There are many cases where the user data can still be read, but reading is very slow, or the drive has a damaged surface at the start of the user area; as a result it is impossible to expand (open) the user partition, or it takes a very long time.
But how do we deal with such cases when the customer needs his data right here, right now, or when we are under a time restriction because every operation on the drive continues to damage the heads or the surface?
In this article we will talk about this problem and possible solutions for it.
For example, we have created a new task in the Data Extractor tool, we see a lot of problem sectors at the start of the drive, and DE cannot recognize the NTFS partition.
Normally, if the drive has no physical problems and the partition(s) cannot be opened, we can launch the Quick disk analysis option or the RAW recovery procedure and find the partition.
But if the drive has scratches on the surface, we have a time restriction and should perform the steps quickly. The only way is to try to expand the partition(s) manually.
In this article we will talk about a drive with one NTFS partition.
If we know that there is only one NTFS partition on the drive, we can try to find the NTFS Boot sector by RAW recovery or by a GREP signature search.
At the end of the user area there is a Boot copy (NTFS keeps a backup boot sector in the last sector of the volume) that can also be used for building a Virtual partition.
But if Quick disk analysis fails and we have neither the Boot nor the Boot copy (the sectors do not read), then we can try to expand the partition based on the MFT table.
The MFT (Master File Table) is the main file that describes all user files in the partition. The first 16 records are system records; they are not visible to the OS as ordinary files and are called metadata. On a volume formatted by Windows with default settings these first records have a fixed, predictable LBA address.
So, first we need to find the first record of the MFT table by RAW recovery or by GREP.
If the drive has reading problems, then we can use our knowledge of where the MFT lives instead of scanning the whole surface.
For the first NTFS partition on the drive the Boot sector is at LBA 63 or LBA 2048 (90% of cases), and, as we saw above, the first MFT record has a fixed offset from the Boot sector (cluster 786432 with the default 8-sector cluster, i.e. 6291456 sectors after Boot), so:
Boot at LBA 63 – MFT table starts at LBA 6291519
Boot at LBA 2048 – MFT table starts at LBA 6293504 (6291519 + (2048 – 63))
How do we determine that we found exactly the first record of the MFT table? Like every MFT record it starts with the FILE signature, and its $FILE_NAME attribute carries the name $MFT, which shows up in a hex dump as $.M.F.T (UTF-16LE) around offset 0x0F0 of the record:
After finding this record we can try to expand the NTFS partition. Let's add a Virtual NTFS partition:
Here we need to set a few values:
Initial LBA – the anticipated LBA of the NTFS Boot sector (63 or 2048).
Final LBA – the last sector of the partition. Let's assume that we have only one partition on the whole user area, then set the last sector of the user area.
Cluster size – NTFS allocates data by clusters; the default is 8 sectors per cluster (4 KiB with 512-byte sectors).
Then we get this window:
We should fill three fields: Total sectors, MFT_Mirr_Cluster and MFT_Cluster.
Total sectors – set the last LBA value
MFT_Mirr_Cluster – this is the copy of the first 4 MFT records ($MFTMirr) – set any value (but not zero)
MFT_Cluster – this is the location of the first MFT record in clusters (not LBA).
So, we know that the first MFT record is at LBA 6293504; subtract the Boot LBA 2048 and divide by the cluster size 8 = 786432, the cluster of the first MFT record.
In other words:
First MFT record cluster for a partition with Boot at LBA 2048 = (6293504 – 2048) / 8 = 786432
First MFT record cluster for a partition with Boot at LBA 63 = (6291519 – 63) / 8 = 786432
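The arithmetic and checks above, as an added Python example that is not part of the original article or of the Data Extractor tool: it computes the MFT LBA candidates for Boot at 63/2048, converts the GREP hit back into the MFT_Cluster value, confirms that a sector really is MFT record 0 by walking its attributes to $FILE_NAME, and assembles the three fields of the virtual partition into an in-memory NTFS boot sector that is then parsed back. The sample MFT record and the partition geometry (last LBA 976773167, $MFTMirr placed at cluster 2) are constructed here for illustration; the record uses the Windows layout (0x38-byte record header, 72-byte $STANDARD_INFORMATION), which puts the $MFT name at offset 0xF2, in the 0x0F0 row of a hex dump.

```python
"""Added example (not from the article or the Data Extractor tool): the
arithmetic and byte-level checks behind building a virtual NTFS partition
from MFT record 0. Runs on constructed bytes only; nothing touches a drive."""
import struct

SECTOR_BYTES = 512
CLUSTER_SECTORS = 8               # default NTFS cluster of 8 sectors (4 KiB)
DEFAULT_MFT_CLUSTER = 0xC0000     # 786432: where Windows normally places $MFT
CANDIDATE_BOOT_LBAS = (63, 2048)  # CHS-aligned and 1 MiB-aligned first partition
ATTR_STD_INFO, ATTR_FILE_NAME, ATTR_END = 0x10, 0x30, 0xFFFFFFFF


def mft_lba_for_boot(boot_lba, cluster_sectors=CLUSTER_SECTORS, mft_cluster=DEFAULT_MFT_CLUSTER):
    """LBA of MFT record 0 for a Boot sector at boot_lba."""
    return boot_lba + mft_cluster * cluster_sectors


def mft_cluster_from_lba(mft_lba, boot_lba, cluster_sectors=CLUSTER_SECTORS):
    """MFT_Cluster for the virtual partition: (MFT LBA - Boot LBA) / cluster size."""
    offset = mft_lba - boot_lba
    if offset < 0 or offset % cluster_sectors:
        raise ValueError("MFT LBA is not cluster-aligned to that Boot LBA")
    return offset // cluster_sectors


def mft_search_candidates(cluster_sectors=CLUSTER_SECTORS):
    """Sectors to read first when Boot and Boot copy are unreadable."""
    return {b: mft_lba_for_boot(b, cluster_sectors) for b in CANDIDATE_BOOT_LBAS}


def find_file_name(record):
    """(name, offset) from the first resident $FILE_NAME of a FILE record, else None.
    Fixups are not applied; the bytes of interest lie before the sector end."""
    if len(record) < 0x30 or record[:4] != b"FILE":
        return None
    pos = struct.unpack_from("<H", record, 0x14)[0]            # first attribute offset
    while pos + 0x18 <= len(record):
        atype, alen = struct.unpack_from("<II", record, pos)
        if atype == ATTR_END or alen == 0:
            break
        if atype == ATTR_FILE_NAME and record[pos + 8] == 0:   # resident attribute
            content = pos + struct.unpack_from("<H", record, pos + 0x14)[0]
            name_off = content + 0x42
            name_len = record[content + 0x40]                   # UTF-16 code units
            return record[name_off:name_off + 2 * name_len].decode("utf-16-le"), name_off
        pos += alen
    return None


def is_mft_record0(record):
    """A GREP hit is MFT record 0 only if its $FILE_NAME says $MFT."""
    found = find_file_name(record)
    return found is not None and found[0] == "$MFT"


def _resident_attr(atype, content):
    total = 0x18 + len(content)
    total += -total % 8                                         # attributes are 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0, 0, 0, len(content), 0x18, 0, 0)
    return (hdr + content).ljust(total, b"\0")


def build_mft_record0(name="$MFT"):
    """Constructed sample record 0 with the Windows layout: 0x38-byte header,
    72-byte $STANDARD_INFORMATION, then $FILE_NAME."""
    head = bytearray(0x38)
    head[:4] = b"FILE"
    struct.pack_into("<HH", head, 0x04, 0x30, 3)   # update sequence array at 0x30
    struct.pack_into("<HH", head, 0x14, 0x38, 1)   # first attribute offset; flags: in use
    struct.pack_into("<I", head, 0x1C, 1024)       # allocated record size
    fn = bytearray(0x42) + name.encode("utf-16-le")
    fn[0x40], fn[0x41] = len(name), 3              # name length; namespace Win32 & DOS
    rec = (bytes(head) + _resident_attr(ATTR_STD_INFO, bytes(0x48))
           + _resident_attr(ATTR_FILE_NAME, bytes(fn)) + struct.pack("<I", ATTR_END))
    return rec.ljust(1024, b"\0")


def virtual_partition_fields(boot_lba, final_lba, mft_lba, cluster_sectors=CLUSTER_SECTORS):
    """The values for the virtual partition, derived from the guessed Boot LBA,
    the last LBA of the user area and the LBA of the GREP hit."""
    return {"initial_lba": boot_lba, "final_lba": final_lba, "cluster_size": cluster_sectors,
            "total_sectors": final_lba - boot_lba + 1,
            "mft_cluster": mft_cluster_from_lba(mft_lba, boot_lba, cluster_sectors),
            "mftmirr_cluster": 2}                  # placeholder: any non-zero value works here


def build_virtual_boot_sector(fields):
    """In-memory NTFS boot sector from those fields (never written to the drive)."""
    bs = bytearray(SECTOR_BYTES)
    bs[0:11] = b"\xEB\x52\x90NTFS    "
    struct.pack_into("<HB", bs, 0x0B, SECTOR_BYTES, fields["cluster_size"])
    bs[0x15] = 0xF8                                # media descriptor: fixed disk
    struct.pack_into("<HHI", bs, 0x18, 63, 255, fields["initial_lba"])  # geometry; hidden sectors
    struct.pack_into("<QQQ", bs, 0x28, fields["total_sectors"],
                     fields["mft_cluster"], fields["mftmirr_cluster"])
    bs[0x40], bs[0x44] = 0xF6, 0x01                # record size 2**10 bytes; index buffer 1 cluster
    bs[0x1FE:0x200] = b"\x55\xAA"
    return bytes(bs)


def parse_boot_sector(bs):
    """What a tool reads back from the boot sector; None if it is not NTFS."""
    if len(bs) != SECTOR_BYTES or bs[3:11] != b"NTFS    " or bs[0x1FE:] != b"\x55\xAA":
        return None
    bps, spc = struct.unpack_from("<HB", bs, 0x0B)
    total, mft, mirr = struct.unpack_from("<QQQ", bs, 0x28)
    code = bs[0x40]                                # negative code = 2**(-code) bytes
    rec_bytes = 1 << (256 - code) if code >= 0x80 else code * spc * bps
    return {"total_sectors": total, "mft_cluster": mft, "mftmirr_cluster": mirr,
            "mft_sector_offset": mft * spc, "record_bytes": rec_bytes}


if __name__ == "__main__":
    fields = virtual_partition_fields(2048, 976773167, 6293504)
    print(fields, parse_boot_sector(build_virtual_boot_sector(fields)))
    print(is_mft_record0(build_mft_record0()), find_file_name(build_mft_record0()))
```

Read the two candidate LBAs from mft_search_candidates() first and fall back to a full GREP only if neither is a FILE record naming $MFT; for a real record the update sequence array should be applied before trusting the last two bytes of each 512-byte sector, which this parser deliberately skips.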
As a result we get a virtual NTFS partition and can perform different research procedures such as building the MFT map, performing Partition analysis, etc.
In the current case we got the whole partition structure with all files and folders.
Note: we have created a Virtual Partition. Nothing has been written to the drive.
This guide will probably not work in cases with non-standard ways of NTFS volume creation (virtual machine images, embedded devices, DVR devices, etc.).