[2Turtles]

Well long time no see! I hope spring is knocking loudly on everyones door

I seem to have lost my Win2k partition - and with it all my moms email - bad, bad - but even worse I need to recover a VERY important birthday project that I spent months creating as a surprise which resides in the now "vaporised" Documents folder of Win2k...

I am begging here....

The details: I recently learned how to set up a dual-boot system so that I might try and get used to a new o/s (I love my tweaked 98 shamelessly thank to axcel and the folks here!) All seemed good for the first few months but the other night after an unannounced shutdown when I tried to boot into my Win2K I got the "Windows 2000 can not start, <windows 2000 root>\system32\ntoskrnl.exe is missing or corrupt." error. Which I was not afraid of because I have learned a few things here and replacing a file in dos mode isn't as scary as it used to be... until I tried it, and it failed because apparently my Win2k is gone? At least that how it looked when I rebooted into my Win98 side and had a look at the drive. That drive is now called "♥+RPVæ5ө□Ė╦" and has two equally strangely named files on it.

I tried using my 4 floppies (Win2K Pro) to get to repair /recovery and run chkdsk but no luck - it just keeps telling me "program cannot be run in dos mode". I tried to run a copy of chkdsk from my Win98 side but that was a no go as well. So I ran scandisk from Win98 and got these:

I'm worried about letting scandisk fix the errors on that drive in case it deletes my project files and moms email.

The other thing I read was possibly the boot.ini was corrupt - I did try "fixboot" but it made no difference. I did not try "fixmbr" because I don't know if that could ruin my 98 install? My boot.ini does not look like the dual boot.ini's I have seen online - is it supposed to look like this?:

[boot loader]
timeout=30
default=signature(26cggbeg)disk(1)rdisk(0)partition(1)\WINNT
[operating systems]
signature(26cggbeg)disk(1)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect
C:\="Microsoft Windows"

why does it say "signature(26cggbeg)" instead of multi(0)?

I could really use some guidance as I know absolutely nothing about Win2K Pro and it's issues, except reading that it didn't like being installed on partitions larger than 7.8GB... but if that was the case here wouldn't it have gotten corrupted sooner? Is this corruption?

I'm not sure what other information is relevant so here's what I can think of:

The Win98 install is unaffected, it is on a the first partition of a 40GB drive (2X20) as master. The Win2k is on the first partition of a 160GB drive(20X70X70) as slave. I have ran Powermax on the 160 and it tests fine.

System Specs:

AMD Sempron 2600
ECS 741GX-M
SIS Chipset 741GX/964L
Soundblaster Live! 24bit
Radeon Excalibur 7000 (HiS powered by ATI) 64mb DDR
1GB Kingston KVR400X64C3A Ram
Maxtor Diamondmax 40GB master C: 98se (20GB) E: storage (20GB)
Maxtor Diamondmax 160GB slave D: Win2k (20GB) F: storage (70GB) G: storage (70GB)
LG 4160B Super-Multi Drive master
Dual Booting Win98SE/Win2K Pro

Please please please someone help I am suddenly on a new learning curve without training wheels!!!

PS - in case anyone wonders how come the "crazy drive" has so many characters in the name, I named the C drive "Old Font" and the Win2K drive "Windows2000" to make finding stuff simpler for my mom since dual booting with 5 partitions wasn't an easy change for her

This post has been edited by 2Turtles: 11 April 2008 - 09:11 AM

[jaclaz]

OK, STOP fiddling with the drive NOW.

NEVER, NEVER and I mean NEVER use a win9x utility on a later OS formatted/partitioned HD unless you know what you are doing.

Try using TESTDISK:
http://www.cgsecurit...g/wiki/TestDisk
(the DOS version from your Win98 "side") to ONLY check what it sees and report.

If you are lucky the corruption may be limited to MBR/partition table only and thus fixable by TESTDISK.

Generally speaking, when you have such "random" letters on a drive name, there can also be a problem with the connection of the hard disk, trying re-seating the cable connectors or, better even, change the cable with a spare one, it won't make any harm anyway.

jaclaz

This post has been edited by jaclaz: 11 April 2008 - 09:27 AM

[2Turtles]

Thanks so much for the reply jaclaz - I tried right away a new cable but it did not work so I have downloaded and run the TestDisk as you said from Win98. But I do not really understand it I don't think. Analyze shows this:

1 * FAT32 LBA 0 1 1 3734 254 63 60002712 [NO NAME]
2 E extended LBA 3735 0 1 19928 254 63 260156610
5 L FAT32 3735 1 1 11831 254 63 130078242 [DSK1_VOL2]
X extended 11832 0 1 19928 254 63 130078305
6 L FAT32 11832 1 1 19928 254 63 130078242 [DSK1_VOL3]

When I selected [Deeper] It just shows 3 partitions all green - says the first is bootable with no name, the second fat32 Disk1_vol1, and the 3rd fat32 Disk2_Vol2.

