SkylineRB26DETT

Seagate 750Gb one partition is RAW after BSY fix

39 posts in this topic

So I do a bsy fix on another drive and everything seemed fine.

The drive showed up and I can see the files.

The problem is it showed up with one partition...the large one ~690Gb.

Now..this drive is from a system and they usually have a second small partition for backup.

So I run testdisk and it finds both partitions. I do a 'write' partition table.

Now both partitions show up and get drive letters assigned.

The problem...

The small 10Gb partition I can navigate through no problem, but the big partition is inaccessible and shows up as RAW in computer management.

Before the partition table 'write' I could navigate through the large partition no problem. I did not backup the partition table before doing the write.

Any ideas how to get the large partition to work again?

Edited by SkylineRB26DETT

Before the partition table 'write' I could navigate through the large partition no problem. I did not backup the partition table before doing the write.

NOT a good idea.

Any ideas how to get the large partition to work again?

I assume this second partition was NTFS.

Run TESTDISK again.

See what it finds.

Check that the last sector in the NTFS (copy of bootsector) is the same as the actual bootsector (if any)

Otherwise get from it the "sectors before" and recreate a suitable partition entry.

If you post some actual DATA, I may be able to help you with actually helpful advice.

See here for an example of a similar recovery:

http://www.msfn.org/board/index.php?showtopic=141687

jaclaz


Thanks for the quick reply. The hdd was running Win Vista 64.

Here is what it looked like before I 'wrote' the partition table...I should have left it alone since the 'recover partition' does not need a drive letter. I thought since it didn't come up as a viewable partition with a drive letter that there was something wrong.

http://img715.imageshack.us/img715/3140/partitionssk.jpg

Here is what it looks like now... :(

http://img180.imageshack.us/img180/3228/nowpu.jpg

Here are screenshots from test disk.

Originally the large partition was bootable, but now it states the small one is. I tried changing that, but it always reverts back.

62538263.jpg

The boot sectors are identical because I copied them.

33499903.jpg

71753250.jpg

25025573.jpg

I tried to list the files.

61762610.jpg

Tried repair MFT.

96367180.jpg

thanks for your time

Here is what it looked like before I 'wrote' the partition table...I should have left it alone since the 'recover partition' does not need a drive letter. I thought since it didn't come up as a viewable partition with a drive letter that there was something wrong.

Next time use a "proper" tool :whistling::

http://www.boot-land.net/forums/index.php?showtopic=10169

Originally the large partition was bootable, but now it states the small one is. I tried changing that, but it always reverts back.

Changed "how"?

It seems like "something else".

You have not by any chance fiddled with XP on a Vista partitioned drive?

There are a few hiccups in doing that, though I cannot say if they would apply to your current situation.

You seemingly have a correct partition entry for the partition in the MBR.

You seemingly have a valid bootsector (at least this is what testdisk reports).

But I need to have a look at them to make sure.

Get Tiny Hexer:

(and my small scripts for it)

http://www.boot-land.net/forums/index.php?showtopic=8734

Check the MBR with PTview.

Post the values you see.

Save a copy of the MBR and of the first sector of the bootsector, put it inside a .zip archive and attach it to your next post.

jaclaz

Here is what it looked like before I 'wrote' the partition table...I should have left it alone since the 'recover partition' does not need a drive letter. I thought since it didn't come up as a viewable partition with a drive letter that there was something wrong.

Next time use a "proper" tool :whistling::

Are you talking about instead of Computer Management?

Originally the large partition was bootable, but now it states the small one is. I tried changing that, but it always reverts back.

Changed "how"?

In testdisk you can change from (P)rimary to (*)bootable with the right and left arrows.

It seems like "something else".

You have not by any chance fiddled with XP on a Vista partitioned drive?

There are a few hiccups in doing that, though I cannot say if they would apply to your current situation.

NO, I'm using Win7 x64

You seemingly have a correct partition entry for the partition in the MBR.

You seemingly have a valid bootsector (at least this is what testdisk reports).

But I need to have a look at them to make sure.

Get Tiny Hexer:

(and my small scripts for it)

http://www.boot-land.net/forums/index.php?showtopic=8734

Check the MBR with PTview.

Post the values you see.

Save a copy of the MBR and of the first sector of the bootsector, put it inside a .zip archive and attach it to your next post.

jaclaz

I will do this when I get home. Thanks!


Hi jaclaz,

In my second post when I posted this screenshot...

http://img715.imageshack.us/img715/3140/partitionssk.jpg

I didn't realize the recovery partition was hidden, which is why it didn't get a drive letter assigned. This is the whole reason I checked in testdisk and 'wrote' the partition...because I thought it was missing. Everything was fine and now there's a mess. I wonder why testdisk wrote wrong partition info.

Anyway...attached are zip folders of files from tiny hexer. I wasn't sure if you wanted me to run it on the drive itself or the partition that is not showing up. I did it for both.

Here are screenshots...

The drive itself...

ptview.jpg

firstsector.jpg

The partition coming up as RAW...

firstsectorpartition2.jpg

partitiontabledataparti.jpg

drive0 partition2.zip

drive0.zip


The MBR DATA seems correct. The code is "strange" at first sight, but it shouldn't matter and can anyway be fixed all right with MBRFIX.

There was a misunderstanding. :(

I meant "post the actual sectors", not the view of them.

I.E. in the normal Tinyhexer view choose "Save as" and post the two resulting 512-byte files (MBR and bootsector).

The Partition table viewer only applies to a MBR (with partition table ;) ) and not to a boot sector (as you can see in the second "beeblebrox like" screenshot, numbers are "random").

Once I have the bootsector data I can point you to other locations to check.

After you have these sectors saved:

To reset the initial status (before the changes) in the MBR:

In the "PTview" view, click on the 07 in row #0 column "Type", a 07 in the hex view will be highlighted, overwrite it with 12.

In the "PTview" view, click on the 80 in row #0 column "Boot", a 80 in the hex view will be highlighted, overwrite it with 00.

In the "PTview" view, click on the 00 in row #0 column "Boot", a 00 in the hex view will be highlighted, overwrite it with 80.

jaclaz


I.E. in the normal Tinyhexer view choose "Save as" and post the two resulting 512-byte files (MBR and bootsector).

Attached is a zip with the 'save as' files from tinyhexer. One is for the entire drive and the other for partition 2.

After you have these sectors saved:

To reset the initial status (before the changes) in the MBR:

In the "PTview" view, click on the 07 in row #0 column "Type", a 07 in the hex view will be highlighted, overwrite it with 12.

In the "PTview" view, click on the 80 in row #0 column "Boot", a 80 in the hex view will be highlighted, overwrite it with 00.

In the "PTview" view, click on the 00 in row #0 column "Boot", a 00 in the hex view will be highlighted, overwrite it with 80.

Before I change anything this is what it looks like now after I started the computer...the 80h is in row two now.

partitiontabledata.jpg

Should I still change the 07h to 12h?

drive1.zip


Before I change anything this is what it looks like now after I started the computer...the 80h is in row two now.

Which means that the changes you did before are now effective. :thumbup

Should I still change the 07h to 12h?

Well, that's entirely up to you, hidden partitions should stay hidden (they are meant to stay hidden by design).

You can use the apps in the given link if you want to temporarily mount it in order to access it, but there should be no reason normally to fiddle with it.

The bootsector data seems ok.

The $MFT should be at absolute sector (786432*8 + 20482875) if accessing the Physical drive or 786432*8=6291456 if accessing partition.

The first thing you should see there is "FILE*" or "FILE0".

if opened the whole disk:

File->Disk->Goto Sector->26774331

or if opened the partition:

File->Disk->Goto Sector->6291456

TestDisk should be able to check and fix this kind of error:

http://www.cgsecurity.org/wiki/Advanced_NTFS_Boot_and_MFT_Repair

Try running it as per above, and see what it reports.

jaclaz
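
The sector arithmetic in the post above, as an added example that is not part of the original thread: it decodes the MBR rows and the NTFS boot sector fields and derives both $MFT sector numbers. The two sectors are constructed in `build_sample()` from the numbers quoted in the thread; the first partition's start (63), both partition sizes and the $MFTMirr cluster are assumed values.

```python
import struct

SECTOR = 512

def parse_mbr(mbr):
    """Decode the four primary partition entries (16 bytes each, from offset 446)."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: 55 AA signature missing")
    rows = []
    for i in range(4):
        base = 446 + 16 * i
        start, count = struct.unpack_from("<II", mbr, base + 8)
        rows.append({"row": i, "boot": mbr[base], "type": mbr[base + 4],
                     "start": start, "sectors": count})
    return rows

def parse_ntfs_boot(bs):
    """Decode the NTFS boot sector fields that locate the volume and its $MFT."""
    if len(bs) != SECTOR or bs[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    hidden, = struct.unpack_from("<I", bs, 0x1C)        # "sectors before"
    total, mft_lcn, mirr_lcn = struct.unpack_from("<QQQ", bs, 0x28)
    return {"bytes_per_sector": struct.unpack_from("<H", bs, 0x0B)[0],
            "sectors_per_cluster": bs[0x0D], "hidden": hidden,
            "total": total, "mft_lcn": mft_lcn, "mftmirr_lcn": mirr_lcn}

def locate_mft(entry, boot):
    """Return ($MFT sector inside the partition, $MFT sector on the physical drive)."""
    rel = boot["mft_lcn"] * boot["sectors_per_cluster"]
    return rel, entry["start"] + rel

def cross_check(entry, boot):
    """List disagreements between an MBR row and the boot sector it should point to."""
    problems = []
    if boot["hidden"] != entry["start"]:
        problems.append("'sectors before' does not match the MBR start LBA")
    if boot["total"] > entry["sectors"]:
        problems.append("NTFS volume is larger than the partition entry")
    return problems

def build_sample():
    """Constructed sectors; only 20482875, 786432 and 8 come from the thread."""
    mbr = bytearray(SECTOR)
    # row #0: hidden recovery partition (type 12, not active), assumed start/size
    struct.pack_into("<B3xB3xII", mbr, 446, 0x00, 0x12, 63, 20482812)
    # row #1: the large NTFS partition (type 07, active), assumed size
    struct.pack_into("<B3xB3xII", mbr, 462, 0x80, 0x07, 20482875, 1444665344)
    mbr[510:512] = b"\x55\xaa"
    bs = bytearray(SECTOR)
    bs[3:11] = b"NTFS    "
    struct.pack_into("<HB", bs, 0x0B, 512, 8)           # 512 B/sector, 8 sectors/cluster
    struct.pack_into("<I", bs, 0x1C, 20482875)
    struct.pack_into("<QQQ", bs, 0x28, 1444665343, 786432, 2)
    bs[510:512] = b"\x55\xaa"
    return bytes(mbr), bytes(bs)

if __name__ == "__main__":
    mbr, bs = build_sample()
    ntfs = next(r for r in parse_mbr(mbr) if r["type"] == 0x07)
    boot = parse_ntfs_boot(bs)
    print(locate_mft(ntfs, boot), cross_check(ntfs, boot))
```
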


Which means that the changes you did before are now effective. :thumbup

Jaclaz, I did not change anything yet... ever. The 80h swapped spots by itself after restarting the computer.

TestDisk should be able to check and fix this kind of error:

http://www.cgsecurity.org/wiki/Advanced_NTFS_Boot_and_MFT_Repair

Try running it as per above, and see what it reports.

I've tried this twice already with negative results. It takes like 6 hours to complete and nothing changes.

This is what you wrote a few posts ago...

To reset the initial status (before the changes) in the MBR:

In the "PTview" view, click on the 07 in row #0 column "Type", a 07 in the hex view will be highlighted, overwrite it with 12.

In the "PTview" view, click on the 80 in row #0 column "Boot", a 80 in the hex view will be highlighted, overwrite it with 00.

In the "PTview" view, click on the 00 in row #0 column "Boot", a 00 in the hex view will be highlighted, overwrite it with 80.

Did you want to say row #1 in any of those lines above or are all changes in row #0?


Jaclaz, I did not change anything yet... ever. The 80h swapped spots by itself after restarting the computer.

Well, no, things don't get swapped by themselves; most probably you did not refresh whatever you were viewing it with after the TESTDISK change.

I've tried this twice already with negative results. It takes like 6 hours to complete and nothing changes.

Well, no, usually TESTDISK asks what you want it to do, then reports something and then asks for a confirmation before doing potentially destructive things.

I need to know what happens, what TESTDISK reports, as I cannot see your screen from this distance ;).

If you already ran it maybe that is the thing that created the problem.

Did you want to say row #1 in any of those lines above or are all changes in row #0?

Yep, typo :blushing: third is row #1, but since the boot has already switched all you want (eventually) to do is to change the 07 of the hidden partition back to 12.

Let's try to sum up:

  • the MBR DATA (the only thing that is actually needed for the moment) seems OK
  • the first sector of the bootsector seems OK
  • the first MFT entry (the one on absolute sector 26774331) still needs to be checked

The only other things that may have gone "berserk" are:

  1. the other 15 sectors of the NTFS bootsector (possible, but unlikely)
  2. the MBR CODE (but that should be completely irrelevant)

For the 1st you can try repairing the bootsector with bootsect.exe.

For the 2nd you can restore a "standard" MBR with MBRFIX:

http://www.sysint.no/nedlasting/mbrfix.htm

OF COURSE, you should always make a backup of the things you are going to change (the two files you saved are already a backup, but you should also backup the other 15 sectors, i.e. access the partition, loading this time 16 sectors in Tiny Hexer instead of the default one, and do the Save as).

A seemingly stupid question, have you tried connecting that hard disk to another PC (or after having booted to another OS)?

Can it not be that you have something running (or in the Registry) that prevents the mounting of that partition?

jaclaz


This is what it looks like now, which is correct.

ptd.jpg

Here is absolute sector 26774331...

26774331.jpg

When trying to repair the MFT it says 'MFT and MFT mirror are bad. Failed to repair them'.

When I said the process takes 6 hours I was talking about the 'rebuild BS' command. Sorry.

When saving the 15 sectors do I just click 'next sector' 15 times while doing a 'save as' every sector?

I will try the tools mentioned.

Thank you very much for your help thus far btw. :hello:

Edited by SkylineRB26DETT

The only other things that may have gone "berserk" are:

  1. the other 15 sectors of the NTFS bootsector (possible, but unlikely)
  2. the MBR CODE (but that should be completely irrelevant)

For the 1st you can try repairing the bootsector with bootsect.exe.

For the 2nd you can restore a "standard" MBR with MBRFIX:

http://www.sysint.no/nedlasting/mbrfix.htm

Which commands do I use in those tools?

This one ??...

MbrFix /drive <num> /partition <part> fixbootsector <os> 

As for bootsect I am unsure.

A seemingly stupid question, have you tried connecting that hard disk to another PC (or after having booted to another OS)?

Can it not be that you have something running (or in the Registry) that prevents the mounting of that partition?

I have tried a different PC with same results. :(


When saving the 15 sectors do I just click 'next sector' 15 times while doing a 'save as' every sector?

you should also backup the other 15 sectors, i.e. access the partition, loading this time 16 sectors in Tiny Hexer instead of the default one, and do the Save as).

Check thoroughly the pop-up when you want to mount a disk or large image file as disk, you can choose how many sectors you want to load.

I will re-check the calculations, but maybe we have found somehow the culprit.

The $MFT should be there, according to the data in the bootsector.

Now what could have happened? :unsure:

Possibilities:

  1. the $MFT Mirror was corrupt and somehow you overwrote the $MFT with it
  2. BOTH the $MFT and $MFT Mirror were somehow corrupt
  3. the bootsector got corrupt somehow and now holds incorrect data about the location of the $MFT

more of the above together.

I just re-checked (doing also a check with a virtual drive) and the location of the $MFT is correct, as well as the whole first sector of the bootsector.

I wonder what can have happened. :unsure:

You can try loading the disk in Tiny Hexer (the whole disk), load just one sector (the MBR), then go to Edit->Find/Replace set the box "Text", in the dropdown box choose "DOS 8 bits" and enter the search text "FILE0" (without quotes, that's FILE with appended a 0 - zero) it will tell you it didn't find it in current loaded sector, press "Yes to all" it will load and scan the whole hard disk until it finds the searched text, it will take a lot of time, be warned.

If it is found, please save the sector on which it is found and post it in a .zip, post also the sector number where it's found.

If we can understand WHAT happened maybe we may be able to rebuild the structure, otherwise you will have to use file-based recovery, I'm afraid :(.

jaclaz


it will take a lot of time, be warned.

My calculations...about 130 days if it has to scan the whole drive. :blink:

If we can understand WHAT happened maybe we may be able to rebuild the structure, otherwise you will have to use file-based recovery, I'm afraid :(.

You mean like photorec? Where all files are just dumped into folders while losing the file name?


Is this amazing or what?!?!?!?

sector 1081543

1081543.jpg

Although something seems odd. :unsure:


You mean like photorec? Where all files are just dumped into folders while losing the file name?

Yep, but there are also several apps that may be able to get the filename.

But we need a $MFT, for this. :(

http://memberwebs.com/stef/software/scrounge/

http://memberwebs.com/stef/software/scrounge/guessing.html

The sector you found is definitely part of the $MFT or of its mirror.

However its position makes no sense to me, right now.

Was the disk originally "Vista" or "Windows 7"?

Maybe the $MFT position has been shifted on these systems? And somehow the position was reverted in the bootsector to the default XP ones?

Try going on searching and take note of which sectors have this leading "FILE0" tag, maybe we can find a pattern. :unsure:

jaclaz


Was the disk originally "Vista" or "Windows 7"?

Maybe the $MFT position has been shifted on these systems? And somehow the position was reverted in the bootsector to the default XP ones?

The disk was Vista 64, but I'm not sure if it was XP before that.

Try going on searching and take note of which sectors have this leading "FILE0" tag, maybe we can find a pattern. :unsure:

I will search starting at that sector.


Ok I found the next 13 sectors with FILE0.

1081543, 1081545, 1081547, 1081549, 1081551, 1081553, 1081555, 1081557, 1081559, 1081561, 1081563, 1081565

I attached a file showing 50 sectors starting at 1081543. I will continue searching for more FILE0's.

1081543-1081582.zip


They're everywhere...

1083587, 1083589, 1083591, 1083593, 1083595, 1083597, 1083599, 1083601, 1083603, 1083605, 1083607, 1083609, 1083611, 1083613, 1083615

Then starting at sector 10833634 they show up somewhere in the middle of sectors (always somewhere different) not at the beginning...and not every other sector. Sometimes the next sector or sometimes 3-4 away.

Then they start having multiple FILE0's in the sectors.

If you need all the sector numbers I can do that...there's probably like 50 more. It's just scanning now and has not found anything in a while.

Edited by SkylineRB26DETT

It's very strange.

The sectors you posted do contain some references to $Quota, $ObjId, $Reparse (i.e. typical objects of a $MFT):

http://www.ntfs.com/ntfs-system-files.htm

Now, with reference to your posted file:

$Quota is on sector #16 which translates to Record #8 (should be Record #24)

$ObjId is on sector #18 which translates to Record #9 (should be Record #25)

$Reparse is on sector #20 which translates to Record #10 (should be Record #26)

Which should mean that the actual $MFT beginning is 24-8=16*2=32 sectors before the chunk of sectors you posted, i.e.

1081543-32= 1081511 (which still makes very little sense) :unsure:

To be on the safe side, try saving 200 sectors (100 sectors before first found occurrence and 100 sectors after it).

I.e.:

Sectors 1081443~1081643

Sectors 1083487~1083687

etc.

jaclaz
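
The back-calculation in the post above, as an added example that is not part of the original thread: it scans a saved chunk for sector-aligned "FILE0" headers and lets each one vote for the sector where record #0 would sit. It goes beyond the name-based reasoning in the post by reading the record number stored at offset 0x2C of each header, which assumes the NTFS 3.1 record layout (the "0" after FILE is the 0x30 update-sequence offset of that layout) and 1024-byte records; the chunk is constructed, with only sector 1081543 and the every-other-sector spacing taken from the thread.

```python
import struct
from collections import Counter

SECTOR = 512
RECORD_SECTORS = 2   # 1024-byte FILE records, matching the every-other-sector hits

def scan_file_records(image, base_sector=0):
    """Return (absolute sector, record number) for each sector-aligned FILE0 header."""
    hits = []
    for off in range(0, len(image) - SECTOR + 1, SECTOR):
        if image[off:off + 5] == b"FILE0":
            recno, = struct.unpack_from("<I", image, off + 0x2C)
            hits.append((base_sector + off // SECTOR, recno))
    return hits

def unaligned_hits(image, base_sector=0):
    """Sectors where "FILE0" occurs away from offset 0, so not a record header."""
    out = set()
    pos = image.find(b"FILE0")
    while pos != -1:
        if pos % SECTOR:
            out.add(base_sector + pos // SECTOR)
        pos = image.find(b"FILE0", pos + 1)
    return sorted(out)

def infer_mft_start(hits):
    """Each hit votes for sector - record_number * 2; return (sector, votes) or None."""
    votes = Counter(sector - recno * RECORD_SECTORS for sector, recno in hits)
    return votes.most_common(1)[0] if votes else None

def build_sample():
    """Constructed 32-sector chunk starting at sector 1081540 (not data from the thread)."""
    base = 1081540
    img = bytearray(32 * SECTOR)

    def put(sector, recno):
        off = (sector - base) * SECTOR
        img[off:off + 5] = b"FILE0"
        struct.pack_into("<I", img, off + 0x2C, recno)

    for k in range(12):                     # records 16..27 at 1081543, 1081545, ...
        put(1081543 + 2 * k, 16 + k)
    put(1081541, 5)                         # stale header that disagrees with the rest
    off = (1081568 - base) * SECTOR + 100   # "FILE0" text in the middle of a sector
    img[off:off + 5] = b"FILE0"
    return base, bytes(img)

if __name__ == "__main__":
    base, img = build_sample()
    hits = scan_file_records(img, base)
    print("aligned headers:", len(hits))
    print("inferred $MFT start (sector, votes):", infer_mft_start(hits))
    print("mid-sector matches ignored:", unaligned_hits(img, base))
```
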


Sectors 1081443~1081643

Sectors 1083487~1083687

Attached are the sectors...two files with 200 sectors each.

Also...more FILE0 sightings...

6185824.jpg

Sectors: 6185824 (pictured), 6185837, 6191570, 6193371, 6193386

maybe more...it's scanning

sectors.zip


Sectors 1081443~1081643 seem like being NOT the real thing/not usable.

Sectors 1083487~1083687 seem better, at offset 50176 (sector 98/200 of "1083585" file) there is a "full" $MFT.

Only it seems like having been created on 15/02/2005, would it be possible? :unsure:

jaclaz


Only it seems like having been created on 15/02/2005, would it be possible? :unsure:

So it would mean that all files created after that date will not show up?

Are the other sectors irrelevant? There have got to be about 100 sectors with FILE0 in them.

How do we proceed?

Edited by SkylineRB26DETT

So it would mean that all files created after that date will not show up?

No, it simply means that the found $MFT was created on that date, which translates - IF that is the "right" $MFT - to the fact that the volume was formatted on that day (which I am presuming to be unlikely).

Knowing the "history" of that system/drive may give hints to understand if this is likely or not.

Are the other sectors irrelevant? There have got to be about 100 sectors with FILE0 in them.

How do we proceed?

Continue gathering them, it is possible that the one till now found is part of something else, and that we find later the "real" one. :unsure:

jaclaz
