NTFS Recovery


For NTFS there are several approaches that can be taken to restore files. There is no single correct one to use; they have different uses depending on how the disk has been damaged and on what type of data is being restored.


Notes at the bottom of this page give suggestions of modes to use for different types of failure. There is no practical limit on the size of an NTFS partition, and with an EFI (GPT) disk header it can be larger than 2TB.


CnW Recovery software will work with disks having the standard 512 byte sector size (0x200) as well as the 4K sector size (0x1000).




By double clicking on any of the parameter boxes the sector will be displayed.


Full Recovery

In this mode the program tries to restore the files in the same way as the standard operating system would.  It is very tolerant of errors, but if for instance the root directory structure is missing, the restoration may fail. In this case, use one of the options below.



Recover from file entries

This is often the most useful mode for restoring files from corrupted disks. It does assume a reasonably valid Master File Table (MFT): it reads each entry in the table and tries to restore the associated file. When selected, a second option is displayed where a range of MFT entries can be entered.  This can be useful if a section of the disk is causing the restoration process to hang or crash; in these cases the scan can be started and ended in sections.


An additional option is to Scan all MFT entries, in which the whole disk is read testing for possible MFT entries. If the Cancel button is pressed during this scan, the scan is stopped, but optionally it is possible to continue with the restore stage.  Thus if it is known that all MFT entries lie within the first 1,500,000 blocks, the scan can be cancelled any time after that point and the restore will continue.


Recovery from MFTs is in two sections.  First, known good MFT entries are recovered and saved in the directory specified by the output path.  The second scan is for MFT entries that have otherwise been lost.  These are stored in a subdirectory !recover_mft.


       Select MFT Range

When restoring from MFTs it is possible to select the range.  If this option is not selected, all potential MFT entries are analysed and the files read.


        Restore deleted files

NTFS marks a file as active or deleted by a flag in its MFT entry.  When restoring with the deleted file option selected, the MFT entries (or the directory) are processed twice.  On the first pass only good (in-use) files are restored.  On the second pass deleted files are restored; because the sectors known to be in use by live files have been seen on the first pass, a deleted file whose clusters overlap them is marked as overwritten and stored in a separate directory. Overwritten files may still be good, but should be treated with caution, as at least part of the file has been detected as overwritten.


Deleted files are stored in a directory !DELETED


  Recover unused space

Recover unused space will do a raw scan of all sectors that have not been used.  The data is saved in a directory called !recover_carving and, as in normal carving, will be in folders for each file type.  On an NTFS disk the carving will test for compressed NTFS sectors and process them as required.


        Recover Slack Space - Forensic option

Slack space on an NTFS volume is found in two areas.  The first is the space at the end of the last cluster of each file: disk space is allocated in whole clusters of, say, 2K, but a file occupies some number of bytes.  A file of 13K would therefore require 14K of disk space (seven 2K clusters), leaving the final 1K as unknown data, normally whatever was previously written there.  This is slack space, and can be useful within a forensic investigation. For data recovery applications it is normally ignored.


Cluster slack space is stored in a file called Slack_clust.slk.  Each fragment is enclosed by tags with the structure

        <<clust:ssss-cccc>>.......................................<</clust>>

where ssss is the first sector of the cluster and cccc is the logical cluster number.


The second area of slack is at the end of each MFT entry.  A short file, small enough to fit inside the 1024 byte MFT entry (in practice a few hundred bytes), is stored entirely within the entry, so an MFT entry can contain more than just directory information, and the unused tail of an entry may hold whatever occupied it before. If the recover slack option is selected, all slack space from the directory (MFT) entries is stored in a file called Slack_Dir.slk, placed in the output directory.  Each entry is prefixed by the string

        <<mft:mmmm-xxxxxx>>...........................................<</mft>>


  where mmmm is the MFT entry number and xxxxxx is the sector number of the MFT entry.  The data entry is terminated by <</mft>>.
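As an added example (not part of this page or of CnW Recovery), the Python below works the cluster slack arithmetic given above and parses the two tagged slack files described in this section from a constructed sample. The page does not say whether the sector and cluster numbers inside the tags are written in decimal or hex; the parser assumes decimal, and the sample values, the assumed scan start of 63 and 8 sectors per cluster, and the function names are all assumptions of the example.

```python
import re

def cluster_slack(file_size, cluster_bytes):
    """Bytes between the end of the file and the end of its last cluster (0 for an empty file)."""
    if file_size == 0:
        return 0
    allocated = -(-file_size // cluster_bytes) * cluster_bytes    # round up to whole clusters
    return allocated - file_size

def slack_extent(file_size, cluster_bytes, sector_bytes=512):
    """Where the slack sits inside the last cluster, or None when the file fills it exactly."""
    length = cluster_slack(file_size, cluster_bytes)
    if length == 0:
        return None
    offset = cluster_bytes - length                    # first slack byte relative to the cluster start
    return {"offset": offset, "length": length,
            "first_unused_sector": -(-offset // sector_bytes),   # sectors holding no file data at all
            "sectors_in_cluster": cluster_bytes // sector_bytes}

# Tag layout as given on the page.  It does not say whether the numbers are decimal or hex;
# this example assumes decimal.  The payload is raw binary with no length field, so a fragment
# that happens to contain the literal closing tag would be cut short by the non-greedy match.
SLACK_TAG = re.compile(rb"<<(clust|mft):(\d+)-(\d+)>>(.*?)<</\1>>", re.S)

def parse_slack_file(data):
    """Split the contents of Slack_clust.slk or Slack_Dir.slk into its tagged fragments."""
    fragments = []
    for kind, first, second, payload in SLACK_TAG.findall(data):
        if kind == b"clust":
            fragments.append({"kind": "cluster", "first_sector": int(first), "lcn": int(second),
                              "data": payload})
        else:
            fragments.append({"kind": "mft", "mft_number": int(first), "sector": int(second),
                              "data": payload})
    return fragments

# Constructed sample (not real recovered data): scan start 63 and 8 sectors per cluster are assumed,
# so LCN 1000 starts at sector 63 + 1000 * 8 = 8063, and MFT entry 42 sits at 0x60003f + 42 * 2.
SAMPLE_SLK = (b"<<clust:8063-1000>>From: alice@example.test\r\n\x00\x00<</clust>>"
              b"<<clust:8071-1001>>\xe5\x4c\x00\x00<</clust>>"
              b"<<mft:42-6291603>>old $FILE_NAME text\x00\x00<</mft>>")

if __name__ == "__main__":
    print(cluster_slack(13 * 1024, 2048))              # 1024: the page's 13K file in 2K clusters
    print(slack_extent(13 * 1024, 2048))
    for frag in parse_slack_file(SAMPLE_SLK):
        print(frag)
```

For the 13K file in 2K clusters the slack starts 1024 bytes into the seventh cluster, so the cluster's third and fourth sectors hold no file data at all; that is the part of the slack most likely to contain intact remnants of an earlier file.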


        Display MFTs


On an NTFS disk the sectors for the MFT form part of a file ($MFT). Typically all the sectors are contiguous, but on a heavily used or full system the file can be very fragmented.  When Display MFTs is used, a list of run starts and run lengths is displayed, as below



The start locations (absolute sector numbers on the disk) and run lengths (in sectors) may be displayed in either decimal or hex.


When the input is an image file, the Add runs to memory image option can be used to scan the selected hard drive and add the relevant sectors to the disk image.


Analyse disk...

This is a function to assist in locating MFTs, and their size.  For full details, see Search for MFTs



Disk parameters

There are 6 parameters, for up to a total of 8 partitions.  It is these values that determine how a disk is read logically.  With a working drive they will be filled in automatically and will not need changing.  However, for a failed drive they may need to be configured or adjusted.  Files can often be recovered from a disk that failed during partition resizing by setting these values to one of the logical partition sizes for the disk.


Scan start

This is the start sector of the logical partition, i.e. the NTFS boot sector.  A typical sector image is shown below, with the OEM ID string NTFS in bytes 4 to 7 (byte offset 3 counting from 0)




This value is critical.  For a single partition disk laid out by older versions of Windows it is often 63 (0x3f); disks partitioned by Windows Vista and later usually start the first partition at sector 2048 (0x800).


End Scan

This is the sector location of the end of the partition. The value is not critical, so if it is not known it can be set to the size of the disk, or slightly larger.


MFT cluster start

The cluster start is the cluster number within the partition of the first MFT entry.  Shown below is a typical first MFT entry



The location is worked out relative to the Scan start sector and is typically 0xc0000.  It is stored in the 8 byte field at bytes 0x30 - 0x37 of the Scan start sector as a little endian value, hence 00 00 0C 00 followed by four zero bytes.


An MFT entry always starts with the string FILE0 or FILE* - the fifth byte is the low byte of the offset of the update sequence array, 0x30 ('0') in NTFS 3.x and 0x2A ('*') in earlier versions, which is why two forms exist.  The first MFT entry contains the string $MFT, as this is the (hidden) file name for the MFT file, i.e. the main NTFS directory details.  An MFT entry is always 1024 bytes long, so 2 sectors with 512 byte sectors.  Because entries are stored consecutively, all MFT entries on a volume start on sectors of the same parity: either all odd or all even.


MFT Start sector

The start sector is the physical sector on which the first MFT entry is stored. This is calculated as cluster start * cluster size + Scan start.  For a typical single partition drive it is 0x60003f (0xc0000 * 8 + 0x3f).  The Analyse Disk function will help determine the value for this entry and the cluster number.


MFT entries

This is the expected number of MFT entries.  Most files and directories require a single entry, though files with many names or attributes, or very fragmented files, require multiple entries.  The value in this field is not too important.  If in doubt, set it to a value that is too large rather than too small. A value of 250000 will allow for over 200,000 files and could be a good starting value.  If the value is 0, set it to a suitable value as described earlier.


Cluster size

This is an extremely critical value.  It is the number of sectors per cluster and must be a power of 2, e.g. 1, 2, 4, 8; for most disks above a few GB in size the value is 8 (4K clusters with 512 byte sectors).
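The parameters above (Scan start, MFT cluster start, MFT start sector, cluster size), the FILE0/FILE* signature, and the in-use flag that the Restore deleted files passes key on can all be read straight from the two sectors this page describes. The following Python is an added example written for this page, not CnW Recovery's own code: it builds a constructed NTFS boot sector and a constructed MFT record in memory (no real disk is read), derives the disk parameters, checks and undoes the update sequence fixups, and scans a small constructed image for FILE records the way the Scan all MFT entries option does. The default field values, the assumed 512 byte sector size, and the function names are assumptions of the example.

```python
import struct

SECTOR = 512   # assumed sector size for the example; the software also handles 4K sectors

def build_boot_sector(bytes_per_sector=512, sectors_per_cluster=8, total_sectors=0x1000000,
                      mft_lcn=0xC0000, mftmirr_lcn=2, record_size_code=0xF6):
    """Constructed NTFS boot sector (not read from a real disk); only the fields used below are set."""
    bs = bytearray(bytes_per_sector)
    bs[0:3] = b"\xEB\x52\x90"                 # jump instruction
    bs[3:11] = b"NTFS    "                    # OEM ID at offset 3: 'NTFS' in bytes 4 to 7 counting from 1
    struct.pack_into("<HB", bs, 0x0B, bytes_per_sector, sectors_per_cluster)
    struct.pack_into("<QQQ", bs, 0x28, total_sectors, mft_lcn, mftmirr_lcn)   # 0x30: $MFT cluster
    bs[0x40] = record_size_code               # 0xF6 = -10 -> MFT record size 2**10 = 1024 bytes
    bs[-2:] = b"\x55\xAA"
    return bytes(bs)

def parse_boot_sector(bs):
    """Read the values the Disk parameters box needs from the 'Scan start' sector."""
    if bs[3:7] != b"NTFS" or bs[-2:] != b"\x55\xAA":
        raise ValueError("sector does not look like an NTFS boot sector")
    bps, spc = struct.unpack_from("<HB", bs, 0x0B)
    if spc > 0x80:                            # clusters above 64K are stored as a negative power of two
        spc = 1 << (256 - spc)
    total, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", bs, 0x28)
    code = struct.unpack_from("<b", bs, 0x40)[0]
    record_size = 1 << -code if code < 0 else code * spc * bps
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc, "total_sectors": total,
            "mft_lcn": mft_lcn, "mftmirr_lcn": mftmirr_lcn, "mft_record_size": record_size}

def disk_parameters(scan_start, boot_sector):
    """The six Disk parameters, derived the way the page describes them."""
    p = parse_boot_sector(boot_sector)
    return {"scan_start": scan_start,
            "end_scan": scan_start + p["total_sectors"],   # not critical; a little large is fine
            "mft_cluster_start": p["mft_lcn"],
            "mft_start_sector": scan_start + p["mft_lcn"] * p["sectors_per_cluster"],
            "mft_entries": 250000,                          # the page's suggested starting value
            "cluster_size": p["sectors_per_cluster"]}

def build_mft_record(in_use=True, is_dir=False, ntfs3=True, usn=0x0007):
    """Constructed 1024-byte MFT record with the update sequence fixups applied, as it sits on disk."""
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    usa_off = 0x30 if ntfs3 else 0x2A         # 0x30 is '0', 0x2A is '*': hence FILE0 versus FILE*
    usa_count = 1 + len(rec) // SECTOR        # the USN itself plus one saved word per sector
    first_attr = (usa_off + 2 * usa_count + 7) & ~7
    struct.pack_into("<HH", rec, 4, usa_off, usa_count)
    struct.pack_into("<HH", rec, 0x14, first_attr, (1 if in_use else 0) | (2 if is_dir else 0))
    struct.pack_into("<I", rec, first_attr, 0xFFFFFFFF)   # end-of-attributes marker
    struct.pack_into("<H", rec, usa_off, usn)
    for i in range(usa_count - 1):            # stash each sector's last word in the array, stamp the USN
        end = (i + 1) * SECTOR - 2
        rec[usa_off + 2 + 2 * i:usa_off + 4 + 2 * i] = rec[end:end + 2]
        struct.pack_into("<H", rec, end, usn)
    return bytes(rec)

def parse_mft_record(rec):
    """Validate a record, undo the fixups, and return the flags the two restore passes key on."""
    if len(rec) < 1024 or rec[0:4] != b"FILE":   # 'BAAD' is a record NTFS itself has marked as damaged
        raise ValueError("not an MFT record")
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    if usa_off + 2 * usa_count > len(rec):
        raise ValueError("update sequence array out of range")
    body = bytearray(rec)
    for i in range(usa_count - 1):
        end = (i + 1) * SECTOR - 2
        if body[end:end + 2] != rec[usa_off:usa_off + 2]:
            raise ValueError("update sequence mismatch in sector %d: torn or overwritten record" % i)
        body[end:end + 2] = rec[usa_off + 2 + 2 * i:usa_off + 4 + 2 * i]
    flags = struct.unpack_from("<H", rec, 0x16)[0]
    return {"signature": rec[0:5].decode("ascii"), "in_use": bool(flags & 1),
            "deleted": not flags & 1, "is_directory": bool(flags & 2), "fixed_record": bytes(body)}

def scan_for_mft_records(image, sector_size=SECTOR):
    """'Scan all MFT entries': test every sector of an image for a record start, as the raw scan does."""
    hits = []
    for sector in range(len(image) // sector_size):
        off = sector * sector_size
        if image[off:off + 4] == b"FILE":
            try:
                hits.append((sector, parse_mft_record(image[off:off + 1024])["deleted"]))
            except ValueError:
                continue
    return hits

if __name__ == "__main__":
    params = disk_parameters(63, build_boot_sector())
    print({k: hex(v) for k, v in params.items()})      # mft_start_sector -> 0x60003f
    image = bytes(1024) + build_mft_record() + bytes(1024) + build_mft_record(in_use=False)
    print(scan_for_mft_records(image))                 # [(2, False), (6, True)]
```

The fixup check is the part a raw scan most needs: a sector that merely begins with FILE but whose trailing update sequence words disagree is a torn or partly overwritten record, and reading attributes out of it without first restoring the saved words would silently corrupt the last two bytes of every sector.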


Alternate Data Streams (ADS)


The very large majority of PC users will never be aware of alternate data streams.  They are a hidden part of a file that will not be seen with any standard DOS or Windows tool.  However, they are part of the file, and are normally stripped off on recovery.  With the correct tools these streams can be used to hide data on a drive, and so CnW Recovery will extract these data forks.


CnW will produce a file for each data stream.  For alternate streams, the file name will be appended with the string -#-xxxxx where xxxxx is the stream name.
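To show where the stream names come from, here is an added Python example (not CnW Recovery's own code) that builds a constructed MFT record holding an unnamed $DATA stream and a named one, walks the attribute list, and derives output file names using the -#- convention described above. The record is built as it looks after the update sequence fixups have been undone, with only the header fields the walk needs populated; the sample stream contents, the file name report.txt and the function names are assumptions of the example.

```python
import struct

DATA_ATTR = 0x80          # $DATA attribute type
END_MARKER = 0xFFFFFFFF   # terminates the attribute list

def resident_attribute(atype, name, value, attr_id):
    """Build one resident attribute record: 0x18 byte header, optional UTF-16 name, then the value."""
    name_utf16 = name.encode("utf-16-le")
    name_off = 0x18
    value_off = (name_off + len(name_utf16) + 7) & ~7
    total = (value_off + len(value) + 7) & ~7          # attribute records are 8-byte aligned
    buf = bytearray(total)
    # type, length, non-resident flag, name length (chars), name offset, flags, id,
    # value length, value offset, indexed flag, padding
    struct.pack_into("<IIBBHHHIHBB", buf, 0, atype, total, 0, len(name), name_off, 0, attr_id,
                     len(value), value_off, 0, 0)
    buf[name_off:name_off + len(name_utf16)] = name_utf16
    buf[value_off:value_off + len(value)] = value
    return bytes(buf)

def build_record(attributes):
    """Constructed 1024-byte MFT record (fixups already undone) wrapping the given attributes."""
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    first_attr = 0x38
    body = b"".join(attributes) + struct.pack("<II", END_MARKER, 0)
    # first attribute offset, flags (1 = in use), bytes used, bytes allocated
    struct.pack_into("<HHII", rec, 0x14, first_attr, 1, first_attr + len(body), len(rec))
    rec[first_attr:first_attr + len(body)] = body
    return bytes(rec)

def data_streams(rec):
    """Walk the attribute list and return every $DATA stream as (name, size, resident bytes or None)."""
    off = struct.unpack_from("<H", rec, 0x14)[0]
    streams = []
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER or alen < 0x18 or off + alen > len(rec):
            break                                      # end marker, or a corrupt length: stop, don't loop
        if atype == DATA_ATTR:
            nonres, name_len, name_off = struct.unpack_from("<BBH", rec, off + 8)
            name = rec[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
            if nonres:                                 # data lives in clusters; real size is at +0x30
                size, data = struct.unpack_from("<Q", rec, off + 0x30)[0], None
            else:
                vlen, voff = struct.unpack_from("<IH", rec, off + 0x10)
                size, data = vlen, rec[off + voff:off + voff + vlen]
            streams.append((name, size, data))
        off += alen
    return streams

def output_names(file_name, streams):
    """Names the way the page describes: the unnamed stream keeps the file name, others get -#-<stream>."""
    return [file_name if name == "" else "%s-#-%s" % (file_name, name) for name, _, _ in streams]

# Constructed sample record: a main stream plus one alternate stream (contents made up).
SAMPLE_RECORD = build_record([
    resident_attribute(DATA_ATTR, "", b"quarterly figures\n", 2),
    resident_attribute(DATA_ATTR, "Zone.Identifier", b"[ZoneTransfer]\r\nZoneId=3\r\n", 3),
])

if __name__ == "__main__":
    for name, size, data in data_streams(SAMPLE_RECORD):
        print(repr(name), size, data)
    print(output_names("report.txt", data_streams(SAMPLE_RECORD)))
```

A tool that only follows the unnamed $DATA attribute never sees the second stream, which is exactly why data hidden in an alternate stream survives a normal copy but is lost on a naive recovery; the walk above reports every $DATA attribute whether resident or not, so a non-resident alternate stream still shows up with its real size even though its contents would have to be read from the data runs.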




How to recover after different modes of failure


When the operating system has been reloaded, and all data files lost