* FAT32 LBA 0 1 1 3734 254 63 60002712 [NO NAME]
FAT32, 30 GB / 28 GiB
L FAT32 LBA 3735 1 1 11831 254 63 130078242 [DSK1_VOL2]
FAT32, 66 GB / 62 GiB
L FAT32 LBA 11832 1 1 19928 254 63 130078242 [DSK1_VOL3]
FAT32, 66 GB / 62 GiB


When I ask it to show me the files on the first partition it shows me the two "crazy folders" that I can see from win 98, plus the recycle bin and the ntoskrnl.exe file I put there hoping somehow it would be happy to see it! Moms emails and my missing project is on that first part with Win2k in Documents, the other two parts are just storage of music and photos and are still readable from Win98.

I have not done anything to the drive partition since it happened except copy that one file to it and attempt the "fixboot" as I said earlier and now changing the cable - I did not do anything else with Testdisk since I don't really know what I should do. Testdisk did say it must have the drive size correct to work and it saw this:

Disk 81 - 163 GB / 152 GiB - CHS 317632 16 63
LBA size=320173056

It is a 160GB Maxtor, I know that that is relative to more specific math - is TestDisk getting the right size do you think? I told Testdisk to make the log file if it would help - it might as well be those crazy characters for all I understand it though! I will post it or can email if you want to see it?

Thanks again for any advice, I am so grateful!

[fdv]

Get on a different machine and assemble a PE. Use it to copy data from the drive.
If you don't have an XP license, use the Microsoft trial version of Windows Server 2003.
I recommend Ultimate Boot CD 4 Win as your PE creator.
Trail of 2003.
Ultimate Boot CD for Windows.
There are also bootable Linux distros that could accomplish this as well... all you're looking to do is mine some data and copy what you can.

[DonDamm]

Ah, the joys of dual-booting! It appears that all your partitions are formatted in FAT. It also sounds like the partition table in your W2K installation got pooched. If so, it will give scrambled names like you see and would explain the bootlaoder failure. The W2K boot files reside on the first partition (the W98 one here) and the boot.ini file contains the information and pointers. First check that the info inside there is okay. If so, then where it is pointing is returning gobbled inforamation in the form of the crazy names.

If you have a copy of Acronis Disk Director or Disk Editor, you'll be able to copy the uncorrupted second FAT to the beginning of the partition and you should be able to read it again. Almost any disk editor can do this in cluding older versions of Norton tools (NOrton Disk Editor) and even UltraEdit. It is most likely in the first 512 bytes where the error is. Even if ScanDisk does fix the error, it will drive you crazy with file fragments renamed. A repair install is a possibility, but very well may not see any installation there and will just act like a new install, wiping previous data.

Follow the suggestion for recovering any usable data and get it off that drive first. You could try a utility like Recuva or SoftPerfect File Recovery, both free and non-invasive. R-Studio is another good one and may work in the trial mode, but is a paid program. Without a healthy partition table you will run into problems whatever you do, so I'd aim to restore that first if you can. It is one reason there is a second copy there in the first place.

Good luck with it. Let us know what happens.

[jaclaz]

Some good news, and some bad ones.

The good ones first, you seem to have NO problems with connection, the only REALLY "wrong" thing is the geometry of the drive:

Quote

Disk 81 - 163 GB / 152 GiB - CHS 317632 16 63
LBA size=320173056

you should get something like:

Quote

Disk 81 - 163 GB / 152 GiB - CHS 19930 255 63
LBA size=320173056

A large disk, actually ANY disk above 8Gb manufactured in the last few years, should be detected as having a CHS Geometry of nx255x63 geometry.

Please try correcting the geometry as above, re-run testdisk and report.

It is very rare that testdisk "sees" a wrong geometry, this makes me think that there is a problem in some BIOS setting, do check that detection if second hard disk is set to AUTO.

