inicializa o sistema de arquivos NTFS do antigo $ MFT

Navegue suas respostas
1

Devido a um acidente estúpido, perdi uma tabela de partições com uma partição formatada como NTFS. testdisk e parted não funcionam (devido a outro erro), mas eu posso restaurar a árvore do sistema de arquivos usando RecuperaBit . Infelizmente, este programa ainda não pode restaurar dados compactados, exceto alguns arquivos chamados $ MFT e alguns outros que começam com $.

Então, é possível montar essas informações e inicializar um novo sistema de arquivos ntfs com aquelas para habilitar o acesso nativo aos dados? A árvore do sistema de arquivos é completa e exatamente a mesma que costumava ser.

Editar: Um Hex-Dump dos primeiros 1024 Bytes: 

$ head -c 1024 \$MFT | od -A x -t x1z -v
000000 46 49 4c 45 30 00 03 00 36 14 09 05 00 00 00 00  >FILE0...6.......<
000010 01 00 01 00 38 00 01 00 98 01 00 00 00 04 00 00  >....8...........<
000020 00 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00  >................<
000030 1a 00 54 94 00 00 00 00 10 00 00 00 60 00 00 00  >..T.........'...<
000040 00 00 18 00 00 00 00 00 48 00 00 00 18 00 00 00  >........H.......<
000050 28 f1 05 f0 ff 41 d2 01 28 f1 05 f0 ff 41 d2 01  >(....A..(....A..<
000060 28 f1 05 f0 ff 41 d2 01 28 f1 05 f0 ff 41 d2 01  >(....A..(....A..<
000070 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >................<
000080 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00  >................<
000090 00 00 00 00 00 00 00 00 30 00 00 00 68 00 00 00  >........0...h...<
0000a0 00 00 18 00 00 00 03 00 4a 00 00 00 18 00 01 00  >........J.......<
0000b0 05 00 00 00 00 00 05 00 28 f1 05 f0 ff 41 d2 01  >........(....A..<
0000c0 28 f1 05 f0 ff 41 d2 01 28 f1 05 f0 ff 41 d2 01  >(....A..(....A..<
0000d0 28 f1 05 f0 ff 41 d2 01 00 40 00 00 00 00 00 00  >(....A...@......<
0000e0 00 40 00 00 00 00 00 00 06 00 00 00 00 00 00 00  >.@..............<
0000f0 04 03 24 00 4d 00 46 00 54 00 00 00 00 00 00 00  >..$.M.F.T.......<
000100 80 00 00 00 48 00 00 00 01 00 40 00 00 00 01 00  >....H.....@.....<
000110 00 00 00 00 00 00 00 00 7f 06 00 00 00 00 00 00  >................<
000120 40 00 00 00 00 00 00 00 00 00 68 00 00 00 00 00  >@.........h.....<
000130 00 00 68 00 00 00 00 00 00 00 68 00 00 00 00 00  >..h.......h.....<
000140 32 80 06 00 00 0c 00 00 b0 00 00 00 48 00 00 00  >2...........H...<
000150 01 00 40 00 00 00 05 00 00 00 00 00 00 00 00 00  >..@.............<
000160 01 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  >........@.......<
000170 00 20 00 00 00 00 00 00 08 10 00 00 00 00 00 00  >. ..............<
000180 08 10 00 00 00 00 00 00 21 02 ef 51 00 00 00 00  >........!..Q....<
000190 ff ff ff ff 00 00 00 00 ff ff ff ff 00 00 00 00  >................<
0001a0 00 00 04 00 00 00 00 00 31 40 00 00 0c 00 04 9c  >........1@......<
0001b0 b0 00 00 00 50 00 00 00 01 00 40 00 00 00 05 00  >....P.....@.....<
0001c0 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00  >................<
0001d0 40 00 00 00 00 00 00 00 00 20 00 00 00 00 00 00  >@........ ......<
0001e0 08 10 00 00 00 00 00 00 08 10 00 00 00 00 00 00  >................<
0001f0 31 01 ff ff 0b 11 01 ff 00 00 01 00 00 20 1a 00  >1............ ..<
000200 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00  >................<
000210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >................<
000220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >................<
000230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >................<
000240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >................<
000250 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >................<
000260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >................<
000270 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >................<
000280 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >................<
000290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >................<
0002a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >................<
0002b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >................<
0002c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >................<
0002d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >................<
0002e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >................<
0002f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >................<
000300 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >................<
000310 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >................<
000320 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >................<
000330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >................<
000340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >................<
000350 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >................<
000360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >................<
000370 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >................<
000380 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >................<
000390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >................<
0003a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >................<
0003b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >................<
0003c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >................<
0003d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >................<
0003e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >................<
0003f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00  >................<

e os registros de inicialização (espero que pelo menos) 

