need to recover mbr on ST950032 5AS seagate from HP HDX w/ Vista 32-bi


Ok, you are right on this. I do have a 2TB on the XP. hdhacker may have saved the results from the 2TB not the failing 500GB. I was sure I selected the 500GB but I may have made a mistake.

These could actually be "good" news, in the sense that if the MBR (as seen in diskpart and in disk management) contains "valid" data, it should be easier to find the backup bootsector...

BUT, there are some strings attached :whistle:

IF (as it seems now) the disk has two valid partition entries, the "single" VBR you posted is only one half (which one? :unsure:) of the story:

1 disk drive=1 MBR

2 partitions/volumes/drives on it = 2 VBR's

Again you're right and sorry for the confusion. Thank you for being patient, as soon as the drdd finishes I will follow the steps you outlined and post back.

Actually I was wrong :w00t: (but not on the main issue ;) ) I checked and while:

  • Hdhacker
  • Tiny Hexer
  • Diskpart
  • Disk Management

number disks starting from 0

Datarescue does number them starting from 1

so the 4 that becomes 5 is OK :thumbup .

STILL, one MUST be careful with the math ;):

dirty-harry.jpg

jaclaz



Let's do it like this :unsure::

  1. STOP whatever you are doing. (of course let datarescuedd finish the image)
  2. use ONLY the XP (and NOT the Windows 7)
  3. run again Hdhacker to save the MBR (first sector of PhysicalDrive) of the disk that you think is the failed one, save it like MBR_disk_n.hdh
  4. run ddrescue on the disk that you think is the failed one, saving only 1 sector (lower fields Start=0, Size=1, End=1) to file image[0-512].dd
  5. run tiny hexer, use the file->disk->open drive to open the disk that you think is the failed one (it will auto-set to load one sector at the time and will open on the first sector) choose File-> Save as and save it like MBR_disk_n.thx
  6. compress the three resulting files into a zip and post it as attachment. (if the three files are not IDENTICAL there is an issue of some kind)

I followed the steps, here are the results:


The good news :) is that now that it's the "right" MBR, we have some data to check :thumbup

#0 07 00 0 32 33 12 223 19   2048 204800
#1 07 80 12 223 20 1023 254 63 206848 976564224

The bad news is that you are not (yet) doing EXACTLY what you are told to :w00t:.

What I said:

4. run ddrescue on the disk that you think is the failed one, saving only 1 sector (lower fields Start=0, Size=1, End=1) to file image[0-512].dd

what you did:

4. run ddrescue on the disk that you think is the failed one, saving only 1 sector Mb (lower upper fields Start=0, Size=1, End=1) to file image[0-512].dd

Of course there is no consequence in this instance, you just got more data than what was needed :whistle: , but when you get to direct disk access through Tiny Hexer or Testdisk, doing things EXACTly or "almost exactly" may make a difference :ph34r: .

Now you need to access the disk with Tiny Hexer.

File ->Disk->Open drive -> (select the RIGHT PhysicalDrive) -> OK

File ->Disk-> Goto sector/position-> (enter 206848) ->OK

File ->Save as->Sector206848.bin

File ->Disk-> Goto sector/position-> (enter 976771071) ->OK

File ->Save as->Sector976771071.bin

Tools->Compare->Compare (You should find a number of bytes highlighted as different at the beginning of the sector)

In case you are wondering, 976771071 comes from 976564224+206848-1=976771071

The NTFS filesystem normally stores a backup of the first sector as the last sector of the Partition/Volume allocated space or - if you prefer - as the first sector after the end of the filesystem, which is always one sector less than the Partition/Volume allocated space.

Compress Sector206848.bin and Sector976771071.bin and post the .zip

jaclaz
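The arithmetic in the post above, as an added example that is not part of the original thread: it decodes the 16-byte MBR partition entries and derives the backup boot sector address (start + size - 1) for each. The sample MBR is constructed from the two entries quoted in the post, reading the columns as type, boot flag, start C/H/S, end C/H/S, start LBA and size; the function names are illustrative.

```python
import struct

SECTOR = 512

def decode_chs(raw):
    """Packed 3-byte CHS -> (cylinder, head, sector)."""
    head, sec_cyl, cyl_low = raw
    return ((sec_cyl & 0xC0) << 2 | cyl_low, head, sec_cyl & 0x3F)

def encode_chs(c, h, s):
    """Inverse of decode_chs, used only to build the sample below."""
    return bytes([h, (c >> 2) & 0xC0 | s, c & 0xFF])

def parse_mbr(sector):
    """Return the used primary partition entries of a 512-byte MBR."""
    if len(sector) != SECTOR or sector[510:] != b"\x55\xaa":
        raise ValueError("expected 512 bytes ending in 55 AA")
    entries = []
    for i in range(4):
        raw = sector[446 + 16 * i:462 + 16 * i]
        boot, chs_s, ptype, chs_e, start, count = struct.unpack("<B3sB3sII", raw)
        if ptype == 0:  # unused slot
            continue
        entries.append({
            "index": i, "type": ptype, "boot": boot,
            "chs_start": decode_chs(chs_s), "chs_end": decode_chs(chs_e),
            "start": start, "sectors": count,
            # NTFS backup boot sector: last sector of the partition
            "backup_vbr": start + count - 1,
        })
    return entries

def looks_like_ntfs_vbr(sector):
    """True if the sector has the NTFS OEM ID at offset 3 and the 55 AA marker."""
    return (len(sector) == SECTOR and sector[3:11] == b"NTFS    "
            and sector[510:] == b"\x55\xaa")

def build_sample_mbr():
    """Constructed sample carrying the two entries quoted in the thread."""
    rows = [(0x00, (0, 32, 33), 0x07, (12, 223, 19), 2048, 204800),
            (0x80, (12, 223, 20), 0x07, (1023, 254, 63), 206848, 976564224)]
    table = b"".join(
        struct.pack("<B3sB3sII", b, encode_chs(*s), t, encode_chs(*e), lba, n)
        for b, s, t, e, lba, n in rows)
    return bytes(446) + table + bytes(32) + b"\x55\xaa"

if __name__ == "__main__":
    for e in parse_mbr(build_sample_mbr()):
        print("#%(index)d type=%(type)02X boot=%(boot)02X start=%(start)d "
              "size=%(sectors)d backup boot sector=%(backup_vbr)d" % e)
```

Run against a saved one-sector MBR file rather than the live disk; `looks_like_ntfs_vbr` can then be applied to the sectors saved at `start` and `backup_vbr`.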


The bad news are that you are not (yet) doing EXACTLY what you are told to :w00t:.

What I said:

4. run ddrescue on the disk that you think is the failed one, saving only 1 sector (lower fields Start=0, Size=1, End=1) to file image[0-512].dd

what you did:

4. run ddrescue on the disk that you think is the failed one, saving only 1 sector Mb (lower upper fields Start=0, Size=1, End=1) to file image[0-512].dd

sorry about that, I was wondering why the filename was different from what you said it would be. I don't know why I thought the Sectors fields were above the MBs fields.

Ok

I saved the sectors, here they are below. it doesn't look good.

It looks like the backup sectors are gone??


I saved the sectors, here they are below. it doesn't look good.

It looks like the backup sectors are gone??

Yep :} .

The backup sector is completely wiped and a "queer" B702 is written to it at the beginning.

Also the "main" bootsector has this strange B702 "incipit".

I wonder what the heck may have caused it.

Did the image complete successfully?

This is "vital" since we will start actually writing to the disk, and if the image is not good we will have "no way back" :ph34r: .

At this point easier would be to try writing a BPB, but before it I would try two things:

  1. check if the $MFT main record is "where it should be"
  2. check if it is valid (or if it has been overwritten)

The main $MFT should start at:

206848+786432*8=6498304

And its Mirror at:

206848+61035263*8=488488952

So, open the disk in Tiny Hexer, open the Physicaldrive, goto sector 6498304, it should begin with "FILE0".

Goto sector 488488952, it should also begin with "FILE0".

IF (and ONLY if) the above is correct, then goto sector 206848 and overwrite it with the sector in the attachment (with the physical drive open, goto sector 20848, open file 206848mod.bin, "select all", copy, select the physicaldrive sector, select all, paste, then close the physical drive, and say yes to the prompt to save the change).

Now if you try opening the drive in Explorer, you should be able to browse its contents (if there are not any further damages).

Report.

If you have ANY doubt, ask for clarifications BEFORE doing anything!

jaclaz

206848mod.zip


:blink:

The image completed. Successfully? I cannot be positive it is an exact image because there were several errors that occurred before DRDD finished. However, DRDD did complete w/ errors.

25GB +/- 1GB was written to the image with DRDD.

The main $MFT should start at:

206848+786432*8=6498304

And its Mirror at:

206848+61035263*8=488488952

The sectors do not match, see attachment.


The sectors do not match, see attachment.

Hmmm.

One of the sectors is all 00's; that may mean almost anything, including the effect of the same thing that wrote B702 that could have wiped it, but the other one does contain some binary data (though not a $MFT mirror); it is improbable that whatever happened wiped one sector and wrote garbage to its mirror.

It is much more likely that we are going to a wrong address.

Could it be that the first "100 Mb" partition is an artifact (of some kind) created by any of your previous attempts? :blink:

If this is the case, then logically there was before a "single" partition and then it would have started at the "default" (for Vista :ph34r:) 2048.

Try again with sectors:

$MFT:

2048+786432*8=6293504

And its Mirror at:

2048+61035263*8=488284152

Otherwise, a good idea could be to open with Tiny Hexer the disk, goto sector 6280000 then Edit->Find/Replace->input "FILE0" (please note that this is CaSeSeNsItIvE), make sure that you have Text mode checked and "Dos 8 bits", then click on the "Find" button, at the prompt click on "Yes to all".

This might be a very looong step before you get a "hit".

Compare with this thread:

jaclaz


The sectors do not match, see attachment.

Could it be that the first "100 Mb" partition is an artifact (of some kind) created by any of your previous attempts? :blink:

Yes, the 100MB looks like a Win7 PE partition when I tried BOOTREC w/o success w/ Win7.

Otherwise, a good idea could be to open with Tiny Hexer the disk, goto sector 6280000 then Edit->Find/Replace->input "FILE0" (please note that this is CaSeSeNsItIvE), make sure that you have Text mode checked and "Dos 8 bits", then click on the "Find" button, at the prompt click on "Yes to all".

I followed the instructions you specified. It doesn't look good. No 'FILE0' found and I received an I/O error.

Also, I noticed when I plugged the HDD back in to the XP to do all the work, the HDD light on my HD enclosure is constantly lit up. Could this be causing the I/O errors?

I would really hate to tell my cousin's gf her drive is toast, but it looks like it's completely corrupt. What do you think?

see attached .bin files and screenshot.

EDIT: At this point, if I can read the files and transfer to a different drive it would be ok. If she set a pw the files may be inaccessible because of permission issues, yes?

When I ran a recovery program after trying the BOOTREC, it saved all the RAW files (11.9GB) by type: FILE001.bmp; FILE002.bmp, etc., but they are not accessible whatsoever, meaning you can open them and some have different file sizes but nothing shows up.


I followed the instructions you specified. It doesn't look good. No 'FILE0' found and I received an I/O error.

Also, I noticed when I plugged the HDD back in to the XP to do all the work, the HDD light on my HD enclosure is constantly lit up. Could this be causing the I/O errors?

I would really hate to tell my cousin's gf her drive is toast, but it looks like it's completely corrupt. What do you think?

see attached .bin files and screenshot.

EDIT: At this point, if I can read the files and transfer to a different drive it would be ok. If she set a pw the files may be inaccessible because of permission issues, yes?

When I ran a recovery program after trying the BOOTREC, it saved all the RAW files (11.9GB) by type: FILE001.bmp; FILE002.bmp, etc., but they are not accessible whatsoever, meaning you can open them and some have different file sizes but nothing shows up.

I would be less pessimistic than you are, in the sense that from the few sectors you posted I don't have the feeling of a "toasted" disk, sure it may have had a few bad sectors but since the datarescuedd thing got to the end of the disk, it should be substantially "sound".

It seems to me like more probable that most of the "damages" have been made (for *any* reason) by the failed attempts at recovery, this is actually the reason why one should always - unless he/she is 100% sure that it is a trivial thing and he/she is positive that it can be solved with little effort - image the disk first thing, as in case of issues there is always a "way back".

I am not (yet) convinced that "everything" is lost.

You are now mentioning "password", I sincerely hope that you don't mean - by any chance - that the volume was encrypted :unsure:.

I think I am missing something :w00t: , a $MFT is a "not so little" amount of sectors, it would be queer it has been completely wiped.

The "786432*8" is the "default" address for it, if the disk was partitioned/formatted with the "standard" tools. If it is possible that some "non-standard" tool has been used, it may be at another address.

If I get right, you have now scanned starting from sector 6293504 all the way to the end of the disk.

The settings you have in Tiny Hexer seem correct .

Try this before giving up.

Do the scan from sector 20848 up to 6293504.

Try this time for the hex characters "46494C45" (they are the same as "FILE" in text).

Also, it may help me if you could gather (from your cousin) as many details on the "story" of this disk as you can get (like which OS was there, how many partitions, if he changed something, etc, etc.) and if you would provide a (synthetic) list of the actions you attempted on the disk (again with as much detail as you can remember) before making the image with datarescuedd, including the actual name of the apps you have used, and anything that you can remember about what they did or how they behaved.

Also, you should check the USB enclosure, it is possible that the "always lit" is the symptom of a problem :unsure: .

But you can do the scan on the image, now that you have it :yes: .

Instead of File->Disk->Open Drive use File->Disk->Open disk image or large file as drive....

jaclaz


I am not (yet) convinced that "everything" is lost.

You are certainly optimistic. When I did the search for "46494C45" from 20848 I do notice that there is a lot of data there so the backup (& drive) still holds data.

Also, you should check the USB enclosure, it is possible that the "always lit" is the symptom of a problem .

I rebooted the XP and when it came back, the lit hdd light had stopped. After I opened the drive in drdd, the lit light was constant again. I rebooted again, it's fine now.

Also, it may help me if you could gather (from your cousin) as many details on the "story" of this disk as you can get (like which OS was there, how many partitions, if he changed something, etc, etc.)

She cannot recall all that much, and at this point she said, all she cares about is the photos on the drive.

I can tell you the OS was always the Vista that came w/ the laptop. Microsoft Windows Vista Home Premium 64-bit Edition. Very sorry, I didn't think it was 64-bit, I thought it was 32-bit.

She also said that one day it just stopped working probably due to the laptop overheating, she cannot be sure if there was a virus or not, the drive was probably not encrypted unless it was a default setting. It should've been a standard Vista OS as a single partition, unless HP had a hidden recovery partition.

and if you would provide a (synthetic) list of the actions you attempted on the disk (again with as much detail as you can remember) before making the image with datarescuedd, including the actual name of the apps you have used, and anything that you can remember about what they did or how they behaved.

Again, I'm very sorry. I did try a few things w/o success before I posted here.

Tried Bootrec commands from Win7 w/ failing disk as enclosure..

- /fixmbr /fixboot, but this must have been run on the PE partition because I could not access the single partition w/ Vista OS on it.

Next, I tried the Vista PE w/ the failing drive in the laptop

- /fixmbr /fixboot, also on the PE partition because I couldn't access the OS partition.

Next I tried a few apps w/o success like MbrFix, EasyBCD, Stellar Phoenix Windows Data Recovery - Home, EASEUS Data Recovery Wizard Professional 4.0.1, Kernel for Windows Data Recovery.

MbrFix

MbrFix /drive <num> fixmbr /vista

EasyBCD

I tried the BCD Backup/Repair w/o success

I even tried an Ubuntu LiveCD to access and restore the boot record but I couldn't download the MS-SYS program to do anything so I scrapped the idea.

http://www.ehow.com/how_6807559_fix-windows-mbr-ubuntu.html

Please do not be upset, I know I s*ck because I didn't know how to make a backup of the drive before using these tools. This is when I saw your posts on msfn.org and decided to post here. Thank you for all your help w/ this and for not giving up.

The backup is still scanning at 203000

EDIT: found boot sectors?!?


The backup is still scanning at 203000

EDIT: found boot sectors?!?

My bad :blushing: , I was not clear enough.

You are now searching for a "hex string", so you need to DE-select the "Find text" checkbox.

Sorry for the misunderstanding :( , you'll need to redo starting from 20848 .

At first sight the only thing that may have caused a serious data corruption is the Windows 7 bootrec command (I am not familiar with it, but - as a general rule - never use a tool designed to recover a given OS or another OS), but this does not yet explain the kind of issue you are having.

If all the thing that needs to be recovered are the photos, you may (if nothing works) still try Photorec, but from what you posted about the "poor" quality of the recovered files by the other application, I cannot swear that it could be any better for a "file recovery" approach.

HP normally does use a recovery partition, but cannot say right now if this could have influenced anything, I mean that partition, if it was before the "main" one would probably have been bigger than the current stoopid Windows 7 partition, so the $MFT should have been at the most "after" the calculated addresses.

If there was a HP recovery partition and it was before the main partition and it was less than 100 MB, then the addresses calculated would be wrong.

Let's see what happens with the search.....

jaclaz


this looks like a false positive I will keep searching.

she did mention that there could've been XP on it then Vista was loaded on top of that, but she said that it could've been a different laptop she was thinking of so I just dismissed it.


this looks like a false positive I will keep searching.

Yes, that is the problem when searching for "FILE" or "46494C45".

On second thought, you could change the hex string to "46494C4530" (same as "FILE0"), it would avoid false positives.

If you get to the "right" sector, the string "FILE0" will be, see the mentioned thread:

in the top row of the viewed sector.

jaclaz
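The $MFT address arithmetic and the "FILE0" search discussed in the posts above, as an added example that is not part of the original thread: it converts an NTFS cluster number to an absolute sector and scans a disk image for sectors that begin with "FILE0", which removes the mid-sector false positives a plain text search produces. The function names are illustrative, the in-memory image is constructed, and 8 sectors per cluster is the value used in the thread's calculations.

```python
import io

SECTOR = 512
MFT_SIG = b"FILE0"  # hex 46 49 4C 45 30, the string searched for in the thread

def cluster_to_lba(part_start, cluster, sectors_per_cluster=8):
    """Absolute sector = partition start + cluster * sectors per cluster."""
    return part_start + cluster * sectors_per_cluster

def scan_aligned(img, first_lba, last_lba, sig=MFT_SIG, chunk_sectors=2048):
    """Return (hits, errors): LBAs whose sector begins with sig, and the first
    LBA of every chunk that could not be read (skipped, the scan goes on)."""
    hits, errors = [], []
    lba = first_lba
    while lba <= last_lba:
        n = min(chunk_sectors, last_lba - lba + 1)
        try:
            img.seek(lba * SECTOR)
            buf = img.read(n * SECTOR)
        except OSError:
            errors.append(lba)
            lba += n
            continue
        if not buf:  # past the end of the image
            break
        for off in range(0, len(buf), SECTOR):
            if buf.startswith(sig, off):
                hits.append(lba + off // SECTOR)
        lba += n
    return hits, errors

def build_sample_image(sectors=64):
    """Constructed sample: one aligned record signature and two decoys."""
    img = bytearray(sectors * SECTOR)
    img[40 * SECTOR:40 * SECTOR + 5] = MFT_SIG                  # aligned hit
    img[10 * SECTOR + 100:10 * SECTOR + 111] = b"FILE001.bmp"   # name mid-sector
    img[20 * SECTOR:20 * SECTOR + 4] = b"FILE"                  # "FILE", not "FILE0"
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    for start in (206848, 2048):
        print(start, cluster_to_lba(start, 786432), cluster_to_lba(start, 61035263))
    sample = build_sample_image()
    print("plain 'FILE' matches:", sample.getvalue().count(b"FILE"))
    print("aligned 'FILE0' hits:", scan_aligned(sample, 0, 63))
```

To scan a real image, pass a file opened with `open(path, "rb")` in place of the constructed sample.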


would this be it?!

NO. :(

If you get to the "right" sector, the string "FILE0" will be, see the mentioned thread:

in the top row of the viewed sector.

but anyway jot down the number of sectors where you find a hit.

jaclaz
