cgsecurity.org

I have noticed with consistency that both the Primary and Mirror MFT (so much for a backup!) gets corrupted when drives lose connectivity or power while in use on Windows systems. Would it be possible to have TestDisk add a "backup/restore MFT" to file feature?

Such feature will not be implemented as it's better served by a traditionnal backup.

Just want to add this here from experience since I can't find it anywhere else:

Symptom:
- (On Windows) NTFS Partition becomes RAW.
- Chkdsk aborts. It correctly finds NTFS, but "Unable to determine volume version and state."
- Boot Sector is intact. Logical partitions is intact. Data is intact.
- Primary $MFT and Mirror $MFT headers overwritten with "USBC" and junk (it should start with "FILE").

Solution:
- Restore $MFT header from backup manually using hex editor (or recreate if if no backup).
- If no header backup, use PhotoRec or file recovery software. (The original directory structure is intact but I don't know how this is done with recovery tools. Maybe it ignores the $MFT header and parses contents?)

Hairbrained wrote: 28 May 2019, 11:16 Just want to add this here from experience since I can't find it anywhere else:

Symptom:
- (On Windows) NTFS Partition becomes RAW.

"Windows" is not precise.
Where is that partition located? Harddrive? USB-stick?

- Chkdsk aborts. It correctly finds NTFS, but "Unable to determine volume version and state."
- Boot Sector is intact. Logical partitions is intact. Data is intact.

How come you know when the partition is RAW?

- Primary $MFT and Mirror $MFT headers overwritten with "USBC" and junk (it should start with "FILE").

Solution:
- Restore $MFT header from backup manually using hex editor (or recreate if if no backup).

This is not useful as what you are probably refering to as "header" is not static.

Do you have deeper knowledge of the MFT Mirror?

How do you check it?

Is the Mirror at the end of the drive?

I forgot to mention "USBC" appears only when you are using external USB drives (badly programmed controller?), but I have seen MFT corruption for internal drive when power is pulled (MFT header is broken but directory structure and files can be found with undelete or data recovery tools).

iwlf wrote: Do you have deeper knowledge of the MFT Mirror?
How do you check it?
Is the Mirror at the end of the drive?

1) No.
2&3) The location of the Primary MFT (offset 0x30) and MFT Mirror (offset 0x38) will be in the Boot Sector record. Mirror contains only MFT header.

Hairbrained wrote: 29 May 2019, 01:22 2&3) The location of the Primary MFT (offset 0x30) and MFT Mirror (offset 0x38) will be in the Boot Sector record. Mirror contains only MFT header.

If you had a look at it time to time to notice the inconsistency was the Mirror usually at the end of disk?

https://www.blackbagtech.com/blog/2017/ ... le-basics/ master-file-table-basics

" Each MFT entry is made up of a header and several attributes."

Where do you know from Mirror only have headers?