| Author | Message | ||
     rjohnson |
A few months back I created a rudimentary template for NTFS FILE records (and it works OK). I am using it again this week. This time to rebuild the first 3 bad records (6 sectors) of an MFT (MFTMirr has same first 3 records bad). FYI-The rebuild is on a different HD and the damaged sectors offer zero data because they are inaccessable. I can recover by type pretty well but the bulk of the MFT looks OK (an occasional few more records are damaged) and it would be nice to recover by name with the directory structure. Using the template, I have plugged in many entries derived from my usual sources for the first MFT record ($MFT) and things are improving and I expect a success. However, my question to all is this: is there another source on the hard drive (explicit or implicit) that has information to help rebuild the first three MFT records ($MFT, $MFTMirr and $Logfile - The Volume record appears OK)? On start up, WinHex -> Access mneu -> MFT does not go anywhere. Using the PBR (VBR) info I goto the (empty) start of the MFT and I can use the Access menu to "find next record" until the ROOT dir is found, I can get WinHex to display the Contents of the Root DIR in the Browser window (rather than only 'Lost & Found') but I cannot do anything with the diplayed items in the browser display. WinHex can recover a file by name if the EditWindow is right on the file entry so that the access menu displays the file name, however this does not work for Folders even though the Access menu diplays the folder name, the resulting recovery is zero files. (BTW WH11.5 Access menu does not display the names, just the size, at this point, whereas 11.26 does show names) | ||
| Stefan Fleischmann (Admin) |
> but I cannot do anything with the diplayed > items in the browser display Why not, what error message do you get? "xy not found", where xy is a filename/directory name? Since the MFT has lost its overview of itself (= MFT record #0 is not available) I recommend you try to get WinHex to scan for MFT fragments. You may be able to provoke an offer to scan for them by double-clicking the items in the root directory in the directory browser. However, this works only on NTFS volumes that have been used under Windows XP, not Windows NT/2000. After that scan has taken place, WinHex has its own overview of where the MFT is located and should be able to recover the directory structure when you right-click items in the directory browser. Alternatively, one could copy record #0 from another NTFS drive and modify its data attribute such that it matches the MFT layout on the damaged volume. | ||
| ntfs master |
The file $Boot contains the starting cluster for $MFT and $MFTMirr. To recover any part of the first few entries of $MFT, just copy them from $MFTMirr. For NTFS 1.2 through 3.1 (i.e., the filesystems written by NT 3.5, NT 4.0, Win2K and XP), $MFTMirr is 16,384 bytes: the first 8 files FRS info. Use the template "Boot Sector NTFS" on sector zero of the partition. The entry at offset 0x38 "Start C# $MFTMirr" has an exact copy of the sectors which should have been at whatever value is in 0x30 "Start C# $MFT". | ||
| M N Islam Shihan (Mnislamshihan) |
Hi ntfs_master, Can u tell me how can I delete a folder named $Extend (that is not shown in the explorer, but in winhex) created by one of installed software?? Eagerly waiting for ur help. Regards, M N Islam shihan | ||
| Jens Kirschner (Admin3) |
The folder $Extend is part of the NTFS file system and I highly recommend AGAINST trying to delete it! | ||
| CHRIS WOOD (Cswminty) |
Can you read an MFT when it's within a RAID configuration of drives ?? or is it broken up amoungst the stripes in say a RAID 5 array ?? Thanks Chris | ||
| Stefan Fleischmann (Admin) |
Unless it's a small virgin MFT, it's likely broken up amongst the stripes. However, RAID level 5 systems can be internally reassembled in X-Ways Forensics. |