Pending OP Response NTFS MFT & BitMap of one Drive cut into another drive!!

  • Hi there and welcome to PC Help Forum (PCHF), a more effective way to get the Tech Support you need!
    We have Experts in all areas of Tech, including Malware Removal, Crash Fixing and BSOD's , Microsoft Windows, Computer DIY and PC Hardware, Networking, Gaming, Tablets and iPads, General and Specific Software Support and so much more.

    Why not Click Here To Sign Up and start enjoying great FREE Tech Support.

    This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Welcome to our Community
Wanting to join the rest of our members? Feel free to sign up today.
Sign up

Brickstin

PCHF Member
PCHF Member
Apr 6, 2019
4
0
35
so a few days ago.. i was using two External SAta TO USb Connectors, one was connected to a 1.0 Terabyte Drive, another was connected to a 1.5 Terabyte Drive.

Now i hadn't used them for a long time but for some reason my 1.0 Tera only worked with a specific USB to Sata Adapter.
Both of the adapter/converters used 3.0 external I/O mini controllers that would mount a Media drive of any type that is Sata or EIDE/IDE
and mount its partition info, the MFT, the BITMap and everything else of the partition residing in it and allowing the Operating system to mount it's Volume.

Well i had switched both the Adapters around after disconnecting both of them and my windows 10 Home premium did not properly dismount the 1.5 Volume from the System.
Both of them where set to quick disconnect so caching was disabled so the drives can be hot removed with out loss or corruption of data.
When i put the other adapter onto the 1.0 Terabyte Drive.
the $MFT, $BITMAP, $AttrDef, $MFTMirr, $Volume, and pretty much all Files with $ from the 1.5 Terabyte Drive got Written to the 1.0Terabyte drive.

When I used EaseUS partition master (latest version) and checked the partition (Windows OS Said the entire file system was corrupted and unreadable) It said it was labeled T: BUT it had the Volume Label from the 1.5 Terabyte Drive!!!! the size said the entire drive length itself and i was trying to use GETDataback from runetime to recovery my data.. I seen about 555GBs of data in the Step3 section and i seen pretty much almost all my files i was happily copying files when the system froze.. so i forced rebooted.. THEN When it rebooted i wasnt looking and windows 10 did a chkdsk on my 1.0 Terabyte Drive. it went to 9% I freaked out worrying that it was just deleting all my records from the MFT and the bitmap.. it was deleting a crapton and I have heard horror stories of chkdsk rendering one's drive EMPTY.
I pulled the plug on the laptop, Probably a bad thing to have done as i may have corrupted it more. But i didn't want ti to delete anymore Records of where all my files where located on the partition volume itself. and i was kinda right, because i tried to continue my scan and I am missing an additional 500MBs of data from my original Step 3 scan.

SO great now I lost more records of where my data was.. More MFT Entries where damaged. chkdsk was using the information from the 1.5 Terabyte drive it seems and was correcting (Erasing records of the original 1.0 Terabyte partition table info) and replacing it with the newly copied info that windows had ghosted from my 1.5 Terabyte drive to the 1.0 Terabyte drive..

What in the world do I do..... . ?


Lucky enough: on the first attempt of my data recovery i had decided to Select [NFTS] to recovery EVERYTHING including the Low level information of the partition and its volume itself.. I have copies of the MFT, its mirror, the Bitmap, badcluster file and the $Extended folder with its relative data and a bunch of other data.
it was a copy of the state of the drive that was pretty much just before the chkdsk that went to 9%.

How do I Copy the MFT and the mirror and everything else back to the partition?
I have made a Raw copy byte for byte of the original drive as a back up at least so my data is still all there its just.... .FLoating around...

any suggestions any one know of any tools? anyone know of some form of step by step process where i can directly use a Recovery software editor that works with the MFT file and the Bitmap so I can copy the HEX/decimal data from the Saved NTFS $files to the original drive to get my bloody NTFS Function back to the way it was?

