Feature Request: MFT Backup/Restore

Hairbrained
Posts: 3
Joined: 28 May 2019, 03:11

Feature Request: MFT Backup/Restore

#1 Post by Hairbrained »

I have noticed with consistency that both the Primary and Mirror MFT (so much for a backup!) get corrupted when drives lose connectivity or power while in use on Windows systems. Would it be possible to have TestDisk add a "backup/restore MFT" to file feature?

cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France

Re: Feature Request: MFT Backup/Restore

#2 Post by cgrenier »

Such a feature will not be implemented, as it's better served by a traditional backup.

Hairbrained
Posts: 3
Joined: 28 May 2019, 03:11

Re: Feature Request: MFT Backup/Restore

#3 Post by Hairbrained »

Just want to add this here from experience since I can't find it anywhere else:

Symptom:
- (On Windows) NTFS Partition becomes RAW.
- Chkdsk aborts. It correctly finds NTFS, but "Unable to determine volume version and state."
- Boot Sector is intact. Logical partitions are intact. Data is intact.
- Primary $MFT and Mirror $MFT headers overwritten with "USBC" and junk (it should start with "FILE").

Solution:
- Restore $MFT header from backup manually using hex editor (or recreate it if no backup).
- If no header backup, use PhotoRec or file recovery software. (The original directory structure is intact but I don't know how this is done with recovery tools. Maybe it ignores the $MFT header and parses contents?)

recuperation
Posts: 2720
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: Feature Request: MFT Backup/Restore

#4 Post by recuperation »

Hairbrained wrote: 28 May 2019, 11:16
> Just want to add this here from experience since I can't find it anywhere else:
>
> Symptom:
> - (On Windows) NTFS Partition becomes RAW.

"Windows" is not precise.
Where is that partition located? Hard drive? USB stick?

> - Chkdsk aborts. It correctly finds NTFS, but "Unable to determine volume version and state."
> - Boot Sector is intact. Logical partitions are intact. Data is intact.

How come you know when the partition is RAW?

> - Primary $MFT and Mirror $MFT headers overwritten with "USBC" and junk (it should start with "FILE").
>
> Solution:
> - Restore $MFT header from backup manually using hex editor (or recreate it if no backup).

This is not useful as what you are probably referring to as "header" is not static.

iwlf
Posts: 10
Joined: 10 Jun 2016, 22:37

Re: Feature Request: MFT Backup/Restore

#5 Post by iwlf »

Do you have deeper knowledge of the MFT Mirror?

How do you check it?

Is the Mirror at the end of the drive?

Hairbrained
Posts: 3
Joined: 28 May 2019, 03:11

Re: Feature Request: MFT Backup/Restore

#6 Post by Hairbrained »

I forgot to mention "USBC" appears only when you are using external USB drives (badly programmed controller?), but I have seen MFT corruption for an internal drive when power is pulled (MFT header is broken but directory structure and files can be found with undelete or data recovery tools).

iwlf wrote:
> Do you have deeper knowledge of the MFT Mirror?
> How do you check it?
> Is the Mirror at the end of the drive?

1) No.
2&3) The location of the Primary MFT (offset 0x30) and MFT Mirror (offset 0x38) will be in the Boot Sector record. Mirror contains only MFT header.
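
The check discussed in this thread (read the $MFT and $MFTMirr cluster numbers at boot sector offsets 0x30 and 0x38, then look for the "FILE" signature at each location), as an added example that is not part of the original posts and is not TestDisk code. The function names and the sample image are constructed for illustration; the code assumes a boot sector at offset 0 of the volume and a sectors-per-cluster byte that is a plain count.

```python
import io
import struct

BOOT_SIZE = 512  # the fields used here all sit in the first 512 bytes


def check_mft_signatures(dev):
    """dev: binary file object opened read-only on an NTFS volume or image."""
    dev.seek(0)
    boot = dev.read(BOOT_SIZE)
    if len(boot) < BOOT_SIZE or boot[3:11] != b"NTFS    ":
        raise ValueError("no NTFS OEM ID in boot sector")
    # 0x0B: bytes per sector (u16), 0x0D: sectors per cluster (u8)
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", boot, 0x0B)
    if bytes_per_sector == 0 or sectors_per_cluster == 0:
        raise ValueError("boot sector geometry fields are zero")
    cluster_size = bytes_per_sector * sectors_per_cluster
    # 0x30: cluster number of $MFT, 0x38: cluster number of $MFTMirr (u64 each)
    mft_lcn, mirr_lcn = struct.unpack_from("<QQ", boot, 0x30)
    report = {}
    for name, lcn in (("$MFT", mft_lcn), ("$MFTMirr", mirr_lcn)):
        offset = lcn * cluster_size
        dev.seek(offset)
        # Read a whole sector: raw devices usually require sector-sized I/O.
        signature = dev.read(bytes_per_sector)[:4]
        report[name] = {"offset": offset, "signature": signature,
                        "ok": signature == b"FILE"}
    return report


def build_sample_image(mft_sig=b"FILE", mirr_sig=b"FILE"):
    """Constructed 64 KiB image: 512-byte sectors, 8 sectors per cluster."""
    img = bytearray(64 * 1024)
    img[3:11] = b"NTFS    "
    struct.pack_into("<HB", img, 0x0B, 512, 8)
    struct.pack_into("<QQ", img, 0x30, 4, 8)  # $MFT at cluster 4, mirror at 8
    img[4 * 4096:4 * 4096 + 4] = mft_sig
    img[8 * 4096:8 * 4096 + 4] = mirr_sig
    return bytes(img)


if __name__ == "__main__":
    # Healthy image, then one with both signatures overwritten as reported above.
    for sigs in ((b"FILE", b"FILE"), (b"USBC", b"USBC")):
        image = io.BytesIO(build_sample_image(*sigs))
        for name, r in check_mft_signatures(image).items():
            state = "ok" if r["ok"] else "DAMAGED"
            print(f"{name}: offset {r['offset']:#x} signature {r['signature']!r} {state}")
```

On a real volume, pass a file object opened in `"rb"` mode so nothing is written, and preferably run it against an image of the disk rather than the disk itself.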

iwlf
Posts: 10
Joined: 10 Jun 2016, 22:37

Re: Feature Request: MFT Backup/Restore

#7 Post by iwlf »

Hairbrained wrote: 29 May 2019, 01:22
> 2&3) The location of the Primary MFT (offset 0x30) and MFT Mirror (offset 0x38) will be in the Boot Sector record. Mirror contains only MFT header.

If you had a look at it from time to time to notice the inconsistency, was the Mirror usually at the end of the disk?

https://www.blackbagtech.com/blog/2017/ ... le-basics/ master-file-table-basics

"Each MFT entry is made up of a header and several attributes."

How do you know that the Mirror only has headers?
