NTFS Recovery with Recover My Files
The New Technology File System (NTFS) was commercially released by Microsoft in the mid-1990s and was designed to supersede FAT. Today FAT remains popular for removable storage devices (for simplicity, portability and compatibility reasons) whilst NTFS is now widely used for home and office installations.
Advantages of NTFS over FAT include:
- File-level security;
- File compression and encryption;
- Reliability and system recovery;
- Purpose designed as a flexible and scalable storage system for large volumes and RAID devices.
Master File Table (MFT)
The Master File Table file, “$MFT”, is one of a core group of NTFS system files on an NTFS disk. It is the central control structure of the NTFS file system. The file "$MFT" is an index of all the files on the volume, consisting of rows of file “records” and columns of file “attributes”. It contains at least one record for every file.
The NTFS file system views each file as a set of file attributes. Information such as the file's name, its physical and logical size, and its file dates (created, modified, written) are all file attributes. Attributes will vary in size for different files. The starting position of an attribute is identified in an MFT record by an attribute header.
If a file's attributes can fit within the 1024kb MFT file record, they are called “resident” attributes. When all the attributes for a file become too large to fit in the MFT file record, they are stored either in additional MFT records or in extents that lie outside the MFT. These are referred to as “non-resident” attributes and the first MFT record maintains an attribute list to track them. For small files, typically less than 900 bytes, the MFT record may itself store the file data within the MFT table. These are referred to as “resident” files.
Deleted NTFS Files
Each file and folder on an NTFS drive has an “allocation status” set by a flag in the MFT record header. When a file or folder is deleted the flag status changes from “allocated” (active), to “unallocated” (deleted).
When an NTFS file is deleted and the MFT record is marked as unallocated, both the MFT record and clusters used to store the data (for non-resident files) become available to store new data. However, importantly:
- the file attributes within the unallocated MFT record remain intact;
- the data for the file remains untouched.
To display deleted files, Recover My Files reads the MFT to find “unallocated entries”.
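How the allocation flag described above can be read from a raw MFT record, as an added Python example (not code from Recover My Files or from the original page). It assumes the common 1024-byte file record size and the standard NTFS record and attribute header layout, does not apply update-sequence fixups, and runs on a constructed sample record; `parse_record` and `build_sample` are hypothetical names.

```python
import struct

RECORD_SIZE = 1024          # assumed file record size (the common NTFS default)
FLAG_IN_USE, FLAG_DIRECTORY = 0x0001, 0x0002
ATTR_FILE_NAME, ATTR_DATA, ATTR_END = 0x30, 0x80, 0xFFFFFFFF

def parse_record(rec):
    """Return allocation status, name, parent record number and $DATA residency."""
    if rec[:4] != b"FILE":
        return None                                   # not an MFT file record
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"allocated": bool(flags & FLAG_IN_USE),   # cleared when the file is deleted
            "directory": bool(flags & FLAG_DIRECTORY),
            "name": None, "parent": None, "data_resident": None}
    off = first_attr
    while off + 8 <= len(rec):
        a_type, a_len = struct.unpack_from("<II", rec, off)
        if a_type == ATTR_END or a_len == 0 or off + a_len > len(rec):
            break                                     # end marker or damaged header
        non_resident = rec[off + 8]
        if a_type == ATTR_FILE_NAME and not non_resident:
            body = off + struct.unpack_from("<H", rec, off + 0x14)[0]
            if body + 0x42 > off + a_len:
                break                                 # content offset outside the attribute
            parent_ref = struct.unpack_from("<Q", rec, body)[0]
            info["parent"] = parent_ref & 0xFFFFFFFFFFFF   # low 48 bits = record number
            n_chars = rec[body + 0x40]
            info["name"] = rec[body + 0x42: body + 0x42 + 2 * n_chars].decode("utf-16-le")
        elif a_type == ATTR_DATA:
            info["data_resident"] = not non_resident
        off += a_len
    return info

def build_sample(name, parent, in_use, data=b"hello"):
    """Constructed sample record (not from a real volume) for the demonstration."""
    fn = struct.pack("<Q", parent).ljust(0x40, b"\0") + bytes([len(name), 1]) + name.encode("utf-16-le")
    def resident(a_type, content):
        length = (0x18 + len(content) + 7) & ~7       # attributes are 8-byte aligned
        hdr = struct.pack("<IIBBHHHIHBB", a_type, length, 0, 0, 0, 0, 0, len(content), 0x18, 0, 0)
        return (hdr + content).ljust(length, b"\0")
    header = b"FILE".ljust(0x14, b"\0") + struct.pack("<HH", 0x38, 1 if in_use else 0)
    body = header.ljust(0x38, b"\0") + resident(ATTR_FILE_NAME, fn) + resident(ATTR_DATA, data)
    return (body + struct.pack("<I", ATTR_END)).ljust(RECORD_SIZE, b"\0")

if __name__ == "__main__":
    for rec in (build_sample("report.docx", 5, True), build_sample("old.txt", 41, False)):
        print(parse_record(rec))
```

The second sample record has its in-use flag cleared, yet its name, parent reference and resident data are still readable, which is why an unallocated entry can be listed until the record is reused.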
If new data has been written to the drive after the deletion, it is possible that the MFT record of a file, and/or the clusters holding the data, will be overwritten with new data. If this happens the possibility for successful recovery of the deleted file is diminished.
Recover My Files creates an "Orphans" folder to hold folders and files for which the original parent folder is unknown. Orphans are like any other deleted file, the only difference being that it is no longer possible to determine the location of the file or folder within the directory structure prior to deletion.
Recovery of Formatted Disk
The NTFS recovery principles for recovering a formatted NTFS disk are essentially the same. At the highest level, Recover My Files searches for missing NTFS partitions which it rebuilds and displays in the search results screen. It then searches for additional individual MFT entries on the disk to recreate the file and folder structure.
In a Recover My Files search it is possible to determine when MFT entries are located by watching the "Files and Folders" number next to the progress bar. MFT records are usually located at the start of a partition. This means that when the Files and Folders number rises quickly then remains stable, an MFT file table has been found and read. The "skip" button can then be used to jump directly to the process of rebuilding and displaying the file and folder structure in the search results screen. This methodology can greatly reduce the time needed to complete a search and recover all files and folders with the original structure.