I have cloned a problem NTFS HDD and subsequently overwrote both the MFT and MFT mirror on the clone. I'd like to be able to copy the MFT from the original HDD across to the clone. So...

1. Is there any S/W which can export then reload the MFT ? Alternatively
2. How do I calculate the position and length of the MFT so I can manually copy it across using ddrescue ?

thanks

The location of the $MFT is specified at the offset of 0x30 to 0x37 (normally it is 0x0C0000=cluster 786432) of the DBR sector.

Go to this cluster, and check the data run of the $MFT from the data attribute. The $MFT may be fragmented if there are more than one data run.

e.g. ''32 68 7C 00 00 0C'', it means the $MFT start from cluster 0x0C0000, and it has a length of 0x7C68 clusters.

_________________
DR Research Engineer

How did you overwrite it in the first place? Might you need to re-clone the whole drive?

_________________
You don't have to backup all of your files, just the ones you want to keep.

This is my drive seagate-momentus-5400-st9500325as-t17691.html#p121167. it has Windows 7 OS on it. The cloned drive was unable to be mounted and as I am learning what to do as I go (and because I was working on the clone), I gave myself the liberty of trying anything that helped me to mount it. Somehow I ended up creating a new MFT (which I now realise essentially equates to doing a quick format) which then allowed me to mount the drive. Part of this 'drastic' action was my inability to run CHKDSK on the volume as I thought it needed to be mounted (I was able to run ntfsfix prior to eventually mounting it). Gparted couldn't mount the volume and kept requesting me to run CHKDSK /f on it. In the Windows 7 recovery command prompt window I couldn't mount the volume and I couldn't get CHKDSK to scan it because my reasonable interpretation of the CHKDSK syntax [1] had me thinking the volume parameter was not optional (I later discovered it is optional and just by typing CHKDSK all drives are scanned). C: wouldn't appear in the Win7 command prompt and CHKDSK didn't recognise the volume name \Device\Harddisk0\DR0. After eventually re-creating the MFT, I could then run CHKDSK which turned up no errors (surprise surprise).

So my plan now is to re-instate the MBR and MFT from the original to the clone, then run CHKDSK on the clone. Anyway this is all part of experimenting and learning in the process.


My original drive is difficult to clone. For a particular 70GB section (out of 500GB), as soon as a bad sector is read the drive is unable to be communicated with again and I must reboot the entire laptop. I managed to read parts of that section by reading in reverse using ddrescue, but that only gave me another 10GB and took me ages to do. So it is now much more efficient use of my time to just copy across things like the MBR and MFT.



[1] CHKDSK [volume[[path]filename]]] [/F] [/V] [/R] [/X] [/I] [/C] [/L[:size]].
volume:Specifies the drive letter (followed by a colon), mount point, or volume name.

Thanks tckin.

If the $MFT is fragmented, is is still possible to copy it at a byte level ?

BTW I discovered that FTK Imager Lite can read/export the $MFT, so at least that way I can confirm exactly how long it is and if it is fragmented. In fact I now realise that using MHDD I can probably read that exported $MFT file and write it to the clone....

If the $MFT is fragmented, you have to copy the $MFT byte by byte to the clone drive. Extracting the whole $MFT is useless if you want to make your clone drive working as the original drive.

It is possible to use script to copy the content of $MFT to your clone drive at a byte.

Let me know the cluster chain of the $MFT, I can send you a script to do what you want to do.

_________________
DR Research Engineer

Hi,

I'm in a similar situation. I have:
1. a VM with a disk that is corrupt but the MFT looks intact ( used NTFSwalk to read it).
2. another clone VM with the data but no MFT because it was formatted. (testdisk has been able to recover a lot but without filenames and directory structure, and worst the most important files are Zip archives and they are not completely recovered).

I'm trying to do an exact byte for byte copy of the MFT but can't find any utility that will do it. How can this be done?

Thanks in advanced for your help,

Rui

I assume both clone VM disks were the same or from the same timeframe
If slightly different timeframes, then obviously some stuff will have changed between them, although most of the main unmodified data files should still be in the same place

The formatting of one copy (assuming quick format)
will have 'reset' the first few entries of the MFT and in particular the MFT bitmap and volume bitmap and root index, such that it thinks the rest of the MFT entries and most the data clusters on the drive are unused

You should be able to get away with just finding and copying over the first 16 sectors of the good MFT (easy)
and the data clusters pointed to by the $BITMAP entry in file record 0 ($MFT) and the data clusters pointed to by the $DATA entry of file record 6 ($Bitmap)

In fact those last two areas should still be ok and have their original data on the formatted drive
and so just copying over the first 16 sectors of the original MFT might be enough
UPDATE - on second thoughts probably not as the format will have tended to reuse and reset those data areas

In fact why not do a disk / file recovery scanner (like Rstudio etc) on the "clone VM with the data but no MFT because it was formatted" - that should be able to find the left over MFT entries (other then the first few which were reset) and follow the data clusters they point to
- Ah you've done that "testdisk has been able to recover a lot but without filenames and directory structure"
But suggest try scanning with RStudio or Restorer2000