smstroble

Reading an NTFS disk in raw mode

10 posts in this topic

I had an idea. Since I'm kinda bored, I thought it would be cool to create a program for recovering deleted files (yes, I know there are many out there, but most look very questionable). So anyway, I figured I would read the NTFS data in raw mode and pick out deleted folders in the mess of data. Well, I dumped a portion of my disk to a txt file in raw mode:

$file = FileOpen("\\.\C:", 4)        ; 4 = raw/binary read mode; \\.\C: is the volume itself (first byte = its boot sector) and needs administrator rights
$data = FileRead($file, 512 * 1000)  ; first 1000 sectors = 512000 bytes
FileClose($file)
FileWrite("D:\Test.txt", $data)      ; given a file name, FileWrite opens, writes and closes the output itself (kept on another drive)

and I got a fair amount of very strange data:

CODE

ëRNTFS ø ? ÿ ? ú`b && ö ¾Ñ ß L ú3Àм |û¸ÀØè ¸

À3ÛÆ èS h

hjË$ ´Ís¹ÿÿñf¶Æ@f¶Ñâ?÷âÍÀíAf·Éf÷áf£ ôA»ªU$ ÍrûUªu öÁtþ Ãf`f¡ f f; : fj fPSfh > è³ÿ> a ´B$ ôÍfX[fXfXë-f3Òf· f÷ñþÂÊfÐfÁê÷6 Ö$ èÀä

Ì¸Í À Àfÿ ÿ oÿfaà øè ûè ûëþ´ð¬< t ´» ÍëòÃ

A disk read error occurred

NTLDR is missing

NTLDR is compressed

Press Ctrl+Alt+Del to restart

That bit is right at the start.

CODE

¡ ¢ £ ¤ ¥ ¦ § ¨ © ª « ¬ ­ ÿÿÿ¯ ° ± ² ³ ´ µ ¶ · ¸ ¹ º » ¼ ½ ¾ ¿ À Á Â Ã Ä Å Æ Ç È É Ê Ë Ì Í Î Ï Ð Ñ Ò Ó Ô Õ Ö × ÿÿÿÙ Ú Û Ü Ý Þ ß à á â ã ä å æ ç è é ê ë ì í î ï ð ñ ÿÿÿÿÿÿô õ ö ÷ ø ù ú û ü ý þ ÿ

! " # $ % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ ` a b c d e f g h i j k l m n o p q r s ÿÿÿu v w x y z { | } ~ ¡ ¢ £ ¤ ¥ ¦ § ¨ © ª « ¬ ­ ® ¯ ° ± ² ³ ´ µ ¶ · ¸ ¹ º » ¼ ½ ¾ ¿ À Á Â Ã Ä Å Æ Ç È É Ê Ë Ì Í Î Ï Ð Ñ Ò Ó Ô Õ Ö × Ø Ù Ú Û Ü Ý Þ ß à á â ã ä å æ ç è é ê ë ì í î ï ð ñ ò ó ô õ ö ÷ ø ù ú û ü ý þ ÿ

! " # $ % & ' ( ) * ÿÿÿ, - . / 0 1 2 3 ÿÿÿ5 6 7 8 9 : ; < = > ? @ A B C D E F ÿÿÿH I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ ` a b c d e f g h i j k l m n o p q r s t u v w x y z { | } ~ ¡ ¢ £ ¤ ¥ ¦ § ¨ © ª « ¬ ­ ® ¯ ° ± ² ³ ´ µ ¶ · ¸ ¹ º ÿÿÿ¼ ½ ¾ ¿ À Á ÿÿÿÃ Ä Å Æ Ç È É Ê Ë Ì Í Î Ï Ð Ñ Ò Ó Ô Õ Ö × Ø Ù Ú Û Ü Ý Þ ß ÿÿÿá â ã ä å æ ç ÿÿÿé ê ë ì í î ï ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿö ÷ ø ù ú û ü ý þ ÿ

ÿÿÿÿÿÿ ÿÿÿ ! " # $ % & ' ( ) * + , - . / 0 ÿÿÿº4 3 4 5 6 7 8 9 : ; < = > ? @ A B C D ÿÿÿF G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ ` a b c d e f g h ÿÿÿj k l m ÿÿÿo p q r s t u ÿÿÿw x y z { | } ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ ÿÿÿ ¡ ¢ £ ¤ ¥ ¦ § ¨ © ª « ¬ ­ ® ¯ ° ± ² ³ ´ µ ¶ · ¸ ¹ º » ¼ ½ ¾ ¿ ÿÿÿÁ Â Ã Ä Å Æ Ç È É Ê Ë Ì Í Î Ï Ð Ñ Ò Ó Ô Õ Ö × Ø Ù Ú Û Ü Ý Þ ß à á â ã ä å æ ÿÿÿè é ê ÿÿÿì í î ï ð ñ ò ó ô õ ö ÷ ø ù ú û ü ý þ ÿ

ÿÿÿ! " # $ % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ ` a b c ÿÿÿe f g h i j k ÿÿÿÿÿÿÿÿÿÿÿÿp ÿÿÿr s ÿÿÿÿÿÿÿÿÿw x ÿÿÿz { | ÿÿÿ~ ÿÿÿÿÿÿ ÿÿÿÿÿÿ ¡ ¢ £ ¤ ¥ ¦ § ¨ © ª ÿÿÿ¬ ­ ® ¯ ° ± ² ³ ´ µ ¶ · ¸ ¹ º » ¼ ÿÿÿ¾ ¿ À Á Â Ã Ä Å Æ Ç È É Ê ÿÿÿÌ Í Î Ï Ð Ñ Ò Ó Ô Õ Ö × Ø Ù Ú Û Ü Ý Þ ß à á â ã ä å æ ç è é ê ë ì í î ï ð ñ ò ó ô õ ö ÷ ø ù ú û ü ý þ ÿ

! " # $ % & ' ( ) * + , - . / 0 ÿÿÿ2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ ` a b c d e f g h i j k l m n o p q r s t u v w x y z { | ÿÿÿ~ ÿÿÿ

This is not far below it.

Below that is data, and I can recognize some text and .ini files from my drive. I know where they are located (in the file structure) and their file names, but I can't find the file names in the data. I figure I need to find and read the master file table, but I have no clue where it is or how to read it.

So if someone could point me in the direction of some helpful information, that would be great.

Thanks.


MUHAHAHAHAHA



I think what happens is the data cannot be displayed as plain text.

#4 ·  Posted (edited)

Any data can be seen in plain text as far as I know, though it won't be of any use because it was not meant to be text. Though often some more information can be gotten from hex, because pretty much anything that is not standard ASCII is shown as a square or a blank spot.

Give me a minute; I'm writing a program to parse some of it into hex for you guys to look at.

Edited by smstroble


#5 ·  Posted (edited)

OK, got some hex. It's everything from the start into a little bit of the strange area, which is shown rather well in the screenshot attached.

HEX_Start_of_drive.txt


Edited by smstroble

What I meant was that the data was not supposed to be shown as plain text; of course you can view anything with Notepad, but it won't show anything helpful.

Side note: I am not good at this, but maybe you can look up some method in Google and see how it works.

#7 ·  Posted (edited)

I have been looking around Google for a couple of hours now, and I'm starting to think that this may be way over my abilities. I'm having trouble finding anything on the NTFS file system other than, in general, how it's set up; nothing specific enough to work with. I think I'm going to have to look at the source of another undelete program, but that hasn't been terribly easy to find either.

EDIT: Ha! I think I found something: http://www.ntfs.com/disk-scan.htm

Edited by smstroble


You are going to have to peek quite low down in the NTFS subroutines to get to where you want. For a bit of background, why not get one of the older versions of Norton Utilities for DOS (over 10 years old) and read how the partition table, boot sector, FAT table and directory/folder structures are constructed for a FAT system, and work your way up from there. As additional useful reading, you may find open source code for drivers that mount NTFS drives under Linux.

Somehow I strongly suspect AutoIt is not the appropriate language to be using for this type of work. As your knowledge increases, you will come to understand why...

#9 ·  Posted (edited)

Thanks for the advice. It looks like this is going to take a lot of work; sounds like a project for this summer, along with learning C++.

Even if AutoIt is not a good language for this, I think it would still be interesting to make one in AutoIt, if possible, even if it was as slow as can be.

Edited by smstroble


smstroble,

Just seen your post whilst browsing; hope you have not given up on your project, because you're on the right track.

This text:

-------------------------------------------------------------------------------------------------

ëRNTFS ø ? ÿ ? ú`b && ö ¾Ñ ß L ú3Àм |û¸ÀØè ¸

À3ÛÆ èS h

hjË$ ´Ís¹ÿÿñf¶Æ@f¶Ñâ?÷âÍÀíAf·Éf÷áf£ ôA»ªU$ ÍrûUªu öÁtþ Ãf`f¡ f f; : fj fPSfh > è³ÿ> a ´B$ ôÍfX[fXfXë-f3Òf· f÷ñþÂÊfÐfÁê÷6 Ö$ èÀä

Ì¸Í À Àfÿ ÿ oÿfaà øè ûè ûëþ´ð¬< t ´» ÍëòÃ

A disk read error occurred

NTLDR is missing

NTLDR is compressed

Press Ctrl+Alt+Del to restart

-------------------------------------------------------------------------------------------------

is the start of your drive, identifying the file format as NTFS and later giving the text error messages that it may need to display.

The information in between is all machine code, and you are right that it is best viewed in hex.

Without going into too much detail (it gets boring after a bit): for data recovery you either need to search for a given file type's signature (i.e. JPEG = YoYa, exe = MZ) and then extract that data to another file or, if your intention is to repair a corrupted drive, you read the Master File Table, work out where the partition locations are and write that data back to the drive.

If you have a look at data recovery books or forensic forums, they are a great help.

Question: Have you worked out how to write the data back to the drive at the location it was copied from?

Gingerbloke

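An added example of the signature search Gingerbloke describes (editor's Python, not code from the thread): it scans a buffer for known headers, cuts each hit at the matching footer or at a size cap when the format has no footer, and validates "MZ" hits by following e_lfanew to a "PE\0\0" header, because two ASCII letters on their own produce a constant stream of false positives. The input blob, with its tiny JPEG, a decoy "MZ" string and a minimal PE stub, is constructed for the example.

```python
import struct

SECTOR = 512

# (label, header bytes, footer bytes or None, maximum carve length)
SIGNATURES = [
    ("jpeg", b"\xFF\xD8\xFF", b"\xFF\xD9", 16 * 1024 * 1024),
    ("png",  b"\x89PNG\r\n\x1a\n", b"IEND\xAE\x42\x60\x82", 16 * 1024 * 1024),
    ("pdf",  b"%PDF-", b"%%EOF", 64 * 1024 * 1024),
    ("exe",  b"MZ", None, 16 * 1024 * 1024),
]

def looks_like_pe(buf: bytes, start: int) -> bool:
    """'MZ' alone is just two letters; require e_lfanew (at +0x3C) to point at a 'PE\\0\\0' header."""
    if start + 0x40 > len(buf):
        return False
    e_lfanew, = struct.unpack_from("<I", buf, start + 0x3C)
    sig = start + e_lfanew
    return 0x40 <= e_lfanew < 4096 and buf[sig:sig + 4] == b"PE\x00\x00"

VALIDATORS = {"exe": looks_like_pe}

def carve(buf: bytes, step: int = SECTOR) -> list:
    """Return [(label, start, end)] for every validated signature hit.

    step=SECTOR tests only sector boundaries, where NTFS starts file data; step=1 also finds
    headers buried inside other files (thumbnails, archives) at roughly 512x the cost."""
    hits, pos = [], 0
    while pos < len(buf):
        for label, header, footer, cap in SIGNATURES:
            if not buf.startswith(header, pos):
                continue
            if label in VALIDATORS and not VALIDATORS[label](buf, pos):
                continue
            limit = min(len(buf), pos + cap)
            end = limit                                   # no footer within the cap: truncated carve
            if footer is not None:
                idx = buf.find(footer, pos + len(header), limit)
                if idx != -1:
                    end = idx + len(footer)
            hits.append((label, pos, end))
            pos = -(-end // step) * step                  # resume at the next boundary after this file
            break
        else:
            pos += step
    return hits

def build_sample_image() -> bytes:
    """Constructed 'unallocated space': filler, a tiny JPEG, a decoy 'MZ' text, a minimal PE stub."""
    def sector(payload: bytes) -> bytes:
        return payload.ljust(SECTOR, b"\x00")
    filler = bytes(range(256)) * 2                                    # no signature bytes in sequence
    jpeg = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 40 + b"\xFF\xD9"
    decoy = b"MZ is not always an executable"                          # e_lfanew reads as 0 -> rejected
    pe = bytearray(b"MZ".ljust(0x80, b"\x00"))
    struct.pack_into("<I", pe, 0x3C, 0x80)                            # e_lfanew -> PE signature at +0x80
    pe += b"PE\x00\x00" + b"\x4C\x01"                                 # Machine = 0x14C (i386)
    return filler + sector(jpeg) + sector(decoy) + sector(bytes(pe))
```

Scanning only at sector boundaries is what makes a carver usable on a whole volume; the JPEG in the sample is found at offset 512 and ends at 567, the decoy at 1024 is rejected, and the PE stub at 1536 runs to the end of the buffer because "MZ" has no footer. Two limits to keep in mind: the first FF D9 after a JPEG header may close an EXIF thumbnail rather than the picture, and carving only ever recovers contiguous data, so a fragmented file comes back truncated or with foreign clusters in the middle. Carved output must go to a different disk, as the poster's D:\Test.txt does, because writing anything to the source volume can overwrite exactly the clusters being recovered.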