> allparts
Partition #0 -> Partition (NTFS, 1.82 TB, 4706 files, Recoverable, Offset: 2048, Offset (b): 1048576, Sec/Clus: 8, MFT offset: 6293504, MFT mirror offset: 2064)
Partition #1 -> Partition (NTFS, ??? b, 1 files, Offset: None, Offset (b): None, Sec/Clus: None, MFT offset: 316980352, MFT mirror offset: None)
Partition #2 -> Partition (NTFS, ??? b, 6 files, Offset: None, Offset (b): None, Sec/Clus: None, MFT offset: 152503816, MFT mirror offset: None)
Partition #3 -> Partition (NTFS, ??? b, 1 files, Offset: None, Offset (b): None, Sec/Clus: None, MFT offset: 79517584, MFT mirror offset: None)
Partition #4 -> Partition (NTFS, ??? b, 2 files, Offset: None, Offset (b): None, Sec/Clus: None, MFT offset: 9717656, MFT mirror offset: None)
Partition #5 -> Partition (NTFS, ??? b, 1 files, Offset: None, Offset (b): None, Sec/Clus: None, MFT offset: 151669368, MFT mirror offset: None)
Partition #6 -> Partition (NTFS, ??? b, 3 files, Offset: None, Offset (b): None, Sec/Clus: None, MFT offset: 628571568, MFT mirror offset: None)
Partition #7 -> Partition (NTFS, ??? b, 2 files, Offset: None, Offset (b): None, Sec/Clus: None, MFT offset: 395066792, MFT mirror offset: None)
Partition #8 -> Partition (NTFS, ??? b, 15 files, Offset: None, Offset (b): None, Sec/Clus: None, MFT offset: 1953514624, MFT mirror offset: None)
Partition #9 -> Partition (NTFS, ??? b, 3 files, Offset: None, Offset (b): None, Sec/Clus: None, MFT offset: 662340344, MFT mirror offset: None)
Partition #10 -> Partition (NTFS, ??? b, 1 files, Offset: None, Offset (b): None, Sec/Clus: None, MFT offset: 302860720, MFT mirror offset: None)
Partition #11 -> Partition (NTFS, ??? b, 1 files, Offset: None, Offset (b): None, Sec/Clus: None, MFT offset: 10357512, MFT mirror offset: None)
Partition #12 -> Partition (NTFS, ??? b, 1 files, Offset: None, Offset (b): None, Sec/Clus: None, MFT offset: 77430456, MFT mirror offset: None)
Partition #13 -> Partition (NTFS, ??? b, 2 files, Offset: None, Offset (b): None, Sec/Clus: None, MFT offset: 85578480, MFT mirror offset: None)
Partition #14 -> Partition (NTFS, ??? b, 2 files, Offset: None, Offset (b): None, Sec/Clus: None, MFT offset: 10767168, MFT mirror offset: None)
Partition #15 -> Partition (NTFS, ??? b, 3 files, Offset: None, Offset (b): None, Sec/Clus: None, MFT offset: 9717856, MFT mirror offset: None)
Partition #16 -> Partition (NTFS, ??? b, 1 files, Offset: None, Offset (b): None, Sec/Clus: None, MFT offset: 77101768, MFT mirror offset: None)
Partition #17 -> Partition (NTFS, ??? b, 4 files, Offset: None, Offset (b): None, Sec/Clus: None, MFT offset: 1953514608, MFT mirror offset: None)
Partition #18 -> Partition (NTFS, ??? b, 1 files, Offset: None, Offset (b): None, Sec/Clus: None, MFT offset: 154535088, MFT mirror offset: None)
Partition #19 -> Partition (NTFS, ??? b, 1 files, Offset: None, Offset (b): None, Sec/Clus: None, MFT offset: 7725240, MFT mirror offset: None)
Partition #20 -> Partition (NTFS, ??? b, 3 files, Offset: None, Offset (b): None, Sec/Clus: None, MFT offset: 153627072, MFT mirror offset: None)
Partition #21 -> Partition (NTFS, ??? b, 3 files, Offset: None, Offset (b): None, Sec/Clus: None, MFT offset: 10357624, MFT mirror offset: None)
Partition #22 -> Partition (NTFS, ??? b, 1 files, Offset: None, Offset (b): None, Sec/Clus: None, MFT offset: 716195416, MFT mirror offset: None)
Partition #23 -> Partition (NTFS, ??? b, 1 files, Offset: None, Offset (b): None, Sec/Clus: None, MFT offset: 6514936, MFT mirror offset: None)
Partition #24 -> Partition (NTFS, ??? b, 2 files, Offset: None, Offset (b): None, Sec/Clus: None, MFT offset: 98269952, MFT mirror offset: None)
Partition #25 -> Partition (NTFS, ??? b, 1 files, Offset: None, Offset (b): None, Sec/Clus: None, MFT offset: 716141024, MFT mirror offset: None)
Partition #26 -> Partition (NTFS, ??? b, 1 files, Offset: None, Offset (b): None, Sec/Clus: None, MFT offset: 6820112, MFT mirror offset: None)
Partition #27 -> Partition (NTFS, ??? b, 2 files, Offset: None, Offset (b): None, Sec/Clus: None, MFT offset: 716178792, MFT mirror offset: None)
Partition #28 -> Partition (NTFS, ??? b, 1 files, Offset: None, Offset (b): None, Sec/Clus: None, MFT offset: 395876840, MFT mirror offset: None)
Partition #29 -> Partition (NTFS, ??? b, 2 files, Offset: None, Offset (b): None, Sec/Clus: None, MFT offset: 408808056, MFT mirror offset: None)
Partition #30 -> Partition (NTFS, ??? b, 1 files, Offset: None, Offset (b): None, Sec/Clus: None, MFT offset: 153921904, MFT mirror offset: None)
Partition #31 -> Partition (NTFS, ??? b, 2 files, Offset: None, Offset (b): None, Sec/Clus: None, MFT offset: 10768552, MFT mirror offset: None)
Partition #32 -> Partition (NTFS, ??? b, 1 files, Offset: None, Offset (b): None, Sec/Clus: None, MFT offset: 621608448, MFT mirror offset: None)
Partition #33 -> Partition (NTFS, ??? b, 1 files, Offset: None, Offset (b): None, Sec/Clus: None, MFT offset: 716169080, MFT mirror offset: None)
Partition #34 -> Partition (NTFS, ??? b, 1 files, Offset: None, Offset (b): None, Sec/Clus: None, MFT offset: 154558208, MFT mirror offset: None)
    