Log Name: System
Source: Ntfs
Date: 4/3/2019 9:23:02 PM
Event ID: 50
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: MariaOman-PC
Description:
{Delayed Write Failed} Windows was unable to save all the data for the file \$Mft::$BITMAP. The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Ntfs" />
<EventID Qualifiers="32772">50</EventID>
<Level>3</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2019-04-04T02:23:02.290180800Z" />
<EventRecordID>480289</EventRecordID>
<Channel>System</Channel>
<Computer>MariaOman-PC</Computer>
<Security />
</System>
<EventData>
<Data>
</Data>
<Data>\$Mft::$BITMAP</Data>
<Binary>04000400020030000000000032000480000000006E0200C0000000000000000000000000000000006E0200C0</Binary>
</EventData>
</Event>

-----------------------------------

Log Name: System
Source: Application Popup
Date: 4/3/2019 9:23:02 PM
Event ID: 26
Task Category: None
Level: Information
Keywords:
User: SYSTEM
Computer: MariaOman-PC
Description:
Application popup: Windows - Delayed Write Failed : Exception Processing Message 0xc0000222 Parameters 0x7fffc7a01c38 0x7fffc7a01c38 0x7fffc7a01c38 0x7fffc7a01c38
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Application Popup" Guid="{47BFA2B7-BD54-4FAC-B70B-29021084CA8F}" />
<EventID>26</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-04-04T02:23:02.290662500Z" />
<EventRecordID>480290</EventRecordID>
<Correlation />
<Execution ProcessID="688" ThreadID="2004" />
<Channel>System</Channel>
<Computer>MariaOman-PC</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="Caption">Windows - Delayed Write Failed</Data>
<Data Name="Message">Exception Processing Message 0xc0000222 Parameters 0x7fffc7a01c38 0x7fffc7a01c38 0x7fffc7a01c38 0x7fffc7a01c38</Data>
</EventData>
</Event>

----------------------------------

A corruption was discovered in the file system structure on volume T:.

A corruption was found in a file system index structure. The file reference number is 0x5000000000005. The name of the file is "<unable to determine file name>". The corrupted index attribute is ":$I30:$INDEX_ALLOCATION".

Log Name: System
Source: Ntfs
Date: 4/3/2019 9:23:02 PM
Event ID: 55
Task Category: None
Level: Error
Keywords:
User: N/A
Computer: MariaOman-PC
Description:
A corruption was discovered in the file system structure on volume T:.

A corruption was found in a file system index structure. The file reference number is 0x5000000000005. The name of the file is "<unable to determine file name>". The corrupted index attribute is ":$I30:$INDEX_ALLOCATION".

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Ntfs" Guid="{DD70BC80-EF44-421B-8AC3-CD31DA613A4E}" />
<EventID>55</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-04-04T02:23:02.416882000Z" />
<EventRecordID>480342</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="8668" />
<Channel>System</Channel>
<Computer>MariaOman-PC</Computer>
<Security />
</System>
<EventData>
<Data Name="DriveName">T:</Data>
<Data Name="DeviceName">\Device\HarddiskVolume11</Data>
<Data Name="CorruptionState">0x0</Data>
<Data Name="HeaderFlags">0x922</Data>
<Data Name="Severity">Critical</Data>
<Data Name="Origin">File System Driver</Data>
<Data Name="Verb">Index Subtree</Data>
<Data Name="Description">A corruption was found in a file system index structure. The file reference number is 0x5000000000005. The name of the file is "&lt;unable to determine file name&gt;". The corrupted index attribute is ":$I30:$INDEX_ALLOCATION".
</Data>
<Data Name="Signature">0xf0db1b11</Data>
<Data Name="Outcome">Spot Verifier Bypassed On Critical</Data>
<Data Name="SampleLength">0</Data>
<Data Name="SampleData">
</Data>
<Data Name="SourceFile">0x14</Data>
<Data Name="SourceLine">4351</Data>
<Data Name="SourceTag">351</Data>
<Data Name="AdditionalInfo">0x10000000</Data>
<Data Name="CallStack">Ntfs+0x18275d, Ntfs+0xd42e8, Ntfs+0xc1e3c, Ntfs+0xc1359, Ntfs+0xc0dfa, Ntfs+0x145929, Ntfs+0x1450f8, Ntfs+0x1427eb, Ntfs+0x114300, Ntfs+0x20109, ntoskrnl+0xb5b05, ntoskrnl+0x1302d7, ntoskrnl+0x1b1516</Data>
</EventData>
</Event>

Sincerely yours,
EJ
 

Brickstin

PCHF Member
PCHF Member
Apr 6, 2019
4
0
35
Hello

Hopefully some of our members will chime in soon.

