Search for MFTs



Some disks are extremely slow to access. In this case, searching for MFTs could take years rather than hours. The search for MFTs therefore does a faster search, looking at every 512 possible locations for a possible MFT entry. This assumes that a run of MFTs will be detected, but it is possible that a run could be missed. It is therefore not a function that should be used if a complete forensic report could be required in court.


Finding MFTs is also the basis of a simple analysis of the disk structure, as it also determines the start of the partition and the cluster size.


The values are displayed in Decimal or Hex, depending on the value set in the main NTFS recover screen.




The above information is filled in automatically by the program, but there is flexibility to change it. In particular, the starting location of the search is determined by Sector Start. This feature can be used to start searching on an area of the disk known to be, for instance, the second partition.


Run Search


The search increment is the number of sectors to jump between searches, so the display above would relate to every 256 (0x100) possible MFTs, for a normal 512 byte disk. (Some optical disks are 1024 bytes.) A large search increment may skip over a section of the disk containing MFTs, while a very small increment will take a long time to search. When the disk is searched, two sectors are actually read, so that it does not matter if the start is odd or even. Once a block of MFTs is found, the program then searches backwards to the first MFT in the range. The status list box shows the start of any MFT run that has the first entry of $MFT.



Start sector and End Sector


These values define the range of searching. Typically, use the default values unless you know where to look and want to save time.



Scan for all valid MFTs


The $MFT is a file made up of MFT records. Each record starts with the string FILE0 or FILE*, and is 1024 bytes long. The first entry will always have a filename of $MFT. The Scan for all valid MFTs function will scan the complete disk for any run of MFTs that starts with $MFT. For many applications, only the first one is required, and for a single partition disk, there should only be one.


For a disk that has been repartitioned, a full scan may well point to the locations of old MFT runs.
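
The stepped search described under Run Search and Scan for all valid MFTs can be sketched in Python as follows. This is an added example, not the program's own code: the function names, the in-memory test disk and the name-matching shortcut are assumptions made for illustration.

```python
SECTOR, RECORD = 512, 1024             # sector and MFT record sizes given on the page
SIGNATURES = (b"FILE0", b"FILE*")      # record start strings given on the page
MFT_NAME = "$MFT".encode("utf-16-le")  # NTFS stores file names as UTF-16LE

def is_record(image, offset):
    return image[offset:offset + 5] in SIGNATURES

def find_mft_runs(image, increment, start_sector=0, end_sector=None):
    """Return the start sector of each MFT run whose first record is $MFT."""
    if end_sector is None:
        end_sector = len(image) // SECTOR
    found = []
    for sector in range(start_sector, end_sector, increment):
        # Two sectors are examined, so an odd or even record start both match.
        for probe in (sector, sector + 1):
            offset = probe * SECTOR
            if not is_record(image, offset):
                continue
            # Search backwards one record at a time to the first of the run.
            while offset >= RECORD and is_record(image, offset - RECORD):
                offset -= RECORD
            first = image[offset:offset + RECORD]
            # Simplification: match the name anywhere in the record instead
            # of parsing the file name attribute.
            if MFT_NAME in first and offset // SECTOR not in found:
                found.append(offset // SECTOR)
            break
    return found

def build_image(total_sectors, run_start, records):
    """Constructed test disk: zeros plus one run of minimal fake records."""
    image = bytearray(total_sectors * SECTOR)
    for i in range(records):
        record = bytearray(RECORD)
        record[:5] = b"FILE0"
        name = ("$MFT" if i == 0 else f"file{i}").encode("utf-16-le")
        record[0x100:0x100 + len(name)] = name  # arbitrary offset, not NTFS layout
        start = run_start * SECTOR + i * RECORD
        image[start:start + RECORD] = record
    return bytes(image)

if __name__ == "__main__":
    disk = build_image(total_sectors=4096, run_start=301, records=64)
    print("increment 16: ", find_mft_runs(disk, 16))
    print("increment 256:", find_mft_runs(disk, 256))
```

On the constructed disk the 64-record run occupies sectors 301 to 428, so an increment of 256 probes sectors 256 and 512 and steps straight over it, which is the missed-run case the page warns about.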



Apply Values


If the scan has brought up possible MFT runs, these may be applied to the main recovery program. If more than one run has been detected, it is necessary to select the one required. It will then configure these values into Partition 0 of the disk. Thus if there are multiple partitions, it will be necessary to run this routine several times for each partition.


Cancel


The cancel button has two modes of operation. If the program is scanning, it will cancel the scan. If the scan has finished (or been cancelled), then this function will exit and not update the main parameters.