
Thread: NTFS reversing

  1. #1

    NTFS reversing

    Wasn't sure where to post this. It's about trying to undo, or partly undo an NTFS file system that has been written over other data.

    First the problem. In a state of brain lock, using Comodo Backup, I started a clone operation on an external drive thinking it was creating an image of my disk. I caught it almost immediately, swearing at my own stupidity but also at the stupidity of an app which would allow a write process that could eradicate data without so much as a warning. Such apps should have a stupid notification asking, "do you really want to write over the data on this disk, stupid?"

    Ok, I'm the dummy but I have given a great deal of thought as to how much data I could recover and how to go about it. Recovering the data is not critical but my reversing curiosity sees this as a good way to dig into an NTFS system. Most apps pertinent to data recovery that I have tried see the new NTFS partition, marked as primary, and presume nothing is wrong. I do have an app that goes deeper and recovers files but for some reason it messes them up while marking them as good. It is chopping off the front ends of the files.

    I am at the bottom end of an NTFS learning curve but I have worked a fair amount with FAT16 and FAT32 recovery, so I have experience with manually repairing and removing partitions.

    What I'd like to do is manually remove the NTFS partition added by Comodo Backup. I don't think it had time to do any real damage other than cutting off a lot of the data on the disk into an extended partition, now marked as free space. I think I'd have more luck if I could remove the partition and let a data recovery app have a look.

    I am posting here in an attempt to prevent re-discovering the wheel. I don't mind putting in the time required for the learning curve but a few words from someone with experience on NTFS systems could point me in the right direction.

    The question is which app to use. In the old days I would have used Norton recovery disks so I could read sector by sector from cylinder one out.

    Since it was doing a clone and only had a few seconds of action before I stopped it, I am theorizing that a lot of my old data is still intact and lying there as lost clusters. However, if Comodo wrote over the original MFT, it could be a real chore to recover the data.

    Does anyone know off hand if MFTs can be recreated, either manually or with a recovery app? Is it a good idea to kill the new partition and go from there?

  2. #2
    Hi waxfordSqueers, nice to see you around.
    Recuva Portable for files? The MFT I don't know; did you make a backup file for this?

    Could you find out why the baseprocessstart problem appears? It happened randomly to me.

  3. #3
    Quote Originally Posted by Elenil View Post
    Hi waxfordSqueers, nice to see you around.
    Recuva Portable for files? The MFT I don't know; did you make a backup file for this?

    Could you find out why the baseprocessstart problem appears? It happened randomly to me.
    Elenil...sorry I did not get back sooner. I just sent you a PM.

    I have tried Recuva but it does not seem to have really low level features. I had another app loaded that shows the NTFS partition in different colours but I just did a repair install with win 7 and seem to have lost it. It may have been a system restore earlier that lost it.

    I might add a word of warning about boot disks written in Linux. I was using one, from Comodo, and it wrote all over my C:\ partition on win 7. Luckily it only damaged some user files, which I was able to recover, but it messed up other areas of windows.

    I have no idea what happened. I allowed it to do a scan of my system from the boot disk and it flagged a file as questionable. According to their manual, you can press on the highlighted error while the scan is going on to get more info about the error. I did that and the scan stopped, with the scanning app disappearing. When I booted back into windows, my program files directories were messed up and a folder in which I keep legacy apps as well.

    I just don't trust Linux apps written for Windows, but against my better judgement, I tried one and nearly lost my entire system.

    BTW...for anyone interested, you can do a repair install on a Win 7 system but it has to be initiated from within a win 7 installation by hitting setup.exe on the win 7 install disk. You are presented eventually with two choices: one to do an upgrade and another to do a clean install. Pick the upgrade and it will re-install your win 7 installation without harming your existing file system or data.

    You may get issues with compatibility and have to reboot to straighten it out. Also, it is better to start setup.exe as admin. I have seen a suggestion to use Vista SP2 compatibility with the admin option checked.

  4. #4
    Where's Blabberer? Where's Kayaker...it's too early to be out paddling around unless you have an icebreaker canoe.

    Surely someone has an intelligent opinion on this problem, even a dumb opinion will do.

    I am quickly arriving at the conclusion that it's not worth the effort to get into NTFS. For one, Microsoft has made the concept of the MFT table, as opposed to the old FAT table, so complex that no one seems to know much about the innards of the system. Like quantum mechanics, NTFS works but no one has any idea why.

    For another, any software I have tried just isn't up to the task. Norton Disk Editor won't read USB. I tried another disk editor that claims to be really good, but when they recover an exe file, it has no MZ header. You would think that's the first thing they'd check to be sure they had a valid exe file. I am afraid there are a lot of duffer apps on the net claiming to do things they can't do very well.

    On the face of it, NTFS is far too complicated to work. I mean, an MFT file can theoretically expand through a binary tree to take up half the available space on a disk, then it downsizes itself as space is required. Too wild for me. The concept of binary trees is right up there with rocket science and Microsoft can't help themselves when it comes to obfuscating something that should be dead simple. Look at Windows 8. On the other hand, stick with 7, or XP.

    I have read a couple of attempts at explaining the MFT structure but even though the explanations are well done, the authors are scratching their heads about what Microsoft means by certain things. I spent months, even tried to learn Russian, so I could repair a disk drive that would not read. A guy's gotta learn that some things are better left alone. Maybe NTFS is one of them. If it crashes, and you don't have a backup, reformat and get on with life.

  5. #5
    I personally use: Stellar Phoenix Windows Recovery. Never disappointed me. Your mileage may vary. What the heck, try it out. Ver 5 is the latest. Cracked black and blue all over the internet. Shouldn't have issues with that.

    Have Phun
    Blame Microsoft, get l337 !!

  6. #6
    Quote Originally Posted by Aimless View Post
    I personally use: Stellar Phoenix Windows Recovery. Never disappointed me. Your mileage may vary. What the heck, try it out. Ver 5 is the latest. Cracked black and blue all over the internet. Shouldn't have issues with that.

    Have Phun
    Thanks for the tip, Aimless. I will seek it out. Trouble is, there are not many low level apps that I have seen that understand the MFT process.

    I have admitted to being a bonehead for not paying attention when I tried to use a cloning technique for backup, thinking I was making an image. The cloning app ran for only a few seconds before I caught it, but in that time it managed to write something to my drive. It probably wrote over the original MFT and replaced it with the MFT from the drive it was cloning. So, any low level app sees at least two MFTs. One of them returned 4 MFTs, all with different dates, and that seems wrong. I only had a few files on a 500 gig drive, one of them a large backup, and I would think there should have been no more than two MFTs since it was the original file system on the drive.

    To complicate matters, the cloning process copied the boot sector of a bootable drive and created a system partition of 100 megs and an active partition of 149 Gigs. I took a chance and had a partition manager remove the partitions to leave me with the full 500 gigs but then Windows complained that the drive needed to be formatted. Low level apps can still read the drive but I think they are confused by the presence of two partitions, or traces of them.

    Even at that, using the MFT's it found, the app returned found files that were mainly corrupted. Exes, PDFs and Jpegs had no headers on them, and it was obvious with many of the recovered files that they were simply not even related to the type of file they should be. So, the app was somehow finding what it thought were files but it was not verifying them through their headers, or even a signature.

    There was nothing critical on the drive. I am just curious from a reversing POV what can be recovered and what can't.

    Something just dawned on me. If it created a 100 meg partition, it probably started writing 100 megs into the drive data. In that case, it will be a mess.
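    The header check the post above says the recovery tool skipped, as an added example for this thread (it is not code from the thread or from any recovery product): each recovered file's claimed type, taken from its extension, is compared with the magic bytes actually present at offset 0, and for MZ files the DOS header's e_lfanew is followed to confirm a PE header exists. The sample buffers, including the "headless" exe and the mislabelled PDF fragment, are constructed here to stand in for what a carver might return.

```python
"""Signature check for files a recovery tool hands back.

Added example for this thread; it is not code from the thread or from any
recovery product. It compares the type a recovered file claims (its extension)
with the magic bytes actually present at offset 0, which is the check the post
above says the tool skipped. All sample buffers are constructed here.
"""
import struct

# Leading magic bytes for the three types mentioned in the post.
MAGIC = {
    "exe": b"MZ",
    "pdf": b"%PDF-",
    "jpg": b"\xff\xd8\xff",
}


def pe_header_ok(data: bytes) -> bool:
    """For an MZ file, follow e_lfanew (DOS header offset 0x3C) and expect 'PE\\0\\0'."""
    if len(data) < 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def detect_type(data: bytes):
    """Return 'exe', 'pdf', 'jpg', or None when no known header is present."""
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            # An MZ stub whose e_lfanew does not reach a PE header is not a usable exe.
            if kind == "exe" and not pe_header_ok(data):
                return None
            return kind
    return None


def check_recovered(name: str, data: bytes) -> dict:
    """Compare the extension of a recovered file with what its bytes say."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    ext = {"jpeg": "jpg"}.get(ext, ext)
    found = detect_type(data)
    return {"name": name, "claimed": ext, "found": found, "ok": found == ext}


def build_sample_exe() -> bytes:
    """Constructed minimal image: 64-byte DOS header with e_lfanew = 0x40, then 'PE\\0\\0'."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


# Constructed stand-ins for what a carver might return.
SAMPLES = {
    "setup.exe": build_sample_exe(),
    "headless.exe": b"\x00\x00PE\x00\x00" + b"\x90" * 58,  # front end lost: no MZ at offset 0
    "manual.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "photo2.jpg": b"%PDF-1.4\n",  # PDF fragment mislabelled as a JPEG
}


def audit(samples=SAMPLES) -> list:
    """Run the check over every sample and return one result dict per file."""
    return [check_recovered(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for r in audit():
        flag = "OK " if r["ok"] else "BAD"
        print(f"{flag} {r['name']}: claimed {r['claimed']!r}, header says {r['found']!r}")
```

    Running it over a directory of carved output instead of SAMPLES only needs the file bytes read in; a "BAD" line means the carver's label is not supported by the bytes, which is exactly the case of an exe with no MZ at the front.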

  7. #7
    Have you tried running the drive manufacturer's software on the drive to see what is wrong with it?

    Most of the low level tools I use take days to complete the task. The same should be true with your recovery software. It should take at least a few hours depending on the size of the drive and the amount of content.

    http://www.macrium.com
    I saw a post in their forum regarding MFT problems and their product repaired the problem.

    Woodmann
    Learn Or Die.

  8. #8
    Quote Originally Posted by Woodmann View Post
    Have you tried running the drive manufacturer's software on the drive to see what is wrong with it?

    Woodmann
    Hey, Woody. The drive is fine; it's the NTFS system. All I need is a format and I'm back in business. Before doing so, I was curious about the NTFS system and if I could reverse it after it became corrupted.

    Thanks for the link, I have d/l'd a trial to see how low level it gets.

    There is a master file, the MFT, that is roughly the equivalent of the old FAT system. They keep a mirror file that points to various parts of the MFT, theoretically enough to recover it.

    I am having several problems and I am pondering whether it is worth retrieving any files. As I said in an earlier post, I stupidly started a clone process while my brain was thinking image file. Don't know why the app did not flag me as to the catastrophic nature of the process, which I knew only too well, but I am used to apps that give you a warning, like "Hey, dummy, this can wipe off any data you have on the drive. Are you sure you want to proceed?" I get such warnings all the time in Windoze for really trivial procedures.

    One of the problems is the sheer size of the drive...500 gigs. I have done a fair amount of low level with Norton Disk Editor but that was on drives that were not even a gig in size. When you start manually tracing architecture on NTFS with a drive that large, it can be a daunting process. So I'm looking for apps that might automate the process without getting too high level.

    The MFT file is a binary tree and it gets pretty convoluted. I have been reading on it for two days now and it's not making much more sense than when I started. I seem to have lost the link between the bottom of the tree and further along, and it is likely impossible to reconstruct it.

  9. #9
    I would have given a try on "ufsexplorer". I was impressed by it once..

  10. #10
    Well, if you are not faint of heart and if you prefer C sources to lot of words, I would suggest you Ntfsprogs for Windows - unfortunately rather old, in opposition to the continuously updated counterpart for Linux.
    It is a way of playing with NTFS in user-mode rather than in kernel mode. Lot of fun!
    Best regards, bilbo
    It is not because things are difficult that we do not dare, but because we do not dare that things are difficult. [Seneca, Epistulae Morales 104, 26]

  11. #11
    Quote Originally Posted by bilbo View Post
    Well, if you are not faint of heart and if you prefer C sources to lot of words, I would suggest you Ntfsprogs for Windows
    Noooooooooo........!!!!!

    *FAINTS*


    Have Phun
    Blame Microsoft, get l337 !!

  12. #12
    Quote Originally Posted by bilbo View Post
    Well, if you are not faint of heart and if you prefer C sources to lot of words, I would suggest you Ntfsprogs for Windows - unfortunately rather old, in opposition to the continuously updated counterpart for Linux.
    It is a way of playing with NTFS in user-mode rather than in kernel mode. Lot of fun!
    Best regards, bilbo
    Thanks, Bilbo, that's more along the lines of what I was looking for. The aim is to re-create the directory and file structure that was there initially. First, by what I understand so far, I have to find the correct $MFTmirr file and see if I can use it to rebuild the original $MFT file in the right place.

    I have been working in XP a lot with this chore, mainly because that's where all my reversing stuff is set up, with my beloved softice. So, an older program is not a problem, unless I have to go back to a win 98 OS to do it.

    What I am finding with info I have read so far on MFT files is people talking about them rather than explaining the structure. It's like someone talking about a PE header by giving the header structure and not explaining what each entry does. I have a really good layout of an MFT file, and related files like the logfile, but nothing about the structure on an NTFS system and where the MFT should be located, etc.

    Also, many articles written about NTFS presume the drive is bootable with a primary partition. My drive is an external drive used only for storage. Unfortunately, through my own stupidity, I allowed a cloning program to write over the first part of my file system, albeit for a few seconds only, so I don't know what should be there on a freshly formatted NTFS system and what should not.

    With regard to faintness of heart, I have traced backwards through ring 0 on the Windows OS using softice to find where a mouse driver was accessed in a DirectX application. Or was that stupidity? I am not in your class as a reverser but I don't mind a challenge provided it makes sense and has 'some' logic to it.

  13. #13
    Quote Originally Posted by Aimless View Post
    Noooooooooo........!!!!! *FAINTS* Have Phun
    I am still looking for the app you suggested. It's tougher these days with all the idiots posting malware, especially with antivirus apps using heuristic analysis going bonkers over something like Gmer.

  14. #14
    Quote Originally Posted by Aimless View Post
    *FAINTS*
    FEINTS?
    It is not because things are difficult that we do not dare, but because we do not dare that things are difficult. [Seneca, Epistulae Morales 104, 26]

  15. #15
    Quote Originally Posted by bilbo View Post
    FEINTS?
    When Curly from the 3 Stooges exclaimed, "Ain't that quaint", Larry admonished him for using poor English, claiming it's not ain't, it's isn't. Curly may have nyuck, nyucked, I don't recall, but he corrected his statement to "Isn't that quisn't?"

    By the same token, shouldn't faint be fisn't? And what's with feint? It is described as feigning a blow, usually to make someone commit so you can hook him on the ear. Boxing is so much fun. Why is there a 'g' in feign and none in feint?

    BTW, I found a decent freeware app for examining NTFS file systems...Active@ Disk Editor, and the version I have is 2.1. It seems to be patterned on the old Norton Disk Editor but I have not tried editing with it yet. It did help me track down a large MFT file about 700,000 clusters into my disk but for some reason the drive is not finding it.

    The app is laid out in byte offsets from byte one on the partition, like a hex editor, so there is a bit of converting back and forth from hex to decimal, and between sectors and clusters. The app does have drop down windows that allow you to enter values as sectors or clusters. There is a find utility as well but it's slow as molasses.

    The confusing thing is that Active@ finds the address of the MFT in cluster 2, which is a mirror file for $MFT. I read the cluster address right off cluster 2 and found the MFT no problem. I don't know if it is intact but apparently chkdsk can use the logfile contained in an MFT or MFTmirror file to reconstruct a bad MFT. I don't want to turn chkdsk loose on anything till I am confident that I have the basic structure intact.

    I know better than to be overly optimistic but I am making progress.
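    The steps discussed in posts #8, #12 and #15 (the $MFT / $MFTMirr pair, reading the MFT's location off the disk, and converting between byte offsets, sectors and clusters), as an added example written for this thread. It is not code from Active@ Disk Editor, Ntfsprogs or any other tool named here. It uses the standard NTFS on-disk layout: the boot sector (the first sector of the partition) stores bytes per sector at 0x0B, sectors per cluster at 0x0D, total sectors at 0x28, the starting cluster of $MFT at 0x30, of $MFTMirr at 0x38 and the MFT record size code at 0x40; each MFT record starts with the "FILE" signature and an update sequence array whose fixups must be applied before the record's contents can be trusted. The boot sector and MFT record bytes below are constructed, and the code only reads bytes already copied out of a disk editor; it never writes to the disk.

```python
"""Locate $MFT / $MFTMirr from an NTFS boot sector and validate an MFT record.

Added example for this thread; not code from Active@ Disk Editor, Ntfsprogs or
any other tool the thread names. It reads bytes copied out of a disk editor and
writes nothing back. Field offsets follow the standard NTFS boot sector layout;
a negative record size code n at 0x40 means 2**-n bytes per record.
All sample bytes below are constructed.
"""
import struct


def parse_boot_sector(vbr: bytes) -> dict:
    """Pull geometry and the $MFT / $MFTMirr locations out of the first partition sector."""
    if len(vbr) < 512 or vbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    if vbr[3:11] != b"NTFS    ":
        raise ValueError("OEM id is not 'NTFS    '")
    bps = struct.unpack_from("<H", vbr, 0x0B)[0]
    spc = vbr[0x0D]
    total_sectors = struct.unpack_from("<Q", vbr, 0x28)[0]
    mft_lcn = struct.unpack_from("<Q", vbr, 0x30)[0]
    mirr_lcn = struct.unpack_from("<Q", vbr, 0x38)[0]
    rec = struct.unpack_from("<b", vbr, 0x40)[0]
    record_size = (1 << -rec) if rec < 0 else rec * spc * bps
    cluster_bytes = bps * spc
    return {
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "total_sectors": total_sectors,
        "mft_lcn": mft_lcn,
        "mftmirr_lcn": mirr_lcn,
        "record_size": record_size,
        # Byte and sector offsets in the form a hex-style disk editor wants.
        "mft_byte_offset": mft_lcn * cluster_bytes,
        "mft_sector": mft_lcn * spc,
        "mftmirr_byte_offset": mirr_lcn * cluster_bytes,
    }


def byte_offset_to_cluster(offset: int, geo: dict) -> int:
    """Convert a partition-relative byte offset to a logical cluster number."""
    return offset // (geo["bytes_per_sector"] * geo["sectors_per_cluster"])


def apply_fixups(record: bytes, bps: int = 512) -> bytes:
    """Check the FILE signature, verify the update sequence fixups and restore the original bytes.

    Each sector of the record ends with the update sequence number (USN); the
    words it overwrote live in the update sequence array. A sector whose last
    word does not match the USN was not completely written, so the record is rejected.
    """
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record, signature %r" % record[:4])
    usa_ofs, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_ofs:usa_ofs + 2]
    fixed = bytearray(record)
    for i in range(1, usa_count):
        end = i * bps
        if fixed[end - 2:end] != usn:
            raise ValueError("fixup mismatch in sector %d (torn write)" % (i - 1))
        fixed[end - 2:end] = record[usa_ofs + 2 * i:usa_ofs + 2 * i + 2]
    return bytes(fixed)


def build_sample_vbr() -> bytes:
    """Constructed boot sector: 512-byte sectors, 8 per cluster, $MFT at LCN 786432, $MFTMirr at LCN 2."""
    vbr = bytearray(512)
    vbr[0:3] = b"\xeb\x52\x90"
    vbr[3:11] = b"NTFS    "
    struct.pack_into("<H", vbr, 0x0B, 512)
    vbr[0x0D] = 8
    struct.pack_into("<Q", vbr, 0x28, 976773167)  # roughly a 500 GB drive
    struct.pack_into("<Q", vbr, 0x30, 786432)
    struct.pack_into("<Q", vbr, 0x38, 2)
    struct.pack_into("<b", vbr, 0x40, -10)         # 2**10 = 1024-byte records
    vbr[510:512] = b"\x55\xaa"
    return bytes(vbr)


def build_sample_record(torn: bool = False) -> bytes:
    """Constructed 1024-byte MFT record with its update sequence array at 0x30."""
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)  # USA offset, USA count (USN + 2 entries)
    rec[0x30:0x32] = b"\x07\x00"              # USN
    rec[0x32:0x34] = b"\xaa\xaa"              # original last word of sector 0
    rec[0x34:0x36] = b"\xbb\xbb"              # original last word of sector 1
    rec[510:512] = b"\x07\x00"
    rec[1022:1024] = b"\x06\x00" if torn else b"\x07\x00"
    return bytes(rec)


if __name__ == "__main__":
    geo = parse_boot_sector(build_sample_vbr())
    print("$MFT at cluster %d = sector %d = byte 0x%X" % (geo["mft_lcn"], geo["mft_sector"], geo["mft_byte_offset"]))
    print("$MFTMirr at cluster %d = byte 0x%X" % (geo["mftmirr_lcn"], geo["mftmirr_byte_offset"]))
    print("fixups restored:", apply_fixups(build_sample_record())[510:512].hex())
```

    With a real boot sector pasted in, the byte offsets printed are what to type into the editor's goto box, and running apply_fixups over the 1024 bytes found there tells you whether the record at that spot is a complete "FILE" entry before anything like chkdsk is let loose on it; a record that fails the signature or fixup check is not one to rebuild from.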
