General NTFS Recovery




There are several common problems with NTFS disks.  Most are related to failed sectors in the boot area, or at the start of the MFT.  All can be recovered from, often with a high degree of success.  If there are more than a few bad sectors, it is always worth imaging the disk first.


Stage 1 - NTFS Recovery options


To start recovery, in the main menu select Recover and the NTFS menu will be displayed, as below.



It is important to review the values that have been filled in.  The display above is for 4 partitions, but many disks are just a single partition, in which case only the first of the 8 boxes will be non-zero.


The most important values to enter are the Cluster size and the MFT start cluster, which can be used to derive the MFT start sector.  One way to fill these in is to run the Analyse Disk function, which scans the disk to find the first long run of MFTs.


The number of MFT entries is not critical, so it can be set to a reasonably sized number, e.g. 64000 or 0x10000.


If the above values are wrong, no damage will be done to the disk drive, but data may not be extracted, or may not be recovered correctly.



Stage 2


The next step, once the parameters have been set, is to determine the recovery mode.  There is no correct answer, but the two main options are Full Recovery or Recover from file entries.  Full Recovery is normally used when the file system is intact. In this mode, the recovery program emulates the operating system, and will follow the directory tree. A common error displayed when using this mode is a message that the INDX is not found.  The solution for this is to use Recover from file entries.


If Recover from file entries is used, there are then two useful options. 

Scan all MFT entries.  This is a mode where the whole disk will be scanned for MFTs.  This can be slow, and if it is canceled part way through, the entries that have been found can still be used.


Select MFT Range. This option has two uses.  Firstly, if it is known that the file has an MFT within a certain range, it is not necessary to read the whole disk.  Secondly, a limited range for recovery can be selected.  This could be after the program has a problem, hangs etc. trying to recover from a particular MFT.  If, for instance, there is a problem when recovering a file with an MFT of about 1,000, then a new attempt could be made starting at, say, 1050.  The option can also be used when it has been necessary to cancel part way through a recovery.  Recovery can then be restarted where it was terminated.


Stage 3 - options


For each recovery mode, there are several options that may be applied.  The most popular will be Recover deleted files. NTFS marks an MFT entry with a flag to indicate that the file has been deleted.  This does not guarantee that the data is still available, as the data area may have been overwritten, but the entry does retain the location and details of the file.  CnW software will place all such recovered files into a directory called Deleted, but the directory structure will remain intact.
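
The following is an added example, not CnW code: a sketch of what scanning for the first long run of MFT records (Stage 1) and testing the deleted flag (Stage 3) involve on a raw image. It assumes 512-byte sectors, 1024-byte records and the standard FILE record header (flags at offset 0x16, record number at 0x2C on NTFS 3.1 and later); the function names and the sample image are constructed for illustration.

```python
import struct

SECTOR, RECORD = 512, 1024       # assumed sector size and MFT record size
IN_USE, IS_DIR = 0x0001, 0x0002  # flag bits at offset 0x16 of a FILE record

def parse_record(buf, off):
    """Return (record_number, flags) if a FILE record starts at off, else None."""
    if off + RECORD > len(buf) or buf[off:off + 4] != b"FILE":
        return None
    flags, = struct.unpack_from("<H", buf, off + 0x16)
    recno, = struct.unpack_from("<I", buf, off + 0x2C)  # NTFS 3.1+ layout
    return recno, flags

def find_mft_run(buf, min_run=4):
    """Sector-aligned scan; byte offset of the first run of >= min_run records."""
    for off in range(0, len(buf) - RECORD + 1, SECTOR):
        if all(parse_record(buf, off + i * RECORD) for i in range(min_run)):
            return off
    return None

def mft_location(run_offset, cluster_size):
    """Values relative to the image start: (MFT start sector, MFT start cluster)."""
    return run_offset // SECTOR, run_offset // cluster_size

def classify(buf, run_offset):
    """Split the run's record numbers into in-use and deleted."""
    live, deleted = [], []
    off = run_offset
    while (rec := parse_record(buf, off)) is not None:
        recno, flags = rec
        (live if flags & IN_USE else deleted).append(recno)
        off += RECORD
    return live, deleted

def make_record(recno, flags):
    """Constructed test data: a blank record with only the fields read above."""
    rec = bytearray(RECORD)
    rec[0:4] = b"FILE"
    struct.pack_into("<H", rec, 0x16, flags)
    struct.pack_into("<I", rec, 0x2C, recno)
    return bytes(rec)

# Constructed image: one stray record at sector 3, MFT at cluster 4 (4 KiB clusters).
# Record 3 has the in-use bit cleared, i.e. it describes a deleted file.
FLAGS = [IN_USE, IN_USE, IN_USE, 0, IN_USE, IN_USE | IS_DIR]
IMAGE = (bytes(3 * SECTOR) + make_record(99, IN_USE)).ljust(4 * 4096, b"\0")
IMAGE += b"".join(make_record(n, f) for n, f in enumerate(FLAGS))

if __name__ == "__main__":
    run = find_mft_run(IMAGE)
    print("MFT start sector/cluster:", mft_location(run, 4096))
    print("in use, deleted:", classify(IMAGE, run))
```

The lone record at sector 3 is skipped because it is not followed by further records, which is why a long run rather than a single signature match is used to locate the MFT.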