Can Testdisk undo MFT rewrite

How to use TestDisk to recover lost partition
Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
Locked
Message
Author
poetman
Posts: 2
Joined: 08 Jan 2013, 14:18

Can Testdisk undo MFT rewrite

#1 Post by poetman »

Hi to all,
I got a simular problem like many visitors in this forum: ext HD went suddenly from NTFS to RAW.
OK I saved the most important things using Testdisk, after that I tried to recover the drive, but accidentely I wrote the mirror MFT over the original MFT. Wrong !
I can see only one subdirectory, where there should be 10 or so.
Question: can I undo the overwriting/ copying of the partition file table, and exute it in the opposite direction (i.e. overwrite the mirror MFT)
Thanks in advance for any answer
Poetman
(the ext HDD is a brandnew LaCie 500 Gb USB3, I've got two of them, I stick them in- and out very often in different computers (standalone's, not networkconnected), I think Windows system thingy got mixed up, same problem occurred two weeks ago, did complete format and re-install, like to go for recovery now)

dragonfly41
Posts: 67
Joined: 14 Sep 2012, 20:51

Re: Can Testdisk undo MFT rewrite

#2 Post by dragonfly41 »

Read this old thread ..

http://www.velocityreviews.com/forums/t ... cient.html

I've been looking around for some time to see if it is feasible to backup $MFT (as a shorter backup than a full disk backup).
I've seen that $MFT is a key file and if corrupted it is difficult to recover files.
So I'm preparing for the time when this disaster hits me.

http://superuser.com/questions/387875/i ... ndows-ntfs

http://www.dtidata.com/resourcecenter/2 ... -recovery/

It seems to be difficult but not impossible.

So you are left with file recovery if $MFT is lost (e.g. in your case being overwritten).

If you have a Linux Live CD you can try ntsfprogs on the ntfs partition.
http://en.wikipedia.org/wiki/Ntfsprogs

Or ntfswalker running in Windows will walk you through the $MFT.

To answer your question .. no .. from what I've read it's not possible to "undelete" or "undo" an overwritten $MFT file (which is possibly fragmented).

When $MFT is working you can try ultradefrag on $MFT

http://ultradefrag.sourceforge.net/en/index.html

poetman
Posts: 2
Joined: 08 Jan 2013, 14:18

Re: Can Testdisk undo MFT rewrite

#3 Post by poetman »

Thanks Dragonfly for your fast and extensive answer.
I'll have to dig into it, for now it's a little Spanish to me (I am not Spanish)
I'll try to run the NTFSwalker-tool, and struggle/ learn more from there on.

My biggest concern is that NTFS 2 RAW transition will happen again in the near future, for me it feels like a Windows bug or shortcoming, or a human shortcoming (me)

For example: the moment just before the NTFS 2 RAW transition I connected one of my Lacie's, but then it gave me the content and file structure of the other LaCie. I think that's strange. I could even dive in sub-sub-sub directories, I didn't try to actualy load a file. I unplugged it (always using "Safely Remove Hardware"), plugged the other LaCie in, and...... life turned raw.

Two weaks ago sort of same thing happened: the LaCie comes with its own nice icon, used in Explorer-view.
Things also mixed up: the day before the NTFS 2 RAW transition my local harddrive got this icon, and the LaCie drive got a standard Windows drive-icon. This situation still exists.

Anyway thanks for your concern, if you, or anyone, feels to shine a light on the above mentioned mystery you're very welcome.

Poetman

dragonfly41
Posts: 67
Joined: 14 Sep 2012, 20:51

Re: Can Testdisk undo MFT rewrite

#4 Post by dragonfly41 »

I unplugged it (always using "Safely Remove Hardware"), plugged the other LaCie in, and...... life turned raw.
Problems might arise if you plug in devices while the PC is running .. i.e. there is no "Safely Plugin Hardware" to use.

Try shutting down PC and then plugging in your La Cie .. not plugging in "on the fly".

You might also try booting up into Windows "safe mode" and running testdisk in administrator mode.

Also booting up a Linux CD and not Windows is often a good bet. You can use the Live CD to inspect your drives. And also use testdisk in your Live CD. I use Ubuntu but you can use other Linux distros such as Parted Magic. Just make sure that you go into bios at bootup to make boot via CD (or USB) your first choice rather than the HDD boot. If you can use Linux Live CD then as written earlier you have ntfsprogs to use as tools.

Locked