2

After I unplugged my external drive after a phony safe removal on Ubuntu, two sectors are destroyed. The important sector contained records 4 to 7 (which is $AttrDef, $ (root), $Bitmap and $Boot) of the NTFS MFT. The sector now gives an IO error and mounting the device is impossible this way.

I copied all other accessible bytes to files on a new external drive. The file system except for the MFT is intact, everything is there.

I'd like to know which method or tool exists to recreate, regenerate these MFT records? They are not mirrored so I could not imagine them being unrecoverable. I think of recomputing these records from the available residual files.

And if there is no tool like that could you provide me a site with enough information so that I could write a simple tool or script by my own? I don't care, whether it takes long or whether I have to traverse the whole rescued files.

Thank you very much!

ChrisoLosoph
  • 121

2 Answers2

1

I am not aware of any tools that can do this, mirror of MFT only contains first 4 records if I am not mistaken despite the popular belief that a backup of the entire MFT exists somewhere. These are contents of this mirror with MFT template engaged so we can clearly see the 4 records it backs up:

enter image description here

Any documentation/info you might need should be here: https://flatcap.github.io/linux-ntfs/ntfs/files/index.html

File recovery is very possible though as for that we do not need these records. A cheap tool like DMDE ($20 - one year license) should be able to salvage everything.

0

One tool that specializes in recovery partially-destroyed disks is TestDisk.

The recovering of the MFT and the partitions table is described in the article Advanced NTFS Boot and MFT Repair.

Note that a backup of the MFT should exist on the disk, and TestDisk should be able to find and restore it.

harrymc
  • 498,455