por camelCase 03.12.2017 / 14:38

1 resposta

1

Unfortunately, this program cannot yet restore compressed data, except for some files called $MFT, and some others starting with $.

Eu criei o RecuperaBit e confirmo que ele não pode ler arquivos armazenados com compactação NTFS. Observe que não há exceção: $MFT é o arquivo que contém a tabela de arquivos mestre (todos os arquivos de metadados começam com $ e não são compactados, mas alguns deles são esparsos).

Seu objetivo:

initialise a new ntfs-filesystem with those to enable native access to the data

Não seria viável se a MFT estivesse realmente danificada. No entanto, você deve notar que provavelmente não é. Seu hex dump mostra que a primeira entrada (a mais importante) está bem. O mais provável é que os seguintes também sejam bons.

O que você precisa fazer é restaurar a tabela de partição e pegar pelo menos um setor de inicialização NTFS. Normalmente, o setor de inicialização de backup pode ser recuperado facilmente porque está no final da unidade.

Sua saída mostra o tamanho exato do sistema de arquivos. Esse número foi lido em um setor de inicialização, então você sabe que ainda está lá: 

Partition #0 -> Partition (NTFS, 1.82 TB, 4706 files, Recoverable, Offset: 2048, Offset (b): 1048576, Sec/Clus: 8, MFT offset: 6293504, MFT mirror offset: 2064)

Se você permitir que o Testdisk seja executado em 100% da unidade, ele localizará a partição. Você pode então usar o Testdisk para listar os arquivos e extraí-los. Talvez seja possível recuperar o backup do setor de inicialização do NTFS ou fazer isso manualmente, exibindo-o no primeiro setor da partição.

    
por 15.12.2017 / 17:46

Tags

Como acelerar o dd no macOS High Sierra? Como posso monitorar os IPs solicitados para um domínio específico?