NTFS data recovery sample

 

NTFS data recovery sample
 
     Specific failures of data loss: drive of the three zones in an accident after a disk crash prompted (the first two areas are normal) prompted unformatted (in fact, most of my friends know that maybe this time the problem is much simpler to rebuild after DBR whole disk inside the data are in, do not talk about here, for the time being of the solution to this problem), death is already mysteriously then click the formatted result, of course, we know the data is definitely gone. According to my colleagues here said that he used a variety of search software to search the entire area several times (which is most of the so-called professional data recovery recovery methods used by the supplier), of course, be found to a lot of data, although a mess but also open properly. Finally the customer to confirm the data found out most normal, but the most important one compressed file is damaged, you know corrupted compressed files is very, very difficult to repair it. First WINHEX I found out that he opened analyzed under a compressed file, the file header chaos in the middle of the data is not normal. Can not be repaired and had to start from the original disk. Search software actually found out is damaged, it can only be done by hand, of course, to do this manually formatted data is very time-consuming, and also a great amount of computation, only for individual characteristics such as this is important data. 
After the formatting of the original disk partition off a mirror finish, with WINHEX open image, set the image file to disk. As shown below: 
 NTFS data recovery sample
 
Partition is NTFS format, the entire partition size is 25.4G. Research on NTFS partition format had friends will know that in the NTFS file system, the file will be allocated according to the cluster, the file on disk to determine its storage location, size, attributes through the master file table MFT (Master File Table) and other information. FAT system is equivalent under FAT + FDT function. Each file has a file record. The first record is the MFT itself. We go to the first MFT file record is a direct point of view as shown below:
 
NTFS data recovery sample
 
Down through the first documented observation that does not cause damage to the file record format after. So then we can have an idea of the recovery: finding said that the compressed file in the record in the MFT, and through analysis of documentation files on the disk to determine the location and size, which can be made ​​directly files. Expect to do, just know that a compressed archive file named: source files and materials. Well, we can create a text notepad enter only the file name --- source files compressed with material! Save, and then you can see WINHEX open as shown below:
 
NTFS data recovery sample
 
Then turn back directly down to start the search hex value from the first file record 90 6E 87 65 F6 4E 0E 4E 20 7D 50 67 search for a place to stop, look at the record is not that compressed files it see the figure:
 
NTFS data recovery sample
 
It is based on the observed record can be seen that customers want to compress the file, then how can we be sure that this compressed file on disk that sector? It takes up much of the sector? This will need to understand the NTFS format. NTFS file as a property, the property value set to the handle, which is not the same as other file systems. MFT can be seen using a segment in different colors to distinguish,
     
NTFS data recovery sample
              
Above figure marked the first file of the recording head, and the second represents the standard attribute 10H, 30H, said third file name attributes, data flow, said last 80H is the key to the property. Here we only analyze the data flow properties, other properties not one analysis, you can view the information. Each attribute has two parts: the header and content properties. Let's analyze the first data stream attribute properties: four from the first 4 bytes indicates the type of property, the first four bytes of 5 8 where the value is 48 million, said the length of the property (including the header and content properties ) is 72 bytes. From 17-24 of 8 bytes starting VCN virtual cluster number that the first 25-32 bytes of eight ends here 2D7FH VCN is the compressed file takes up 11,648 clusters. Further down analysis indicates the offset data run from 33-40 of 8 bytes. 40H is here from the first 64 bytes began. We have to analyze the data directly run only this one running 32 LCN that logical cluster number 80 2D D5 58 17 so starting to 1758D5H = 1530069, length 2D80H = 11648. Next we go to 153 0069 cluster look, choose the right first byte block starts, count out above, this document, as follows:
 
Domain name: www.mrtlab.com | | Telephone: +86-27-82621261
MRT data recovery website,provides professional HDD firmware repair and data recovery technical resources!
Copyright 2003-2014 Powered By MrtLab