Partitioned disk recovery


This function is used when a disk has been repartitioned, possibly with a different operating system.  It may be possible to scan the disk and detect a file structure from the previous partitioning.  An example is a FAT32 disk that has been reformatted as an NTFS disk.


The basic tool for recovery is the Partition scan function.  This function scans each sector of the drive and determines whether it is a possible start of a partition.  The logic is different for each type of partition.



NTFS partitions


There are two main ways to detect the start of an NTFS partition: find the partition boot sector, or find the start of the $MFT file.  One problem with both approaches is that many false positives can be found, so verification is required.


For a BPB, the cluster address at offset 0x30 must point to a $MFT sector.  If the BPB does not point to a $MFT file, the potential partition boot sector is ignored.
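The BPB verification described above, as an added Python example (not the tool's own code). It assumes 512-byte sectors and a sectors-per-cluster byte that is a plain count; the OEM ID and 0x55AA pre-checks, the function names and the sample image are constructed for illustration.

```python
import struct

SECTOR = 512  # assumption: the scanned image uses 512-byte sectors


def verify_ntfs_boot_sector(image, boot_sector):
    """Return the absolute $MFT sector if the candidate verifies, else None."""
    bs = image[boot_sector * SECTOR:(boot_sector + 1) * SECTOR]
    # Cheap pre-filters (added here): OEM ID "NTFS    " and the 0x55AA end marker.
    if len(bs) < SECTOR or bs[3:11] != b"NTFS    " or bs[510:512] != b"\x55\xaa":
        return None
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", bs, 0x0B)
    (mft_cluster,) = struct.unpack_from("<Q", bs, 0x30)  # $MFT cluster address
    if bytes_per_sector != SECTOR or sectors_per_cluster == 0:
        return None
    # Cluster addresses are relative to the start of the candidate partition.
    mft_sector = boot_sector + mft_cluster * sectors_per_cluster
    # The verification step: the target must start with an MFT entry ("FILE").
    if image[mft_sector * SECTOR:mft_sector * SECTOR + 4] != b"FILE":
        return None  # stale or coincidental boot sector: false positive
    return mft_sector


def scan_for_ntfs(image):
    """Test every sector; return (boot_sector, mft_sector) for verified hits."""
    hits = []
    for sector in range(len(image) // SECTOR):
        mft = verify_ntfs_boot_sector(image, sector)
        if mft is not None:
            hits.append((sector, mft))
    return hits


def _boot(mft_cluster, spc=8):
    """Constructed minimal NTFS-style boot sector for the sample image."""
    bs = bytearray(SECTOR)
    bs[3:11] = b"NTFS    "
    struct.pack_into("<HB", bs, 0x0B, SECTOR, spc)
    struct.pack_into("<Q", bs, 0x30, mft_cluster)
    bs[510:512] = b"\x55\xaa"
    return bytes(bs)


def build_sample():
    """Constructed 64-sector image: one genuine candidate, one false positive."""
    img = bytearray(64 * SECTOR)
    img[8 * SECTOR:9 * SECTOR] = _boot(mft_cluster=4)    # $MFT at 8 + 4*8 = 40
    img[40 * SECTOR:40 * SECTOR + 4] = b"FILE"
    img[20 * SECTOR:21 * SECTOR] = _boot(mft_cluster=2)  # points at 36: no FILE
    return bytes(img)
```

On the sample image the scan keeps the boot sector at sector 8 and discards the one at sector 20, whose offset 0x30 value does not lead to an MFT entry.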


The second approach is to search for all MFT entries.  These are then parsed to detect the start of an $MFT.  An $MFT entry has a pointer to itself, and from that the location of the partition start can be determined.  Knowing this value, the 5th entry in the $MFT file can be read and the location of the '.' root directory index file found.  This location is tested to confirm that it starts with INDX.  If it does, the possible partition start sector can be set.  If INDX is not found, the $MFT is treated as a false positive and ignored.