[d8apzl]

Hi, I'm trying to fix my cousins gf laptop. She needs to get at the data and back it up.
I don't know how it originally occurred, but the laptop can get pretty hot, maybe an abrupt shutdown from overheating caused the original error.

Boots directly to the error:
"A Disk Read Error Occurred Press Ctrl-Alt-Del to Reboot"

I tried the Vista DVD, repair, Bootrec.exe to no avail.
Also numerous partition recovery sw w/o success.
I figured I tried the rest and now I'll try the best, you folks at msfn.

The file system is currently in the RAW state.
As far as I know I did not completely delete or format the partition w/ the Vista OS from using any tools. (diskpart, trial versions of recovery sw, acronis, etc.) The OS should still exist on the drive.
This is what I would like to find out and potentially overwrite/rewrite the MBR (to get Vista to function normally again).

I saw a post w/ jaclaz using tools like TESTDISK to help solve the issue but I do not want to further complicate the matter if I happen to make an unreversible change. Can you help diagnose and recover the Vista OS Boot Record? Please let me know of any information I can provide to help w/ this problem/resolution.

Thank you kindly in advance.

This post has been edited by d8apzl: 17 July 2012 - 11:19 PM

[jaclaz]

d8apzl, on 17 July 2012 - 09:51 PM, said:

I saw a post w/ jaclaz using tools like TESTDISK to help solve the issue but I do not want to further complicate the matter if I happen to make an unreversible change. Can you help diagnose and recover the Vista OS Boot Record? Please let me know of any information I can provide to help w/ this problem/resolution.

Before test disk, it would be interesting to understand what actually is on the disk.
What are you running (I mean which os on which machine) to access that disk?

Best would be a "plainer" OS, like XP, and use Hdhacker:
http://dimio.altervi.../eng/index.html
and use it to save as files:

• First sector of Physicaldrive
  
• First sector of LogicalDrive

You are saying that you see a drive as RAW, this should mean that at least the Magic Bytes in the MBR are there and that *something* is mapped as a partition (otherwise you would have a prompt asking to "initialize the disk" and you would see NO volumes in Explorer).

Once you get the two sectors above, compress them to a .zip file and attach them to your next post.

jaclaz

[d8apzl]

First off, I would just like to say you are THE Man jaclaz and thank you because I saw some other posts in which you helped folks recover their data/drives.
Attached is the zip containing the .dat results from hdhacker.

I used XP 32-bit w/ hdhacker

This post has been edited by d8apzl: 18 July 2012 - 06:21 AM

[d8apzl]

hmm, thought I attached the zip to the previous post.. here it is.

[jaclaz]

d8apzl, on 18 July 2012 - 06:19 AM, said:

Attached is the zip containing the .dat results from hdhacker.

I used XP 32-bit w/ hdhacker

Good.
There are THREE (separate) issues

• the (only one, NTFS ID) partition in the MBR partition table is NOT active <-trivial to solve
  
• the partition has data #0 07 00 0 32 33 1023 254 63 2048 3907024896 (which means that it is an almost 2 Tb partition)
  
• the bootsector (VBR) is strange: the WHOLE BPB has been wiped out with a a B7 02 + a number of 00's (82 of them) <. I wonder what could have caused this, any possibility of a Virus? )

Let's leave #1 alone for the moment (as it is a non-problem).

Important question:
How big is the actual hard disk?

Explanation:
the data in the MBR is seemingly senseless, the data in the VBR is non-existing, if we know what is the total size of the hard disk we should be able to find "quickly" the second (or backup) copy of the VBR.
In this case TESTDISK is of little use as it has only "wrong" or "missing" information to work with, I prefere to chack for that sector manually.

Additionally:
How familiar are you with a hex/disk editor?
Get TinyHexer (and possibly my scripts for it, so that you will be able to "view" the same things I do)
http://reboot.pro/8734/

Can you find another disk bigger than this one so that you can make a DD-like copy of the disk (better be safe than sorry) before starting fiddling with the failed disk?

jaclaz

[d8apzl]

The failing drive is 500GB, there possibly could've been a virus, but I cannot say for sure.

not very familiar with hex but I can hack it.

