"someone talking about it attacking the MFT of NTFS - that's a more severe attack than the MBR."
Providing the files themselves aren't corrupted something like photorec reads the sectors, tries to work out what they are and copies the results out to fresh media. Obviously it depends on the extent to which the files are fragmented. If the files are encrypted then it depends on whether they're overwritten. The only experience I had with this was with ransomware that wrote out the encrypts as new files and deleted the old ones which, of course, just marked the files' sectors as free but didn't do anything to the contents. The only problem was sorting out real images from junk heap of odds & sods from the browser cache.
Biting the hand that feeds IT
