All of a deleted file's data runs can still be read from its leftover MFT record, but the fewer runs the file has (that is, the less fragmented it is, ideally a single run), the smaller the chance that some of its clusters have already been overwritten and the higher the probability of a complete recovery. The following describes how to manually recover a file that was accidentally deleted from an NTFS volume.
1. The file to be recovered
The file to be recovered is shown in Figure 5-1. Assume that it has been deleted by accident.
Figure 5-1 The file to be deleted on the NTFS volume
2. Find the MFT record of the file
First, use WinHex to open the logical drive (partition) on which the file was stored, as shown in Figure 5-2.
Figure 5-2 Selecting the disk partition
With the partition open, go to the start of its $MFT, as shown in Figure 5-3.
Figure 5-3 Jumping to the starting position of the $MFT
3. Recover the data
Inside the partition's $MFT, search for the file's MFT record by its file name, as shown in Figure 5-4. NTFS stores file names in the $FILE_NAME attribute as UTF-16, so the search must be a Unicode text search; an ASCII search for the name will not find the record.
Figure 5-4 Searching for the MFT record of the file
The result is shown in Figure 5-5.
Figure 5-5 MFT record of the deleted file
Now look at the MFT record header. The two-byte flags field at offset 16h of the record is 0, which marks the record as not in use: the file has been deleted (1 would mean in use, 2 a directory). When NTFS creates a new file it may reuse this record, and the clusters the record points to may be handed to another file at any time, so the record and the data survive only until that happens.

The 10h attribute ($STANDARD_INFORMATION) is not analyzed here; it only matters if the recovered file must keep exactly the same timestamps as before, which users rarely require. The 30h attribute ($FILE_NAME) is not analyzed either. The key is the 80h attribute, $DATA. Of everything this attribute describes, two pieces of information matter most for recovery. The 8 bytes at offset 00C12DD160h hold the real size of the file, 506Eh = 20,590 bytes. The data-run list starts at offset 00C12DD170h and reads 41h 06h 83h 0Bh 90h 00h. The header byte 41h says that the run length is stored in 1 byte (low nibble) and the starting logical cluster number in 4 bytes (high nibble): the run occupies 06h clusters and starts at logical cluster number 900B83h. Six clusters for 20,590 bytes implies a cluster size of at least 4 KB, the NTFS default; the bytes beyond 20,590 in the last cluster are slack. Note that only the first run's start is absolute: in a fragmented file each later run stores a signed offset relative to the start of the previous run, and the 00h byte terminates the list. With the starting cluster, the number of clusters in the run and the real size of the file known, restoring the file data is straightforward.
In WinHex choose Position | Go To Sector..., enter 9440131 (900B83h converted to decimal) in the Cluster box of the dialog and click OK. The cursor lands on the first byte of the file data; it reads FF D8 FF, the start-of-image marker every JPEG begins with, which confirms that the run points at the right place. Right-click that byte and choose Beginning of block, as shown in Figure 5-6.
Figure 5-6 Start position of the file
Next choose Position | Go To Offset... in WinHex. In the Go To Offset dialog enter 20590 (506Eh converted to decimal) and make the jump relative to the current position, as shown in Figure 5-7.
Figure 5-7 Go To Offset dialog
Click OK and the cursor moves to the end of the file. Because the file occupies offsets 0 through 20,589 relative to its start, the cursor now sits on the first byte after the file; right-click the byte before it and choose End of block, as shown in Figure 5-8, and the whole file data is selected. WinHex shows the size of the selected block, which should be exactly 20,590 bytes; a block that is one byte too long will still open as a JPEG, but its hash will not match the original.
Figure 5-8 Locating the end position of the file
With the data selected, right-click anywhere in the selected block and choose Edit | Copy Block | Into New File..., as shown in Figure 5-9.
Figure 5-9 Copying the selected data
Name the file and save it to the chosen path, as shown in Figure 5-10. Save it to a different volume: writing the recovered file onto the volume being recovered can allocate and overwrite the very clusters still holding data of other deleted files.
Figure 5-10 Saving the file
After the file has been saved, close WinHex and open the file from the saved path. The data has been recovered; Figure 5-11 shows the recovered file.
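The same recovery, done programmatically as an added example rather than by hand in WinHex (this code is not from the original page): it checks the flags word at record offset 16h, applies the record's update-sequence fixups, walks the attributes to the unnamed $DATA attribute, decodes the data-run list (including the page's own run 41 06 83 0B 90 00) and copies the clusters out of a volume image, cutting the result to the real size. It goes beyond the page's single-run case by handling a fragmented file with two runs, the relative-offset encoding of the second run, and sparse runs. The MFT record, the 16-cluster image and the JPEG-like payload are constructed inline; the 512-byte cluster size is an assumption chosen to keep the sample small (a real volume typically uses 4096, and you would read the value from the boot sector).

```python
import struct

CLUSTER_SIZE = 512  # assumption: tiny clusters keep the constructed image small (real NTFS: 4096)

def decode_data_runs(runs: bytes) -> list:
    """[(start_lcn, clusters), ...]; header byte: low nibble = length width,
    high nibble = signed LCN-delta width (absolute for the first run); 0x00 ends."""
    result, pos, lcn = [], 0, 0
    while pos < len(runs) and runs[pos] != 0:
        len_w, off_w = runs[pos] & 0x0F, runs[pos] >> 4
        pos += 1
        count = int.from_bytes(runs[pos:pos + len_w], "little")
        pos += len_w
        if off_w == 0:                              # sparse run: no clusters on disk
            result.append((None, count))
            continue
        lcn += int.from_bytes(runs[pos:pos + off_w], "little", signed=True)
        pos += off_w
        result.append((lcn, count))
    return result

def apply_fixups(record: bytes) -> bytes:
    """NTFS stamps the last word of each 512-byte sector with the USN and keeps the
    real words in the update sequence array; put them back before parsing."""
    usa_off, usa_cnt = struct.unpack_from("<HH", record, 4)
    usn, buf = record[usa_off:usa_off + 2], bytearray(record)
    for i in range(1, usa_cnt):
        end = i * 512 - 2
        if buf[end:end + 2] != usn:
            raise ValueError("USN mismatch: torn or corrupt record")
        buf[end:end + 2] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def parse_record(record: bytes) -> dict:
    """Flags at 0x16 (bit 0 = in use) plus size and runs of the unnamed $DATA (0x80)."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    record = apply_fixups(record)
    pos, flags = struct.unpack_from("<HH", record, 0x14)
    info = {"in_use": bool(flags & 1), "real_size": None, "runs": None, "resident": None}
    while pos + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, pos)
        if atype == 0xFFFFFFFF or alen == 0:        # end-of-attributes marker
            break
        if atype == 0x80 and record[pos + 9] == 0:  # unnamed $DATA (a name would mean an ADS)
            if record[pos + 8]:                     # non-resident: clusters described by runs
                run_off = struct.unpack_from("<H", record, pos + 0x20)[0]
                info["real_size"] = struct.unpack_from("<Q", record, pos + 0x30)[0]
                info["runs"] = decode_data_runs(record[pos + run_off:pos + alen])
            else:                                   # resident: content sits inside the record
                size, off = struct.unpack_from("<IH", record, pos + 0x10)
                info["resident"] = record[pos + off:pos + off + size]
            break
        pos += alen                                 # skip 0x10, 0x30 and any other attribute
    return info

def recover_file(record: bytes, image: bytes, cluster_size: int = CLUSTER_SIZE) -> bytes:
    """Copy every run out of the volume image and cut the result to the real size."""
    info = parse_record(record)
    if info["resident"] is not None:
        return info["resident"]
    if info["runs"] is None:
        raise ValueError("record has no $DATA attribute")
    out = bytearray()
    for lcn, count in info["runs"]:
        out += b"\0" * (count * cluster_size) if lcn is None else \
            image[lcn * cluster_size:(lcn + count) * cluster_size]
    return bytes(out[:info["real_size"]])

def build_sample():
    """Constructed data: a deleted, fragmented JPEG-like file (2 clusters at LCN 5,
    then 1 cluster at LCN 3) and the 1024-byte MFT record that describes it."""
    original = b"\xff\xd8\xff\xe0" + bytes(range(256)) * 5 + b"\xff\xd9"  # 1286 bytes
    runs = bytes.fromhex("110205" "1101fe" "00")   # 2 clusters at +5, 1 cluster at -2, end
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)        # USA at 0x30: USN + one word per sector
    struct.pack_into("<HH", rec, 0x14, 0x38, 0)     # first attribute at 0x38; flags 0 = deleted
    struct.pack_into("<IIB", rec, 0x38, 0x10, 0x60, 0)  # resident $STANDARD_INFORMATION, skipped
    d, alen = 0x38 + 0x60, 0x40 + len(runs) + (-len(runs) % 8)
    struct.pack_into("<IIB", rec, d, 0x80, alen, 1)        # non-resident $DATA
    struct.pack_into("<QQH", rec, d + 0x10, 0, 2, 0x40)    # start VCN, last VCN, run-list offset
    struct.pack_into("<QQQ", rec, d + 0x28, 3 * CLUSTER_SIZE, len(original), len(original))
    rec[d + 0x40:d + 0x40 + len(runs)] = runs
    struct.pack_into("<I", rec, d + alen, 0xFFFFFFFF)
    struct.pack_into("<H", rec, 0x30, 7)            # USN = 7; stamp both sector ends
    for i in (1, 2):
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[i * 512 - 2:i * 512]
        struct.pack_into("<H", rec, i * 512 - 2, 7)
    image = bytearray(b"\xaa" * (16 * CLUSTER_SIZE))  # unrelated data everywhere else
    image[5 * CLUSTER_SIZE:7 * CLUSTER_SIZE] = original[:2 * CLUSTER_SIZE]
    tail = original[2 * CLUSTER_SIZE:]
    image[3 * CLUSTER_SIZE:3 * CLUSTER_SIZE + len(tail)] = tail
    return bytes(rec), bytes(image), original

if __name__ == "__main__":
    rec, image, original = build_sample()
    print(parse_record(rec)["runs"], recover_file(rec, image) == original)
    print(decode_data_runs(bytes.fromhex("4106830b9000")))  # the page's run: [(9440131, 6)]
```

Against a real volume you would read the 1024-byte record from the $MFT, pass the raw volume (opened read-only) as `image`, and take the cluster size from the boot sector; the fixup check is what tells you whether the leftover record is intact or was half-rewritten when it was reused.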