Next, open the DeletedFile.txt.
Then let try to recover a file.
From the DeletedFile.txt, we choose one file. In this case, TECHNOTE.TXT (with index 416394). Then we re-run the program with the index and file name as the arguments.
The recovered file should be stored under the project's Debug folder.
The next task is to delete the file reference in MFT. By using the index we re-run the program with the index as an argument.
Then, let verify the previous task. Re-run the program to recover the same file as done previously.
Re-open the recovered file. As shown in the following Figure, the files content is filled with 0. Just zeroing out the 'content' huh?
More information for Windows MFT can be found in the following links:
1. NTFS On-Disk Structures - Visual Basic NTFS Programmer’s Guide by Alex Ionescu (pdf)
2. NTFS Documentation - the Linux NTFS driver by Richard Russon and Yuval Fledel (pdf)
3. ReactOS – The Windows clone project.
5. NTFS On-Disk Structures – C code and older version compared to no. 1 (pdf).
Windows Master Boot Record (MBR)
There is 'no' information to extract or manipulate the Windows MBR data in MSDN. Many people use Hex editor to view the MBR. Most of the headers dealing with MBR are available in Windows Driver Kit (WDK). However, there are many headers and libraries created by third party and individual for Windows MBR. For Windows 7 and Server 2008 R2, FSCTL_GET_BOOT_AREA_INFO control code can be used together with BOOT_AREA_INFO structure to retrieve the locations of boot sectors for a volume. Hopefully, the libraries will be expanded for more features in the future. The following list redirects you for more information on Windows MBR.