I have a few suggestions that have worked for me in the past, one that
has worked well enough that we use it in the Data Recovery Forensic
Class SEC606.
There are some tools that you can use to extract the records from the
MFT itself, like MFT Ripper, GrokNTFS, etc., and try to figure out the
cluster-to-sector translation and extract the files you need.
I also like to use a set of tools from Runtime.org to do this. It is not
quite as straightforward as a click-fest, so I have written up a quick
lab on how to do this process and pass the parameters in memory. It is
attached as a Word document; if it does not come through, I will post it
somewhere else. It's not a great write-up but should get you through the
process, but maybe one day I can write a really nice step-by-step blog
posting on it for Rob Lee :)
DETAILS OF PROCESS
Scanning a drive from end to end is very dangerous and can
further damage a drive. Avoid this at all costs unless it is retrieving
data at the same time. There is a tool I use often that will read the
MFT, and in many cases a damaged MFT, and give me a list of folders.
Since I really care more about something like the Documents and Settings
folder rather than all the other files, for instance, I might want to go
after just that folder. So I want a tool that uses the MFT file, reads
it, displays the list of folders, and then uses the clusters to
reassemble by only touching those sectors, and, if the sector fails, is
able to retry. Sounds good? Yes, well, Runtime's Disk Explorer for NTFS
will do just that for like $50. If you get the list, you just go find
the Docs and Settings in the list and click Save, and it will reassemble
the clusters for just that folder and export the files. NOTE: It
displays both listings for the Long and Short File Names, so if you want
to limit the reconstruction, go to the folder you need the most and just
extract that from the Long File Name version.
There are times that it does not know how to get to the MFT depending on
damage. So if you use their other tool called GetDataBack and you select
just QuickScan, it will locate the MFT records, and then allow you to
PASS the collected data to the package DISK Explorer for NTFS in memory.
It works great on many occasions in seconds and allows me to recover
data not available otherwise without some long, intense scanning (which,
btw, like any scanning process, can further damage the disk even worse,
so you want to avoid it).
One thing to note in my steps is if you want to use a DD image of the
drive, you can, but you need to name the extension .IMG or it will not
pass in memory to Disk Explorer and you will be looking at your local
drive instead. You can use multipart files, but you need the parameters
from a command line. From the command line you have to run the tool and
pass the size of the file by using the /fSIZE command. So it looks like
this: "Command /F1024"
There is another way that is more costly and a little more experimental
but might be more exact and safer. There is a tool called a DeepSpar
Disk Imager. It makes a map of a drive and stores the status of each
sector. If you modify the map because you know the sectors you want
(a manual process for that), you can go after the exact files and sectors
from the clusters. This is a process several people from our data
recovery group have been working on, starting to document, and trying
to get a process down. I assure you it is very cool work. If you want
to see some of that content coming out of the data recovery side there
is a Google group that documents a lot of the functions, talks about
firmware etc and possible fixes. Some really really good stuff here:
http://groups.google.com/group/datarecoverycertification?hl=en
If you want more of this, keep in mind these are the exact topics
covered in the SANS SEC606 Data Recovery Class. The one coming up in DC
in July is almost sold out, and since we limit the seating due to
limitations on hardware, if you want a seat you better hurry; otherwise
you have to go to San Diego in September :)
Sign up here now if interested.
http://www.sans.org/forensics09_summit/description.php?tid=3032
Thank you,
----------------------------------------------------------
Scott A. Moulton / CCFS CCFT CDRP DREC
Certified Computer Forensic Specialist
Certified Computer Forensic Technician
Certified Data Recovery Professional
Data Recovery Expert Certification
SANS Instructor for SEC606
Forensic Data Recovery
http://www.sans.org/training/description.php?mid=1237
----------------------------------------------------------
Forensic Strategy Services, LLC &
My Hard Drive Died, DBA
----------------------------------------------------------
601b Industrial Court, Woodstock, Ga 30189
Phone: 770-926-5588 Fax: 770-926-7089
Web: www.ForensicStrategy.com
Web: www.MyHardDriveDied.com
----------------------------------------------------------
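The post above describes the process in terms of tools (read the MFT records, translate clusters to sectors, then touch only the sectors of the files you want and retry the ones that fail). The following is an added, stand-alone example of what those steps look like when done by hand; it is not code from the post, from SANS or from Runtime.org, and the MFT record it parses is constructed inline rather than taken from a real disk. It assumes the standard NTFS 3.1 FILE-record and non-resident attribute layout, 512-byte sectors, an 8-sectors-per-cluster volume starting at sector 2048, and a caller-supplied `read_sector` callback standing in for the raw device.

```python
"""Parse one NTFS MFT record, decode its $DATA runlist, translate clusters to
absolute sectors, and read only those sectors with a per-sector retry.
Added example; the record below is constructed, not captured from a disk."""
import struct

SECTOR = 512
DATA_ATTR = 0x80
END_MARKER = 0xFFFFFFFF


def apply_fixups(rec: bytes) -> bytes:
    """Undo the update-sequence fixups. A sector end that does not carry the
    USN means a torn or damaged record, which a corrupt MFT is full of."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    out = bytearray(rec)
    for i in range(1, usa_cnt):
        end = i * SECTOR
        if out[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch at sector {i - 1}: damaged record")
        out[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(out)


def decode_runlist(buf: bytes) -> list:
    """Return [(lcn_or_None, cluster_count), ...]; None marks a sparse run.
    Each run header byte packs the length-field size (low nibble) and the
    offset-field size (high nibble); offsets are signed and relative."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos] != 0:
        len_sz, off_sz = buf[pos] & 0x0F, buf[pos] >> 4
        pos += 1
        length = int.from_bytes(buf[pos:pos + len_sz], "little")
        pos += len_sz
        if off_sz == 0:                      # sparse run: no clusters on disk
            runs.append((None, length))
            continue
        lcn += int.from_bytes(buf[pos:pos + off_sz], "little", signed=True)
        pos += off_sz
        runs.append((lcn, length))
    return runs


def data_runs(rec: bytes):
    """Walk the attribute list and return (runlist, real_size) of the
    unnamed non-resident $DATA attribute."""
    rec = apply_fixups(rec)
    pos = struct.unpack_from("<H", rec, 0x14)[0]        # first attribute offset
    while True:
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == END_MARKER:
            raise ValueError("no non-resident unnamed $DATA attribute")
        nonres, name_len = rec[pos + 8], rec[pos + 9]
        if atype == DATA_ATTR and nonres and name_len == 0:
            run_off = struct.unpack_from("<H", rec, pos + 0x20)[0]
            real_size = struct.unpack_from("<Q", rec, pos + 0x30)[0]
            return decode_runlist(rec[pos + run_off:pos + alen]), real_size
        pos += alen


def runs_to_sectors(runs, part_start, sec_per_clu):
    """Translate LCNs into absolute (start_sector, sector_count) ranges."""
    return [(None if lcn is None else part_start + lcn * sec_per_clu,
             n * sec_per_clu) for lcn, n in runs]


def recover(read_sector, ranges, real_size, retries=3):
    """Read only the file's own sectors. Each failing sector is retried up to
    `retries` times; sectors that never read are zero-filled and reported."""
    out, bad = bytearray(), []
    for start, count in ranges:
        for k in range(count):
            if start is None:                # sparse run: zero fill
                out += bytes(SECTOR)
                continue
            for _ in range(retries):
                try:
                    out += read_sector(start + k)
                    break
                except OSError:
                    continue
            else:
                bad.append(start + k)
                out += bytes(SECTOR)
    return bytes(out[:real_size]), bad


def build_sample_record() -> bytes:
    """Constructed 1 KiB MFT record: one non-resident $DATA attribute whose
    runlist is 4 clusters at LCN 0x123, 2 clusters 16 lower, 1 sparse."""
    r = bytearray(1024)
    r[0:4] = b"FILE"
    struct.pack_into("<HH", r, 4, 0x30, 3)            # USA offset, USA count
    struct.pack_into("<H", r, 0x14, 0x38)              # first attribute offset
    struct.pack_into("<H", r, 0x16, 0x01)              # flags: record in use
    struct.pack_into("<II", r, 0x18, 0x90, 1024)       # used / allocated size
    a = 0x38
    struct.pack_into("<IIBBHHH", r, a, DATA_ATTR, 0x50, 1, 0, 0x40, 0, 0)
    struct.pack_into("<QQHH", r, a + 0x10, 0, 6, 0x40, 0)   # VCNs, run offset
    struct.pack_into("<QQQ", r, a + 0x28, 7 * 4096, 26000, 26000)
    runlist = bytes.fromhex("21042301" "1102F0" "0101" "00")
    r[a + 0x40:a + 0x40 + len(runlist)] = runlist
    struct.pack_into("<I", r, a + 0x50, END_MARKER)
    # Fixups as the driver writes them: USN 1 at each sector end, originals in USA.
    struct.pack_into("<HHH", r, 0x30, 1, 0, 0)
    r[510:512] = r[1022:1024] = b"\x01\x00"
    return bytes(r)


def demo():
    """Constructed device: each sector holds its own number; sector 4250
    fails once to exercise the retry path."""
    runs, size = data_runs(build_sample_record())
    ranges = runs_to_sectors(runs, part_start=2048, sec_per_clu=8)
    flaky = {4250: 1}

    def read_sector(n):
        if flaky.get(n, 0) > 0:
            flaky[n] -= 1
            raise OSError(f"I/O error on sector {n}")
        return n.to_bytes(8, "little") * (SECTOR // 8)

    data, bad = recover(read_sector, ranges, size)
    return runs, ranges, data, bad


if __name__ == "__main__":
    runs, ranges, data, bad = demo()
    print("runs (LCN, clusters):", runs)
    print("sector ranges:", ranges, "bytes:", len(data), "unreadable:", bad)
```

The part a practitioner usually gets wrong is the fixup step: the last two bytes of every 512-byte sector of a record are overwritten on disk with the update sequence number, and a parser that skips restoring them will misread any attribute that straddles a sector boundary. The mismatch check is also the cheapest way to spot the torn records that make a "bad MFT" bad. `runs_to_sectors` is the cluster-to-sector translation the post mentions; it needs the partition's starting sector and the cluster size from the boot sector, and with a raw DD image you would read at `sector * 512` instead of calling a device.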
-----Original Message-----
From: gcfa-b...@lists.sans.org [mailto:gcfa-b...@lists.sans.org]
On Behalf Of Leigh Vincent
Sent: Tuesday, June 23, 2009 12:52 AM
To: gc...@lists.sans.org
Subject: [GCFA] Corrupt NTFS MFT
Is there a way that I can rebuild the MFT from an NTFS File System?
Using testdisk-6.11.3 tells me that the "MFT and MFT mirror are bad.
Failed to repair them."
Is there another way to do this?
Thanks
Leigh
Leigh Vincent
ICT Security Officer
Information Services
University of Ballarat
PO Box 663
BALLARAT VIC 3353
Tel: +61 3 5327 9386
Mobile: 0439 357 203
e-Mail: l.vi...@ballarat.edu.au
http://www.ballarat.edu.au
CRICOS Provider Number: 00103D
_______________________________________________
gcfa mailing list
gc...@lists.sans.org
https://lists.sans.org/mailman/listinfo/gcfa