@jmarket @phillpower2
I hope so because I could definately use some advice, I mean... this is just crazy that this has happened.. I am not sure if this happened to anyone else but to have your entire MFT area just ghosted onto by another is just bad...

My entire File map is damaged and I lost over 550 GBs of Data.
 

Rustys

Escaped Mental Patient
Administrator
Support Team
Jul 22, 2016
1,836
588
127.0.0.1
pchelpforum.net
I would suggest using a live Linux and maybe that way you can retrieve you data.

You should also think about making more that just one backup of your data just for these unfortunate reasons.
 

Brickstin

PCHF Member
PCHF Member
Apr 6, 2019
4
0
35
I would suggest using a live Linux and maybe that way you can retrieve you data.

You should also think about making more that just one backup of your data just for these unfortunate reasons.
I haven't used Linux Live before, what format does it come in? Like a Live CD? Or is it a Install of Linux? What do I need to do ?
Also I plan to use Bootice from now on to backup my partition tables, MBR and the likes. In case of a disaster like this again. as well as a compression backup of my data it self.
 

Rustys

Escaped Mental Patient
Administrator
Support Team
Jul 22, 2016
1,836
588
127.0.0.1
pchelpforum.net
You can use Mint or Ubuntu both I have found work just fine. No you do not need to install ither one for the live version to work just need a blank DVD and or 16 GB USB drive.

Most installs of Linux come as a Live version so you can test them and make sure that they work properly prior to install.
 

Brickstin

PCHF Member
PCHF Member
Apr 6, 2019
4
0
35
You can use Mint or Ubuntu both I have found work just fine. No you do not need to install ither one for the live version to work just need a blank DVD and or 16 GB USB drive.

Most installs of Linux come as a Live version so you can test them and make sure that they work properly prior to install.
ok how do I go about using linux to recover my data? Does it have some kind of Directory and partition accesses more than windows allows?

I recal reading somewhere that windows API prevents access to the medat data files like $MFT
i the Volume Root DIrectory
Ive only used linux once, so any advice and walkthroughs would be great.
Kind thanks
 

Rustys

Escaped Mental Patient
Administrator
Support Team
Jul 22, 2016
1,836
588
127.0.0.1
pchelpforum.net
I apologize about the delay my allergies have been horrible.

Other may come in with other ideas as well @Bruce

@phillpower2 to assist since my vision is still wonky at this time so if I am not able to help much he will be here to assist.

Ive only used linux once, so any advice and walkthroughs would be great.
Do you still have that version of Linux on an install disk? If yes which one and version?

Download Mint if you do not still have the other Linux available.
Create the install disk for the downloaded ISO
Boot to Linux

Double click (on the desktop) the Computer icon.
With the external drive attach open the file explorer and see if you can move files from that drive to another working drive.
Start out copying small amounts of files to make sure it works

Once we find out that it works and we get the files transferred to a working storage and or two
My opinion would be to wipe the drive and transfer the data back to it.
 

phillpower2

Autonomous Admin
Administrator
Support Team
Sep 9, 2016
2,467
413
55
Hello Brickstin,

Not sure of your computer specs so have included steps for disabling secure boot on computers that have UEFI BIOS, please disregard if your notebook has legacy as opposed to UEFI BIOS.

