Data recovery - NTFS with broken MBR and MFT


This tale begins like...

One day I had a stupid idea - install updates for my Lenovo laptop. Full of faith in software abilities I installed this and that, finally reaching 'System Backup and Recovery - system patch' if I remember well. The upgrade ran without problems - download, unpack, reboot...

... here our tale ends and horror begins.

Unfortunately the upgrade changed the MBR, overwriting the boot-sector installed by GRUB, which in turn refused to start at all. This had an obvious effect - I was unable to boot anything, neither Windows nor Linux :-(

After that it just got worse - sclerosis doesn't hurt, just trouble and advance... One mistake, one keystroke too far and we have a disaster - thanks to myself, not the update process in any way. I've decided to describe this story so that you can avoid my pains by not making the same mistake... or, if you did the same, so that you can recover from this terrible situation. The first time is always the hard one - later you remember what you did wrong, so keep reading.

This article is a translation of my other post published in Polish - Ratowanie danych z NTFS ze zniszczonym MBR i MFT.

WARNING: By using the method or any tools described in this article you take full responsibility for your actions. Neither I nor any of the authors of the software described can be held responsible for possible damage or loss of data. Before you actually do anything, read the whole post to save a lot of time and avoid dead ends :-)

As it's well known, overwriting MBR is not a problem at all if there is a Linux on the disk. Just boot off the CD and start rescue and single mode (single mode because we just need shell and not recovery app). Ubuntu has it solved really well... Then just follow old, tested path - mount hard drive (linux root partition) in one of the directories, chroot, grub-install or fix MBR manually from GRUB's interactive shell (if for some reason you use LILO your job is literally one command). Because I prefer the second method myself (interactive), here is the command I use (all in one line):

grub> install (hd0,5)/boot/grub/stage1 d (hd0) \
(hd0,5)/boot/grub/stage2 p (hd0,5)/boot/grub/menu.lst

The parameters are, in order:

  • stage 1
  • where to install boot loader (hd0)
  • stage 2
  • configuration file (menu)

Everything is fine up to one point...

Disk layout

The Lenovo x60s has a SATA drive that shows up under Linux as /dev/sda. The layout I use is simple but may not be the most obvious or typical:

root@x60s:~# fdisk -l /dev/sda

Disk /dev/sda: 80.0 GB, 80026361856 bytes
240 heads, 63 sectors/track, 10337 cylinders
Units = cylinders of 15120 * 512 = 7741440 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1        2584    19535008+   7  HPFS/NTFS
/dev/sda2            2585        7752    39070080    7  HPFS/NTFS
/dev/sda3            7753        9668    14484929    f  W95 Ext'd (LBA)
/dev/sda4            9669       10337     5057640    c  W95 FAT32 (LBA)
/dev/sda5            7753        7882      982768+  82  Linux swap / Solaris
/dev/sda6            7883        9668    13502128+  83  Linux

/dev/sda4 (physically it's at the end of the disk!) is Lenovo's utility partition. As you can see Linux is installed on /dev/sda6 - before upgrade this partition was set as bootable. After upgrade /dev/sda1 became active bootable partition - that's not that bad... yet :-)

The problem is that I forgot about it and installed the new GRUB boot-sector on /dev/sda, which is the MBR of the whole disk. It's still not a tragedy... but having experience with older motherboards that could boot only from the MBR or the first sector of the first partition, I have developed a habit of installing the boot-loader in the first sector of the Linux root partition as well as in the MBR... Unfortunately this time I made a mistake - I installed GRUB in the MBR and in the first sector of /dev/sda1 - which is (as you can see above) damn NTFS - my drive C:.
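The active flag and partition types shown by fdisk live in the four 16-byte entries at offset 446 of the MBR. The following parser is an added example, not part of the original post; the function names are hypothetical and the sample MBR is constructed to resemble the four primary partitions in the listing above.

```python
import struct

# Partition type IDs that appear in the fdisk listing.
TYPES = {0x07: "HPFS/NTFS", 0x0F: "W95 Ext'd (LBA)", 0x0C: "W95 FAT32 (LBA)",
         0x82: "Linux swap / Solaris", 0x83: "Linux"}

def parse_mbr(sector: bytes) -> list:
    """Return the non-empty primary entries of an MBR partition table."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA signature: not a valid MBR")
    entries = []
    for i in range(4):
        # 16-byte entry: status, CHS start (3 bytes), type, CHS end (3 bytes),
        # start LBA (u32 little-endian), sector count (u32 little-endian).
        status, ptype, start, count = struct.unpack_from(
            "<B3xB3xII", sector, 446 + 16 * i)
        if ptype == 0:
            continue  # unused slot
        entries.append({"index": i + 1, "active": status == 0x80,
                        "type": ptype, "name": TYPES.get(ptype, "unknown"),
                        "start": start, "sectors": count})
    return entries

def active_partition(entries: list):
    """Index of the one active partition, or None if zero or several are flagged."""
    flagged = [e["index"] for e in entries if e["active"]]
    return flagged[0] if len(flagged) == 1 else None

def build_sample_mbr() -> bytes:
    """Constructed sample: start/size values derived from the cylinder numbers."""
    layout = [(0x80, 0x07, 63, 39070017), (0x00, 0x07, 39070080, 78140160),
              (0x00, 0x0F, 117210240, 28969920), (0x00, 0x0C, 146180160, 10115280)]
    sector = bytearray(512)
    for i, (status, ptype, start, count) in enumerate(layout):
        struct.pack_into("<B3xB3xII", sector, 446 + 16 * i,
                         status, ptype, start, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

if __name__ == "__main__":
    for e in parse_mbr(build_sample_mbr()):
        flag = "*" if e["active"] else " "
        print(f"sda{e['index']} {flag} {e['start']:>10} {e['sectors']:>10} "
              f"{e['type']:>2x}  {e['name']}")
```

Checking which entry is active and what type it has before writing a boot loader to a partition's first sector is exactly the check that was skipped here.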

I didn't have to wait long for the results - GRUB works perfectly fine... i.e. when I chose Windows from the boot menu I was going back to the same menu - hmmmm... Let's go back to Linux and look around...

Growing white hair

Yes yes... if you made the same mistake as I did, surely your hair will start going white when you realize what was on that disk! The NTFS partition is destroyed - no way to mount it. The boot sector and MFT are gone.

There is, though, one important thing we have to keep in mind. FAT32 users won't have that problem - the first sector of the drive (512 bytes) is a boot-sector, followed by the actual FAT. GRUB installs exactly 512 bytes, so it will just overwrite the boot-sector without damaging the FAT. If you have FAT32 just boot Windows off the CD or floppy, go to the command line (that's all you need) and run fdisk /mbr to fix the problem. NTFS users don't have so much luck, because in NTFS the boot-sector has only 446 bytes followed immediately by the MFT (master file table - the logical equivalent of the FAT in the FAT32 file system). Obviously in such a case GRUB will overwrite 66 bytes of the MFT - say bye bye to your files!

Step 1 - rebuilding the system

First I decided to rebuild the boot-sector. Having a fully operational Linux on the disk I thought it would be easy. The first step is always to make a backup copy of what we'll be changing - the boot-sector. I decided to copy a bit more - 16 sectors should be enough. The ideal tool to do it is our good old friend - dd.

root@x60s:~# dd if=/dev/sda1 bs=512 of=broken_bootsect.bin count=16

This way we have a copy of first 16 sectors (8kB) of broken partition. This copy holds boot-sector and part of the broken MFT.

Step 2

We start a disktool program, set disk geometry (VERY IMPORTANT!), select Advanced and get information about our partition... and info, that the boot-sector doesn't match the copy (yes - THERE IS a copy!). If we want to recover our boot-sector that's fine. Few seconds later we get another message saying that MFT is also broken and we can recover it... honestly - don't bother, that was waste of time :-)

Step 3

I've lost quite a lot of time here - doing boot-sector recovery manually using dd (obviously) to write it to the disk. Anyway after reboot I got a beautiful BSOD... once again I've copied first sector and used hexedit to build a new MBR to put it back in place with dd. Another reboot and another BSOD (blue screen of death).

Step 4

The data can be recovered using Ontrack's tools (Hiren's Boot CD has some but their legality is rather 'questionable') but they are far from being speed demons and sometimes they simply die without any visible reason. The biggest question mark for me would be if they are legal - I guess the answer will be 'no', so I wouldn't use them...

Of course there are also great Open Source tools.

  1. Recovery Is Possible (RIP) - http://freshmeat.net/projects/recoveryispossible/
  2. Scrounge NTFS - http://memberwebs.com/stef/software/scrounge/

The first one makes a great first impression but unfortunately didn't work in my case for two reasons... you can't read NTFS partition (can't mount because MFT is broken so the partition is not recognized as anything mountable even with manually supplied parameters) and the hard drive is SATA - not all tools can detect those. If it can't detect the drive, it can't use it... even if it could, then NTFS is unusable so that's another problem... I didn't even have chance to test RIP properly.

Step 5 - Scrounge NTFS

Scrounge NTFS is a very interesting tool - as the author says, it can rebuild/recover data from broken partition and place them in another directory. Sounds perfect - works even better!

First of all, scrounge NTFS treats the source drive as READ-ONLY (software r/o - no write blocker, etc), it's really easy to use and terribly fast! Before we start recovering our data we should plan our actions and prepare the system for recovery process.

Step 6 - preparing disk space

Because I work quite a lot in Linux and my partition is full of various stuff I had to look in my drawer for some other disk for storage - 40GB USB drive sounds perfect :-) I've also estimated that I need about 14-16GB for data I plan to recover, I need long file names and a file system that is reliable - choice was simple - ext3. I've reformatted the disk creating one big ext3 partition and mounted it as /mnt/rescue - this will be the directory where I put all my recovered files.

Step 7 - all we need to know before we start

Scrounge NTFS requires a functional and working MFT to recover the files and directory structures. If we don't have an MFT (well - of course mine is broken), all recovered files will be placed in one directory (ouch - that will be one big mess!). Of course NTFS has a copy of the MFT but it's located in various places of the partition, depending on the Windows OS version. Scrounge NTFS can of course find this copy (given as an offset) by using the -l option.

root@x60s:~# scrounge-ntfs -l /dev/sda

    Start Sector    End Sector      Cluster Size    MFT Offset
==================================================================
Drive: /dev/sda
    63              39070017        8               6449840
    39070080        78140160        8               6291456
    117210303       119175839
    119175903       146180097
    146180160       10115280

As we can see the partition starts in sector 63, which is rather normal in PC type systems. We also have the address (MFT Offset) of the MFT copy we've been looking for. This MFT copy should have all the information about our file system - what it looked like before we destroyed our primary MFT, so Scrounge NTFS should be able to rebuild the whole directory structure, not just get back the files. Let's start data recovery and hope it will work!
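The Cluster Size and MFT Offset values can be cross-checked against a saved boot sector such as the broken_bootsect.bin from Step 1, and the sector can be compared byte by byte with a boot-sector copy. The sketch below is an added example, not part of the original post or of Scrounge NTFS; it uses the standard NTFS boot-sector field offsets, assumes the MFT offset is counted in sectors from the start of the partition, and runs on constructed sample sectors with hypothetical function names.

```python
import struct

def parse_ntfs_bpb(sector: bytes) -> dict:
    """Decode the NTFS parameter block from a 512-byte partition boot sector."""
    if len(sector) < 512:
        raise ValueError("need a full 512-byte sector")
    bps, spc = struct.unpack_from("<HB", sector, 0x0B)
    total, mft_lcn, mirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    sane = (sector[3:11] == b"NTFS    " and bps in (512, 1024, 2048, 4096)
            and spc in (1, 2, 4, 8, 16, 32, 64, 128))
    return {"looks_ntfs": sane,
            "signature_ok": sector[510:512] == b"\x55\xaa",
            "sectors_per_cluster": spc,
            "total_sectors": total,
            # Cluster numbers converted to sectors from the partition start.
            "mft_sector": mft_lcn * spc,
            "mftmirr_sector": mirr_lcn * spc}

def differing_ranges(a: bytes, b: bytes) -> list:
    """Byte ranges (start, end-exclusive) where two equal-length sectors differ."""
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges

def build_sample_sector() -> bytes:
    """Constructed NTFS boot sector: cluster size 8, MFT at sector 6449840."""
    s = bytearray(512)
    s[0:3] = b"\xeb\x52\x90"
    s[3:11] = b"NTFS    "
    struct.pack_into("<HB", s, 0x0B, 512, 8)
    # Total sectors and the MFTMirr cluster number (2) are made-up values.
    struct.pack_into("<QQQ", s, 0x28, 39070016, 6449840 // 8, 2)
    s[0x54:0x1FE] = b"\x90" * (0x1FE - 0x54)   # stand-in for boot code
    s[510:512] = b"\x55\xaa"
    return bytes(s)

def damage(sector: bytes) -> bytes:
    """Constructed damage: boot code replaced, parameter block left intact."""
    s = bytearray(sector)
    s[0x54:0x1FE] = b"\xcc" * (0x1FE - 0x54)
    return bytes(s)
```

On real data the two inputs would be the first 512 bytes of the saved image and the boot-sector copy; `differing_ranges` then shows exactly which bytes were overwritten before anything is written back with dd.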

Step 8 - getting the data back!

Having all the information at hand we can start recovery...

root@x60s:/mnt/rescue# scrounge-ntfs -m 6449840 -o /mnt/rescue /dev/sda 63 39070017

... as soon as we hit Enter we see the program copying our files to /mnt/rescue - wooow! After a few minutes I had 14GB of data - almost all files... almost all, because some compressed files recognized as belonging to Windows (hibernation file, swap file, etc.) were missing - anyway those are unimportant.

Step 9 - rebuilding OS

Before we can rebuild the OS we need to do a few more things, because the recovery software won't be able to recover or even install Windows from scratch. I've tested several applications - Lenovo Rescue and Recovery, which sits on the Lenovo utility partition and should revert the system to factory defaults (BTW - you can boot the utility partition only via GRUB now, the ThinkVantage button didn't work for me), couldn't do it, and neither could the Windows installer... nor Nero BackItUp from Nero 7 Platinium.

First the Lenovo way - when restoring to drive C: the tool just hangs... The Windows installer (when it finally started - it seems it didn't like the disk too much, so it needed much more time to start) threw its hands up in the air and displayed a BSOD. The last thing, which really worried me, was Nero BackItUp with its recovery disks (yes - I had to make them before!). The recovery tool is in fact a Linux distro in Live CD format that has all the tools to recover the data from dump files. Pretty well done, but all I got was a core dump and that's all I could get from my backup... Finally after several restarts I was able to see that the reason for this behavior was an error when parsing the disk layout / partition data, which suggests that the kernel can't tell what the type of my broken partition is.

Quick decision... change the partition type to something simple like FAT32 (using fdisk) and format it as FAT32 - all from Linux. The point was to make the partition mountable in any format to make sure that the system doesn't die at boot time.

root@x60s:~# mkfs.vfat -F 32 /dev/sda1

Unfortunately I didn't have a copy of my system made with Norton Ghost - I wonder if Norton would be capable of solving my problem. Another important or rather handy tip - I did a backup of my system using Nero BackItUp after I had most of the tools and software installed. After turning the partition into FAT32, Nero picked it up and started singing and dancing all over the place... After about 35 minutes I had my clean Windows back in place with all the important software (no garbage) I need... and a copy of all my old data on the USB drive.

Step 10 - summary

It's not the first (and surely not the last) time, that Open Source can deliver fantastic tools that simply do the job you expect... and believe me - I had A LOT to fight for... Booking and extras for our anniversary trip (my wife wouldn't be happy if I lost those), tickets and all other documents for all my trips planned for the next 6 months, records of all on-line payments (taxes, etc)... a lot of stuff in PDF format. I'm afraid to think what would happen if I lost it. All I can say now is that I was very very lucky and yet again Open Source - this time in form of Scrounge NTFS - made my day! Thank you.

Comparing Norton Ghost and Nero BackItUp

Having owned both tools for quite a long time I couldn't decide which one to use. My impression is that Ghost is faster and has a better compression rate, but Nero works with typical German precision - first it calculates a CRC for all files, locks the file system if possible, then burns the CD/DVD and at the end verifies the data on the media it has just recorded (and yes - you CAN'T turn it off). The whole process takes much longer than with Ghost but it's worth it. Another thing I like about it is the boot prompt when starting from the CD - first we see 'boot:', well known from Linux, then the kernel boots and we get a splash screen that is then replaced with a nice looking application screen. From there we can recover our data as with any other tool. Moreover - Nero had no problems with detecting the SATA drive and all the strange hardware I have (USB DVD drive among others). Maybe it is slow, but hey - it works!

On the other hand, if we are talking about doing backups on the fly, periodic backups or incremental ones I would choose Ghost, but for full system backup/restore Nero takes the lead!

Last thoughts

As we can see nothing is impossible, but obviously not everything is worth doing. For me, recovery of my private and job related files was definitely worth 3 days of time. During that time I've learned a lot (for example that the boot sector on an NTFS drive has 446 bytes and not 512, where the copies of the MFT are, etc.) and I've found yet another great Open Source piece of software!

I hope you will avoid such stupid mistakes as I made. Watch out when using dd - one typo in the parameters given and there will be nothing to recover from :-/

Additional thanks to Alex for ideas and kaspsior for catching typos :)

Disclaimer...

Please remember that by using any of the solutions, hints or any other information presented in this post you take full responsibility for your actions and that neither me nor any of the software authors takes responsibility for what may happen to your data as a result of your actions. This article is given as-is, use at your own risk.

If something works for me it doesn't mean it has or will work for you. The text of article or disclaimer may be changed at later time without any further notice.


Creative Commons License
This weblog is licensed under a Creative Commons License.