Luckily I have a 750GB I never opened. It better not be DOA.

What can I use to duplicate the drive?
Technically, I have 908GB free on my XP drive, can I make an image of the 500GB drive using some tool(s)? Ghost?

DL'd:

• tinyhex 1.8.1.6 (installed on the XP)
  
• BSview.zip
  
• MBRview.zip
  
• PTview.zip

This post has been edited by d8apzl: 18 July 2012 - 08:45 AM

[jaclaz]

Sure , as long as the disk is around 500 Gb, a dd-like image will take 500 Gb.
Since I presume that the disk is fully functional, you can do a single image, in any case I recommend using this app:
http://reboot.pro/7783/
so that in case of *need* you can use it to do a set of "separate images", as in here:
http://reboot.pro/15040/#entry133567
Try with imaging the whole disk drive, and if you have issues, you can adopt "plan B" .

Open the files you posted in tinyhexer (after having added to it's installation the structure viewer scripts).
Try looking at the MBR (first sector of Physicaldrive) with both MBRview and PTview.
Try looking at the VBR (first sector of LogicalDrive) with BSview (you will see something a lot like "a suffusion of yellow" ) and with the built-in "NTFS boot structure" (you will see a number of 0 values)

jaclaz

[d8apzl]

Not sure if this information helps but, on the failing disk I have a drive letter that shows up "System Reserved" 70MB free of 99.9MB, it could be windows PE when I tried bootrec before.

Looks like ddrd found errors but it's slowly still in progress and continues to find errors of the same type.

Running this with admin rights. Should I be running this on the XP? I'm using W7.

see attached png.

This post has been edited by d8apzl: 23 July 2012 - 05:58 PM

[jaclaz]

d8apzl, on 18 July 2012 - 09:38 AM, said:

Not sure if this information helps but, on the failing disk I have a drive letter that shows up "System Reserved" 70MB free of 99.9MB, it could be windows PE when I tried bootrec.

NO. (meaning not that it doesn't help, meaning that I do not believe you )
There is no corresponding entry in the partition table of the MBR, so that thingy must be a "leftover" of some kind, or it belongs to ANOTHER disk, that looks a lot like the Windows 7 "default install on new media" partition, nothing to do with the XP you are running and the Vista that should have been on the failed disk.

d8apzl, on 18 July 2012 - 09:38 AM, said:

Looks like ddrd found errors but it's slowly still in progress and continues to find errors of the same type.
see attached png.

Let's see how it evolves

jaclaz

[d8apzl]

I swear, I'm not kidding you.
Please see the pngs.
I will let ddrd continue.

[jaclaz]

d8apzl, on 18 July 2012 - 09:49 AM, said:

I swear, I'm not kidding you.
Please see the pngs.

Yep , but that is diskpart on disk 4.
You are seemingly using ddrescue on disk 5
The difference between 4 and 5 is ALMOST as important as the one between 5 and 6

Spoiler

unless diskpart and ddrescue use a different numbering scheme which - from memory - I doubt, but in any case you should always test two different items with the SAME tool, to see differences, or the SAME item with two different tools, as is, it seems to me like you are comparing diferent items with different tools....

EDIT:
Are you positive that the MBR you posted was from the actual disk in question?
and is it disk 4 or disk 5 (or what)?

jaclaz

This post has been edited by jaclaz: 18 July 2012 - 10:12 AM

[d8apzl]

jaclaz, on 18 July 2012 - 09:49 AM, said:

unless diskpart and ddrescue use a different numbering scheme which - from memory - I doubt, but in any case you should always test two different items with the SAME tool, to see differences, or the SAME item with two different tools, as is, it seems to me like you are comparing diferent items with different tools....

