Messing with Corrupted NTFS

girlsrcute
Posts: 14
Joined: 15 Aug 2015, 03:35

Re: Messing with Corrupted NTFS

#11 Post by girlsrcute »

I have a Biostar Motherboard with built-in RAID, so I use that. I know a backup would be great, but I have no 1TB backup, so I'll take the risks. After I re-created the array, I ran the sync and no inconsistencies were found. I had previously, individually, run chkdsk - with the same results on each disk. So far, I don't believe there is any data loss except for the mystery of the number of sectors from the earlier posts. I also found another problem. Out of curiosity, I ran TestDisk, this time looking at the Drive letter, instead of the disk, and it showed this:

Drive C: - 999 GB / 931 GiB - CHS 121575 255 63
Partition Start End Size in sectors
P NTFS 0 0 1 121575 253 63 1953118377

Boot sector
Status: OK

Backup boot sector
ntfs_boot_sector: Can't read backup boot sector.
Status: Bad


--------------------------------------

I see many posts on here saying to use TestDisk on the disks, not the logical drives. What's the difference? What would be the harm if I tried to correct this boot sector problem on the logical drive? (Also, I understand that the RAID1 is a logical drive anyway).

Fiona
Posts: 2835
Joined: 18 Feb 2012, 17:19
Location: Ludwigsburg/Stuttgart - Germany

Re: Messing with Corrupted NTFS

#12 Post by Fiona »

A disk has a partition table.
A drive is like a partition and has no partition table.
For example the first executable sector (512 Bytes) is either your MBR containing your partition table or your GPT (GUID partition table).
A Drive or partition starts with the boot sector.
So there is no partition table.
That's why, if you choose Drive and run, for example, TestDisk / Analyse, the values are not correct and it can't display your partition table.
Drive is a good solution if your partition appears as RAW or unformatted, to run a boot sector diagnosis using the Advanced menu.
But it only makes sense if your partition in your partition table is correct.

Fiona
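
The disk/drive distinction described in the post above, as an added example that is not part of the original thread: it labels a first sector as a disk's MBR or a drive's NTFS boot sector. The sample sectors are constructed (start LBA 2048 is an assumption; the sector count is the one TestDisk printed), and all function names are hypothetical.

```python
import struct

def classify_first_sector(sector):
    """Label a 512-byte first sector as a disk's (MBR / GPT) or a drive's (NTFS boot sector)."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        return "unknown"
    # An MBR and an NTFS boot sector both end in 55 AA; the OEM ID at offset 3 separates them.
    if sector[3:11] == b"NTFS    ":
        return "ntfs-boot-sector"
    types = [p[0] for p in mbr_partitions(sector)]
    if 0xEE in types:
        return "gpt-protective-mbr"
    return "mbr" if types else "unknown"

def mbr_partitions(sector):
    """Return (type, start_lba, sector_count) for each used entry of the MBR partition table."""
    entries = []
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        start_lba, count = struct.unpack_from("<II", entry, 8)
        if ptype:
            entries.append((ptype, start_lba, count))
    return entries

def sample_disk_sector():
    """Constructed MBR: one type 0x07 (NTFS) partition at LBA 2048, 1953118377 sectors long."""
    s = bytearray(512)
    s[446 + 4] = 0x07
    struct.pack_into("<II", s, 446 + 8, 2048, 1953118377)
    s[510:512] = b"\x55\xaa"
    return bytes(s)

def sample_drive_sector():
    """Constructed NTFS boot sector: jump, OEM ID, 512-byte sectors, 8 sectors per cluster."""
    s = bytearray(512)
    s[0:3] = b"\xeb\x52\x90"
    s[3:11] = b"NTFS    "
    struct.pack_into("<HB", s, 0x0B, 512, 8)
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    print(classify_first_sector(sample_disk_sector()), mbr_partitions(sample_disk_sector()))
    print(classify_first_sector(sample_drive_sector()))
```

On a real boot sector, bytes 446 to 509 hold boot code, so reading them as a partition table yields meaningless entries.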

girlsrcute
Posts: 14
Joined: 15 Aug 2015, 03:35

Re: Messing with Corrupted NTFS

#13 Post by girlsrcute »

Regarding the MFT: TestDisk, prior to re-creating my array, would show each drive as having an MFT and mirror that matches perfectly.

Now, for the array, it shows:

"Both MFT seems ok but they don't match, use chkdsk"

Even after chkdsk on the array, I continue to get this message. To me, it means something is wrong. Why are the MFT and MFT-mirror on my RAID not a perfect match?
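
A read-only way to see which records differ between $MFT and $MFTMirr, as an added example that is not part of the original thread and not TestDisk's own code. Comparing the first four records is an assumption about what counts as a match; the sample volume is constructed and the function names are hypothetical.

```python
import io
import struct

def ntfs_layout(boot):
    """Read cluster size, record size and the two MFT start clusters from an NTFS boot sector."""
    if boot[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", boot, 0x0B)
    mft_lcn, mirr_lcn = struct.unpack_from("<QQ", boot, 0x30)
    per_record = struct.unpack_from("<b", boot, 0x40)[0]
    cluster = bytes_per_sector * sectors_per_cluster
    # A negative value n means the record is 2**-n bytes (-10 -> 1024), otherwise clusters.
    record = cluster * per_record if per_record > 0 else 1 << -per_record
    return cluster, record, mft_lcn, mirr_lcn

def mirror_mismatches(volume, records=4):
    """Return the record numbers whose $MFT and $MFTMirr copies differ. Reads only."""
    volume.seek(0)
    cluster, record, mft_lcn, mirr_lcn = ntfs_layout(volume.read(512))
    differing = []
    for n in range(records):
        volume.seek(mft_lcn * cluster + n * record)
        primary = volume.read(record)
        volume.seek(mirr_lcn * cluster + n * record)
        if primary != volume.read(record):
            differing.append(n)
    return differing

def sample_volume(stale_mirror_record=None):
    """Constructed 64 KiB volume: 4 KiB clusters, $MFT at LCN 4, $MFTMirr at LCN 8."""
    vol = bytearray(16 * 4096)
    vol[3:11] = b"NTFS    "
    struct.pack_into("<HB", vol, 0x0B, 512, 8)
    struct.pack_into("<QQ", vol, 0x30, 4, 8)
    struct.pack_into("<b", vol, 0x40, -10)
    for n in range(4):
        rec = b"FILE" + bytes([n]) * 1020
        vol[4 * 4096 + n * 1024: 4 * 4096 + (n + 1) * 1024] = rec
        if n == stale_mirror_record:
            rec = b"FILE" + b"\xff" * 1020      # the mirror copy differs from $MFT
        vol[8 * 4096 + n * 1024: 8 * 4096 + (n + 1) * 1024] = rec
    return io.BytesIO(bytes(vol))

if __name__ == "__main__":
    print(mirror_mismatches(sample_volume()))                       # matching copies
    print(mirror_mismatches(sample_volume(stale_mirror_record=1)))  # record 1 differs
```

For a real volume, pass a file object opened with mode "rb" on an image of the partition rather than on the live device.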

Fiona
Posts: 2835
Joined: 18 Feb 2012, 17:19
Location: Ludwigsburg/Stuttgart - Germany

Re: Messing with Corrupted NTFS

#14 Post by Fiona »

Drive C: - 999 GB / 931 GiB - CHS 121575 255 63
Partition Start End Size in sectors
P NTFS 0 0 1 121575 253 63 1953118377

Boot sector
Status: OK

Backup boot sector
ntfs_boot_sector: Can't read backup boot sector.
Status: Bad

I don't recommend running OrgBS to copy the boot sector over its backup.
In some cases it caused problems, if the file system is not consistent.

"Both MFT seems ok but they don't match, use chkdsk"

RepairMFT is only intended as a companion to chkdsk if chkdsk stops or hangs.
Some info:
http://www.cgsecurity.org/wiki/Advanced ... MFT_Repair

Most important in your case would be a backup.
Then you could create a RAID1 from scratch and copy your data back.
In some cases, after a RAID was degraded, users recreated their RAID/array exactly like before without partitioning and formatting it, and ran a diagnosis using TestDisk.
After writing the partition to the partition table and, where needed, a boot sector repair, they didn't experience any problems and everything was exactly like before.
An exception would be if a disk or data got modified before the array was recreated exactly like before.

Fiona

girlsrcute
Posts: 14
Joined: 15 Aug 2015, 03:35

Re: Messing with Corrupted NTFS

#15 Post by girlsrcute »

I'm thinking I should fix the MFT issue on both disks, then look into fixing the Boot Sector issue of the array. I'm looking for another tool aside from TestDisk or chkdsk to auto-repair the MFT, but so far not finding anything simple - it's looking very technical and highly involved. I'll make backups of the MFT first, with dd, as I noticed that TestDisk shows me the location of the MFT.

girlsrcute
Posts: 14
Joined: 15 Aug 2015, 03:35

Re: Messing with Corrupted NTFS

#16 Post by girlsrcute »

I realized this is a little complicated for me as I am not very familiar with dd. I know it can be used to copy sectors. Now, I don't know what that command would look like. I also don't have the MFT size, but it appears I can extract it somehow.

I found this pdf: https://www.fbi.h-da.de/fileadmin/perso ... andout.pdf

Records of the MFT:
- Record 0: MFT (record for the MFT itself).
- Record 1: $MFTMirr (backup of the first MFT entries).

Found this windows command to get info about the $MFT:

C:\windows\system32>fsutil fsinfo ntfsinfo C:
NTFS Volume Serial Number : 0xbeb0c174b0c13425
Version : 3.1
Number Sectors : 0x00000000746a38a8
Total Clusters : 0x000000000e8d4715
Free Clusters : 0x000000000033489a
Total Reserved : 0x0000000000002780
Bytes Per Sector : 512
Bytes Per Cluster : 4096
Bytes Per FileRecord Segment : 1024
Clusters Per FileRecord Segment : 0
Mft Valid Data Length : 0x000000003af00000
Mft Start Lcn : 0x00000000000c0000
Mft2 Start Lcn : 0x000000000746a38a
Mft Zone Start : 0x00000000016454a0
Mft Zone End : 0x0000000001651b20
RM Identifier: 5BF7A6AF-4568-11E5-9204-806E6F6E6963

I'm guessing the dd command would be something like so:

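# bs = Bytes Per Cluster; skip = Mft Start Lcn (0xc0000 clusters); count = Mft Valid Data Length (0x3af00000 bytes) / 4096; LCNs count from the start of the NTFS volume, so if= has to be the device of that volume
dd if=/dev/sdc of=/media/1111/mft.img bs=4096 skip=786432 count=241408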
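
How the fsutil fields map onto dd parameters, as an added example that is not part of the original thread: it parses the fsutil lines quoted in the post and derives bs, skip and count for $MFT and $MFTMirr. The device name /dev/sdXN is a placeholder for the partition holding the volume, the sample text is a constructed excerpt of that output, and the function names are hypothetical.

```python
import re

# Constructed sample: the relevant lines of the fsutil output quoted in the post above.
FSUTIL_SAMPLE = """\
Bytes Per Sector : 512
Bytes Per Cluster : 4096
Bytes Per FileRecord Segment : 1024
Mft Valid Data Length : 0x000000003af00000
Mft Start Lcn : 0x00000000000c0000
Mft2 Start Lcn : 0x000000000746a38a
"""

def parse_ntfsinfo(text):
    """Map each 'Name : value' line (hex or decimal value) to an int."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s*:\s*(0x[0-9a-fA-F]+|\d+)\s*$", line)
        if m:
            value = m.group(2)
            fields[m.group(1)] = int(value, 16) if value.lower().startswith("0x") else int(value)
    return fields

def mft_dd_args(fields):
    """dd block parameters for $MFT and $MFTMirr, using one cluster per block."""
    cluster = fields["Bytes Per Cluster"]
    record = fields["Bytes Per FileRecord Segment"]
    return {
        # LCNs are cluster indexes from the start of the volume, so skip is in clusters.
        "mft": {"bs": cluster, "skip": fields["Mft Start Lcn"],
                "count": -(-fields["Mft Valid Data Length"] // cluster)},
        # $MFTMirr holds copies of the first four records (standard NTFS layout).
        "mftmirr": {"bs": cluster, "skip": fields["Mft2 Start Lcn"],
                    "count": max(1, -(-4 * record // cluster))},
    }

def dd_command(volume_dev, out_path, args):
    """Read-only copy: the volume is only ever named in if=, never in of=."""
    return "dd if={} of={} bs={bs} skip={skip} count={count}".format(volume_dev, out_path, **args)

if __name__ == "__main__":
    plan = mft_dd_args(parse_ntfsinfo(FSUTIL_SAMPLE))
    # /dev/sdXN is a placeholder for the partition that holds the NTFS volume.
    print(dd_command("/dev/sdXN", "mft.img", plan["mft"]))
    print(dd_command("/dev/sdXN", "mftmirr.img", plan["mftmirr"]))
```

A copy made this way is the complete $MFT only when the table sits in one contiguous run; a fragmented $MFT continues in other clusters that the start LCN does not reveal.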

Fiona
Posts: 2835
Joined: 18 Feb 2012, 17:19
Location: Ludwigsburg/Stuttgart - Germany

Re: Messing with Corrupted NTFS

#17 Post by Fiona »

I'm not that Linux tech-savvy.
But here is some info about cloning and image creation using dd:
http://www.cgsecurity.org/wiki/Damaged_Hard_Disk
Except chkdsk, I don't know any tool that fixes an MFT and its mirror.
Modifying a file system can be dangerous.
That's why I always recommend backup.

Fiona

girlsrcute
Posts: 14
Joined: 15 Aug 2015, 03:35

Re: Messing with Corrupted NTFS

#18 Post by girlsrcute »

I ran chkdsk on the array. TestDisk showed the disks in the array as having mismatched $MFT so then I destroyed the array, then ran chkdsk on both disks.

All my chkdsks showed: "Windows has checked the file system and found no problems."

In TestDisk, I still get this message:

"Both MFT seems ok but they don't match, use chkdsk."

I'm guessing the $MFT is actually fine since I can see my files on both disks. However, only guessing here, but it's probably that the $MFTMirr is not correct on each disk.

girlsrcute
Posts: 14
Joined: 15 Aug 2015, 03:35

Re: Messing with Corrupted NTFS

#19 Post by girlsrcute »

I tried using expert mode in TestDisk to repair the $MFTMirr, it writes, then when I restart and check again, TestDisk goes back to displaying the message:

"Both MFT seems ok but they don't match, use chkdsk."

Repairing the $MFTMirr doesn't seem to stick. I also noticed TestDisk lists 2 physical disks, but only one logical disk. I should see both, but I do not (again, the RAID 1 mirror no longer exists at this point).

Disk /dev/sdc - 1000 GB / 931 GiB
Disk /dev/sdd - 1000 GB / 931 GiB
Drive P: - 999 GB / 931 GiB

Stumped! Giving up.

Fiona
Posts: 2835
Joined: 18 Feb 2012, 17:19
Location: Ludwigsburg/Stuttgart - Germany

Re: Messing with Corrupted NTFS

#20 Post by Fiona »

I've only used Expert Mode on FAT-Partitions.
MFT and its Mirror are not the only metadata hidden by the file system.
There is some other metadata too.
The $Bitmap for example contains info about used and free or unallocated space.
If it doesn't match, you can get this message too.
That's why I recommended backing up your data, creating your RAID1 from scratch and copying the data back.
Struggling around with a disk and its mirror after your RAID1 was degraded can lead to such results.

Fiona
