Jump to content

Welcome to MSFN Forum
Register now to gain access to all of our features. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more. This message will be removed once you have signed in.
Login to Account Create an Account


Photo

Seagate 750Gb one partition is RAW after BSY fix

- - - - -

  • Please log in to reply
38 replies to this topic

#1
SkylineRB26DETT

SkylineRB26DETT

    Newbie

  • Member
  • 29 posts
  • Joined 22-December 09
  • OS:Windows 7 x64
  • Country: Country Flag
So I do a bsy fix on another drive and everything seemed fine.

The drive showed up and I can see the files.

The problem is it showed up with one partition...the large one ~690Gb.

Now..this drive is from a system and they usually have a second small partition for backup.

So I run testdisk and it finds both partitions. I do a 'write' partition table.

Now both partitions show up and get drive letters assigned.

The problem...

The small 10Gb partition I can navigate through no problem, but the big partition is inaccessible and shows up as RAW in computer management.

Before the partition table 'write' I could navigate through the large partition no problem. I did not backup the partition table before doing the write.

Any ideas how to get the large partition to work again?

Edited by SkylineRB26DETT, 29 July 2010 - 07:35 AM.



How to remove advertisement from MSFN

#2
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,411 posts
  • Joined 23-July 04
  • OS:none specified
  • Country: Country Flag

Before the partition table 'write' I could navigate through the large partition no problem. I did not backup the partition table before doing the write.

NOT a good idea.

Any ideas how to get the large partition to work again?

I assume this second partition was NTFS.

Run again TESTDISK.

See what it finds.

Check that the last sector in the NTFS (copy of bootsector) is the same of the actual bootsector (if any)

Otherwise get from it the "sectors before" and recreate a suitable partition entry.

If you post some actual DATA, I may be able to help you with actually helping advice.

See here for an example of a similar recovery:
http://www.msfn.org/...howtopic=141687

jaclaz

#3
SkylineRB26DETT

SkylineRB26DETT

    Newbie

  • Member
  • 29 posts
  • Joined 22-December 09
  • OS:Windows 7 x64
  • Country: Country Flag
Thanks for the quick reply. The hdd was running Win Vista 64.

Here is what it looked like before I 'wrote' the partition table...I should have left it alone since the 'recover partition' does not need a drive letter. I thought since it didn't come up as a viewable partition with a drive letter that there was something wrong.

http://img715.images...artitionssk.jpg

Here is what it looks like now... :(

http://img180.images.../3228/nowpu.jpg

Here are screenshots from test disk.

Originally the large partition was bootable, but now it states the small one is. I tried changing that, but it always reverts back.
Posted Image

The boot sectors are identical because I copied them.
Posted Image
Posted Image

Posted Image

I tried to list the files.
Posted Image

Tried repair MFT.
Posted Image

thanks for your time

#4
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,411 posts
  • Joined 23-July 04
  • OS:none specified
  • Country: Country Flag

Here is what it looked like before I 'wrote' the partition table...I should have left it alone since the 'recover partition' does not need a drive letter. I thought since it didn't come up as a viewable partition with a drive letter that there was something wrong.

Next time use a "proper" tool :whistling::
http://www.boot-land...showtopic=10169

Originally the large partition was bootable, but now it states the small one is. I tried changing that, but it always reverts back.

Changed "how"?

It seems like "something else".
You have not by any chance fiddled with XP on a Vista partitioned drive?
There are a few hiccups in doing that, though cannot say if they would apply to your current situation.

You seemingly have a correct partition entry for the partition in the MBR.

You seemingly have a valid bootsector (at least this is what testdisk reports).

But I need to have a look at them to make sure.

Get Tiny Hexer:
(and my small scripts for it)
http://www.boot-land...?showtopic=8734

Check the MBR with PTview.
Post the values you see.

Save a copy of the MBR and of the first sector of the bootsector, put it inside a .zip archive and attach it to your next post.

jaclaz

#5
SkylineRB26DETT

SkylineRB26DETT

    Newbie

  • Member
  • 29 posts
  • Joined 22-December 09
  • OS:Windows 7 x64
  • Country: Country Flag

Here is what it looked like before I 'wrote' the partition table...I should have left it alone since the 'recover partition' does not need a drive letter. I thought since it didn't come up as a viewable partition with a drive letter that there was something wrong.

Next time use a "proper" tool :whistling::


Are you talking about instead of Computer Management?

Originally the large partition was bootable, but now it states the small one is. I tried changing that, but it always reverts back.

