Someone recently rebooted their Windows XP system uncleanly and chkdsk decided it would be great if it ran on reboot and *fixed* problems (deleted index and fragments). He had some 40 GB of presentations in AVI format on the disk at the time. Does anyone have good documentation or know-how on how to recover from this sort of situation?
I am not too sure I understand the problem from how you describe it, as CHKDSK is a utility for checking the condition of the hard drive (and floppy disks). It checks the surface of the disk for any damaged areas and marks them as unusable by the system, preventing the storing of data there. It reports on how much hard drive space is available.
The sudden 'unclean' shutdown of the system may have caused some physical damage to the disk (however, this is extremely rare, and it is possible the disk was suffering to begin with).
Windows running the program is an attempt to repair the damage caused. It could have been stopped during the boot (Windows normally offers the choice of letting it run or stop).
On a disk with 40 GB of .avi files, I suggest there is every possibility of recovering many such files; you just need the software to do it.
This link might help:
Andy
Sorry about that. Let me clarify. From what I was told, this system rebooted uncleanly (as in skipped the normal shutdown procedure), chkdsk somehow got scheduled to run, and when the system rebooted, chkdsk automatically ran in /f mode where it deletes file fragments and cleans the disk.
When it "fixed" the problems, it deleted all index entries in the MFT for the files, and modified the BITMAP attributes. Since the BITMAP attribute was changed, chkdsk saw the location as unallocated and cleaned it. So as far as I know there is no practical way to piece the files back together based on VCN or LCN. I strongly doubt that they were contiguous as well. I am certain they are recoverable, it's just a matter of how, and the Microsoft documentation that I could find on chkdsk is kind of lousy.
Since they are .avi files, and RIFF is in the header, I tried foremost to pull out the files (or at least the headers so I could start looking), but didn't have much luck.
Output from the chkdsk is below (sorry for the length of it, but I wanted to be as complete as possible).
[removed the previous similar messages]
Deleting orphan file record segment 117.
Index entry $ObjId of index $I30 in file 0xb points to unused file 0x19.
Deleting index entry $ObjId in index $I30 of file 11.
Index entry $Quota of index $I30 in file 0xb points to unused file 0x18.
Deleting index entry $Quota in index $I30 of file 11.
Index entry $Reparse of index $I30 in file 0xb points to unused file 0x1a.
Deleting index entry $Reparse in index $I30 of file 11.
Index entry speaker1.avi of index $I30 in file 0x5 points to unused file 0x21.
Deleting index entry speaker1.avi in index $I30 of file 5.
Index entry speaker10.avi of index $I30 in file 0x5 points to unused file 0x2d.
Deleting index entry speaker10.avi in index $I30 of file 5.
Index entry speaker11.avi of index $I30 in file 0x5 points to unused file 0x2e.
Deleting index entry speaker11.avi in index $I30 of file 5.
Index entry speaker12.avi of index $I30 in file 0x5 points to unused file 0x2f.
Deleting index entry speaker12.avi in index $I30 of file 5.
Index entry speaker2.avi of index $I30 in file 0x5 points to unused file 0x25.
Deleting index entry speaker2.avi in index $I30 of file 5.
Index entry speaker3.avi of index $I30 in file 0x5 points to unused file 0x26.
Deleting index entry speaker3.avi in index $I30 of file 5.
Index entry speaker4.avi of index $I30 in file 0x5 points to unused file 0x27.
Deleting index entry speaker4.avi in index $I30 of file 5.
Index entry speaker5.avi of index $I30 in file 0x5 points to unused file 0x28.
Deleting index entry speaker5.avi in index $I30 of file 5.
Index entry speaker6.avi of index $I30 in file 0x5 points to unused file 0x29.
Deleting index entry speaker6.avi in index $I30 of file 5.
Index entry speaker7.avi of index $I30 in file 0x5 points to unused file 0x2a.
Deleting index entry speaker7.avi in index $I30 of file 5.
Index entry speaker8.avi of index $I30 in file 0x5 points to unused file 0x2b.
Deleting index entry speaker8.avi in index $I30 of file 5.
Index entry speaker9.avi of index $I30 in file 0x5 points to unused file 0x2c.
Deleting index entry speaker9.avi in index $I30 of file 5.
Index entry SPEAKE~1.AVI of index $I30 in file 0x5 points to unused file 0x2d.
Deleting index entry SPEAKE~1.AVI in index $I30 of file 5.
Index entry SPEAKE~2.AVI of index $I30 in file 0x5 points to unused file 0x2e.
Deleting index entry SPEAKE~2.AVI in index $I30 of file 5.
Index entry SPEAKE~3.AVI of index $I30 in file 0x5 points to unused file 0x2f.
Deleting index entry SPEAKE~3.AVI in index $I30 of file 5.
Index entry System Volume Information of index $I30 in file 0x5 points to unused file 0x1b.
Deleting index entry System Volume Information in index $I30 of file 5.
Index entry SYSTEM~1 of index $I30 in file 0x5 points to unused file 0x1b.
Deleting index entry SYSTEM~1 in index $I30 of file 5.
Index entry Dg1.avi of index $I30 in file 0x1e points to unused file 0x33.
Deleting index entry Dg1.avi in index $I30 of file 30.
Index entry Dg2.avi of index $I30 in file 0x1e points to unused file 0x32.
Deleting index entry Dg2.avi in index $I30 of file 30.
Index entry Dg3.avi of index $I30 in file 0x1e points to unused file 0x31.
Deleting index entry Dg3.avi in index $I30 of file 30.
Index entry Dg4.avi of index $I30 in file 0x1e points to unused file 0x30.
Deleting index entry Dg4.avi in index $I30 of file 30.
Index entry INFO2 of index $I30 in file 0x1e points to unused file 0x20.
Deleting index entry INFO2 in index $I30 of file 30.
Cleaning up minor inconsistencies on the drive.
CHKDSK is recovering lost files.
Creating object id file.
Inserting an index entry into index $I30 of file 11.
Creating index $O for file 20.
The object id in file 0x3 does not appear in the object
id index in file 0x14.
Inserting an index entry into index $O of file 20.
The object id in file 0x34 does not appear in the object
id index in file 0x14.
Inserting an index entry into index $O of file 20.
Creating reparse point file.
Inserting an index entry into index $I30 of file 11.
Creating index $R for file 21.
Creating quota file.
Inserting an index entry into index $I30 of file 11.
Creating index $O for file 22.
Creating index $Q for file 22.
Inserting default quota record into index $Q in file 22.
Cleaning up 7 unused index entries from index $SII of file 0x9.
Cleaning up 7 unused index entries from index $SDH of file 0x9.
Cleaning up 7 unused security descriptors.
Correcting errors in the master file table's (MFT) BITMAP attribute.
CHKDSK discovered free space marked as allocated in the volume bitmap.
Windows has made corrections to the file system.
195358400 KB total disk space.
34958760 KB in 12 files.
20 KB in 16 indexes.
0 KB in bad sectors.
74724 KB in use by the system.
65536 KB occupied by the log file.
160324896 KB available on disk.
4096 bytes in each allocation unit.
48839600 total allocation units on disk.
40081224 allocation units available on disk.
Even if what you're saying is what happened, chkdsk wouldn't have wiped anything. You need to find the MFT entry for the files you think are deleted. Assuming you haven't used the drive since the incident, the deleted MFT entries should still be there. Encoded within is the starting cluster and further extents for the file. It will be an arduous process but you can recover it all that way. Then just copy out the contents of the clusters indicated in the MFT entry and paste them back together. The process is covered in depth at the Guidance advanced forensics class. It's possible, if time consuming.
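The extent decoding described in the post above, as an added example that is not part of the original thread: it reads the runlist of the unnamed non-resident $DATA attribute from one raw MFT record and turns it into cluster extents and volume byte ranges. It assumes the record's update sequence fixups have already been applied; the function names and the sample runlist are constructed for illustration, and the 4096-byte cluster size comes from the chkdsk output.

```python
import struct
CLUSTER_SIZE = 4096  # "4096 bytes in each allocation unit" per the chkdsk output

def decode_runlist(raw):
    """Decode an NTFS runlist into (start_lcn, clusters); start_lcn is None if sparse."""
    extents, pos, lcn = [], 0, 0
    while pos < len(raw) and raw[pos] != 0:      # a 0x00 header byte ends the list
        len_sz, off_sz = raw[pos] & 0x0F, raw[pos] >> 4
        pos += 1
        if len_sz == 0 or pos + len_sz + off_sz > len(raw):
            raise ValueError("corrupt or truncated runlist")
        count = int.from_bytes(raw[pos:pos + len_sz], "little")
        pos += len_sz
        if off_sz:   # offsets are signed and relative to the previous run's start
            lcn += int.from_bytes(raw[pos:pos + off_sz], "little", signed=True)
        pos += off_sz
        extents.append((lcn if off_sz else None, count))  # off_sz 0 = sparse run
    return extents

def data_extents(record):
    """Return (in_use, real_size, extents) for the unnamed non-resident $DATA attribute."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT file record")
    attr_off, flags = struct.unpack_from("<HH", record, 0x14)
    while attr_off + 0x40 <= len(record):
        atype, alen = struct.unpack_from("<II", record, attr_off)
        if atype == 0xFFFFFFFF or alen == 0:     # end marker or damaged header
            break
        if atype == 0x80 and record[attr_off + 8] and record[attr_off + 9] == 0:
            run_off, = struct.unpack_from("<H", record, attr_off + 0x20)
            size, = struct.unpack_from("<Q", record, attr_off + 0x30)
            runs = decode_runlist(record[attr_off + run_off:attr_off + alen])
            return bool(flags & 1), size, runs
        attr_off += alen
    return bool(flags & 1), 0, []

def byte_ranges(extents, size):
    """Map extents to (volume_offset, nbytes), trimming the tail to the real size."""
    out = []
    for lcn, count in extents:
        n = min(count * CLUSTER_SIZE, size)
        out.append((None if lcn is None else lcn * CLUSTER_SIZE, n))
        size -= n
    return [r for r in out if r[1] > 0]

# Constructed sample: 24 clusters at LCN 22068, then 16 clusters 16 LCNs earlier.
SAMPLE_RUNLIST = bytes.fromhex("211834561110f000")
if __name__ == "__main__":
    print(byte_ranges(decode_runlist(SAMPLE_RUNLIST), 163740))
```

Reading each returned range from a read-only image of the volume, in order, and concatenating the results reproduces the file content for that record; a cleared in-use flag marks a record that is no longer allocated.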
I had the exact same problem happen to me with chkdsk and "lost" over 200 gigs of data.
The posts above are helpful, but can someone explain more plainly how I can fix the MFT?
How do I find the MFT entry for the files that are deleted? How do I copy out the contents of the clusters indicated in the MFT entry and paste them back together?
Where can I find the link to this guidance advanced forensics class?
Thanks very much!
How do I find the MFT entry for the files that are deleted? How do I copy out the contents of the clusters indicated in the MFT entry and paste them back together?
This type of manual recovery will not be practical for anything more than a handful of files. Data recovery software exists, or better yet (depending on how important the data is to you), hire someone with the tools and skills to recover it.
Revygrrl,
1. If HDD > 137 GB, check your system for LBA48 support
_http//
2. For viewing (search, copy) MFT records, deleted files etc., you can use Directory Snoop. Start DS and Filter-status-deleted, and DS shows your deleted files (name, path, cluster, MFT).
You can also use other software like WinHex etc.