Now the bad ones, this wrong geometry should not affect the First partition, that starts at CHS 0/1/1, so there might also be problems in the bootsector of that partition.

I think that partitions can still be recovered, but I suspect that it might be a long and tricky process.

Have you got or can download a hex editor (or, BETTER, viewer) capable of accessing directly the HD from Win9x or DOS and saving single sectors as a file ?

Here you can find some links:
http://mirror.href.c.../FreeTools.html

Even a screenshot of the bootsector taken in either PTEDIT32 (link on the listed page) or beeblebrox:
http://students.cs.byu.edu/~codyb/
could be enough for the moment, but I actually would like to have a look at (i.e. have a copy of) sector 64 on the disk, (aka bootsector of first partition).
Since it is a FAT32 partition, if it was originally formatted by a "proper" program, there is a copy of the bootsector at relative sector 6, aka absolute sector 70, I'd like to see that one too.

On the other hand, if you have only little valuable data on the drive, you can try using PHOTOREC (included in TESTDISK) to recover just the files....

jaclaz

[2Turtles]

Hi everyone, thank you for all of your input I am so glad there are people who are willing to help and not just say "Stoping using all the old stuff and get XP or Vista!" Changing o/s wouldn't get my files back nor would it miraculously help me to suddenly understand a new o/s and all it's quirks!

Quote

fdv
Get on a different machine and assemble a PE. Use it to copy data from the drive.

Sorry to sound dumb here but I don't know what a "PE" is...

Quote

DonDamm
The W2K boot files reside on the first partition (the W98 one here) and the boot.ini file contains the information and pointers. First check that the info inside there is okay. If so, then where it is pointing is returning gobbled inforamation in the form of the crazy names.

I did put my boot.ini file up in my first post - I don't know if that is what it is supposed to look like or not though - this is my first time with dual-boot and I don't remember at all what it originally looked like when I changed the timeout to 30 secs so my mom would have time to remember where she wanted to work.

I have to fix this because I 'm the one who told her we could use newer software if we switched (this is all because I really wanted google earth and it won't work with 98) and that Win2K would be more secure if we were going to be online more! I thought the transition would be smooth(er) - it sort of was, until this...

jaclaz: I think I am to blame for the wrong geometry report as I copied it from the log file here (red) when it should have likely been here (green)

Dos version (ext2fs lib: 1.40.2, ntfs lib: 10:0:0, reiserfs lib: 0.3.1-rc8, ewf lib: none)
Disk 80 - 8414 MB / 8024 MiB - CHS 1023 255 63
Disk 80 Enhanced BIOS 1.x - R/W/I
Computes C from number of sectors
LBA 80293248, computed 80293248 (CHS=79655,15,63)
hd_identify_enh_bios
Disk 80 - 41 GB / 38 GiB - CHS 79656 16 63
LBA size=80293248
Disk 81 - 8414 MB / 8024 MiB - CHS 1023 255 63
Disk 81 Enhanced BIOS 1.x - R/W/I
Computes C from number of sectors
LBA 320173056, computed 320173056 (CHS=317631,15,63)
hd_identify_enh_bios
Disk 81 - 163 GB / 152 GiB - CHS 317632 16 63
LBA size=320173056
disk_read_aux: Don't read after the end of the disk
disk_read_aux: Don't read after the end of the disk
Hard disk list
Disk 80 - 41 GB / 38 GiB - CHS 4998 255 63, sector size=512
Disk 81 - 163 GB / 152 GiB - CHS 19929 255 63, sector size=512

Disk 81 - 163 GB / 152 GiB
Partition table type: Intel
disk_read_aux: Don't read after the end of the disk

Analyse Disk 81 - 163 GB / 152 GiB - CHS 19929 255 63
Geometry from i386 MBR: head=255 sector=63
FAT32 at 0/1/1

When I checked the bios it was set to AUTO for the 160GB and LBA for the 40GB. I changed the 160 to [CHS] but all the numbers remained the same as in [AUTO] so I changed it to [LBA] just to see, then the numbers were different. So I ran Testdisk like that - it was exactly the same report, when I compared the 2 logfiles side by side I see you are right Testdisk did not see the wong geometry it must have been my error from above.