Changed "how"?


In testdisk you can change from (P)rimary to (*)bootable with the right and left arrows.

It seems like "something else".
You have not by any chance fiddled with XP on a Vista partitioned drive?
There are a few hiccups in doing that, though cannot say if they would apply to your current situation.


NO, I'm using Win7 x64

You seemingly have a correct partition entry for the partition in the MBR.

You seemingly have a valid bootsector (at least this is what testdisk reports).

But I need to have a look at them to make sure.

Get Tiny Hexer:
(and my small scripts for it)
http://www.boot-land...?showtopic=8734

Check the MBR with PTview.
Post the values you see.

Save a copy of the MBR and of the first sector of the bootsector, put it inside a .zip archive and attach it to your next post.

jaclaz


I will do this when I get home. Thanks!

#6
SkylineRB26DETT

SkylineRB26DETT

    Newbie

  • Member
  • 29 posts
  • Joined 22-December 09
  • OS:Windows 7 x64
  • Country: Country Flag
Hi jaclaz,

In my second post when I posted this screenshot...

http://img715.images...artitionssk.jpg

I didn't realize the recovery partition was hidden, which is why it didn't get a drive letter assigned. This is the whole reason I checked in testdisk and 'wrote' the partition...because I thought it was missing. Everything was fine and now there's a mess. I wonder why testdisk wrote wrong partition info.

Anyway...attached are zip folders of files from tiny hexer. I wasn't sure if you wanted me to run it on the drive itself or the partition that is not showing up. I did it for both.

Here are screenshots...

The drive itself...
Posted Image
Posted Image

The partition coming up as RAW...
Posted Image
Posted Image

Attached Files



#7
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,411 posts
  • Joined 23-July 04
  • OS:none specified
  • Country: Country Flag
The MBR DATA seems correct. The code is "strange" at first sight, but it shouldn't matter and can anyway be fixed allright with MBRFIX.

There was a misunderstanding. :(

I meant "post the actual sectors", not the view of them.

I.E. in the normal Tinyhexer view choose "Save as" and post the two resulting 512 bytes files (MBR and bootsector).

The Partition table viewer only applies to a MBR (with partition table ;) ) and not to a boot sector (as you can see in the second "beeblebrox like" screenshot, numbers are "random".

Once I have the bootsector data I can point you to other locations to check.

After you have these sectors saved:

To reset the initial status (before the changes) in the MBR:
In the "PTview" view, click on the 07 in row #0 column "Type", a 07 in the hex view will be highlighted, overwrite it with 12.
In the "PTview" view, click on the 80 in row #0 column "Boot", a 80 in the hex view will be highlighted, overwrite it with 00.
In the "PTview" view, click on the 00 in row #0 column "Boot", a 00 in the hex view will be highlighted, overwrite it with 80.


jaclaz

#8
SkylineRB26DETT

SkylineRB26DETT

    Newbie

  • Member
  • 29 posts
  • Joined 22-December 09
  • OS:Windows 7 x64
  • Country: Country Flag

I.E. in the normal Tinyhexer view choose "Save as" and post the two resulting 512 bytes files (MBR and bootsector).


Attached is a zip with the 'save as' files from tinyhexer. One is for the entire drive and the other for partition 2.

After you have these sectors saved:

To reset the initial status (before the changes) in the MBR:
In the "PTview" view, click on the 07 in row #0 column "Type", a 07 in the hex view will be highlighted, overwrite it with 12.
In the "PTview" view, click on the 80 in row #0 column "Boot", a 80 in the hex view will be highlighted, overwrite it with 00.
In the "PTview" view, click on the 00 in row #0 column "Boot", a 00 in the hex view will be highlighted, overwrite it with 80.


Before I change anything this is what it looks like now after I started the computer...the 80h is in row two now.

Posted Image

Should I still change the 07h to 12h?

Attached Files



#9
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,411 posts
  • Joined 23-July 04
  • OS:none specified
  • Country: Country Flag

Before I change anything this is what it looks like now after I started the computer...the 80h is in row two now.

Which means that the changes you did before are now effective. :thumbup

Should I still change the 07h to 12h?

Well, that's entirely up to you, hidden partitions should stay hidden (they are meant to stay hidden by design).
You can use the apps in the given link if you want to temporarily mount it in order to access it, but there should be no reason normally to fiddle with it.

