Which tools can recover fragmented files from a partially overwritten NTFS partition?
A friend of mine used a clone drive utility without knowing the implications. It looks like he selected the wrong target drive, and, more importantly, he did not unplug unused devices before using such a dangerous tool.
So he ended up partially overwriting a flash drive which had an NTFS partition.
He has a backup that is a few days old (otherwise it would have been a catastrophic loss. This can't be overstated, have a backup! Also, consider storing important files on write-once optical discs (-R and +R discs), because data on write-once optical discs is inviolable.), however, he would like to recover the files created since then.
The tools that I could find online apparently only support simple "file carving", meaning files are detected by their signatures. For example, "FF D8" for JPEG, and "42 4D" for BMP.
File carving is limited in that it can not recover file names and attributes such as the date and time stamp. It can only recover file contents. The time stamp of files can only be known if it was written into metadata inside the file, such as EXIF in JPEG photographs.
File carving also only recovers the first extent of fragmented files. This means fragmented recovered JPEG files are only partially visible, and fragmented MP4 and MPEG-PS (Program Stream) files with a "moov atom" at the tail end are not playable at all. Some files with nearby fragments might be recoverable through puzzling and concatenation (see File puzzling).
However, NTFS appears to store directories also in INDX entries separately from the $MFT (master file table), so if the partition is only partially overwritten, some of these INDX entries might have survived. I assume they were not all at the overwritten beginning. Some information I found, but I only read it partially because it is highly complicated and technical: https://dfrws.org/wp-content/upload..._investigation_of_ntfs_file_fragmentation.pdf .
Now that those INDX entries representing directories are not referenced from a parent directory, they are referred to as "orphaned directories".
I'm sure this is not the first time this is occurring and some people here have heard similar stories.
Is there any tool which can salvage those INDX entries and recover fragmented files based on them?
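An added example, not from this thread or any tool it mentions: a small Python scanner that walks a raw image sector by sector for surviving INDX records (orphaned ones included, since no parent directory reference is needed), undoes the update-sequence fixups, and lists the file names, MFT record numbers, timestamps and sizes each record still holds. A record whose sector tails no longer carry the update sequence number is skipped, which is exactly what a partially overwritten record looks like. The image and the INDX record in it are constructed inside the block; the 512-byte sector size and 4 KiB index record size are assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

SECTOR = 512  # assumed sector size; NTFS keeps one update-sequence fixup at the end of every 512-byte sector
def filetime(ft):
    """64-bit Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)
def apply_fixups(rec):
    """Undo the update-sequence fixups; return None when a sector tail lacks the USN (torn or overwritten)."""
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn, rec = bytes(rec[usa_off:usa_off + 2]), bytearray(rec)
    for i in range(usa_cnt - 1):
        if rec[(i + 1) * SECTOR - 2:(i + 1) * SECTOR] != usn:
            return None
        rec[(i + 1) * SECTOR - 2:(i + 1) * SECTOR] = rec[usa_off + 2 + 2 * i:usa_off + 4 + 2 * i]
    return bytes(rec)
def parse_indx(rec):
    """Yield (name, mft_record_no, created, modified, size) for every entry of one INDX record."""
    if (rec := apply_fixups(rec)) is None:
        return
    entries_off, index_len = struct.unpack_from("<II", rec, 24)     # index node header starts at byte 24
    pos, end = 24 + entries_off, 24 + index_len
    while pos + 16 <= end and not struct.unpack_from("<I", rec, pos + 12)[0] & 2:   # flag 2 = last entry
        mft_ref, entry_len = struct.unpack_from("<QH", rec, pos)
        ctime, mtime, size = struct.unpack_from("<QQ24xQ", rec, pos + 24)  # $FILE_NAME at +16: ctime +8, mtime +16, size +48
        name = rec[pos + 82:pos + 82 + 2 * rec[pos + 80]].decode("utf-16-le")  # name length at +64, UTF-16LE name at +66
        yield name, mft_ref & 0xFFFFFFFFFFFF, filetime(ctime), filetime(mtime), size
        pos += max(entry_len, 16)
def scan_image(image, record_size=4096):
    """(offset, name, mft_no, created, modified, size) for every INDX record found on a sector boundary."""
    return [(off, *e) for off in range(0, len(image) - record_size + 1, SECTOR)
            if image[off:off + 4] == b"INDX" for e in parse_indx(image[off:off + record_size])]
def build_sample_record(files, usn=b"\x07\x00"):
    """Constructed 4 KiB INDX record (not from a real disk) with (name, mft_no, filetime, size) entries."""
    body = b""
    for name, mft_no, ft, size in files:
        fn = struct.pack("<7QIIBB", 5, ft, ft, ft, ft, size, size, 0x20, 0, len(name), 1) + name.encode("utf-16-le")
        body += (struct.pack("<QHHI", mft_no, (23 + len(fn)) & ~7, len(fn), 0) + fn).ljust((23 + len(fn)) & ~7, b"\0")
    body += struct.pack("<QHHI", 0, 16, 0, 2)                            # terminating entry
    rec = bytearray(4096)
    rec[:40] = b"INDX" + struct.pack("<HHQQIIIB3x", 40, 9, 0, 0, 40, 40 + len(body), 4072, 0)
    rec[40:42], rec[64:64 + len(body)] = usn, body
    for i in range(8):                        # save each sector tail in the USA, then overwrite it with the USN
        rec[42 + 2 * i:44 + 2 * i], rec[(i + 1) * SECTOR - 2:(i + 1) * SECTOR] = rec[(i + 1) * SECTOR - 2:(i + 1) * SECTOR], usn
    return bytes(rec)

FT_2024 = 133_485_408_000_000_000             # FILETIME for 2024-01-01T00:00:00Z (constructed sample)
SAMPLE_FILES = [("holiday.jpg", 41, FT_2024, 2_345_678), ("clip.mp4", 42, FT_2024 + 600 * 10**7, 87_654_321)]
SAMPLE_IMAGE = b"\0" * 1024 + build_sample_record(SAMPLE_FILES) + b"\xff" * 512   # INDX record at offset 1024
```

Each name the scan returns gives you the MFT record number to look up next; the INDX entry carries the $FILE_NAME copy (name, timestamps, sizes) but no cluster map, so the data runs of a fragmented file still have to come from that $MFT record if it survived, otherwise from carving.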