===================

***Required Hardware***

CD Burner (CDRW) Drive,

Blank CD,

Extra Storage Device (USB Flash Drive, External Hard Drive)


===================



1. Save these files to your Desktop/Burn Your Live CD:2. Set your boot priority in the BIOS to CD-ROM first, Hard Drive Second

    • Start the computer/press the power button
    • Immediately start tapping the appropriate key to enter the BIOS, aka "Setup"

      (Usually shown during the "Dell" screen, or "Gateway" Screen)
    • Once in the BIOS, under Advanced BIOS Options change boot priority to:

      CD-ROM 1st, Hard Drive 2nd
    • Open your ROM drive and insert the disk
    • Press F10 to save and exit
    • Agree with "Y" to continue
    • Your computer will restart and boot from the Puppy Linux Live CD






3. Recover Your Data

  • Once Puppy Linux has loaded, it is actually running in your computer's Memory (RAM). You will see a fully functioning Graphical User Interface similar to what you normally call "your computer". Internet access may or may not be available depending on your machine, so it is recommended you print these instructions before beginning. Also, double clicking is not needed in Puppy. To expand, or open folders/icons, just click once. Puppy is very light on resources, so you will quickly notice it is much speedier than you are used to. This is normal. Ready? Let's get started.



    3a. Mount Drives
    • Click the Mount Icon located at the top left of your desktop.

    • A Window will open. By default, the "drive" tab will be forward/highlighted. Click on Mount for your hard drive.
    • Assuming you only have one hard drive and/or partition, there may be only one selection to mount.
    • USB Flash Drives usually automatically mount upon boot, but click the "usbdrv" tab and make sure it is mounted.
    • If using an external hard drive for the data recovery, do this under the "drive" tab. Mount it now.
    3b. Transfer Files.
    • At the bottom left of your desktop a list of all hard drives/partitions, USB Drives, and Optical Drives are listed with a familiar looking hard drive icon.
    • Open your old hard drive i.e. sda1
    • Next, open your USB Flash Drive or External Drive. i.e. sdc or sdb1
    • If you open the wrong drive, simply X out at the top right corner of the window that opens. (Just like in Windows)
    • From your old hard drive, drag and drop whatever files/folders you wish to transfer to your USB Drive's Window.
    For The Novice: The common path to your pictures, music, video, and documents folders for XP is: Documents and Settings >> All Users (or each individual name of each user, for Vista and above C:\Users\$USERNAME\[...]. CHECK All Names!) >> Documents >> You will now see My Music, My Pictures, and My Videos.



    Remember to only click once! No double clicking! Once you drag and drop your first folder, you will notice a small menu will appear giving you the option to move or copy. Choose COPY each time you drag and drop.



    YOU ARE DONE!!! Simply click Menu >> Mouse Over Shutdown >> Reboot/Turn Off Computer. Be sure to plug your USB Drive into another working windows machine to verify all data is there and transferred without corruption. Congratulations!









For computers that have UEFI as opposed to legacy BIOS, to be able to boot from your USB device you may need to disable secure boot and change UEFI to CSM Boot, not all computers and BIOS are the same, please refer to your user manual if you have one as the following steps are only one such example.

Restart the computer, Windows 8 and 8.1 from the Start or desktop screen move your mouse pointer over the upper or lower right corner of the screen, when the Windows Charms appear click the Settings Charm, click on Power and then the Restart option.

Windows 10, Click on Start,Power and then Restart.

While the computer is re-starting,you will need to continually tap or hold down the particular key that will allow you to access the BIOS on your computer, we will use the F2 key as an example here;

After restarting the computer, when the screen goes black, press and hold down the F2 key, wait for the BIOS to load.

Select Security -> Secure Boot and then Disabled.

Select Advanced -> System Configuration and then Boot Mode.

Change UEFI Boot to CSM Boot.

Save the changes and Exit the BIOS, commonly F10.

If your computer will not boot into Windows at all, power up or restart the computer continually tap or hold down the key that will allow you to access the BIOS on your computer and then do the following;

Select Security -> Secure Boot and then Disabled.

Select Advanced -> System Configuration and then Boot Mode.

Change UEFI Boot to CSM Boot.

Save the changes and Exit the BIOS, commonly F10.