The bootsector data seems ok.
The $MFT should be at absolute sector (786432*8 + 20482875) if accessing the Physical drive or 786432*8=6291456 if accessing partition.
The first thing you should see there is "FILE*" or "FILE0".
if opened the whole disk:
File->Disk->Goto Sector->26774331
or if opened the partition:
File->Disk->Goto Sector->6291456

Test disk should be able to check and fix this kind of errors:
http://www.cgsecurit..._and_MFT_Repair

Try running it as per above, and see what it reports.

jaclaz

#10
SkylineRB26DETT

SkylineRB26DETT

    Newbie

  • Member
  • 29 posts
  • Joined 22-December 09
  • OS:Windows 7 x64
  • Country: Country Flag

Which means that the changes you did before are now effective. :thumbup


Jaclaz, I did not change anything yet... ever. The 80h swapped spots by itself after restarting the computer.

Test disk should be able to check and fix this kind of errors:
http://www.cgsecurit..._and_MFT_Repair

Try running it as per above, and see what it reports.


I've tried this twice already with negative results. It takes like 6 hours to complete and nothing changes.


This is what you wrote a few posts ago...

To reset the initial status (before the changes) in the MBR:
In the "PTview" view, click on the 07 in row #0 column "Type", a 07 in the hex view will be highlighted, overwrite it with 12.
In the "PTview" view, click on the 80 in row #0 column "Boot", a 80 in the hex view will be highlighted, overwrite it with 00.
In the "PTview" view, click on the 00 in row #0 column "Boot", a 00 in the hex view will be highlighted, overwrite it with 80.


Did you want to say row #1 in any of those lines above or are all changes in row #0?

#11
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,411 posts
  • Joined 23-July 04
  • OS:none specified
  • Country: Country Flag

Jaclaz, I did not change anything yet... ever. The 80h swapped spots by itself after restarting the computer.


Well, no, things don't get swapped by themselves, most probably you did not refresh the whatever you were viewing it with after the TESTDISK change,

I've tried this twice already with negative results. It takes like 6 hours to complete and nothing changes.

Well, no, usually TESTDISK asks what you want it to do, then reports something and then asks for a confirmation before doing potentially destructive things.
I need to know what happens, what TESTDISK reports, as I cannot see your screen from this distance ;).
If you already ran it maybe that is the thing that created the problem.


Did you want to say row #1 in any of those lines above or are all changes in row #0?

Yep, typo :blushing: third is row #1, but since the boot has already swithced all you want (eventually) to do is to chqnge the 07 of the hidden partition back to 12.

Let's try to sum up:
  • the MBR DATA (the only thing that is actually needed for the moment) seems OK
  • the first sector of the bootsector seems OK
  • the first MFT entry ( the one on absolute sector 26774331) needs still to be checked

The only other things that may have gone "beserk" are:
  • the other 15 sectors of the NTFS bootsector (possible, but unlikely)
  • the MBR CODE (but that should be completely irrelevant)

For the 1st you can try repairing the bootsector with bootsect.exe.
For the 2nd you can restore a "standard" MBR with MBRFIX:
http://www.sysint.no...ting/mbrfix.htm

OF COURSE, you should always make a backup of the things you are going to change (the two files you saved are already a backup, but you should also backup the other 15 sectors, i.e. access the partition, loading this time 16 sectors in Tiny Hexer instead of the default one, and do the Save as).

A seemingly stupid question, have you tried connecting that hard disk to another PC (or after having booted to another OS)?
Can it not be that you have something running (or in the Registry) that prevents the mounting of that partiton?

jaclaz

#12
SkylineRB26DETT

SkylineRB26DETT

    Newbie

  • Member
  • 29 posts
  • Joined 22-December 09
  • OS:Windows 7 x64
  • Country: Country Flag
This is what it looks like now, which is correct.
Posted Image

Here is absolute sector 26774331...
Posted Image

When trying to repair the MFT it says 'MFT and MFT mirror are bad. Failed to repair them'.

When I said the process takes 6 hours I was talking about the 'rebuild BS' command. Sorry.

When saving the 15 sectors do I just click 'next sector' 15 times while doing a 'save as' every sector?

I will try the tools mentioned.

Thank you very much for your help thus far btw. :hello:

Edited by SkylineRB26DETT, 30 July 2010 - 11:17 AM.


