It really wasn't one of the hard cases, except for one small detail: my colleague had nothing to copy the data onto, so the partition itself had to be repaired, and that is not as rosy as it might seem.
This is our $mft. If we look at the $data attribute, we see that the $mft file itself has only one run, 8 clusters long.
0x0000 46 49 4C 45 30 00 03 00 F9 0E 00 02 00 00 00 00 FILE0...ù.......
0x0010 01 00 01 00 38 00 01 00 98 01 00 00 00 04 00 00 ....8...˜.......
0x0020 00 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 ................
0x0030 03 00 00 00 00 00 00 00 10 00 00 00 60 00 00 00 ............`...
0x0040 00 00 18 00 00 00 00 00 48 00 00 00 18 00 00 00 ........H.......
0x0050 80 88 68 9C F3 B9 C8 01 80 88 68 9C F3 B9 C8 01 €ˆhœó¹È.€ˆhœó¹È.
0x0060 80 88 68 9C F3 B9 C8 01 80 88 68 9C F3 B9 C8 01 €ˆhœó¹È.€ˆhœó¹È.
0x0070 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0080 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 ................
0x0090 00 00 00 00 00 00 00 00 30 00 00 00 68 00 00 00 ........0...h...
0x00A0 00 00 18 00 00 00 03 00 4A 00 00 00 18 00 01 00 ........J.......
0x00B0 05 00 00 00 00 00 05 00 80 88 68 9C F3 B9 C8 01 ........€ˆhœó¹È.
0x00C0 80 88 68 9C F3 B9 C8 01 80 88 68 9C F3 B9 C8 01 €ˆhœó¹È.€ˆhœó¹È.
0x00D0 80 88 68 9C F3 B9 C8 01 00 40 00 00 00 00 00 00 €ˆhœó¹È..@......
0x00E0 00 40 00 00 00 00 00 00 06 00 00 00 00 00 00 00 .@..............
0x00F0 04 03 24 00 4D 00 46 00 54 00 00 00 00 00 00 00 ..$.M.F.T.......
0x0100 80 00 00 00 48 00 00 00 01 00 40 00 00 00 01 00 €...H.....@.....
0x0110 00 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 ................
0x0120 40 00 00 00 00 00 00 00 00 80 00 00 00 00 00 00 @........€......
0x0130 00 80 00 00 00 00 00 00 00 80 00 00 00 00 00 00 .€.......€......
0x0140 31 08 00 00 0C 00 01 00 B0 00 00 00 48 00 00 00 1.......°...H...
0x0150 01 00 40 00 00 00 05 00 00 00 00 00 00 00 00 00 ..@.............
0x0160 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0x0170 00 10 00 00 00 00 00 00 08 00 00 00 00 00 00 00 ................
0x0180 08 00 00 00 00 00 00 00 31 01 FF FF 0B 00 00 00 ........1.ÿÿ....
0x0190 FF FF FF FF 00 00 00 00 40 00 00 00 00 00 00 00 ÿÿÿÿ....@.......
0x01A0 00 80 00 00 00 00 00 00 00 80 00 00 00 00 00 00 .€.......€......
0x01B0 00 80 00 00 00 00 00 00 31 08 00 00 0C 00 01 00 .€......1.......
0x01C0 B0 00 00 00 48 00 00 00 01 00 40 00 00 00 05 00 °...H.....@.....
0x01D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x01E0 40 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 @...............
0x01F0 08 00 00 00 00 00 00 00 08 00 00 00 00 00 03 00 ................
0x0200 31 01 FF FF 0B 00 00 00 FF FF FF FF 00 00 00 00 1.ÿÿ....ÿÿÿÿ....
0x0210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0250 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0270 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0280 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x02A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x02B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x02C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x02D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x02E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x02F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0300 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0310 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0320 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0350 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0370 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0380 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x03A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x03B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x03C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x03D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x03E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x03F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 ................
This is our $data attribute. We look at offset 20h from the start of the attribute and see that our run list starts at offset 40h from the start of the attribute. There we see
this extent list: 31 08 00 00 0C 00, which corresponds to a single run that starts at cluster 786432 (C0000) and is 8 (8h) clusters long.
From what we have, it is clear that all that remains is to find the $mft runs and write them into the run list. This way we can rebuild the $mft data runs and repair the partition in place, without copying any data to another medium. For the whole operation it would be enough to rebuild the run list, allocated size, real size and compressed size, and for that
we have to collect all the $mft runs. If we are lucky, our $mft will not be fragmented, which is how it turned out in the end.
0x0000 80 00 00 00 48 00 00 00 01 00 40 00 00 00 01 00 €...H.....@.....
0x0010 00 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 ................
0x0020 40 00 00 00 00 00 00 00 00 80 00 00 00 00 00 00 @........€......
0x0030 00 80 00 00 00 00 00 00 00 80 00 00 00 00 00 00 .€.......€......
0x0040 31 08 00 00 0C 00 01 00 1.......
After analysing the MFT: the records start at LBA 6291519 and the last FILE signature is at LBA 6488063, which means we have an unfragmented extent 196544 sectors long (24568 (5FF8) clusters). Now we only have to write this into the run list, calculate the values of allocated size, real size and compressed size in bytes (100630528 B), convert that to hex (5FF8000) and write it into the corresponding fields as well. We can also calculate and write the last VCN right away: the first VCN is 0, so the last will be 24567.
0x0000 80 00 00 00 48 00 00 00 01 00 40 00 00 00 01 00 €...H.....@.....
0x0010 00 00 00 00 00 00 00 00 F7 5F 00 00 00 00 00 00 ........÷_......
0x0020 40 00 00 00 00 00 00 00 00 80 FF 05 00 00 00 00 @........€ÿ.....
0x0030 00 80 FF 05 00 00 00 00 00 80 FF 05 00 00 00 00 .€ÿ......€ÿ.....
0x0040 32 F8 5F 00 00 0C 00 00 2ø_.....
This is what $data looks like after editing. Once we have checked everything, we run chkdsk and wait. In this case the result was 100% of the data recovered, without copying it to another medium. That's all.
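
The manual edit above can be reproduced and cross-checked in code. The following is an added example, not part of the original post: it decodes the run list from the post's $data attribute, then rebuilds the run list, the last VCN and the three size fields for the single 24568-cluster extent. The function names are hypothetical, and 512-byte sectors (4096-byte clusters) are assumed.

```python
import struct

BYTES_PER_CLUSTER = 4096  # 8 sectors per cluster (page); 512-byte sectors assumed
ORIGINAL = bytes.fromhex(  # $data attribute before the edit, from the page's dump
    "80000000480000000100400000000100" "00000000000000000700000000000000"
    "40000000000000000080000000000000" "00800000000000000080000000000000"
    "310800000C000100")

def decode_runs(buf):
    """Decode a run list into (start_lcn, clusters); starts are signed deltas."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos]:
        len_sz, off_sz = buf[pos] & 0x0F, buf[pos] >> 4
        end = pos + 1 + len_sz + off_sz
        if len_sz == 0 or end > len(buf):
            raise ValueError("malformed run list")
        length = int.from_bytes(buf[pos + 1:pos + 1 + len_sz], "little")
        lcn += int.from_bytes(buf[pos + 1 + len_sz:end], "little", signed=True)
        runs.append((lcn, length))
        pos = end
    return runs

def _minimal(value):
    n = 1  # find the shortest little-endian two's-complement encoding
    while not -(1 << (8 * n - 1)) <= value < (1 << (8 * n - 1)):
        n += 1
    return value.to_bytes(n, "little", signed=True)

def encode_runs(runs):
    out, prev = bytearray(), 0
    for lcn, length in runs:
        ln, off = _minimal(length), _minimal(lcn - prev)
        out += bytes([len(off) << 4 | len(ln)]) + ln + off
        prev = lcn
    return bytes(out) + b"\x00"  # a zero header byte ends the list

def patch_data_attr(attr, runs):
    """Return attr with run list, last VCN and the three size fields rebuilt."""
    attr = bytearray(attr)
    attr_type, attr_len = struct.unpack_from("<II", attr, 0)
    runs_off = struct.unpack_from("<H", attr, 0x20)[0]
    encoded = encode_runs(runs)
    if attr_type != 0x80 or attr[8] != 1 or runs_off + len(encoded) > attr_len:
        raise ValueError("not a non-resident $DATA, or run list does not fit")
    clusters = sum(length for _, length in runs)
    struct.pack_into("<q", attr, 0x18, clusters - 1)  # last VCN
    # the three size fields at 0x28, 0x30 and 0x38 all get the same byte count
    struct.pack_into("<3q", attr, 0x28, *[clusters * BYTES_PER_CLUSTER] * 3)
    attr[runs_off:attr_len] = encoded.ljust(attr_len - runs_off, b"\x00")
    return bytes(attr)
```

Calling `patch_data_attr(ORIGINAL, [(0xC0000, (6488063 - 6291519) // 8)])` yields the same 72 bytes as the edited attribute shown in the post, which is a useful check before writing anything back to disk.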