Sorry to have to say that I don't understand a lot of what you guys are saying because on a scale of 1-10 my computer language skills are around about 2. What I am really, is good at following directions very precisely - which is how I got my RollsRoyce98 - created by reading MdgX pages and coming here when I hit a road block

Quote

but I actually would like to have a look at (i.e. have a copy of) sector 64 on the disk, (aka bootsector of first partition).
Since it is a FAT32 partition, if it was originally formatted by a "proper" program, there is a copy of the bootsector at relative sector 6, aka absolute sector 70, I'd like to see that one too.

On the other hand, if you have only little valuable data on the drive, you can try using PHOTOREC (included in TESTDISK) to recover just the files....

I don't have a hex editor or viewer but I will get which ever program you want me to so you can see sector 64 or anything else you need - if you tell me which program to use to copy it for you I will do it tonight.

I don't know if the formatting program was a "proper" program - I used Powermax as that is what I used for my other Maxtor drive, I did select Win2k as the o/s when Powermax asked.

I do know that all the partitions are FAT32 because I always choose that option. Here is exactly how this dual boot was set up.

Original 40GB drive, 2x20 Fat32 partitions. C: [Win98se and Programs] ---------- D: [storage]

Then I added a brand new 160GB drive partitioned into 3 Fat32 - 20x70x70 by Powermax (seagate tool for new maxtor drives)E:,F:,G:

Next Installed Win2k Pro from Win98 onto the first partition (E:) of the 160GB drive (which was renamed (D:) by one of the o/s once the install finished)

So now I have Old Front [win98] (C:) ?+RPVæ5??Ė- [win2k] (D:) Old Back[storage] (E:) DISK1_VOL2[storage] (F:) DISK1_VOL3[storage] (G:)

When I read to leave win98 first and then install win2k it did not say they had to reside on the same drive - so I assumed it was ok, and since it has worked it must have been... or was that a fluke? I test drove it for a few weeks, then added SP4. Other than 4 or 5 random reboots without warning over about 4 months it seemed to be fine. I blamed the reboots on the computer but it never happens when I'm using win98 so now I think that was a mistake. Explorer says the partition is full with only 199MB free space, that is impossible - it is a 20GB partition and so far there is only Win2k, a few small programs and my 70 pages which are 90% text and 10% jpgs. There can't be more than 2 or 3GB on there and I doubt even that much.

The most important data are moms email (thunderbird) and even more my 70 pages of Open Office files, a project I have worked on for months and do not have anywhere else - I am so dumb for keeping them in the Win2k "My Documents" folder but I wanted it to be a suprise so I didn't want anyone else to see them before I was finished - I am the administrator and everyone else has access to all the other partitions. The Open Office files are ".odt" extention and it looks like PHOTOREC can only see .doc files?

If you are willing jaclaz then I am prepared to do whatever it takes to save those files - just give me your orders

You are all quite wonderful, I thank you so much for trying to help!

[2Turtles]

I have downloaded both programs, Beeblebox and PTEDIT32 - the link for original Beeblebox download was not working so I got the one from sourceforge I tried to run it but obviously I am doing something wrong. PTEDIT32 seemed to work but all the boxes are grayed out so I am not sure how to get the information you want to see. Here are the screenshots:
the runlog.txt for beeblebox is blank after the error...

Is this because I should do it in DOS mode?

[jaclaz]

It's strange, I just tested the download you should have made for beeblebrox:
http://students.cs.byu.edu/~codyb/
http://students.cs.b...bbdownload.html
http://students.cs.b...brox9xsetup.zip
and it works for me, however PTEDIT32 seems to be working allright.
The project on sourceforge is Java (sic) rewrite of the original beeblebrox, left unfinished.

Geometry is confirmed 19929/255/63

The MBR data appears to be NOT correct.

The LBA data of first partition 60002712 corresponds to a partition of about 30 Gbytes, more exactly to 30.721.388.544 bytes.
The CHS data of the same partition leads to a size of about 5 Gbytes, more exactly 5.453.328.384 bytes.

