VeraCrypt partially corrupted Master File Table(s)

Discussion in 'encryption problems' started by geohei, Apr 7, 2022.

  1. geohei

    geohei Registered Member

    Joined: Jan 25, 2007
    Posts: 42
    The subject might be similar, but the problem as such is not the same.
    https://www.wilderssecurity.com/thr...ble-volume-file-system-not-accessible.443563/

    - If I say "corrupt", I don't know if the data I see is trash or encrypted.
    - If I say "TrueCrypt" (TC), it might be VeraCrypt (VC) - not relevant for this problem.

    The disk:
    - External using USB bay
    - Size 300 GB
    - 1 NTFS partition (no hidden partition)
    - Encrypted with TC back in 2008
    - Password and keyfile are present - partition mounts correctly
    - I did a dd image to experiment

    The problem:
    After mounting the partition, I checked the 2 MFTs
    0x0000000030 : 0x00000C000000000049F52E0200000000
    MFT : 0x00C0000000 : first 16 sectors are corrupt
    MFT Mirror : 0x22ef549000 : first 8 sectors are corrupt
    After the corrupted sectors, I see FILE0 entries (correct MFT data) at the 0x1000 boundaries.

    Trying to access the mounted partition via Windows Explorer, I get:
    "The disk structure is corrupted and unreadable."

    Windows Event Log confirms the trouble:
    The Master File Table (MFT) contains a corrupted file record. The file reference number is 0x1000000000000. The name of the file is "<unable to determine file name>".

    How it probably happened:
    After initially putting the disk (after years) into the USB bay (TC mount as r/w), I was able to verify all (!) stored files since I have an md5sum file of the entire disk. No, I didn't read/copy the data, just read/verified the data (#*%$§& !!!). But then, I probably (not sure ?!) didn't TC dismount properly, or (?!) I ejected the disk prior to TC dismount. A subsequent mount showed the NTFS errors above.

    What I then did:
    Since I could not rely on MFT data, I wrote some C code to check for the cluster starts (0x1000 boundaries). I only have 3 filetypes: .iso, .gz and .tgz on the disk. Scanning the entire disk, I managed to recover >50%. Data integrity could be guaranteed due to md5 checksums. >50% is already very good, but I need all (important data)! I don't give up until all possibilities are exhausted.

    What I believe:
    I think that only the MFT is corrupted. Some files however show bad md5s, which is confirmed for .tgz files by "tar -tzf <file> > /dev/null". This could be due to fragmentation since my restoration binary assumes contiguous sectors.

    Questions:
    1. What I really don't get is how the beginning of both MFTs could become corrupted, while the data payload seems intact.
    2. Is there a possibility to scan the entire disk in order to "rebuild/repair" the MFT? If there is no tool, I can code it myself, but first I need to know in principle whether it's feasible or not.
    3. Some of the files seem to be non-contiguous. Is the MFT the only place on the partition where details about file fragments are stored?

    Any help would be greatly appreciated.
     
    Last edited: Apr 7, 2022
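
On the fragmentation point raised in the post: each surviving FILE record stores the extents of a non-resident file as a run list inside its $DATA attribute (type 0x80). The following is an added example, not part of the original post or the poster's C code; it decodes that run list from a single record. It assumes 512-byte sectors, the function names are illustrative, and the sample record is constructed.

```python
import struct

def apply_fixups(record, sector=512):
    """Restore the two bytes NTFS overwrote at each sector end (update sequence array)."""
    usa_off, usa_cnt = struct.unpack_from("<HH", record, 4)
    rec = bytearray(record)
    for i in range(1, min(usa_cnt, len(rec) // sector + 1)):
        saved = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
        if len(saved) == 2:  # skip if the array offset itself is damaged
            rec[i * sector - 2:i * sector] = saved
    return bytes(rec)

def decode_runs(buf):
    """Decode a run list into (start_cluster, cluster_count); start is None for a sparse run."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos]:
        len_sz, off_sz = buf[pos] & 0x0F, buf[pos] >> 4
        count = int.from_bytes(buf[pos + 1:pos + 1 + len_sz], "little")
        start = pos + 1 + len_sz
        lcn += int.from_bytes(buf[start:start + off_sz], "little", signed=True)  # relative to previous run
        runs.append((lcn if off_sz else None, count))
        pos = start + off_sz
    return runs

def data_runs(record):
    """Extents of the unnamed non-resident $DATA attribute, or None if this is not a FILE record."""
    if len(record) < 0x30 or record[:4] != b"FILE":
        return None
    rec = apply_fixups(record)
    pos = struct.unpack_from("<H", rec, 0x14)[0]  # offset of the first attribute
    while pos + 0x22 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == 0xFFFFFFFF or alen == 0:  # end marker or damaged length
            break
        if atype == 0x80 and rec[pos + 8] and rec[pos + 9] == 0:
            run_off = struct.unpack_from("<H", rec, pos + 0x20)[0]
            return decode_runs(rec[pos + run_off:pos + alen])
        pos += alen
    return []

def sample_record():
    """Constructed 1024-byte FILE record whose $DATA attribute has two fragments."""
    rec = bytearray(b"FILE" + bytes(1020))
    struct.pack_into("<HH12xH", rec, 4, 0x30, 3, 0x38)  # USA offset, USA count, first attribute offset
    rec[0x30:0x32] = rec[510:512] = rec[1022:1024] = b"\x01\x00"  # USN, stamped on sector ends
    struct.pack_into("<IIBB", rec, 0x38, 0x80, 0x48, 1, 0)  # $DATA, length, non-resident, no name
    struct.pack_into("<H", rec, 0x58, 0x40)  # run list offset within the attribute
    rec[0x78:0x80] = bytes.fromhex("21183456" "1110f0" "00")  # 24 clusters, then 16 clusters
    struct.pack_into("<I", rec, 0x80, 0xFFFFFFFF)  # end-of-attributes marker
    return bytes(rec)
```

Each returned start cluster is relative to the start of the NTFS volume, so multiplying by the cluster size gives the byte offset inside the mounted volume or its decrypted image.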