#13
SkylineRB26DETT

SkylineRB26DETT

    Newbie

  • Member
  • 29 posts
  • Joined 22-December 09
  • OS:Windows 7 x64
  • Country: Country Flag

The only other things that may have gone "beserk" are:

  • the other 15 sectors of the NTFS bootsector (possible, but unlikely)
  • the MBR CODE (but that should be completely irrelevant)

For the 1st you can try repairing the bootsector with bootsect.exe.
For the 2nd you can restore a "standard" MBR with MBRFIX:
http://www.sysint.no...ting/mbrfix.htm


Which commands do I use in those tools?

This one ??...
MbrFix /drive <num> /partition <part> fixbootsector <os>

As for bootsect I am unsure.


A seemingly stupid question, have you tried connecting that hard disk to another PC (or after having booted to another OS)?
Can it not be that you have something running (or in the Registry) that prevents the mounting of that partiton?

I have tried a different PC with same results. :(

#14
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,411 posts
  • Joined 23-July 04
  • OS:none specified
  • Country: Country Flag

When saving the 15 sectors do I just click 'next sector' 15 times while doing a 'save as' every sector?

you should also backup the other 15 sectors, i.e. access the partition, loading this time 16 sectors in Tiny Hexer instead of the default one, and do the Save as).

Check thoroughfully the pop-up when you want to mount a disk or large image file as disk, you can choose how many sectors you want to load.

I will re-check the calculations, but maybe we have found somehow the culprit.

The $MFT should be there, according to the data in the bootsector.

Now what could have happened? :unsure:

Possibilities:
  • the $MFT Mirror was corrupt and somehow you overwrote the $MFT with it
  • BOTH the $MFT and $MFT Mirror were somehow corrupt
  • the bootsector got corrupt somehow and now holds incorrect data about the location of the $MFT
more of the above together.

I just re-checked (doing also a check with a virtual drive) and the location of the $MFT is correct, as well as the whole first sector of the bootsector.

I wonder what can have happened. :unsure:

You can try loading the disk in Tiny Hexer (the whole disk), load just one sector (the MBR), then go to Edit->Find/Replace set the box "Text", in the dropdown box choose "DOS 8 bits" and enter the search text "FILE0" (without quotes, that's FILE with appended a 0 - zero) it will tell you it didn't find it in current loaded sector, press "Yes to all" it will load and scan the whole hard disk until it finds the searched text, it will take a lot of time, be warned.

If it is found, please save the sector on which it is found and post it in a .zip, post also the sector number where it's found.

If we can understand WHAT happened maybe we may be able to rebuild the structure, otherwise you will have to use file-based recovery, I'm afraid :(.

jaclaz

#15
SkylineRB26DETT

SkylineRB26DETT

    Newbie

  • Member
  • 29 posts
  • Joined 22-December 09
  • OS:Windows 7 x64
  • Country: Country Flag

it will take a lot of time, be warned.

My calculations...about 130 days if it has to scan the whole drive. :blink:

If we can understand WHAT happened maybe we may be able to rebuild the structure, otherwise you will have to use file-based recovery, I'm afraid :(.

You mean like photorec? Where all files are just dumped into folders while losing the file name?

#16
SkylineRB26DETT

SkylineRB26DETT

    Newbie

  • Member
  • 29 posts
  • Joined 22-December 09
  • OS:Windows 7 x64
  • Country: Country Flag
Is this amazing or what?!?!?!?

sector 1081543
Posted Image

Although something seems odd. :unsure:

#17
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,411 posts
  • Joined 23-July 04
  • OS:none specified
  • Country: Country Flag

You mean like photorec? Where all files are just dumped into folders while losing the file name?

Yep, but there also several apps that may be able to get the filename.

But we need a $MFT, for this. :(
http://memberwebs.co...tware/scrounge/
http://memberwebs.co...e/guessing.html

The sector you found is definitely part of the $MFT or of it's mirror.
However it's position makes no sense to me, right now.


Was the disk originally "Vista" or "Windows 7"?
Maybe the $MFT position has been shifted on these systems? And somehow the position was reverted in the bootsector to the default XP ones?

Try going on searching and take note of which sectors have this leading "FILE0" tag, maybe we can find a pattern. :unsure:

jaclaz

#18
SkylineRB26DETT

SkylineRB26DETT

    Newbie

  • Member
  • 29 posts
  • Joined 22-December 09
  • OS:Windows 7 x64
  • Country: Country Flag

Was the disk originally "Vista" or "Windows 7"?
Maybe the $MFT position has been shifted on these systems? And somehow the position was reverted in the bootsector to the default XP ones?

The disk was Vista 64, but I'm nit sure if it was XP before that.