Please re-run PTEDIT 32 and post screenshots:
1) after having selected the first (primary) partition and pressed the "BOOT Record" button
2) after having selected second (extended)partition and pressed the "GOTO EPBR" button
3) after having selected first of the two lofical partitions and pressed the "BOOT Record" button
4) after having selected first of the two logical partitions and pressed the "BOOT Record" button
Make sure, when using the BOOT record to select the proper partition type, FAT16 (type 06 or 0e) FAT32 (type 0b or 0c) or NTFS (type 07)

jaclaz

[2Turtles]

I have looked at explorer to confirm the win2k 160GB drive partition sizes - it reports as 28.5x62x62 so I must have remembered wrong - I am very sorry for that error. I opened the computer up and for sure the maxtor says 160GB though, that part is correct. I have re-run PTEDIT and collected the screenshots - they are of the 160GB drive - is this the (primary) partition you mean or was I supposed to do this from the win98 partition because it was the first o/s I had?

jaclaz, on Apr 15 2008, 02:34 PM, said:

Please re-run PTEDIT 32 and post screenshots:
1) after having selected the first (primary) partition and pressed the "BOOT Record" button

Quote

2) after having selected second (extended)partition and pressed the "GOTO EPBR" button

Quote

3) after having selected first of the two lofical partitions and pressed the "BOOT Record" button
4) after having selected first of the two logical partitions and pressed the "BOOT Record" button

I don't think you meant for 3) and 4) to say the same thing? If #4 is "select 2nd of the two logical partitions..." then the "Boot Record" button goes greyed-out...

Quote

Make sure, when using the BOOT record to select the proper partition type, FAT16 (type 06 or 0e) FAT32 (type 0b or 0c) or NTFS (type 07)

PTEDIT says all partitions on all drives are FAT32X until I click "EPBR" then they say FAT32, I did not change the FAT32X- should I have?


Today finally was able to connect after a long wait and I have downloaded the proper beeblebox now - so if you prefer that one I can run it.

[jaclaz]

Yes, sorry, I copied and pasted line above and failed to correct it :blush:, I meant
4) "select 2nd partition", press the "GOTO EPBR" and press the "BOOT Record" button.

Partition data appears to be a bit mixed on the CHS side, but since access is through LBA, that should not cause problems.

The good news is that the 1st partition boot sector of first partition appears to hold correct data.

So, the problem has to lie in FAT.

I will check and get back to you with (hopefully) some tests to make.

Should it be necessary (it is however advisable) could you afford buying a new drive 160 Gb or more to make a copy of the corrupted hard drive data?

Do you have any other machine wth Windows 2K or Windows XP installed where you can attach the corrupted drive?

Or could you if needed build a PE (Pre-install Environment) CD through BartPE Pebuilder or Winbuilder on some machine running 2K or XP?

jaclaz

P.S.: .odt seems to be on the list of "known" files for Photorec:
http://www.cgsecurity.org/wiki/File_Format...red_By_PhotoRec
http://www.cgsecurity.org/wiki/File_Format...PhotoRec#Office

P.P.S.:it seems like the Convar utility File Recovery can run on win98 too:
http://www.pcinspector.de/Sites/file_recov....htm?language=1
it would be next thing to try.

Both Photorec and PC File Recovery are "safe" (unless you copy/install them on the corrupted drive) as they will recover data on "another" drive.

Another thing that you can try is using the "FAT recovery" feature of TESTDISK, but ONLY after you have a backup copy of the whole drive:
http://www.cgsecurity.org/wiki/Advanced_FA...pair_FAT_tables

This post has been edited by jaclaz: 16 April 2008 - 03:34 AM

[2Turtles]

here it is
I am glad to hear some good news as I have been a bit down about this business. Unfortunately I cannot afford another drive, I had to beg for this 160 last year and was none too popular when it could be had for nearly half price 6 months later My aunt does have an XP machine that I may be able to connect the corrupted drive to - but that depends on how long she would have to be without her computer, she is on it about 10 hours a day/7 days a week and won't be willing to let it go for more than 1 day. I don't know how to make one yet, but would be willing to learn to build a Pre-install Environment if needed - I would try to make it from my aunts XP(Pro) computer.

Thank you for the PHOTOREC link (I had only read the readme that came with the program which did not have such an extensive list!) I am more hopeful now - I have started it but then stopped it because I didn't know if it was a bad idea to save the recovered files to a different partition on the same drive. I don't have enough space on my 40GB left to recover the whole 28GB partition - but I think I know why it says there is so much stuff on there when there shouldn't be hardly any at all. The first 7 files PHOTOREC recovered (before running out of space on C: drive) were 6 mpgs and 1 cab. I never put or even had any mpgs on the win2k partition so I opened 1 with IrfanView to see what it was - it was a piece of a dvd I had burned, I'm not sure why it should be on the o/s partition when my NERO temp folders are deliberately redirected to the storage partitions. Anyway I changed PHOTOREC options to ignore mpg files since I don't care about them. Also interesting - I extracted the .cab file PHOTOREC found and it had ntoskrnl.exe in it? But possibly that is just the file I put on the drive and PHOTOREC just packed it up... I am hoping now that there will be plenty of room on my C: drive for the missing email and documents if they aren't mangled. I am worried about having written those 2 files to that partition when I was first trying to put ntoskrnl back, as PHOTOREC says specifically NOT to write to it - hopefully they weren't big enough to wreck too much.

