Manually recovering files deleted by mistake in NTFS volumes

  
For data recovery, all of a deleted file's data runs can still be found in its residual MFT record. The fewer data runs there are, the less fragmented the file is, the less likely it is to have been overwritten, and the higher the probability of recovery. The following is the process of manually recovering a file deleted by mistake from an NTFS volume.

1. The file to be restored

As described above, when a file in an NTFS volume is deleted, its MFT record is not deleted. The following example restores a deleted file in an NTFS volume. Assume that the user's NTFS volume is drive D and that it contains a directory called photo, which holds a file called "penquan.jpg", as shown in Figure 5-1. Suppose the user accidentally deletes this file.

Figure 5-1 Files to be deleted in the NTFS volume

2. Locate the MFT of the file you want to restore

First use WinHex to open the logical disk where the file was located, as shown in Figure 5-2.

Figure 5-2 Selecting a disk partition

Open the partition of the disk and find the MFT of the partition, as shown in Figure 5-3.

Figure 5-3 Go to the beginning of the MFT

3. Recover the data

After finding the $MFT of the partition, find the MFT record of the file by searching for the file name, as shown in Figure 5-4.

Figure 5-4 Find

The MFT record found for the file is shown in Figure 5-5.

Figure 5-5 MFT of deleted file

First look at the MFT header. The value at offset 15.16H is 0, which indicates that the file has been deleted. When creating a new file, the system uses this value to decide whether it may overwrite this record and reuse it as the new file's own MFT record.

The 10H attribute is not analyzed. It only matters if all the time attributes of the restored file must be the same as before, and users generally do not have such high requirements, so the 10H attribute is skipped. The 30H attribute is not analyzed here either.

The key is to analyze the 80H attribute, that is, the data attribute. Of everything the attribute describes, two pieces of information are the most useful for recovering the data. The first is the 8-byte field starting at offset 00C12DD160H, which holds the actual size of the file, 506E, in bytes. The second is the data run description starting at offset 00C12DD170H, here the hexadecimal bytes 41H 06H 83H 0BH 90H 00H. 41H specifies that it is followed by 1 byte giving the number of clusters in the file's data run and 4 bytes giving the starting logical cluster number of the data run. So this run occupies 06 clusters, and its starting logical cluster number is 900B83H.

Knowing the starting cluster number and the actual size of the data run, and even the number of clusters in the run, it is easy to recover the file data. Select "Location" in WinHex
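The data run decoding described above, as an added Python example that is not part of the original article, checked against the bytes 41H 06H 83H 0BH 90H 00H. It goes beyond the single-run case in the text by also handling fragmented files (signed, relative cluster offsets) and sparse runs; the function names and the 4096-byte cluster size are assumptions, since the article does not state the cluster size.

```python
def decode_data_runs(raw: bytes):
    """Return [(start_lcn, cluster_count)]; start_lcn is None for a sparse run."""
    runs, pos, lcn = [], 0, 0
    while pos < len(raw) and raw[pos] != 0x00:    # a 00H header byte ends the list
        len_size = raw[pos] & 0x0F                # low nibble: size of the count field
        off_size = raw[pos] >> 4                  # high nibble: size of the LCN field
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(raw):
            raise ValueError("truncated or malformed data run")
        count = int.from_bytes(raw[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:                         # sparse run: nothing stored on disk
            runs.append((None, count))
            continue
        # The LCN field is signed and relative to the previous run's start.
        delta = int.from_bytes(raw[pos:pos + off_size], "little", signed=True)
        pos += off_size
        lcn += delta
        runs.append((lcn, count))
    return runs


def extraction_plan(runs, real_size, cluster_size):
    """Return [(volume_byte_offset, byte_length)] per run, trimmed to real_size."""
    plan, remaining = [], real_size
    for lcn, count in runs:
        if remaining <= 0:
            break
        take = min(count * cluster_size, remaining)   # last run drops cluster slack
        plan.append((None if lcn is None else lcn * cluster_size, take))
        remaining -= take
    if remaining > 0:
        raise ValueError("data runs do not cover the file's real size")
    return plan


# Run bytes quoted in the article; the 00H list terminator is appended here.
PAGE_RUNS = bytes.fromhex("41 06 83 0B 90 00") + b"\x00"
REAL_SIZE = 0x506E       # actual file size from the article, read as hexadecimal
CLUSTER_SIZE = 4096      # assumption: the article does not give the cluster size

if __name__ == "__main__":
    runs = decode_data_runs(PAGE_RUNS)
    for offset, length in extraction_plan(runs, REAL_SIZE, CLUSTER_SIZE):
        print(f"copy {length} bytes starting at volume offset {offset:#x}")
```

Copying only the real size rather than all 6 clusters leaves out the slack bytes after the end of the file in the last cluster.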