It must be a different schema because I only have one 500GB drive connected. Maybe diskpart starts from disk 0

ddrd was still reading errors and stopped erroring about 10 minutes ago, but the 750GB has more than 17GB written so far.

This post has been edited by d8apzl: 18 July 2012 - 10:17 AM

[d8apzl]

jaclaz, on 18 July 2012 - 10:06 AM, said:

EDIT:
Are you positive that the MBR you posted was from the actual disk in question?
and is it disk 4 or disk 5 (or what)?

Yes, the MBR was posted from the disk in question. 500GB using hdhacker on WinXP.
I started the ddrd w/ the 500GB & 750GB on a W7 system because I thought it would be faster using USB 3.0
It looks like ddrd picked it up as Drive 5, but diskpart picked it up as Disk 4.



p.s. nice spoiler

This post has been edited by d8apzl: 18 July 2012 - 11:11 AM

[jaclaz]

d8apzl, on 18 July 2012 - 10:28 AM, said:

It looks like ddrd picked it up as Drive 5, but diskpart picked it up as Disk 4.

Again, NO.
The MBR you posted DOES NOT contain info about two partitions, one around 100 Mb and one around 465 Mb, the one you posted, that I have NO WAY to verify it belongs to the "problematic" disk, has a SINGLE partition, evidently with a wrong size (around 2 Tb) OR it is the MBR of ANOTHER DISK!

I cannot say if the disk that ddrescue is imaging is the SAME disk that you accessed first with diskpart and then with disk management, what I can tell you is that these latter tools BOTH show a VALID partition table WHILST the MBR you posted did not.

You have right now:

• too many OS's (XP and 7)
  
• too many disks (seemingly 8 of them)
  
• and you are using too many different tools (possibly under the two different OS's)

this is likely to create confusion .

Let's do it like this :

• STOP whatever you are doing. (of course let datarescuedd finish the image)
  
• use ONLY the XP (and NOT the Windows 7)
  
• run again Hdhacker to save the MBR (first sector of PhysicalDrive) of the disk that you think is the failed one, save it like MBR_disk_n.hdh
  
• run ddrescue on the disk that you think is the failed one, saving only 1 sector (lower fields Start=0, Size=1, End=1) to file image[0-512].dd
  
• run tiny hexer, use the file->disk->open drive to open the disk that you think is the failed one (it will auto-set to load one sector at the time and will open on the first sector) choose File-> Save as and save it like MBR_disk_n.thx
  
• compress the three resulting files into a zip and post it as attachment. (if the three files are not IDENTICAL there is an issue of some kind)

jaclaz

This post has been edited by jaclaz: 18 July 2012 - 11:20 AM

[d8apzl]

jaclaz, on 18 July 2012 - 11:19 AM, said:

The MBR you posted DOES NOT contain info about two partitions, one around 100 Mb and one around 465 Mb, the one you posted, that I have NO WAY to verify it belongs to the "problematic" disk, has a SINGLE partition, evidently with a wrong size (around 2 Tb) OR it is the MBR of ANOTHER DISK!

Ok, you are right on this. I do have a 2TB on the XP. hdhacker may have saved the results from the 2TB not the failing 500GB. I was sure I selected the 500GB but I may have made a mistake.

jaclaz, on 18 July 2012 - 11:19 AM, said:

Let's do it like this :

• STOP whatever you are doing. (of course let datarescuedd finish the image)
  
• use ONLY the XP (and NOT the Windows 7)
  
• run again Hdhacker to save the MBR (first sector of PhysicalDrive) of the disk that you think is the failed one, save it like MBR_disk_n.hdh
  
• run ddrescue on the disk that you think is the failed one, saving only 1 sector (lower fields Start=0, Size=1, End=1) to file image[0-512].dd
  
• run tiny hexer, use the file->disk->open drive to open the disk that you think is the failed one (it will auto-set to load one sector at the time and will open on the first sector) choose File-> Save as and save it like MBR_disk_n.thx
  
• compress the three resulting files into a zip and post it as attachment. (if the three files are not IDENTICAL there is an issue of some kind)

Again you're right and sorry for the confusion. Thank you for being patient, as soon as the drdd finishes I will follow the steps you outlined and post back.

