MFT repair/rebuild?

15 replies to this topic

#1 u2o

u2o

    Frequent Member

  • .script developer
  • 257 posts
  • Location:Argentina
  •  
    Argentina

Posted 18 August 2011 - 04:26 AM

Would it be possible?

We rarely collided with this type of problem, but it happens.

ChkDsk exits with an error when it starts. I had no choice.... but to format the logical drive.

Has anyone been able to repair or rebuild the master file table?

#2 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13751 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 18 August 2011 - 10:47 AM

Would it be possible?

Yes/No.
http://homepages.tes...no-answers.html

We rarely collided with this type of problem, but it happens.


ChkDsk exits with an error when it starts. I had no choice.... but to format the logical drive.

Sure it does happen :(.


Has anyone been able to repair or rebuild the master file table?

Yes. :smiling9:

You see the point is that the question is pointless :ph34r:, it greatly depends on the type and extension of the damage the $MFT had.

Apps like:
dmde:
http://softdm.com/

NTFSwalker:
http://dmitrybrant.com/ntfswalker

And now the new parser by joakims:
http://www.forensicf...iewtopic&t=8010

May help, but if you are thinking of something like CHKDSK that will repair it "automagically", it simply won't happen. :dubbio:

TESTDISK has a "fix $MFT" feature, but basically it just uses the $MFT_Mirror to fix it, (and as you might be familiar with $MFT_Mirror should be called $MFT_Mirror:Incipit as it stores only the first few records of the $MFT):
http://www.cgsecurit..._and_MFT_Repair

:cheers:
Wonko

#3 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 18 August 2011 - 11:28 AM

I think rebuilding/fixing a (severely) damaged $MFT needs lots of manual work, and just thinking about it gives me a headache. Btw, have you recovered anything from the original?

#4 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13751 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 18 August 2011 - 11:56 AM

I think rebuilding/fixing a (severely) damaged $MFT needs lots of manual work, and just thinking about it gives me a headache. Btw, have you recovered anything from the original?


Yes, you wrote the "magic words" ;) "recover anything", yes, I did "recover something" from a botched $MFT and yes it is a big PITA and it took me hours of manual labour (and a few "educated", but still "wild" guesses :ph34r:) to just get a bunch of (needed) files that other recovery utilities were not able to recover properly "automagically", and - for the scope of the time - I completely ignored timestamps, permissions and whatever else, as all I had to do was to find some vital fragments of a handful of files.

:cheers:
Wonko

#5 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7771 posts

Posted 18 August 2011 - 01:36 PM

(and as you might be familiar with MFT_Mirror should be called MFT_Mirror:Incipit as it stores only the first few records of the MFT)

Didn't know that. Thought the MFT mirror would be a perfect mirror, like the FAT table.

:cheers:

#6 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13751 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 18 August 2011 - 01:56 PM

Well, my guess would be that if you have two actual copies of the $MFT you wouldn't have much space for actual files.
Right now the "normal" settings for the $MFT are in

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem
Add Value name NtfsMftZoneReservation as a type REG_DWORD and set the data value. The valid range is 1 - 4.

Value: 1 12.5% of free space, default
Value: 2 25% of free space
Value: 3 37.5% of free space
Value: 4 50% of free space

If you have Value 4 :w00t: and a "full mirror" .... :whistling:

:rofl:

Seriously, the $MFTMirror is just
http://www.ntfs.com/...ystem-files.htm

A duplicate image of the first four records of the MFT


:cheers:
Wonko

#7 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 18 August 2011 - 09:57 PM

Yes, the $MFTMirror is a no-go in regards to manually locating files off the original volume (except the first 4 system files). As jaclaz already suggested, it's a doable process to reconstruct some files based off a (at least partially) recovered $MFT. If $MFT itself is not recoverable at all, then a blind/raw recovery based on header signature is the only option (with fragmentation of the targeted files playing a major role in the success rate in such an attempt).

#8 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7771 posts

Posted 18 August 2011 - 11:06 PM

Sorry, but the more I think about it, the less sense it makes.
Why would anyone create a mirror, which contains only 4 file entries? That's not even good enough to at least get the OS running again.
Unless someone in Redmond uses a natively NTFS capable DOS, of course! :lol:

:cheers:

#9 u2o

u2o

    Frequent Member

  • .script developer
  • 257 posts
  • Location:Argentina
  •  
    Argentina

Posted 19 August 2011 - 04:05 AM

Yes/No.
http://homepages.tes...no-answers.html

Sure it does happen :(.



Yes. :smiling9:

You see the point is that the question is pointless :ph34r:, it greatly depends on the type and extension of the damage the $MFT had.

Apps like:
dmde:
http://softdm.com/

NTFSwalker:
http://dmitrybrant.com/ntfswalker

And now the new parser by joakims:
http://www.forensicf...iewtopic&t=8010

May help, but if you are thinking of something like CHKDSK that will repair it "automagically", it simply won't happen. :dubbio:

TESTDISK has a "fix $MFT" feature, but basically it just uses the $MFT_Mirror to fix it, (and as you might be familiar with $MFT_Mirror should be called $MFT_Mirror:Incipit as it stores only the first few records of the $MFT):
http://www.cgsecurit..._and_MFT_Repair

:cheers:
Wonko


Sorry for my terrible English...

My problem was not retrieving the data, I had done that. But I wanted to restore the copy of the MFT (on an NTFS volume) with TestDisk and I couldn't see where the option to do it is.

I think rebuilding/fixing a (severely) damaged $MFT needs lots of manual work, and just thinking about it gives me a headache. Btw, have you recovered anything from the original?


I do not think it's a good idea to do manual work for this. Beyond the amount of knowledge needed, no one can get an idea of the exact number of files on a disk, especially if I will try to recover a disk that isn't mine.
Imagine a partition with 400 GB of files, programs, games and documents! I think it's impossible to recover by that way.

----


Thank you all for information, ideas and applications mentioned! :worship:

When I crash again with this problem :frusty: , I will notify how I could fix it if I succeed.

I can't see possibility for re-create this problem in a partition, purposely :hammer:

Edited by u2o, 19 August 2011 - 04:09 AM.


#10 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13751 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 19 August 2011 - 08:34 AM

Sorry for my terrible English...

To me your English is fine (or fine enough), I see more problems (NO offence intended :)) in the logic behind it.


But I wanted to restore the copy of the MFT (on an NTFS volume) with TestDisk and I couldn't see where the option to do it is.

Yes, but as said there is NO $MFT copy ANYWHERE.
The option in TESTDISK (that will attempt using the $MFT mirror, which is NOT a copy of the $MFT, as said, but just its "incipit") is clearly explained here:
http://www.cgsecurit..._and_MFT_Repair

I do not think it's a good idea to do manual work for this. Beyond the amount of knowledge needed, no one can get an idea of the exact number of files on a disk, especially if I will try to recover a disk that isn't mine.

Imagine a partition with 400 GB of files, programs, games and documents! I think it's impossible to recover by that way.

Sometimes, especially when you have NO OTHER option :ph34r:, even not-so-good ideas start becoming appealing. :dubbio:


A common error that people make when entering the data recovery field, is what I call "integralist" approach. :w00t:
If you spend some time analyzing the contents of a common hard disk, with a critical view, you will find that most (and I mean most) of the files on it are either expendable or replaceable.

The "real data", the one that is UNreplaceable or that it will take you ages to recreate or that you CANNOT simply re-create, usually amounts to a small fraction of the whole.

And OBVIOUSLY if anyone (like most people do) has partitions/volumes in sizes of hundreds of GB :w00t: with everything "mixed up together" and possibly not THOROUGHLY defragged RECENTLY, they are asking for trouble.

The key question when approaching DATA recovery is: HOW MUCH (in US$ or €) is this particular piece of data worth?

A few examples:
  • A picture of your toddler: INESTIMABLE
  • Anything that you can buy, new or used (like programs, games, OS, etc.): The price in US$ that you can have them for (usually and at the most a few hundreds dollars)
  • Anything that you can reinstall as you have a copy/original media: US$0 (or actually just the time needed to re-install)
  • A lousy spreadsheet you used to take note of the expenses in fiscal year 2001: US$0
  • .....
In other words, once tested the "easy way" in an attempt to recover *anything*, you need to apply TRIAGE to the DATA:


http://en.wikipedia.org/wiki/Triage

and act according to the priorities and value you attribute to the lost data.
And always remember that sometimes you win :smiling9:, sometimes you lose. :(

Please note how there is also a "subtractive" technique in the case of a "mixed contents" volume.
(sometimes I wonder if I can tell this to people that didn't take the oath and know nothing about the secret handshake :dubbio:)

Basically, you try to find on the failed filesystem all the files that you can "recognize" (all .exe's, .dll's, etc. which you know were there and of which you have a copy or can procure one) and 00 them out (physically, i.e. by writing 00's over the actual sectors occupied by them).
What remains is a smaller set of data, which may be easier to re-build.
And yes, it takes TIME :ph34r:(and of course money if you value your time), but if there is NO OTHER option..... :whistling:

I can't see possibility for re-create this problem in a partition, purposely :hammer:

Well, I can :smiling9:


:cheers:
Wonko

#11 u2o

u2o

    Frequent Member

  • .script developer
  • 257 posts
  • Location:Argentina
  •  
    Argentina

Posted 19 August 2011 - 10:57 AM

To me your English is fine (or fine enough), I see more problems (NO offence intended :)) in the logic behind it.

Yes, but as said there is NO $MFT copy ANYWHERE.
The option in TESTDISK (that will attempt using the $MFT mirror, which is NOT a copy of the $MFT, as said, but just its "incipit") is clearly explained here:
http://www.cgsecurit..._and_MFT_Repair


Sometimes, especially when you have NO OTHER option :ph34r:, even not-so-good ideas start becoming appealing. :dubbio:


A common error that people make when entering the data recovery field, is what I call "integralist" approach. :w00t:
If you spend some time analyzing the contents of a common hard disk, with a critical view, you will find that most (and I mean most) of the files on it are either expendable or replaceable.

The "real data", the one that is UNreplaceable or that it will take you ages to recreate or that you CANNOT simply re-create, usually amounts to a small fraction of the whole.

And OBVIOUSLY if anyone (like most people do) has partitions/volumes in sizes of hundreds of GB :w00t: with everything "mixed up together" and possibly not THOROUGHLY defragged RECENTLY, they are asking for trouble.

The key question when approaching DATA recovery is: HOW MUCH (in US$ or €) is this particular piece of data worth?

A few examples:

  • A picture of your toddler: INESTIMABLE
  • Anything that you can buy, new or used (like programs, games, OS, etc.): The price in US$ that you can have them for (usually and at the most a few hundreds dollars)
  • Anything that you can reinstall as you have a copy/original media: US$0 (or actually just the time needed to re-install)
  • A lousy spreadsheet you used to take note of the expenses in fiscal year 2001: US$0
  • .....
In other words, once tested the "easy way" in an attempt to recover *anything*, you need to apply TRIAGE to the DATA:

http://en.wikipedia.org/wiki/Triage

and act according to the priorities and value you attribute to the lost data.
And always remember that sometimes you win :smiling9:, sometimes you lose. :(

Please note how there is also a "subtractive" technique in the case of a "mixed contents" volume.
(sometimes I wonder if I can tell this to people that didn't take the oath and know nothing about the secret handshake :dubbio:)

Basically, you try to find on the failed filesystem all the files that you can "recognize" (all .exe's, .dll's, etc. which you know were there and of which you have a copy or can procure one) and 00 them out (physically, i.e. by writing 00's over the actual sectors occupied by them).
What remains is a smaller set of data, which may be easier to re-build.
And yes, it takes TIME :ph34r:(and of course money if you value your time), but if there is NO OTHER option..... :whistling:


Well, I can :smiling9:


:cheers:
Wonko


Please tell me how I can break a hard disk! :eek: , Good idea for a virus :exclamation:. No, good idea for test repair...

-----------------------

The logic of my language is different to yours (Spanish/English). Do not worry, you don't offend me. The problem is that the translator that I use :google_lt: was done by people who speak English, so do not take into account the subtleties of other languages with more vocabulary. :blink:

-----------------------

Just something that highlights my work ... above the other people in this city dedicated to the same activity (PC Technical Service) .... is the copy of data before reinstalling a PC, or rescue data before a disaster occurs. Also I achieve good results in recovery!

You're quite right, most of the files are useless, but I'll give you a terrible example. A person is a musician and has 10 years of own musical scores and own digital work, on the hard disk. A total of 20 GB. It does not have a copy, because your PC has never failed. Until the day that the hard disk does not respond. At this time, he know... he hasn't backup. :frusty:
He had 10 years to make a backup, but he always forgot it. :bye:

Although it sounds stupid, I see this a lot!

We all have our files that seem insignificant but we have taken time and effort, regardless of the activity in which we engage.. To its owner, your files are very important and very private.


And considering the size of the hard disks of today .... 500GB, 1TB, 2TB!!! :nuke: :nuke: :nuke: the people save documents and save photos and save music and thus save and collect, therefore they don't remember where they saved the important. And to the extent of not knowing how important it was even. They don't even know where are the important files, they don't remember what they have, but know it's there ... :wodoo: :wodoo: :wodoo:

stupid and vicious circle in which we have fallen.

-----------------------

Ok... I wanted to know if is possible to repair or recover the $MFT, no file recovery.

I haven't found the appropriate option in TestDisk, I only got the list of partitions in the step that asks which partition to set as valid. But I can not see option that refers to the $MFT. The http://www.cgsecurit..._and_MFT_Repair doesn't show where it is.
As any changes can be disastrous at this point, I decided rather than continue wasting time, recover the files using other software and presto: Format the disk and re-install.

But the changes made by TestDisk in the MBR to set the partitions, also affects the $MFT of file-system on a partition?

Is there something that is happening to me right? :boo:

Edited by u2o, 19 August 2011 - 11:03 AM.


#12 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13751 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 19 August 2011 - 12:31 PM


Please tell me how I can break a hard disk! :eek: , Good idea for a virus :exclamation:. No, good idea for test repair...

You seem - again no offence intended :) - to have some "mixed" concepts, no one is talking about breaking a "hard disk" we were talking about "corrupting a filesystem".

The logic of my language is different to yours (Spanish/English).

Rest assured that my language (Italian) is surprisingly similar to yours (Spanish).
As said my perplexities are not with the English translation (which is good enough) of your Spanish, it is about the concepts behind what you write.
This question:

But the changes made by TestDisk in the MBR to set the partitions, also affects the $MFT of file-system on a partition?

shows sadly how you don't have even the faintest idea of what you are talking about :w00t: - again don't take it as an offence, as it is not intended to - you should go back to school (or whatever) and study and learn the very basics BEFORE using a tool.
Tools, even nice ones like TESTDISK are just tools.
It is the ability of the hand that uses them that makes them precious (or dangerous).
You don't ask if your hammer will drive a wood screw into a block of steel because:
  • you don't use hammers to drive screws
  • you don't use wood screws on steel
  • if you are a kid and don't know the above you shouldn't play with your dad's tools ;) until you have learned to use them

You're quite right, most of the files are useless, but I'll give you a terrible example. A person is a musician and has 10 years of own musical scores and own digital work, on the hard disk. A total of 20 GB. It does not have a copy, because your PC has never failed. Until the day that the hard disk does not respond. At this time, he know... he hasn't backup. :frusty:
He had 10 years to make a backup, but he always forgot it. :bye:

Although it sounds stupid, I see this a lot!

We all have our files that seem insignificant but we have taken time and effort, regardless of the activity in which we engage.. To its owner, your files are very important and very private.


It is not related to "stupidity" it is related to "ignorance".
There is (unfortunately :() no cure for stupidity:
but there is for "ignorance", it is called "education" or "studying and learning", and of course "experience".

Experience: that most brutal of teachers. But you learn, my God do you learn.


The "final" user (your musician example) has no or very little responsibilities as probably no one ever told him to backup regularly.

BUT not implementing a backup routine for his/her precious files comes from two assumptions :ph34r: BOTH wrong:
  • that he/she was qualified to operate the tool, i.e. the PC (and in this he/she may have been deceived by the false easiness of use that modern OS's and advertisement and "friends" induce)
  • that the hard disk and its contents are "eternal" and "fail proof" (and this one has NO excuses as ALL the rest of things around everyone - i.e. "common experience" - either age or wear or fail in time)
What he/she did was to gamble against odds he/she did know nothing about (and obviously lost). :(
So, ignorance has to be accompanied by the presumption of knowing what one is doing - and not applying the "common sense" that derives from observation of the environment around you).

The only good thing that can come from such a dreadful experience is having learned a lesson: BACKUP your data, NOW, do it AGAIN!
(though I have had several cases of people that notwithstanding having lost some or all their precious data still continue to gamble by not making backups, this is actual stupidity :ph34r:)

And considering the size of the hard disks of today .... 500GB, 1TB, 2TB!!! :nuke: :nuke: :nuke: the people save documents and save photos and save music and thus save and collect, therefore they don't remember where they saved the important. And to the extent of not knowing how important it was even. They don't even know where are the important files, they don't remember what they have, but know it's there ... :wodoo: :wodoo: :wodoo:

Remember that there are two kinds of VERY different failures.
  • Hardware ones (to which you can do nothing or almost nothing, if not make redundant copies on other media)
  • Filesystem ones (which odds of losing data you can normally reduce greatly by making SMALLER partitions/volumes).



I haven't found the appropriate option in TestDisk, I only got the list of partitions in the step that asks which partition to set as valid. But I can not see option that refers to the $MFT. The http://www.cgsecurit..._and_MFT_Repair doesn't show where it is.

I really don't get it? :w00t:
http://www.cgsecurit..._and_MFT_Repair

In the Advanced menu, select your NTFS partition, choose Boot, then Repair MFT. TestDisk will compare the MFT and MFT mirror (its backup). If the MFT is damaged, it will try to repair the MFT using the backup. If the MFT backup is damaged, it will use the main MFT.

Do you want me to draw a map of it? :dubbio:

:cheers:
Wonko
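
Added example (not part of the thread and not TestDisk's code): a read-only sketch of the comparison the quoted TestDisk text describes, locating $MFT and $MFTMirr from the NTFS boot sector and checking the four mirrored records against each other. The function names, the verdict strings and the small constructed volume image are this example's own; comparing raw record bytes is a simplification.

```python
import struct

MIRRORED_RECORDS = 4  # the thread's point: $MFTMirr holds only the first four records


def parse_boot_sector(bs: bytes) -> dict:
    """Pull the fields needed to locate $MFT and $MFTMirr from an NTFS boot sector."""
    if bs[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not NTFS")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", bs, 0x0B)
    mft_lcn, mirr_lcn = struct.unpack_from("<QQ", bs, 0x30)
    (raw,) = struct.unpack_from("<b", bs, 0x40)
    cluster = bytes_per_sector * sectors_per_cluster
    # A negative value means the record size is 2**abs(raw) bytes, not clusters.
    record_size = (1 << -raw) if raw < 0 else raw * cluster
    return {"cluster": cluster, "record_size": record_size,
            "mft_off": mft_lcn * cluster, "mirr_off": mirr_lcn * cluster}


def compare_mft_mirror(image: bytes) -> list:
    """Classify each of the first four records: which copy, if any, looks usable."""
    g = parse_boot_sector(image[:512])
    size = g["record_size"]
    verdicts = []
    for n in range(MIRRORED_RECORDS):
        main = image[g["mft_off"] + n * size: g["mft_off"] + (n + 1) * size]
        mirr = image[g["mirr_off"] + n * size: g["mirr_off"] + (n + 1) * size]
        # A usable file record starts with the ASCII signature "FILE".
        main_ok = len(main) == size and main[:4] == b"FILE"
        mirr_ok = len(mirr) == size and mirr[:4] == b"FILE"
        if main_ok and mirr_ok:
            verdicts.append("match" if main == mirr else "differ")
        elif mirr_ok:
            verdicts.append("mft-damaged")      # mirror could restore this record
        elif main_ok:
            verdicts.append("mirror-damaged")   # main copy could restore the mirror
        else:
            verdicts.append("both-damaged")
    return verdicts


def build_sample_image(wipe_mft_record=None) -> bytes:
    """Constructed 6-cluster volume: $MFTMirr at LCN 2, $MFT at LCN 4."""
    img = bytearray(6 * 4096)
    img[3:11] = b"NTFS    "
    struct.pack_into("<HB", img, 0x0B, 512, 8)   # 512-byte sectors, 8 per cluster
    struct.pack_into("<QQ", img, 0x30, 4, 2)     # $MFT LCN, $MFTMirr LCN
    struct.pack_into("<b", img, 0x40, -10)       # 2**10 = 1024-byte records
    for n in range(MIRRORED_RECORDS):
        rec = b"FILE" + bytes([n]) * 1020        # placeholder record body
        for base in (4 * 4096, 2 * 4096):
            img[base + n * 1024: base + (n + 1) * 1024] = rec
    if wipe_mft_record is not None:              # simulate damage to the main copy
        start = 4 * 4096 + wipe_mft_record * 1024
        img[start:start + 1024] = bytes(1024)
    return bytes(img)


if __name__ == "__main__":
    print(compare_mft_mirror(build_sample_image()))
    print(compare_mft_mirror(build_sample_image(wipe_mft_record=1)))
```

Nothing past record 3 has a second copy to compare against, which is why this check cannot rebuild a $MFT that is damaged further in.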

#13 renee

renee

    Member

  • Members
  • 46 posts
  •  
    United States

Posted 24 February 2012 - 08:04 PM

Hi Joakim,

I've been reading your work on the MFT with some fascination. Then another group put all their work on the microsoft Projects board, but I couldn't build it with VS even though it was written entirely in VB. The scripting that you use, although it's good work, it also becomes very esoteric.

I want to know how to open a disk and then an MFT so very badly. I've started collecting articles.

Would you like to help? I have a feeling I should start learning C++ anyway.

Renee

Edited by renee, 24 February 2012 - 08:10 PM.


#14 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 24 February 2012 - 09:03 PM

Hi Joakim,

I've been reading your work on the MFT with some fascination. Then another group put all their work on the microsoft Projects board, but I couldn't build it with VS even though it was written entirely in VB. The scripting that you use, although it's good work, it also becomes very esoteric.

I want to know how to open a disk and then an MFT so very badly. I've started collecting articles.

Would you like to help? I have a feeling I should start learning C++ anyway.

Renee

My stuff (mft2csv ++) is largely based on info found here; http://www.reddragonfly.org/ntfs/ but as you may have noticed no real MS documentation is present (for obvious reasons), with pieces of information spread all over the net. A shame you didn't contact me half a year ago, since I briefly started looking into c++ at the time, but didn't have time to dig into it. We could have done the stuff in c++ instead then.. ;) I agree it is a bit messy, and honestly it is a product of someone trying to build a cabin without ever having touched a hammer before (almost). The NTFS stuff is of course the complex stuff. Reading physical disk is way easier, and can be done by a few winapis. My autoit source should not be that hard to interpret, but you can also look at the disk imaging powershell script I wrote; http://social.techne...86-63e45336229a (much smaller and concise). So when reading physical disk is done, you need to know how $MFT is constructed and traverse it (with the concept of solving runs very important) by using file pointers on physical disk. Anyways, don't expect this to be an easy task. It will take time and give you lots of headaches, unless you're a very experienced programmer and take this easy (not meaning to scare you off, but being realistic).

But sadly I don't have much spare time these days to continue improvements on my projects. And for that reason I'm likely not being much of a support.. Good luck!!
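
Added example (not from the thread and not taken from mft2csv): what "solving runs" means in practice, decoding the run list of a non-resident attribute into cluster extents and then reading a fragmented file back from an image. The function names, the sample run list and the tiny 16-byte-cluster image are constructed for this example.

```python
from __future__ import annotations


def decode_data_runs(runlist: bytes) -> list[tuple[int | None, int]]:
    """Decode an NTFS run list into (start_lcn, cluster_count) pairs.

    start_lcn is None for a sparse run (no clusters allocated on disk).
    """
    runs = []
    pos, lcn = 0, 0
    while pos < len(runlist) and runlist[pos] != 0x00:   # 0x00 ends the list
        header = runlist[pos]
        # Low nibble: size of the length field; high nibble: size of the offset field.
        len_size, off_size = header & 0x0F, header >> 4
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(runlist):
            raise ValueError(f"malformed run header 0x{header:02x}")
        count = int.from_bytes(runlist[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((None, count))
        else:
            # Offsets are signed and relative to the previous run's start LCN.
            lcn += int.from_bytes(runlist[pos:pos + off_size], "little", signed=True)
            if lcn < 0:
                raise ValueError("run points before the start of the volume")
            runs.append((lcn, count))
            pos += off_size
    return runs


def read_runs(image: bytes, runs, cluster_size: int, real_size: int) -> bytes:
    """Reassemble file content from its extents; sparse runs read back as zeros."""
    out = bytearray()
    for lcn, count in runs:
        if lcn is None:
            out += bytes(count * cluster_size)
            continue
        start = lcn * cluster_size
        chunk = image[start:start + count * cluster_size]
        if len(chunk) != count * cluster_size:
            raise ValueError("run extends past the end of the image")
        out += chunk
    return bytes(out[:real_size])   # the last cluster is usually only partly used


# Constructed sample: 2 clusters at LCN 5, then 1 cluster at LCN 2 (offset -3),
# then 2 sparse clusters, then the terminator.
SAMPLE_RUNLIST = bytes.fromhex("110205 1101fd 0102 00")
# Constructed image: 8 clusters of 16 bytes, cluster i filled with 'A' + i.
SAMPLE_IMAGE = b"".join(bytes([0x41 + i]) * 16 for i in range(8))

if __name__ == "__main__":
    extents = decode_data_runs(SAMPLE_RUNLIST)
    print(extents)
    print(read_runs(SAMPLE_IMAGE, extents, 16, 70))
```

The second run lands before the first on disk, which is the fragmentation case that signature-based carving cannot follow once the run list itself is gone.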

#15 renee

renee

    Member

  • Members
  • 46 posts
  •  
    United States

Posted 25 February 2012 - 03:37 AM

Yes, I am an experienced devo who has literally been hit by a car. Originally, I worked for Digital as an OS developer on VMS.
Computers are my life which I don't play as well since my head injury. Please keep in touch. My email (rmctwo) addy at gmail.com.

I'm sorry but by policy I don't do script.

I will take a look at the stuff. I knew Dave Cutler, the lead developer of ntfs, who originally worked for Digital.

Renee

Edited by renee, 25 February 2012 - 04:16 AM.


#16 renee

renee

    Member

  • Members
  • 46 posts
  •  
    United States

Posted 25 February 2012 - 04:14 AM

Digital used to publish their exec on Microfiche. Today kids have access to computers and write viruses while MOST people don't care enough about computers to be bothered. In reality, ms pays attention to profit-bottom line.

Renee

Edited by renee, 25 February 2012 - 04:17 AM.