Going to try PHOTOREC again, wish me luck!

[cdob]

Just a side note:
Win98 and Win2000 may not support fully a 160 GB drive out of the box.
Massstorage driver has to use 48-bit LBA.
E.g. Win2000 atapi.sys require a registry setting http://support.micro....com/kb/305098/
Without this, data corruption is possible.

[2Turtles]

cdob, on Apr 16 2008, 04:20 PM, said:

Just a side note:
Win98 and Win2000 may not support fully a 160 GB drive out of the box.
Massstorage driver has to use 48-bit LBA.
E.g. Win2000 atapi.sys require a registry setting http://support.micro....com/kb/305098/
Without this, data corruption is possible.

Yes I knew about win98 and have long ago fixed up this system with the solution found here on this forum - it has worked perfectly for me
here is the link for anyone who might need the fix-up ---> http://www.msfn.org/board/Enable48BitLBA-Break-the-137Gb-barrier-t78592.html

I didn't know that Win2K had similar issues however so thank you for the link I shall read up on it - cheers!

So I let PHOTOREC do it's thing - it ran for about 5 hours and then shut itself down with this error:
it has recovered a few thousand files but only 3.odt files and they aren't readable. There seems to be some issues - for instance it finds html files and labels them as such but it also found hundreds of text files only when I look at them they are in fact html code not documents. It has found a few .doc files but they are not readable either... Mostly the files look like the scrambled characters in my wrecked drives name and long rows of black rectangles. A few of the unknowns sort of look like they might be email format but I'm only guessing. There are even some .gif files that are 50,000KB in size and when I opened them in Paintshop Pro they were just tiny arrow images only 14x14 pixels - impossible for them to be more than a few KB in reality, so something is wonky.

Is autochek for XP the same as Win2k? If I were to slave the drive over there could it fix the errors enough to help PHOTOREC finish the recovery and maybe get the files readable? I will wait for directions as I am unsure what best to try next...

[jaclaz]

Most part of the success rate of recovery on a drive at file level (i.e. when File Allocation Table or other indexing structure has gone beserk) is related to how fragmented was the volume, if the volume was heavily fragmented, chances are smaller.

Basically such programs "catalog" anything from a known header up to the next known header as a file of given type....making some checks and "guessing" a lot...

...each program has it's own better or worse feature, as they use different algorithms.

I asked about a 2K/XP as most "recent" Commercial software will not work on 9x, though there are quite a few Linux ones, but I have no experience with them.

As said, trying the Convar free program won't make any harm and may be able to succeed where Photorec failed.

There are lots of programs, most Commercial, but the pre-requisite is to be able to have at least one (better if two) images of the drive and work on them, as some may change filesystem structure and if the result is not working there is no way back.

Here are some listed:
http://www.msfn.org/...ool-t84345.html

There are also chances for a "manual" recovery of a few files, but it needs "professional" skills and lots of time...if you do not succeed (without altering the data) you may want to consider the use of a data recovery service.

jaclaz

[2Turtles]

Still trying...

I had to stop trying the Convar recovery tool as it is writing the recovered files right to the partition I'm trying to recover?? I cannot find where it would allow me to redirect where it puts recovered files - do you know? It is installed and run from win98 c: drive but once I tell it to scan the d: drive it created FOUND.000, FOUND.001 folders and was writing them to d: so I stopped the scan.

Also today was trying the program R-Studio but it does not mention document types other than mostly Microsoft and zero Open Office files in it's list and since it wants $80 to get out of demo mode well if I had $80 for a "maybe" then I'd be buying a new hard drive for sure instead. Plus it seems to use all the resources and then conks out on my old pc so maybe too big a program.

I have read sometimes you can copy the data from the partition to cd or dvd and then work on those - is this possible in my case or is that only if the o/s is good and the data bad? I have many blank cd and dvd and a burner that can do both if that would maybe work? Except that win98 says there is nothing there to copy so how does one make a copy? I am confused about that part.

