Restore NTFS partition from RAW in external USB drive after disconnecting power

Question

I apologize in advance for a new post on a similar topic, but looking through the others, I can't really find a solution for myself. The drive lost partition tables possibly on removing the USB cable from the socket without safely removing the hardware. It is a drive removed from the laptop...

mati211p · Accepted Answer

Attach these bad sectors to the file - $ MFT fragments (3 files: 1 - sectors 7010304 - 7010313, 2 - sectors 7015370 - 7015377, 3 - sectors 775116800 - 775116809). They should be repairable. The disk has not lost its partition table and $ MFT is corrupted.

EDIT: There is no tutorial. You need to know what is damaged and what to change. Not every case is the same. You have damaged 3 out of 4 records of the 0 $ MFT cluster in both cases and two more records. It is not known if there is more damage.

mati211p · Accepted Answer

It would be easier if you put these specific sectors in the file now: give the range 768,072,000 to 768,073,000, although these files are not 100% because they are outside the partition. Retry the operation for the starting sector from 768,800,000. I think 12 as far as I remember. Send password and ID in PW.

mati211p · Accepted Answer

Okay, that's probably a 527MB $ LogFile partition, and it's wrong anyway. Give the ID and password to TeamViewer in PW, because I have to get up at 4 tomorrow and I have already sat a bit too much, but in 15 minutes I will have a look. I will see if it makes sense to find $ Object ID and try to reconstruct these sectors after data backup (for security reasons). In this case, temporarily 360GB of space on another disk is needed.

EDIT: Both partitions recovered, no problem after $ MFT classes rebuild. 0 sec. 2-7 and records 2534 and 2535 of partition 1, the system read them correctly. Fortunately, the $ MFT class.0 sec. 0 of both partitions, hence the repair is much easier.

jusznw · Answer

Which operation in DMDE - copy sectors? (specific) Thank you so much for Supeeer Express in reply! In the margin. Looking at the window with partitions from where so many of them! And in addition, the unallocated 368MB and 529MB space is it left over from using a laptop? Can they be used in the future? Edit: Is this a $ MFT mirror? MTF Record:

mati211p · Answer

Copy sectors. Only do it correctly as you gave 0-2048. Only now, instead of 0 and 2048, you will have other ranges given by me.

Added after 34 [minutes]:

Show $ MFT mirror for these partitions. The damage is of such a type that, however, all of these sectors are probably lost. The first partition looks virtually empty, but the second has millions of files. For the first partition, the data will definitely be faster. For the second, you can try to rebuild these 6 sectors, as long as $ MFT mirror also contains incorrect data. Is there any 5,800,000 files on this second partition?
EDIT: It seems as if it is supposed to be the same. $ MFT mirror start cluster 2 - ok I saved.
EDIT2: You have the file $ LogFile to find, give its starting cluster or disk sector where it starts by searching from the beginning of this partition with the following hex string in DMDE: 52 53 54 52 1E 00 09 00 00 00 00 00 00 00 00 00 00 10 00 00 00 10 00 00

jusznw · Answer

I'm sorry for my ignorance but I don't know if that was it: If I have kicked something, please give me a hint. I opened the second partition and object not found edit: Now you made me crazy! I'm sorry, but you can ask for instructions in a very good way - step by step pliiiis!

mati211p · Answer

You did a good job, but you were supposed to search from the starting sector of the second partition, not from the beginning of the disk. This is how you found the correct file, but not belonging to this partition

When you find it, the most recent changes are also saved in it, not only in case a copy of $ MFT classes is not found. 0, we have the initial calster $ LogFile, maybe you can also find $ MFT classes there. 0. If not, you will have to try manually. In this file, as you find, try to search for the following sequence: 46 49 4C 45 30 00 03 00 E2 5C 10 27 07 00 00 00 01 00 01 00 38 00 01 00 10 02 00 00 00 04 00 00
EDIT: Do not search partition only on disk.
EDIT2: You also need to find $ Object ID

jusznw wrote:
I'm sorry, but you can ask for instructions "in a very good way" - step by step pliiiis!

