MFT became corrupt chkdsk erased the drive

Zober
Posts: 4
Joined: 02 May 2021, 01:01

#1 Post by Zober »

Hi,

MFT somehow became corrupt, Linux suggested I run chkdsk, booted Windows which loaded chkdsk, it *fixed* the problem, the drive became accessible but all the files were gone, replaced by chkdsk logs...
Can I still get the files? There is no physical issue with the drive or any bad sectors.

I tried TestDisk but it says everything is valid and the only files it sees are those chkdsk logs :(

It is a 3TB GPT NTFS drive, I'm cloning it right now with ddrescue just in case.

Didn't try PhotoRec yet, what else can I do?

recuperation
Posts: 2718
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

#2 Post by recuperation »

You could check if you ran a faulty chkdsk version.
Otherwise you could run any other commercial recovery software.

Zober
Posts: 4
Joined: 02 May 2021, 01:01

#3 Post by Zober »

recuperation wrote: 02 May 2021, 09:17
> You could check if you ran a faulty chkdsk version.
> Otherwise you could run any other commercial recovery software.

Not familiar with the first option, can you elaborate? How can chkdsk be faulty?
Also it's the same OS as when the drive was made so the version is the same if that helps.

So if I understand correctly chkdsk has fixed the MFT errors by making a new one and has also overwritten the backup, and now there is no way to fix it by going that route and I'm left only with the option to recover the data? Which also means it will be in a messed up order and names. Is that correct?

As a side question, in the future if the MFT is corrupt, is it better to run TestDisk first or should chkdsk be the first option?

recuperation
Posts: 2718
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

#4 Post by recuperation »

Zober wrote: 02 May 2021, 15:17
> recuperation wrote: 02 May 2021, 09:17
> > You could check if you ran a faulty chkdsk version.
> > Otherwise you could run any other commercial recovery software.
>
> Not familiar with the first option, can you elaborate? How can chkdsk be faulty?

viewtopic.php?f=16&t=10593&p=32792&hili ... dsk#p32792

> Also it's the same OS as when the drive was made so the version is the same if that helps.
>
> So if I understand correctly chkdsk has fixed the MFT errors by making a new one and has also overwritten the backup, and now there is no way to fix it by going that route and I'm left only with the option to recover the data? Which also means it will be in a messed up order and names. Is that correct?

Chkdsk either broke your disk even more or repaired it if you did not run the faulty version. Repairing does not necessarily mean recovering but bringing into a state to comply with the NTFS specification. That process may have overwritten things that would have been recoverable with a commercial software.

> As a side question, in the future if the MFT is corrupt, is it better to run TestDisk first or should chkdsk be the first option?

TestDisk is better because you can use it to just analyze instead of making irreversible changes that chkdsk does.
I prefer duplicating a drive before running chkdsk.

Zober
Posts: 4
Joined: 02 May 2021, 01:01

#5 Post by Zober »

I tried the latest CHKDSK, it didn't help.

Commercial tools did save some of the data but now I have another question.

I used Recuva (please suggest something better if you know it) and besides the files there were copies of the $MFT file.

I think if I restore that file my HDD will be accessible again, how do I do it? I didn't find any good solution for this, only people talking about copying byte by byte to the header. Sure, it's dated 8 months ago but not much has changed so I don't care about the new stuff anyway.

recuperation
Posts: 2718
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

#6 Post by recuperation »

Zober wrote: 04 May 2021, 14:38
> I tried the latest CHKDSK, it didn't help.
>
> Commercial tools did save some of the data but now I have another question.
>
> I used Recuva (please suggest something better if you know it) and besides the files there were copies of the $MFT file.
>
> I think if I restore that file my HDD will be accessible again, how do I do it? I didn't find any good solution for this, only people talking about copying byte by byte to the header. Sure, it's dated 8 months ago but not much has changed so I don't care about the new stuff anyway.

There are no copies of the MFT. There are some copies of some entries. If they are sufficient for repairs TestDisk is one of the few programs, maybe the only one that will write on a logically broken partition.
If it's as simple as you think why do all the recovery programs only extract and never repair?

I was smiling when I read "MFT somehow became corrupt" without delivering any proof for it.

If you want to repair broken file systems, you need a hex editor and preferably programming abilities in one language. NTFS is proprietary stuff but there is enough free public information about it on the internet.

Zober
Posts: 4
Joined: 02 May 2021, 01:01

#7 Post by Zober »

recuperation wrote: 04 May 2021, 20:13
> There are no copies of the MFT. There are some copies of some entries. If they are sufficient for repairs TestDisk is one of the few programs, maybe the only one that will write on a logically broken partition.
> If it's as simple as you think why do all the recovery programs only extract and never repair?
>
> I was smiling when I read "MFT somehow became corrupt" without delivering any proof for it.
>
> If you want to repair broken file systems, you need a hex editor and preferably programming abilities in one language. NTFS is proprietary stuff but there is enough free public information about it on the internet.

Can you elaborate a little? I thought TestDisk works mostly with the MFT mirror file and not MFT fragments around the HDD, is that not the case?
The quick answer to the extracting question (and I could easily be wrong) is that getting data via signatures is easier than working out all the details and insides of NTFS, since it's proprietary and takes more work. This is similar to me to how in the AV industry signatures are easier to maintain than dynamic or AI-based thinking SW of sorts.

Maybe it's cultural differences but I didn't understand the smiling part, are you saying I'm jumping to conclusions or are you just amused by the situation in general?

Yeah, I continued digging into this and it's a mess and a lot of work, I don't really have the time, it's easier to recover data at this point. Maybe in the beginning, if it was just a corrupt entry and not the loss of the whole MFT, I would have tried something similar to this guy here:
https://itectec.com/superuser/ntfs-part ... -fix-them/

But like I said, not gonna bother here. In case anyone finds the thread, I ran the following software:
DMDE
Zar
Recuva
Rstudio
EaseUS
GetDataBack

DMDE is by far the best tool as it uses MFT fragments and recovers the structure of the HDD along with the files, pure magic.
Recuva could be used for a quick file type grab like photos but DMDE is THE tool here.
Got most of my data back, maybe 90%, can't say for sure what's missing out of 2TB of data...
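
The read-only analysis discussed in this thread, as an added example that is not part of any post and is not code from TestDisk or DMDE: it parses the NTFS boot sector of a cloned image, compares the first four $MFT records with their $MFTMirr copies (the "copies of some entries"), and lists sector-aligned FILE record signatures. The function names and the 32 KiB sample image are constructed for illustration; nothing is written to the image.

```python
import struct

def parse_ntfs_boot(boot):
    """Locate $MFT and $MFTMirr from the NTFS boot sector (pure read)."""
    if bytes(boot[3:11]) != b"NTFS    ":
        raise ValueError("no NTFS OEM ID in boot sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", boot, 0x0B)
    mft_lcn, mirr_lcn = struct.unpack_from("<QQ", boot, 0x30)
    raw = struct.unpack_from("<b", boot, 0x40)[0]
    cluster = bytes_per_sector * sectors_per_cluster
    # A negative value means the record size is 2**(-raw) bytes, not clusters.
    record = (1 << -raw) if raw < 0 else raw * cluster
    return {"cluster": cluster, "record": record,
            "mft": mft_lcn * cluster, "mirr": mirr_lcn * cluster}

def compare_mirror(img, geo, count=4):
    """(index, has FILE signature, identical to mirror) for the first records."""
    size, rows = geo["record"], []
    for i in range(count):
        main = img[geo["mft"] + i * size: geo["mft"] + (i + 1) * size]
        copy = img[geo["mirr"] + i * size: geo["mirr"] + (i + 1) * size]
        rows.append((i, main[:4] == b"FILE", main == copy))
    return rows

def scan_file_records(img, sector=512):
    """Offsets of sector-aligned 'FILE' signatures anywhere in the image."""
    return [off for off in range(0, len(img) - 3, sector)
            if img[off:off + 4] == b"FILE"]

def build_sample():
    """Constructed image: $MFTMirr at LCN 2, $MFT at LCN 4, 1 KiB records."""
    img = bytearray(32768)
    img[3:11] = b"NTFS    "
    struct.pack_into("<HB", img, 0x0B, 512, 8)   # 512-byte sectors, 4 KiB clusters
    struct.pack_into("<QQ", img, 0x30, 4, 2)     # $MFT LCN, $MFTMirr LCN
    struct.pack_into("<b", img, 0x40, -10)       # record size 2**10 bytes
    for i in range(6):
        img[16384 + i * 1024: 16384 + (i + 1) * 1024] = b"FILE" + bytes([i]) * 1020
    img[8192:12288] = img[16384:20480]           # mirror of records 0-3
    img[16384 + 1024 + 100] = 0xFF               # record 1 changed after mirroring
    return bytes(img)

if __name__ == "__main__":
    img = build_sample()  # for a real clone: mmap the ddrescue image opened "rb"
    geo = parse_ntfs_boot(img)
    print(geo)
    print(compare_mirror(img, geo))
    print(len(scan_file_records(img)), "FILE signatures found")
```
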