Last question: am I not to use the other 2 partitions on that drive either? There is much space left on the F: and G: partitions (over 60GB) so should I NOT let recovery programs put what they find on those parts? So far I haven't used that drive but my win98 drive is not enough left to put the whole scrambled 28GB partition on...

[jaclaz]

2Turtles, on Apr 19 2008, 09:16 AM, said:

Still trying...

I had to stop trying the Convar recovery tool as it is writing the recovered files right to the partition I'm trying to recover?? I cannot find where it would allow me to redirect where it puts recovered files - do you know? It is installed and run from win98 c: drive but once I tell it to scan the d: drive it created FOUND.000, FOUND.001 folders and was writing them to d: so I stopped the scan.

I think there should be one, but cannot say for sure, and yes, writing on the same partition is a NO NO.

2Turtles, on Apr 19 2008, 09:16 AM, said:

I have read sometimes you can copy the data from the partition to cd or dvd and then work on those - is this possible in my case or is that only if the o/s is good and the data bad? I have many blank cd and dvd and a burner that can do both if that would maybe work? Except that win98 says there is nothing there to copy so how does one make a copy? I am confused about that part.

It is possible ONLY if you make a "RAW" image, i.e. a byte-by-byte copy, something you cannot do as the resulting file will be 3 Gb in size, exactly like the partition.

2Turtles, on Apr 19 2008, 09:16 AM, said:

Last question: am I not to use the other 2 partitions on that drive either? There is much space left on the F: and G: partitions (over 60GB) so should I NOT let recovery programs put what they find on those parts? So far I haven't used that drive but my win98 drive is not enough left to put the whole scrambled 28GB partition on...

Theoretically, there should be no problem, as the other partitions are separately addressed spacces, but the rule of the thumb is to never write on same drive because you do not know how and why it got messed the first time, thus it is possible that due to the problem that originally corrupted the drive writing to it, even on a different partition, may cause problems.

But of course it's always a matter of probabilities a rough estimate would be, talking of probability of recover, since the "simple" things did not work:
1) Sending the drive to a professional 80% to 100%
2) Do it yourself on an imaged drive with professional (read Commercial) tools 60% to 80% (but this still allows for #1)
3) Do it yourself on original drive with professional tools 60% to 80%
4) Do it yourself on an imaged drive with Freeware tools 40% to 60% (but this still allows for #1)
5) Do it yourself on original drive with Freeware tools 30% to 40%

If you are determined to go on, before trying again a file based recovery, I would try TESTDISK again, trying to repair the FAT tables:
http://www.cgsecurity.org/wiki/Advanced_FA...pair_FAT_tables
if it fails, it will alter just the FAT tables, probably in such a way that a further FAT based recovery with a professional tool will be made impossible, but will not alter the files in any way, so the possibility of a file based one will remain untouched.

Also, it is possible that PHOTOREC or other file based utility recovers the files in a slightly incorrect way, enough for the original app to be not able to open it, but still containing most (or a large part) of the data within the file, that may be later "extracted" or "corrected" by specialized utilities or manually with a hex editor, but it would be a long, prone to errors and troublesome path that requires very advanced file formats knowledge and lots of experience.

jaclaz

[2Turtles]

Quote

If you are determined to go on, before trying again a file based recovery, I would try TESTDISK again, trying to repair the FAT tables:
http://www.cgsecurit...pair_FAT_tables
if it fails, it will alter just the FAT tables, probably in such a way that a further FAT based recovery with a professional tool will be made impossible, but will not alter the files in any way, so the possibility of a file based one will remain untouched.

I was reading something about that the other day (I think on starman pages) and used Testdisk to compare FAT Tables - it reports 2 of them and as identical - am I wrong in thinking Testdisk will be unable to repair since it does not have a better one to choose from?

I keep trying but I do have trouble grasping and holding on to such mental complexities - now, if this drive needed physical repair - even with tiny tools under a microscope then all I'd need is a diagram because mechanical dexterity is where my skills are!



...time to shovel some snow
.............yes, it snows here in April!

[2Turtles]

Have looked at the partition with another recovery tool - this program says there are NTFS, FAT16 and FAT32 on the partition - can this just happen? I was under the impression that a disk had to be formatted NTFS in order to have NTFS filesystem. Plus how did FAT16 get on there? Am posting the screenshot of the programs scan of my missing D: drive and the *13* whatever they are it sees on there!

