What, and where, is the NTFS CRC windows complains about?

Question

I'm trying to come up with an answer for a question of mine involving recovering a file when Windows' APIs complain about a "CRC error". I know this is because of a bad block.

But my theory is:

• If I disable S.M.A.R.T., and hence ECC, I should be able to read the "raw data", without ECC applied, thus having a block with "uncertain data" in the file's stream (instead of a blank block with ECC applied).
• This data should not match its NTFS' CRC, while other file's data should match theirs.
• I should be able to brute force the whole file's "correct data" by flipping bits one by one of the block with "uncertain data" (I suspect corruption affects a bit or two in a bad block, not a whole block, hence it falls within the recoverability threshold of a 32-bit checksum and brute force).

Now, the problem is, I have no idea what this CRC is, or where it is. I Googled a lot, but I can't find about it. I imagine it is an NTFS feature, and as far as I know, NTFS doesn't have a complete, official documentation, and really I don't like the idea of looking for this in NTFS-3G's C++ source code.

So: I want to make a small utility or script to recover a files in this kind of scenario. An answer that tells me where to get this CRC and what algorithm it uses will be accepted.

Also: I suspect the CRC is for allocation units, not whole files. Maybe it's in the MFT?

Answer 1

The CRC errors you are seeing are not coming from NTFS. They are coming from the device driver.