
Manually Expanding an NTFS Partition with PC-3000 Data Extractor


There are many cases where user data can be read, but reading is too slow or the drive has a damaged surface at the start of the user area. As a result, expanding the user partition is impossible or takes a lot of time.

But how do we deal with such cases if the customer needs the data right here, right now, or we have a time limit on drive operation because it continues to damage the heads/surface?

In this article we will talk about this problem and possible solutions for it.

For example, we have created a new task in the Data Extractor tool and see a lot of problem sectors at the start, and DE can't recognize the NTFS partition.


Basically, if the drive has no physical problems and the partition(s) can't be opened, we can launch the Quick disk analysis option or the RAW recovery procedure and find the partition.

But if the drive has scratches on the surface, we have a time restriction and should perform the steps quickly. The only way is to try to expand the partition(s) manually.


In this article we will talk about a drive with one NTFS partition.

If we know that there is only one NTFS partition on the drive, we can try to find the NTFS Boot file by RAW recovery or by GREP signature.


At the end of the user area there is a Boot copy that can also be used for building a Virtual partition.

But if Quick disk analysis has failed and we have neither the Boot nor the Boot copy (the sectors can't be read), then we can try to expand the partition based on the MFT table.

The MFT table (Master File Table) is the main file that describes all user files in the partition.

The first 16 records are system records and they are not available to the OS; they are called Metadata. These first 16 records have a fixed LBA address.

So, first we need to find the first record of the MFT table with RAW recovery or by GREP.

If the drive has reading problems, then we can use our knowledge.

For the first NTFS partition on the drive, the Boot can be at LBA 63 or LBA 2048 (90% of cases). As we saw above, the first record of the MFT table has a fixed LBA, so:

Boot at LBA 63 – MFT table starts at LBA 6291519

Boot at LBA 2048 – MFT table starts at LBA 6293504 (6291519 + (2048 – 63))

How do we determine that we have found exactly the first record of the MFT table? It has a known signature in its body, $.M.F.T at offset 0x0F0:


After finding this record we can try to expand the NTFS partition. Let's add a Virtual NTFS partition:


Here we need to set a few values:


Initial LBA – the anticipated LBA of the NTFS Boot sector (63 or 2048).

Final LBA – the last sector of the partition. Let's assume that there is only one partition across the whole user area, and set the last sector value.

Cluster size – as we know, the drive writes data by cluster (basically it's 8).

Then we get this window:


We should fill in three fields: Total sectors, MFT_Mirr_Cluster and MFT_Cluster.

Total sectors – set the last LBA value

MFT_Mirr_Cluster – this is a copy of the first 4 MFT records; set any value (but not zero)

MFT_Cluster – this is the position of the first MFT record in clusters (not LBA).

So, we know that the first MFT record LBA is 6293504; subtract the Boot LBA 2048 and divide by the cluster size 8 to get 786432, the cluster of the first MFT record.

In other words:

First MFT record cluster for a partition with Boot at LBA 2048 = (6293504 – 2048) / 8

First MFT record cluster for a partition with Boot at LBA 63 = (6293504 – 63) / 8
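
The signature check and the cluster arithmetic above as a Python sketch (an added example, not part of the original article or of PC-3000): it looks for the first MFT record only at the two LBAs the article gives, 6291519 for Boot at LBA 63 and 6293504 for Boot at LBA 2048, and derives the dialog values from whichever one matches. The `read_sectors` callback, the function names and the sample last LBA are assumptions made for illustration.

```python
SECTOR = 512
# (Boot LBA, LBA of first MFT record) pairs given in the article
CANDIDATES = [(63, 6291519), (2048, 6293504)]
NAME_ROW = 0x0F0                           # hex-view row holding "$.M.F.T"
NAME_UTF16 = "$MFT".encode("utf-16-le")    # shown as $.M.F.T in a hex viewer


def is_first_mft_record(record):
    """Check a buffer for MFT record 0 ($MFT itself)."""
    if record is None or len(record) < NAME_ROW + 16:
        return False
    if record[:4] != b"FILE":              # every MFT record starts with FILE
        return False
    # Assumption: the name lies within the 16-byte row at 0x0F0.
    return NAME_UTF16 in record[NAME_ROW:NAME_ROW + 16]


def virtual_partition_params(read_sectors, last_lba, cluster_size=8):
    """Return the values for the Virtual NTFS partition dialog, or None.

    read_sectors(lba, count) returns bytes, or None for unreadable sectors,
    so only the two candidate locations are touched on a weak drive.
    """
    for boot_lba, mft_lba in CANDIDATES:
        if not is_first_mft_record(read_sectors(mft_lba, 2)):
            continue
        offset = mft_lba - boot_lba
        if offset % cluster_size:          # MFT must start on a cluster boundary
            continue
        return {
            "initial_lba": boot_lba,
            "final_lba": last_lba,
            "cluster_size": cluster_size,
            "total_sectors": last_lba,     # the article sets this to the last LBA
            "mft_cluster": offset // cluster_size,
        }
    return None


def constructed_reader(mft_lba):
    """Constructed sample drive: one fake record 0, everything else unreadable."""
    record = bytearray(2 * SECTOR)
    record[0:4] = b"FILE"
    record[0xF2:0xF2 + len(NAME_UTF16)] = NAME_UTF16
    return lambda lba, count: bytes(record) if lba == mft_lba else None


if __name__ == "__main__":
    # 1953525167 is a constructed last-LBA value, not taken from the article
    print(virtual_partition_params(constructed_reader(6293504), 1953525167))
```

With the article's MFT start LBAs, both the LBA 63 and the LBA 2048 layout yield MFT_Cluster 786432.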

As a result we get a virtual NTFS partition and can perform various research procedures, such as building the MFT map, performing Partition analysis, etc.

In the current case we got the whole partition structure with all files and folders.


Note that we have created a Virtual Partition. Nothing has been written to the drive.

This guide probably will not work in cases with non-standard ways of NTFS volume creation (via virtual machine images, embedded devices, DVR devices, etc.).

When reposting, please credit: Chengdu Qianxi Data Recovery Center (成都千喜数据恢复中心) » Manually Expanding an NTFS Partition with PC-3000 Data Extractor