I have not told Testdisk to fix the FAT table yet, I am going to look at it again today. I re-read my first post and win98 scandisk reported the fat tables as different so I must make sure that I did not run/read the Testdisk info wrong.

EDIT: ok am back, my inability to keep all the sectors and tables etc distinct and clear in my mind is obvious - this is what I saw/read in Testdisk
so now I am imagining there are TWO copies of boot sectors and TWO copies of FAT tables and they are two different things.... is this correct? If so my mission now is to have a look at the FAT tables, if that is possible. If I understand correctly, Testdisk will "repair" the fat just by coping the FAT2 over the FAT1 which may only help if they are different (and FAT2 isn't mangled as well).

On the lighter side, I have retrieved 10 of 70 pages that are not mutilated beyond repair. I had to look through over 8,000 txt files that PHOTOREC generated so it was time consuming but for anyone who is poor and has lost important documents - we are not completely without hope. Although PHOTOREC says it recognizes .odt file types it must need them to be less corrupted than mine are to find them - for me it found only 1 as type.odt but many thousands of .txt files - a few of which turned out to be slightly mashed .odt files and parts of .odt files.

My hunting method is to save all the txt files PHOTOREC found to a single folder, point at it using win98's "find files" "containing text" and then inserting the most uncommon words from the document I could think of - words you wouldn't expect to see in O/S or program txt files which were overwhelmingly plentiful.

I must stress that even this has it's limitations - for instance I used "Vegas" because a story about Las Vegas was in one part of my papers - and I never imagined that 300 pages of what appeared to be computer code-ish or something like that turned up using that word! Plus you may find a 100 page text file that looks like unrelated garble but if you were to use "find in this document" and go to all instances of the word you may find that on page 80 and 81 are parts of what you are actually searching for which is how most of my stuff is being located. Anyway it is a matter of sifting and straining, persistence and patience - not for the short tempered or easily discouraged that's for sure! I am hoping to use all the programs available to get as many pieces as I can first and then try to repair the drive - obviously if one has the money than you would be smarter to copy the drive and try and repair it first before searching for needles in haystacks

As yet I have not found a way to recover Thunderbird e-mail so the sequel to "the Wrath of Mahm" is still being written...

This post has been edited by 2Turtles: 20 April 2008 - 04:04 PM

[jaclaz]

Basically:
FAT16 has one bootsector (first sector of partition) and two copies of the FAT
FAT32 has one bootsector (first sector of partition) a backup copy of it (in sector 6 of partition) and two copies of the FAT

The bootsector is just 512 bytes long i.e. one sector and contains (mainly) only:
1) Name of the partition
2) Volume serial number
3) Extents (size) of the partition
4) Code for booting (invoking the OS loader or system files)

The backup of the bootsector is "static" meaning that is never changed/updated, unless explicitly, or by running programs like scandisk or checkdisk, or similar utilities, whilst the 1st or 2nd FAT are used during normal disk operations (for example copying, creating or deleting files). Changes are written to one of the two tables, then once the operation has been carried on successfully the second table is updated to reflect the changes on the other one.

The FAT, expecially on big volumes are huge, spanning over hundreds of disk sectors, and they contain one entry for each cluster on the disk, you have to think at them as the index of a book, where there is one entry for each page of the book.

In other words, the two copies of the FAT are always the same unless something went wrong and prevented from the "mirroring" to happen. (a power shortage, a problem in the HD controller, malicious code, whatever).

In a perfectly defragged volume, a FAT is just a sequential number of "addresses" and it is rather easy to be repaired, in a fragmented volume, there is no predictable "sequence", but some errors, like duplicated addresses, overlapping ones, and similar can still be fixed.

You must think at your volume as is now as the photocopies of a book, where each page is a disk cluster of sectors, made omitting the pages numbers, that have been shuffled, and you have not anymore an index to access them.

What you compared with testdisk are just the bootsector and it's backup copy, it is possible that if the two FAT's are different TESTDISK can choose the "least wrong" data from both and fix them.

About the report by the demo of Active Recovery, you must understand that these kind of programs have heuristic engines that try to "guess" from a number of parameters they search in data how the partition was before corruption.

Hence the need for working on copies, you try choosing one of the "guesses", maybe it works, if it does not, you re-create the data as it was before and re-run chosing another "guess" or another recovery program.

If you are going to try and extract text from "recovered" files, there are utilities that automate the work, here is one:
ftp://ftp.elf.stuba....ext/bintext.zip

jaclaz