Hard to deal file system corruption.
October 16th, 2014, 8:49
Dear friends
I will be happy to get some help for a severe file system corruption case. Disk has 2 partitions , it shows file system as NTFS but no data is traceable even after trying every possible way. There seems to be MFT corruption.
Disk was having pointsec encryption ,however as per IT support of customer disk was fully decrypted.
Raw recovery using DE shows data ,however winhex ,easyrecovery does not show data in raw mode as well.
How to deal in such situation.Is there any way to analyse MFT's or correct them?
Thanks
I will be happy to get some help for a severe file system corruption case. Disk has 2 partitions , it shows file system as NTFS but no data is traceable even after trying every possible way. There seems to be MFT corruption.
Disk was having pointsec encryption ,however as per IT support of customer disk was fully decrypted.
Raw recovery using DE shows data ,however winhex ,easyrecovery does not show data in raw mode as well.
How to deal in such situation.Is there any way to analyse MFT's or correct them?
Thanks
Re: Hard to deal file system corruption.
October 16th, 2014, 9:26
It would be helpful to have a step-by-step process of everything that happened since the initial point of failure.
1. Was the drive fully cloned without any bad sectors?
2. Did someone try to unencrypt the original drive and have the process fail part way through?
1. Was the drive fully cloned without any bad sectors?
2. Did someone try to unencrypt the original drive and have the process fail part way through?
Re: Hard to deal file system corruption.
October 17th, 2014, 1:03
Hi coughey Thanks for replying.
Yes this could be encryption related issue. As per customer disk was encrypted ,but decryption is successful for D drive.
in another case ,as per customer there was no encryption. I can update first 100 Mb of each drive./ partition.
Yes this could be encryption related issue. As per customer disk was encrypted ,but decryption is successful for D drive.
in another case ,as per customer there was no encryption. I can update first 100 Mb of each drive./ partition.
Re: Hard to deal file system corruption.
October 17th, 2014, 3:16
Show us sector 0 (MBR and partition table) and the boot sectors for each partition. The boot sector should tell us where the MFT is located, assuming it is decrypted. I'm not familiar with Pointsec, but if it encrypts the entire drive, then we may be able to tell if the drive has been fully decrypted by looking for a backup boot sector at the end of the partition. I'm assuming that decryption is a sector-by-sector operation, from beginning to end.
Re: Hard to deal file system corruption.
October 17th, 2014, 8:43
Hi Fzabkar
Here is all details like -- 1) partition table 2) MBR 3) MFT details 4) Root directory etc.
DISK 1
Here is all details like -- 1) partition table 2) MBR 3) MFT details 4) Root directory etc.
DISK 1
- Attachments
-
-
-
-
-
-
-
Re: Hard to deal file system corruption.
October 17th, 2014, 8:45
Here are details of DISK 2
- Attachments
-
-
-
-
- DISK 1.PNG (10.5 KiB) Viewed 6308 times
-
-
Re: Hard to deal file system corruption.
October 18th, 2014, 19:02
The boot sector is obviously not encrypted. There should be a backup boot sector at the end of each partition, namely sectors 204802047 and 625139711. If the backup boot sector is not encrypted, then I would think that lcoughey's concern regarding partial decryption could be put to rest. That said, it could be that I don't understand how Pointsec encryption works.
My next step would be to examine the MFT start cluster, namely 786432, and then walk down the MFT. If you have a clone copy, then CHKDSK in readonly mode should be able to do an integrity check of the NTFS file system.
My next step would be to examine the MFT start cluster, namely 786432, and then walk down the MFT. If you have a clone copy, then CHKDSK in readonly mode should be able to do an integrity check of the NTFS file system.
Re: Hard to deal file system corruption.
October 19th, 2014, 0:40
Thanks a ton fzabkar
I will analyze MFT and report.
I will analyze MFT and report.
Re: Hard to deal file system corruption.
October 20th, 2014, 6:21
Hi Fzabkar
I tried to run chkdsk , it has detected MFT error but could not fix it (gave error MFT cannot be recovered).
I have taken snapshots of various sectors ,hope it will make picture clear. I have also attached MFT records details which shows errors.
winhex gives error --cannot open "$MFT" unexpexted data at a offset C0000000 and offset 2000 Res =9 , Res2 = 9
I am eager to know what could be so severe issue for this corruption.
I tried to run chkdsk , it has detected MFT error but could not fix it (gave error MFT cannot be recovered).
I have taken snapshots of various sectors ,hope it will make picture clear. I have also attached MFT records details which shows errors.
winhex gives error --cannot open "$MFT" unexpexted data at a offset C0000000 and offset 2000 Res =9 , Res2 = 9
I am eager to know what could be so severe issue for this corruption.
- Attachments
-
-
-
-
-
-
-
-
- MFT error.PNG (4.17 KiB) Viewed 6206 times
Powered by phpBB © phpBB Group.