How to use WinHex to restore deleted files from an NTFS partition (Part 1)


Original article. Please credit the source when reprinting. Thank you!
Author: Qinglin, blog name: feikong jingdu

In this tutorial I use the simplest possible example to show how WinHex can recover a deleted file from an NTFS partition, so that the material from the previous article stays as simple as possible. The conditions of the recovery are:

1. The partition was freshly formatted, so it contains no other files.

2. The file is smaller than 1 KB, so its content is stored as a resident $DATA attribute inside the file's MFT record. The recovery therefore does not involve decoding data runs (the non-resident case is left for the next part).

This is the simplest file to recover, but the example establishes the general principle of NTFS data recovery: find the file record in the MFT, then read the data attribute.

Hope you like it :)

Let's start.

1. Create a text file

I quick-formatted my G: partition as NTFS. A quick format only rewrites the file system metadata; a full format additionally scans the disk for bad sectors (and on Windows Vista and later also writes zeros over the whole data area, which would destroy what we want to recover).

Then I created a text file in this partition (see figure).

The file is very simple and has little content. After saving it, look at its size in the file properties (see figure).

The file is 224 bytes. Remember this number; you can compare it against the size recorded in the MFT when you restore the file.

Then I deleted the file. Now, let's see how to restore it!

2. Use WinHex to open the partition

Run WinHex and choose Tools > Open Disk, then open drive G: (see figure).

In the directory listing at the top of the window, find the $MFT file, right-click it and choose Open to view the contents of the MFT (see the following two figures).

Why open $MFT rather than search the whole partition?

Because the record we need lives in the MFT. Searching the entire partition would take a long time on a large volume, whereas the $MFT file is much smaller: the largest I have encountered was about 1 GB (and that one I produced myself). You will rarely see an MFT that size unless the volume belongs to a server with heavy fragmentation and a very large number of small files. $MFT is itself a file; WinHex follows its extents for us, so we can search it as one contiguous stream.

Next choose Search > Find Text from the menu (see figure).

Enter the name of the file to restore, helloworld, and make sure the Unicode option is selected: NTFS stores file names in the $FILE_NAME attribute as UTF-16LE, so an ASCII search would not find it.

After a moment the search hits the name (see figure).

To get WinHex's colour highlighting of the record structure we need to look at the record in the partition window rather than in the raw $MFT file window. First note the offset of the search hit inside $MFT: 7450h. Switch to the partition window, click the $MFT file so that the cursor sits at the start of $MFT, then choose Position > Go To Offset from the menu.

Enter 7450 (hexadecimal) relative to the current position (see figure). Every MFT record is 1024 bytes (400h), so the hit at 7450h lies inside record 7450h / 400h = 29, which begins at 7400h.

This brings us to the file record (see figure).

On the left of the figure the file record number is 29, and the blue box shows the record signature, the ASCII string "FILE". How do we know this record describes a deleted file? Look at the record header, in the red box: the two-byte flags field at offset 16h of the record. Bit 0 (value 1) means the record is in use and bit 1 (value 2) means it describes a directory, so 0 is a deleted file, 1 a file in use, 2 a deleted directory and 3 a directory in use. In our case the file has been deleted and its record has not yet been reused, so the value is 0.

Now look for the $DATA attribute in the record. Its attribute type code is 80h, and WinHex's colour coding makes it easy to spot (orange box in the figure).

Here the data attribute is extracted for analysis (see figure).

Let's analyse the boxes one by one. The first red box is the attribute type, 80h, which identifies a $DATA attribute. The orange box is the non-resident flag at offset 08h of the attribute: 0 means the attribute is resident, that is, the file content is stored right inside this file record; 1 means it is non-resident, and the content has to be located by decoding the data runs that follow the attribute header. The non-resident case will be explained in the next part.

The four bytes in the blue box, at offset 10h of the attribute, give the length of the attribute value, in other words the file size: e0h, which is 224 in decimal. Compare this with the 224 bytes shown in the file properties earlier. The two bytes in the green box, at offset 14h of the attribute, give the offset of the value from the start of the attribute (the byte holding the 80h), here 18h. The attribute starts at 75b0h in $MFT, so the content begins at 75b0h + 18h = 75c8h.

From that offset we read the 224 bytes of file content, shown in the purple box.

One caveat before copying: NTFS protects every MFT record with an update sequence. On disk, the last two bytes of each 512-byte sector of the record are replaced by the update sequence number, and the original two bytes are kept in the update sequence array whose offset is stored in the record header at 04h (normally 30h). Our content runs from record offset 1c8h to 2a8h, which crosses the sector boundary at 1feh, so a raw copy contains the two bytes of the update sequence number in place of two bytes of file content. Put the two bytes from the update sequence array back before trusting the copy.

Finally, select the data with the mouse (the selected bytes change colour), right-click and choose Edit > Copy Block > Into New File (see figure).

Save the new file to a different partition. Never write into the partition you are recovering from, or you may overwrite the very data you are trying to restore.

Here I saved the file to another drive and named it helloworld.txt.
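The whole procedure carried out by hand above, as an added worked example in Python (this is not code from the original article or from WinHex): it constructs a synthetic 1024-byte MFT record for a deleted helloworld.txt whose $DATA attribute is resident, searches a small constructed $MFT image for the UTF-16LE name the way the Unicode text search does, decodes the flags word at record offset 16h, walks the attributes to the 80h attribute, reads the value length at 10h and value offset at 14h of the attribute, and extracts the content. It applies the NTFS update sequence fixups first and shows that a raw copy of a value crossing the 512-byte sector boundary differs from the real content by two bytes. The file name, contents, DOS short name and update sequence number are assumptions constructed for the example; the record and attribute layout follow the NTFS on-disk format, not the exact bytes of the record in the screenshots.

```python
import struct

SECTOR, RECORD = 512, 1024
ATTR_STD_INFO, ATTR_FILE_NAME, ATTR_DATA, ATTR_END = 0x10, 0x30, 0x80, 0xFFFFFFFF

# Constructed sample data for this example (not a dump of a real disk).
FILE_NAME = "helloworld.txt"
CONTENT = b"hello world\r\n" * 17 + b"bye"   # 224 bytes, the same size as the article's file
USN = 0x0007                                 # update sequence number stamped on every sector of the record


def build_resident_attr(atype, value, attr_id):
    """Resident attribute: 0x18-byte header with value length at 0x10 and value offset at 0x14."""
    total = (0x18 + len(value) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, attr_id, len(value), 0x18, 0, 0)
    return hdr + value + bytes(total - 0x18 - len(value))


def build_file_name_value(name, namespace):
    """$FILE_NAME value: 0x42 bytes of parent ref, timestamps, sizes, flags (zeroed here), then UTF-16LE name."""
    v = bytearray(0x42)
    v[0x40], v[0x41] = len(name), namespace
    return bytes(v) + name.encode("utf-16-le")


def build_record(attrs, record_no, flags):
    """A 1024-byte FILE record as it lies on disk: the last word of each 512-byte sector is
    overwritten with the USN and the real word is saved in the update sequence array at 0x30."""
    rec = bytearray(RECORD)
    body = b"".join(attrs) + struct.pack("<I", ATTR_END) + bytes(4)
    rec[:4] = b"FILE"
    struct.pack_into("<HH", rec, 0x04, 0x30, 1 + RECORD // SECTOR)                  # USA offset, USA words
    struct.pack_into("<HH", rec, 0x10, 1, 1)                                         # sequence no., hard links
    struct.pack_into("<HHII", rec, 0x14, 0x38, flags, 0x38 + len(body), RECORD)      # first attr, flags, used, alloc
    struct.pack_into("<HHI", rec, 0x28, len(attrs) + 1, 0, record_no)                # next attr id, pad, record no.
    rec[0x38:0x38 + len(body)] = body
    struct.pack_into("<H", rec, 0x30, USN)
    for i in range(RECORD // SECTOR):
        end = (i + 1) * SECTOR - 2
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[end:end + 2]
        struct.pack_into("<H", rec, end, USN)
    return bytes(rec)


def build_sample_mft():
    """29 blank records, then record 29: a deleted file (flags 0) with Win32 name, DOS name and resident $DATA."""
    attrs = [
        build_resident_attr(ATTR_STD_INFO, bytes(0x48), 0),
        build_resident_attr(ATTR_FILE_NAME, build_file_name_value(FILE_NAME, 1), 1),
        build_resident_attr(ATTR_FILE_NAME, build_file_name_value("HELLOW~1.TXT", 2), 2),
        build_resident_attr(ATTR_DATA, CONTENT, 3),
    ]
    return bytes(RECORD * 29) + build_record(attrs, 29, 0)


def find_name(mft, name):
    """The 'Search > Find Text, Unicode' step: $FILE_NAME stores names as UTF-16LE. Returns (offset, record)."""
    needle, hits, pos = name.encode("utf-16-le"), [], -1
    while (pos := mft.find(needle, pos + 1)) != -1:
        hits.append((pos, pos // RECORD))
    return hits


def apply_fixups(raw):
    """Undo the multi-sector transfer protection before reading anything past the header."""
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record")
    usa_off, usa_count = struct.unpack_from("<HH", raw, 0x04)
    rec, usn = bytearray(raw), raw[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * SECTOR - 2
        if rec[end:end + 2] != usn:
            raise ValueError("update sequence mismatch: torn write or not a valid record")
        rec[end:end + 2] = raw[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def describe_flags(flags):
    """Flags word at record offset 0x16: bit 0 = in use, bit 1 = directory."""
    return f"{'directory' if flags & 0x02 else 'file'} {'in use' if flags & 0x01 else 'deleted'}"


def iter_attributes(rec):
    off = struct.unpack_from("<H", rec, 0x14)[0]
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            return
        yield atype, rec[off:off + alen]
        off += alen


def resident_value(attr):
    if attr[0x08] != 0:        # non-resident: the header holds data runs, not content (the next part's topic)
        return None
    vlen, voff = struct.unpack_from("<IH", attr, 0x10)
    return attr[voff:voff + vlen]


def recover_resident_data(mft, record_no, fix=True):
    """Return (state, names, data) for one record; fix=False mimics copying the raw bytes out of WinHex."""
    raw = mft[record_no * RECORD:(record_no + 1) * RECORD]
    rec = apply_fixups(raw) if fix else raw
    names, data = [], None
    for atype, attr in iter_attributes(rec):
        if atype == ATTR_FILE_NAME:
            v = resident_value(attr)
            names.append(v[0x42:0x42 + 2 * v[0x40]].decode("utf-16-le"))
        elif atype == ATTR_DATA and attr[0x09] == 0:   # the unnamed $DATA stream
            data = resident_value(attr)
    return describe_flags(struct.unpack_from("<H", rec, 0x16)[0]), names, data


if __name__ == "__main__":
    mft = build_sample_mft()
    for hit, rec_no in find_name(mft, "helloworld"):
        state, names, data = recover_resident_data(mft, rec_no)
        _, _, naive = recover_resident_data(mft, rec_no, fix=False)
        print(f"hit at {hit:#x} -> record {rec_no}: {state}, {names}, {len(data)} bytes")
        print("raw copy matches fixed-up content:", naive == data)
```

In the sample the content starts at record offset 1a0h and ends at 280h, so it straddles the sector boundary at 1feh exactly as the article's record does; the raw copy comes back with the USN bytes where two characters of text should be, while the fixed-up copy equals the original 224 bytes. The same parser can be pointed at a real $MFT extracted with WinHex, with the record number taken from the hit offset divided by 400h.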

Finally, open the recovered file (see figure).

File recovered!

More complex recovery, where the $DATA attribute is non-resident, will be covered in the next part.
