disks.


Summary

Using these tools a very high percentage of files will be recovered even after very drastic corruption, or partial reformatting. The comprehensive log can be exported to a .csv file for further examination. The optional forensic report monitors many elements of corruption detected on the disk.