Logical Drive Corru...
 
Notifications
Clear all

Logical Drive Corrupted - MFT Damaged?

TestAYTube
(@testaytube)
New Member

Hello
I'm looking to see if I can recover the data from my 8TB HDD - Please see info below.

The HDD is mapped as F:
Within the HDD there are two partitions.

1. 140GB Partition

2. 7305GB Partition

Within the 2nd partition, I have an encrypted Veracrypt volume that contains both an outer and hidden volume.

Normally I map the hidden veracrypt volume is mapped as V:

Last week, the HDD (F:) wouldn't mount in Windows correctly, it gave an error saying "F:\ not accessible. Access is denied".
I thought it was strange as I've only had the HDD for a couple of weeks and there was not abrupt disconnection of the HDD when this occurred.

To troubleshoot this, I ran CHKDSK /F on the drive, which ran some repairs.
However, the drive still couldn't be opened.

After some research, I found the following page and ran diskmgt as admin, and re-mapped the drive - I could access the drive again.

Then I used Veracrypt to remap the hidden volume as V:
Upon trying to access the drive, windows produced an error saying "the disk structure is corrupt and unreadable".

 

I tried running repair file system (CHKDSK) via Veracrypt which showed an error saying

"Checking the file system on the VeraCrypt volume mounted as V:...
The type of the file system is NTFS.
The shadow copy provider had an unexpected error while trying to process the specified operation.

Unable to determine volume version and state. CHKDSK aborted." 

I checked the logical drive V: in TestDisk and tried to repair the MFT.
An error appeared saying "MFT and MFT mirror are bad. Failed to repair them. "

I have checked the logical drive in both DMDE and RStudio and can see that the $MFT is there along with the mirror.

I can also see some of the file structure is intact as some files/folders have dates and filenames.
I understand I could try running data recovery software to restore the files, though I will lose the metadata such as filenames.

I was wondering if there was some way to reconstruct or repair the MFT so that I get get the filesystem back to how it was?

Quote
Topic starter Posted : 19/06/2021 11:12 pm
jaclaz
(@jaclaz)
Community Legend

IF DMDE sees the $MFT as correct you can use "pure FS reconstruction", that would allow you to recover (at least some of) the files including the metadata, for those files that have corrupted $MFT entries direct carving (and thus losing the metadata) may be your only option (and not necessarily it will work for *all* files).

Likely the $MFT is only partially corrupted, but manually repairing it (if possible at all) may be a huge work, it depends on number of files and severity of corruption.

DMDE has a NTFS cluster map feature, from that you can probably get an idea of the amount of corrupted entries.

How big is the volume?

How many files are (were) in it?

Which type of files are (were) them? (as an example formats like JPEG have internal metadata that can be useful to recreate the filesystem ones from a directly carved or "raw" recovery)

How many files are still correctly viewable in DMDE via the $MFT?

The answers to these questions may make the difference from "worth an attempt" and "forget about it".

In any case you MUST make as soon as possible a RAW copy of the volume and stop fiddling on the original.

jaclaz

 

 

ReplyQuote
Posted : 20/06/2021 9:47 am
TestAYTube
(@testaytube)
New Member

@jaclaz The volume is 7TB

Around 161,128 files according to DMDE
Files in there were TXT, MP4, JPG.
Most files are still viewable, however seems like some are missing.
I have created a clone of the disk and am using it to see what can be recovered.

ReplyQuote
Topic starter Posted : 20/06/2021 8:13 pm
TestAYTube
(@testaytube)
New Member

Just correcting the above post.

There are around 500,000 files according to DMDE.

ReplyQuote
Topic starter Posted : 21/06/2021 12:10 am
jaclaz
(@jaclaz)
Community Legend

Unfortunately, 161,128 or 500,000 doesn't make much difference, they are essentially "many" (the way I can count, 1... 998, 999, many) or " a suffusion of yellow".

Several tens of thousands of files are simply too many for anything "manual", and they are probably also too many for a "negative recovery" approach[1].

I think you are stuck with the following procedure:
1) recover all the files you can via "pure FS reconstruction"
2) recover all the files you can via direct carving
3) process the result eliminating the duplicates

jaclaz

[1] this is a pet peeve of mine, basically you first recover all the files you can via "pure FS recovery", these files will have a "proper" address/extents in the $MFT, so you can 00 those extents once you have recovered them AND delete the files, making (hopefully) easier to carve the rest

 

 

 

 

ReplyQuote
Posted : 22/06/2021 9:00 am
TestAYTube
(@testaytube)
New Member

Is there a way to take the $MFT file/structure from a backup volume on another disk and use it to repair or replace the $MFT on the corrupted volume?

ReplyQuote
Topic starter Posted : 30/06/2021 1:16 am
jaclaz
(@jaclaz)
Community Legend
Posted by: @testaytube

Is there a way to take the $MFT file/structure from a backup volume on another disk and use it to repair or replace the $MFT on the corrupted volume?

The $MFT is essentially comparable in layman's terms to the index of a book.

You can see from it that Chapter 24 is titled "Something" and starts on page 458, and since on the next line Chapter 25 is listed as starting on page 475, you know that the chapter is some 17 pages long.

If you copy the index from another book, possibly Chapter 24 is titled "Something else" and starts at page 147, and Chapter 25 is on page 201, making it 54 pages long.

So, your questions sounds - more or less - as "Can I make a photocopy of the index of The Bible and replace with this copy the missing index of my HP Laserjet manual?"

Of course you can, but you will unlikely find in this index how to solve a paper jam.

A backup volume may have the same contents, but very, very likely, in a completely different physical order on disk, so the copied/transplanted $MFT won't work as well.

Loosely this is among the reasons why in forensics you usually make disk or volume images (as opposed to backups).

On the other hand, if you have an actual copy (be it a  backup or an image), you don't need to recover the original.

In reality, the first few records of the $MFT have "standard" entries (though of course addresses in them depend on the specific volume size/offset/OS/tool that created the filesystem) so, it is possible - in theory - to recreate them from a "base" copied from an identical (same size, offset, OS, tool used) volume, but what you can do ends right there.

Imagine that you have several books, all of them have a "fixed" part where you have the index starting as:
Foreword -> page 1
Introduction -> page 3
Chapter 1 -> page 6

but then each book (and its index) will have different content.

The $MFT is a "growing" entity, i.e. when you create a filesystem (by formatting the volume) only a minimal part of it is created, all the rest is added at the time you add files/directories to it, so the entries in the $MFT are essentially following the order files/directories were created or copied to the volume (and this order is usually very different in normal use vs. making a backup, to which you add deleted files, reused $MFT entries, the effect of defragmentation tools, etc.).

jaclaz

ReplyQuote
Posted : 30/06/2021 10:05 am
Share: