Recovering a file from A NTFS partition damaged after Quick format

When a quik format action is run on a NTFS volume, the previous MFT is overwrite by then new one .

As the volume size, location and the Operation System File Driver are the same as before, the newly created MFT is saved from the same cluster (block) as the previous one. However, a fresh new MFT includes only a few records, some used for the system files, others free and available. Consequence is that lot of the previous MFT file, containing records from the system before the quick format, are still recoverable.

Going on the MFT bookmark for this volume, the cursor will then allow to get file size for the first MFT record (record 0 -> MFT file).  Using this bookmark as locked reference, a simple Tyrhex jump will locate the cursor on the last byte of this file. 

Next step is to look after this position. You will find there former MFT records still available but in the unallocated space (new MFT « reserved »  space for future growth avoiding MFT fragmentation). All files records discovered in this unallocated space are easy to decode using Tyrhex.

Last step is to ask to recover the clusters … Tyrhex will allow you to save the file content.     

tyrhex © Yves Vandermeer  2015-2017   #tyrhex