Active
File Recovery

Cluster Chains on NTFS


User's guide:

Example of defining cluster chains on NTFS

When recovering a file on an NTFS volume, the part of the DATA attribute called the Data Runs gives the location of the file's clusters. In most cases the DATA attribute is stored inside the MFT record itself. Once the MFT record of the deleted file has been found, the cluster chain can most likely be determined from it.

In the example below, the DATA attribute is marked in green and the Data Runs within it are marked in bold (the six bytes 31 6E EB C4 04 00 at offset 0x125C8).

   Offset    0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

   00012580  2E 00 70 00 70 00 74 00  80 00 00 00 48 00 00 00  ..p.p.t.€...H...
   00012590  01 00 00 00 00 00 04 00  00 00 00 00 00 00 00 00  ................
   000125A0  6D 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00  m.......@.......
   000125B0  00 DC 00 00 00 00 00 00  00 DC 00 00 00 00 00 00  .U.......U......
   000125C0  00 DC 00 00 00 00 00 00  31 6E EB C4 04 00 00 00  .U......1neA....
   000125D0  FF FF FF FF 82 79 47 11  00 00 00 00 00 00 00 00  yyyy‚yG.........

Data Runs need to be decoded. The first byte (0x31) is a header: its low nibble gives the number of bytes holding the length of the run (0x1 in this case) and its high nibble gives the number of bytes holding the first cluster offset (0x3 in this case). Next, take one byte (0x6E), which is the length of the run in clusters. Then take the 3 bytes holding the start cluster offset (EB C4 04 as stored).

Reversing the byte order (the value is stored little-endian) gives 0x04C4EB, so the first cluster of the file is 312555. Starting from this cluster, 110 clusters (0x6E) must be picked up. The next byte (0x00) indicates that no more data runs exist: the file is not fragmented, so there is only one data run.

Here is a check that there is enough information to recover the file's data:

Cluster size is 512 bytes.

There are 110 clusters, so 110 * 512 = 56320 bytes are allocated.

The file size was defined as 56320 bytes, so there is enough information now to recover the file clusters.
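The decoding and size check described above, carried out in code. This is an added example, not part of Active@ File Recovery or of the original guide. It assumes the standard layout of a non-resident NTFS attribute header (non-resident flag at offset 0x08, start/last VCN at 0x10/0x18, data-run offset at 0x20, allocated/real/initialized sizes at 0x28/0x30/0x38, which is where the values in the dump above sit). The attribute bytes are copied from the hex dump; the second, fragmented run list is a constructed hypothetical input. The decoder goes beyond the single-run case on the page: it also handles multiple runs, whose offsets after the first are signed deltas from the previous run's start cluster, and sparse runs with no offset bytes.

```python
import struct

# $DATA attribute bytes copied from the hex dump above, starting at offset
# 0x12588 (type 0x80, length 0x48). Constructed from the page, not read from
# a live volume.
PAGE_DATA_ATTRIBUTE = bytes.fromhex(
    "80000000 48000000 01000000 00000400 00000000 00000000"
    "6D000000 00000000 40000000 00000000 00DC0000 00000000"
    "00DC0000 00000000 00DC0000 00000000 316EEBC4 04000000"
)

# Constructed (hypothetical) run list for a fragmented file with a sparse
# tail: the page's run, then a 16-cluster run 4096 clusters further on,
# then 8 sparse clusters, then the 0x00 terminator.
FRAGMENTED_RUNS = bytes.fromhex("316EEBC404 21100010 0108 00")


def decode_data_runs(runs):
    """Decode a data-run list into [(start_lcn, length_in_clusters), ...].

    Each run begins with a header byte: the low nibble is the number of
    bytes holding the run length, the high nibble the number of bytes
    holding the start-cluster offset; both fields are little-endian.
    The first offset is absolute (from the start of the volume); every
    later offset is a signed delta from the previous run's start, which
    is how NTFS keeps fragmented files compact. An offset size of 0 is a
    sparse run (start_lcn is None). A header byte of 0x00 ends the list.
    """
    result = []
    pos = 0
    lcn = 0
    while pos < len(runs):
        header = runs[pos]
        pos += 1
        if header == 0x00:
            break
        len_size, off_size = header & 0x0F, header >> 4
        if len_size == 0 or pos + len_size + off_size > len(runs):
            raise ValueError("malformed data run header at byte %d" % (pos - 1))
        length = int.from_bytes(runs[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            result.append((None, length))
            continue
        lcn += int.from_bytes(runs[pos:pos + off_size], "little", signed=True)
        pos += off_size
        result.append((lcn, length))
    return result


def parse_data_attribute(attr):
    """Parse the header of a non-resident $DATA attribute and its data runs."""
    attr_type, attr_len, nonresident = struct.unpack_from("<IIB", attr, 0)
    if attr_type != 0x80:
        raise ValueError("not a $DATA attribute: type 0x%X" % attr_type)
    if nonresident != 1:
        raise ValueError("resident $DATA: content lives in the MFT record, no runs")
    start_vcn, last_vcn, runs_offset = struct.unpack_from("<QQH", attr, 0x10)
    allocated, real, initialized = struct.unpack_from("<QQQ", attr, 0x28)
    return {
        "start_vcn": start_vcn,
        "last_vcn": last_vcn,
        "allocated_size": allocated,
        "real_size": real,
        "initialized_size": initialized,
        "runs": decode_data_runs(attr[runs_offset:attr_len]),
    }


def check_coverage(info, cluster_size):
    """Return (bytes covered by the runs, enough?) like the review on the page.

    Also cross-checks the run lengths against the VCN range in the header;
    a mismatch means the record is damaged and the chain cannot be trusted.
    """
    clusters = sum(length for _, length in info["runs"])
    expected = info["last_vcn"] - info["start_vcn"] + 1
    if clusters != expected:
        raise ValueError("runs cover %d clusters, VCN range says %d" % (clusters, expected))
    covered = clusters * cluster_size
    return covered, covered >= info["real_size"]


def run_lcns(runs):
    """Expand runs into the ordered list of on-disk clusters to read (sparse runs skipped)."""
    lcns = []
    for start, length in runs:
        if start is not None:
            lcns.extend(range(start, start + length))
    return lcns


if __name__ == "__main__":
    info = parse_data_attribute(PAGE_DATA_ATTRIBUTE)
    print("runs:", info["runs"])                        # [(312555, 110)]
    print("real size:", info["real_size"])              # 56320
    print("coverage @512:", check_coverage(info, 512))  # (56320, True)
    print("fragmented:", decode_data_runs(FRAGMENTED_RUNS))
```

The cluster size is passed in rather than read from the attribute because it lives in the volume boot sector, not in the MFT record; on the page's volume it is 512 bytes, which is what makes the 110 clusters match the 56320-byte real size exactly.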

Important

DO NOT WRITE ANYTHING ONTO THE DRIVE CONTAINING YOUR IMPORTANT DATA THAT HAS JUST BEEN ACCIDENTALLY DELETED! Even the installation of data recovery software could spoil your sensitive data. If the data is really important to you and you do not have another logical drive to install the software to, take the whole hard drive out of the computer and plug it into another computer where data recovery software has already been installed, or use recovery software that does not require installation, for example software that can run from a bootable CD / USB media.

DO NOT TRY TO SAVE DATA THAT YOU FOUND AND ARE TRYING TO RECOVER ONTO THE SAME DRIVE! Saving recovered data onto the same drive where sensitive data is located can hinder the recovery process by overwriting FAT/MFT records for this and other deleted entries. It's best to save data onto another logical, removable, network or floppy drive.