EDIT3: You select the drive. You write down the starting sector or approximately, for you it is enough to remember 768,000,000. You close the Partitions window. Go to Editor -> Go to offset and enter this value. After that Ctrl + F and enter: 52 53 54 52 1E 00 09 00 00 00 00 00 00 00 00 00 00 10 00 00 00 10 00 00. As you find you write the LBA value or paste screen. After that, Ctrl + F and this time try to search: 46 49 4C 45 30 00 03 00 E2 5C 10 27 07 00 00 00 01 00 01 00 38 00 01 00 10 02 00 00 00 04 00 00, but maybe better only this: 46 49 4C 45 30 00 03, because I think I wrote too much, i.e. with the modified part. If it does not find this sequence quickly, it can be omitted, because above 5,000,000 LBA from this point on, you don't even have to look for it, because then it will find fragments of $ MFT, not $ MFT classes. 0 in $ LogFile. Say yes, it's a tough topic, but the prospect of manually recovering 5,000,000 files is probably not very interesting.

jusznw · Answer

In sequence: 1. Run DMDE (as administrator) 2. I choose the physical disk 3. A search is made for partitions 4. The result is displayed 5. I select the disk - I write down the starting sector or approximately, for me it is enough to remember 768 000 000. 6. I close the Partitions window. 7. Go to Editor -> Go to offset 8. I enter the value - 768,000,000. 9. After that Ctrl + F and type: 52 53 54 52 1E 00 09 00 00 00 00 00 00 00 00 00 00 10 00 00 00 10 00 00 score: 10. As you find, write the LBA value or paste the screen. 11. After that Ctrl + F and this time try to search: 46 49 4C 45 30 0003 00 E2 5C 10 27 07 00 00 00 01 00 01 00 38 00 01 00 10 02 00 00 00 04 00 00, but maybe it's only better: 46 49 4C 45 30 00 03 file0 -hex 768,000,000 - hex

mati211p · Answer

AND....
You write down the starting sector or approximately, for you it is enough to remember 768,000,000. You close the Partitions window. Go to Editor -> Go to offset and enter this value. After that Ctrl + F and enter: 52 53 54 52 1E 00 09 00 00 00 00 00 00 00 00 00 00 10 00 00 00 10 00 00. As you find you write the LBA value or paste screen. After that, Ctrl + F and this time try to search: 46 49 4C 45 30 00 03. If you do not find this string quickly, you can skip the next search, because above 5,000,000 LBA from this point, you don't even have to look, because then it will find fragments of $ MFT and not $ MFT classes. 0 in $ LogFile.

You can also check the offset and specify 0, because it can find not only $ MFT classes. 0 in $ LogFile.

EDIT: It was supposed to be 768,000,000 from the sector, not 1,500,000, because that's how it would make no sense to wait an hour, and today I have little time, max 30 minutes. A colleague entered the value 768,000,000 in the offset, not the sector, hence the mistake of the beginning of the search area (sector number = offset / 512 - hence we got 768,000,000 / 512 = 1,500,000 sector)

EDIT2: Switch to hex view, because I don't know what is in the attached screenshots. Possibly tomorrow after 3pm through TeamViewer, because something is slowly going.

EDIT3: As previously noted, maybe everything is ok (although the last one doesn't look like a copy of $ MFT. 0 classes, but you will see, just put it in the hex view, not the partition table.

jusznw · Answer

I would be shy to ask, of course can be - which version of teamviewer (the last one available? - because as far as I remember they must be compatible)

jusznw · Answer

how to narrow this range (768 072 000 to 768 073 000) and how to show it? sorrry it's probably time ... I came ...

jusznw · Answer

To all posterity, reading Mr. MATI211P is a great guest - ask and it will be given to you!
Thank you very much for your time with my problem solved of course!
I am grateful and obligated.
Again thank you very much :spoko:

Restore NTFS partition from RAW in external USB drive after disconnecting power

Post #1

Post #2

Post #3

Post #4

Post #5

Post #6

Post #7

Post #8

Post #9

Post #10

Post #11

Post #12

Post #13

Topic summary