Try going on searching and take note of which sectors have this leading "FILE0" tag, maybe we can find a pattern. :unsure:

I will search starting that that sector.

#19
SkylineRB26DETT

SkylineRB26DETT

    Newbie

  • Member
  • 29 posts
  • Joined 22-December 09
  • OS:Windows 7 x64
  • Country: Country Flag
Ok I found the next 13 sectors with FILE0.

1081543
1081545
1081547
1081549
1081551
1081553
1081555
1081557
1081559
1081561
1081563
1081565

I attached a file showing 50 sectors starting at 1081543. I will continue searching for more FILE0's.

Attached Files



#20
SkylineRB26DETT

SkylineRB26DETT

    Newbie

  • Member
  • 29 posts
  • Joined 22-December 09
  • OS:Windows 7 x64
  • Country: Country Flag
They're everywhere...

1083587
1083589
1083591
1083593
1083595
1083597
1083599
1083601
1083603
1083605
1083607
1083609
1083611
1083613
1083615

Then starting at sector 10833634 they show up somewhere in the middle of sectors (always somewhere different) not at the beginning...and not every other sector. Sometimes the next sector or sometimes 3-4 away.

Then they start having multiple FILE0's in the sectors.

If you need all the sector number I can do that...there's probably like 50 more. It's just scanning now and has not found anything in a while.

Edited by SkylineRB26DETT, 31 July 2010 - 07:36 AM.


#21
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,411 posts
  • Joined 23-July 04
  • OS:none specified
  • Country: Country Flag
It's very strange.
The sectors you posted do contain some references to $Quota, $ObjId, $Reparse (i.e. typical objects of a $MFT):
http://www.ntfs.com/...ystem-files.htm

Now, with reference to your posted file:
$Quota is on sector #16 which translates to Record #8 (should be Record #24)
$ObjId is on sector #18 which translates to Record #9 (should be Record #25)
$Reparse is on sector #20 which translates to Record #10 (should be Record #26)

Which should mean that the actual $MFT beginning is 24-8=16*2=32 sectors before the chunk of sectors you posted, i.e.
1081543-32= 1081511 (which still makes very little sense) :unsure:

To be on the safe side, try saving 200 sectors (100 sectors before first found occurrence and 100 sectors after it).

I.e.:
Sectors 1081443~1081643
Sectors 1083487~1083687
etc.

jaclaz

#22
SkylineRB26DETT

SkylineRB26DETT

    Newbie

  • Member
  • 29 posts
  • Joined 22-December 09
  • OS:Windows 7 x64
  • Country: Country Flag

Sectors 1081443~1081643
Sectors 1083487~1083687


Attached are the sectors...two files with 200 sectors each.

Also...more FILE0 sightings...

Posted Image

Sectors
6185824(pictured)
6185837
6191570
6193371
6193386

maybe more...it's scanning

Attached Files



#23
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,411 posts
  • Joined 23-July 04
  • OS:none specified
  • Country: Country Flag
Sectors 1081443~1081643 seem like being NOT the real thing/not usable.
Sectors 1083487~1083687 seem better, at offset 50176 (sector 98/200 of "1083585" file) there is a "full" $MFT.
Only it seems like having been created on 15/02/2005, would it be possible? :unsure:

jaclaz

#24
SkylineRB26DETT

SkylineRB26DETT

    Newbie

  • Member
  • 29 posts
  • Joined 22-December 09
  • OS:Windows 7 x64
  • Country: Country Flag

Only it seems like having been created on 15/02/2005, would it be possible? :unsure:


So it would mean that all files created after that date will not show up?

Are the other sectors irrelevant? There got to be about 100 sectors with FILE0 in them.

How do we proceed?

Edited by SkylineRB26DETT, 01 August 2010 - 06:41 PM.


#25
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,411 posts
  • Joined 23-July 04
  • OS:none specified
  • Country: Country Flag

So it would mean that all files created after that date will not show up?

No, it simply means that the found $MFT was created on that date, which translates - IF that is the "right" $MFT - to the fact that the volume was formattted on that day (which I am presuming to be unlikely).
Knowing the "history" of that system/drive may give hints to understand if this is likely or not.

Are the other sectors irrelevant? There got to be about 100 sectors with FILE0 in them.

How do we proceed?

Continue gathering them, it is possible that the one till now found is part of something else, and that we find later the "real" one. :unsure:

jaclaz




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users



How to remove advertisement from MSFN