Active@ File Recovery and Defining Cluster Chains on NTFS

Example of defining cluster chains on NTFS

When recovering files on an NTFS volume, part of the DATA attribute (called Data Runs) gives the location of the file's clusters. In most cases, DATA attributes are stored inside an MFT record, so the MFT record found for the deleted file will most likely be enough to determine the file's cluster chain.

In the example below, the DATA attribute is marked in green. The Data Runs within it are marked in bold.

Data Runs need to be decoded. The first byte (0x31) shows how many bytes are allocated for the length of the run (0x1 in this case) and for the first cluster offset (0x3 in this case). Next, take one byte (0x6E) that gives the length of the run. Then pick up the 3 bytes that give the start cluster offset (0xEBC404).

Changing the byte order, it is determined that the first cluster of the file is 312555 (equals 0x04C4EB). Starting from this cluster, it is necessary to pick up 110 clusters (equals 0x6E). The next byte (0x00) indicates that no more data runs exist. The file is not fragmented, so there is only one data run.

Here is a review to check whether there is enough information about the file's data:

Cluster size is 512 bytes.

There are 110 clusters: 110*512 = 56320 bytes.

The file size was defined as 56320 bytes, so there is enough information now to recover the file clusters.
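The decoding steps above, written out as an added Python example (not code from the original page or from Active@ File Recovery). It goes beyond the page's single-run case by also handling fragmented files, where each later offset is a signed value relative to the previous run's start cluster, and sparse runs that carry no offset field. The function names and the second sample byte string are constructed for illustration.

```python
def parse_data_runs(raw: bytes):
    """Decode an NTFS data-run list into (start_cluster, cluster_count) tuples.

    start_cluster is None for a sparse run (no clusters allocated on disk).
    """
    runs = []
    pos = 0
    prev_lcn = 0  # the first offset is absolute; later ones are relative
    while pos < len(raw) and raw[pos] != 0x00:  # a 0x00 header ends the list
        header = raw[pos]
        len_size = header & 0x0F  # low nibble: bytes in the run-length field
        off_size = header >> 4    # high nibble: bytes in the offset field
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(raw):
            raise ValueError(f"malformed or truncated data run at byte {pos - 1}")
        # Both fields are little-endian, hence the byte-order change.
        count = int.from_bytes(raw[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((None, count))  # sparse run: nothing to read from disk
        else:
            delta = int.from_bytes(raw[pos:pos + off_size], "little", signed=True)
            prev_lcn += delta
            if prev_lcn < 0:
                raise ValueError("run offset points before the start of the volume")
            runs.append((prev_lcn, count))
            pos += off_size
    return runs


def allocated_bytes(runs, cluster_size):
    """Bytes covered by the runs that actually occupy clusters on disk."""
    return sum(count for lcn, count in runs if lcn is not None) * cluster_size


def covers_file(runs, cluster_size, file_size):
    """The page's final check: do the runs hold at least file_size bytes?"""
    return allocated_bytes(runs, cluster_size) >= file_size


# Data runs from the page's example: header 0x31, length 0x6E, offset EB C4 04.
PAGE_RUNS = bytes.fromhex("316EEBC40400")
# Constructed sample: the same run, then a 5-cluster fragment located 10
# clusters earlier (offset F6 FF = -10), then a 3-cluster sparse run.
FRAGMENTED_RUNS = bytes.fromhex("316EEBC404" "2105F6FF" "0103" "00")

if __name__ == "__main__":
    print(parse_data_runs(PAGE_RUNS), allocated_bytes(parse_data_runs(PAGE_RUNS), 512))
    print(parse_data_runs(FRAGMENTED_RUNS))
```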


  1. DO NOT WRITE ANYTHING ONTO THE DRIVE CONTAINING YOUR IMPORTANT DATA THAT HAS JUST BEEN ACCIDENTALLY DELETED! Even the installation of data recovery software could spoil your sensitive data. If the data is really important to you and you do not have another logical drive to install the software to, take the whole hard drive out of the computer and plug it into another computer where data recovery software has already been installed or use recovery software that does not require installation. For example, recovery software which is capable of running from a bootable CD / USB media.
  2. DO NOT TRY TO SAVE DATA THAT YOU FOUND AND ARE TRYING TO RECOVER ONTO THE SAME DRIVE! Saving recovered data onto the same drive where sensitive data is located can hinder the recovery process by overwriting FAT/MFT records for this and other deleted entries. It's best to save data onto another logical, removable, network or floppy drive.