Over the next several weeks we are going to take an in depth look at how data recovery in all of its phases is applied to the Microsoft NTFS file system. You may consider this a class in the data recovery of an NTFS file system as well as a mini course in hard drive design repair.
The knowledge that I will impart over the next several weeks is not for the faint of heart. Although I will use plain language, as well as diagrams where needed, the application of the information is meant for technicians and software engineers. However, everyone I am sure will come away with a better understanding of the NTFS file system.
The following are the topics that will be covered on a week by week basis. Hopefully, I will be able to maintain the weekly schedule, however if life and my work get in the way, some weeks I may have to skip until the following week.
Boot Up Sequence: This will include how the BIOS determines a boot device. Once a boot device is determined how the BIOS hands over the boot sequence to the Master Boot Record. The layout of the Master Boot Record and how the boot code determines the boot partition. What can go wrong during the boot sequence and some ways you can fix those problems.
Continuing the Boot Sequence: This will cover how the Master Boot Record hands over the booting of the operating system to the OS Boot Record. This will include the layout of the BIOS Parameter Block, and how its data elements relate to data storage. A brief explanation of the NTLDR. I will also cover the problems that can arise during the OS boot and how you can possibly repair the problem.
Data Storage Part I: Understanding how data is stored is critical if you want to have even a remote chance of file recovery. Discussion on clusters, why they are used, how they are allocated. How the operating system stores the data on the physical media. Logical and physical sector addressing arithmetic will be explained. Fragmentation, the enemy of data recovery will also be explored.
Data Storage Part II: Once we have covered how the data is stored, we will need to then understand how NTFS handles keeping track of file and folder placement. The Master File Table will be discussed in great detail. Where it is placed, many of the components of the record will be discussed and how they relate to what we see translated into the file explorer.
Data Storage Part III: This week will be totally dedicated to run lists. This component is the key to breaking down how the clusters are stored. The method that Microsoft uses to track clusters is very complicated so I want to give this subject a full week.
Data Storage Part IV: Now that we have all of the theory of the MFT, this week we will cover how to recover data using a damaged MFT.
Hard drive theory: This will be a brief overview of hard drive design from a data recovery specialist’s point of view. Sector mapping, system area design. Permanent Defect tables. Growing Defect tables. Bad sectors, and how that relates to performance. How the operating system reacts to a bad sector. S.M.A.R.T early warning technology.
JPEG File recovery: The JFIF file format and how that relates to raw data recovery. Data mining, file carving and techniques used to extract data from a totally destroyed file system.
MP3 File recovery: The MPEG III file format will be covered and how that relates to file recovery. How data mining and file carving techniques may be used to recover the file. The ID3 data tag format and how that can be used to recover a more complete MP3 file.
Scenario: Hard drive has been fdisked, how do I recover?
Scenario: Hard drive has been formatted, how do I recover?
Scenario: Files have been deleted, how do I recover?
Scenario: I used the restore function from the manufacturer, how do I recover?
Scenario: Multiple partitioned drive made into single partition, how do I recover second partition?
Scenario: USB hard drive cannot be addressed, how do I recover?
Scenario: I lost all of my Canon CR2 Raw format pictures, how do I Recover from the flash chip?
Scenario: Hard Drive has reached maximum capacity and file system as well as the operating system have become inoperable. How do I recover?
Scenario: Malware virus attack on the Master Boot Record, or the operating system boot record. How do I get my operating system online?
Scenario: Drive has been formatted, and the operating reloaded. How do I recover data from the drive?
Scenario: Deleted email from my Outlook Express mail handler. How do I recover the deleted emails?
Scenario: Outlook PST file has exceeded the two gigabyte limit. How do I recover my email file without damaging all of my data?
Scenario: Reloaded Windows over the top of an existing Windows setup and lost my access Documents and Settings folder. How do I gain access to the folder?
Scenario: Hard drive has exhibited symptoms of possible bad sectors. How do I safely recover my data without compromising the physical attributes of the hard drive?
The future of data storage and what is needed in order to safeguard the data on your system. I am going to cover a great deal of material in the next six months. As I reveal each secret hopefully that information will help you recover and safe guard your data. If you have any questions please feel free to call or drop me an email.
dickc AT dtidatarecovery.com
(727)345-9665 Ext 203