[jaclaz]

d8apzl, on 18 July 2012 - 11:32 AM, said:

Ok, you are right on this. I do have a 2TB on the XP. hdhacker may have saved the results from the 2TB not the failing 500GB. I was sure I selected the 500GB but I may have made a mistake.

These could actually be "good" news, in the sense that if the MBR (as seen in diskpart and in disk management) contains "valid" data, it should be easier to find the backup bootsector...
BUT, there are some strings attached
IF (as it seems now) the disk has two valid partition entries, the "single" VBR you posted is only one half (which one? ) of the story:
1 disk drive=1 MBR
2 partitions/volumes/drives on it = 2 VBR's

d8apzl, on 18 July 2012 - 11:32 AM, said:

Again you're right and sorry for the confusion. Thank you for being patient, as soon as the drdd finishes I will follow the steps you outlined and post back.

Actually I was wrong (but not on the main issue ) I checked and while:

• Hdhacker
  
• Tiny Hexer
  
• Diskpart
  
• Disk Management

number disks starting from 0
Datarescue does number them starting from 1
so the 4 that becomes 5 is OK .

STILL, one MUST be careful with the math :

Spoiler

jaclaz

This post has been edited by jaclaz: 18 July 2012 - 12:19 PM

[d8apzl]

jaclaz, on 18 July 2012 - 11:19 AM, said:

Let's do it like this :

• STOP whatever you are doing. (of course let datarescuedd finish the image)
  
• use ONLY the XP (and NOT the Windows 7)
  
• run again Hdhacker to save the MBR (first sector of PhysicalDrive) of the disk that you think is the failed one, save it like MBR_disk_n.hdh
  
• run ddrescue on the disk that you think is the failed one, saving only 1 sector (lower fields Start=0, Size=1, End=1) to file image[0-512].dd
  
• run tiny hexer, use the file->disk->open drive to open the disk that you think is the failed one (it will auto-set to load one sector at the time and will open on the first sector) choose File-> Save as and save it like MBR_disk_n.thx
  
• compress the three resulting files into a zip and post it as attachment. (if the three files are not IDENTICAL there is an issue of some kind)

I followed the steps, here are the results:

[jaclaz]

The good news are that now that it s the "right" MBR, we have some data to check

#0 07 00 0 32 33 12 223 19   2048 204800
#1 07 80 12 223 20 1023 254 63   206848 976564224 

The bad news are that you are not (yet) doing EXACTLY what you are told to .
What I said:

Quote

4. run ddrescue on the disk that you think is the failed one, saving only 1 sector (lower fields Start=0, Size=1, End=1) to file image[0-512].dd

what you did:

Quote

4. run ddrescue on the disk that you think is the failed one, saving only 1 sector Mb (lower upper fields Start=0, Size=1, End=1) to file image[0-512].dd

Of course there is no consequence in this instance, you just got more data than what were needed , but when you will get to direct disk access through Tiny Hexer or Testdisk, doing thing EXACTly or "almost exactly" may make a difference .

Now you need to access the disk with Tiny Hexer.
File ->Disk->Open drive -> (select the RIGHT PhysicalDrive) -> OK
File ->Disk-> Goto sector/position-> (enter 206848) ->OK
File ->Save as->Sector206848.bin
File ->Disk-> Goto sector/position-> (enter 976771071) ->OK
File ->Save as->Sector976771071.bin
Tools->Compare->Compare (You should find a number of bytes highlighted as different at the beginning of the sector)

In case you are wondering, 976771071 comes from 976564224+206848-1=976771071
the NTFS filesystem stores normally a backup of the first sector as last sector of the Partition/Volume allocated space or - if you prefer - as first sector after the end of the filesystem, which is always one sector less than the Partition/Volume allocated space.

Compress Sector206848.bin and Sector976771071.bin and post the .zip

jaclaz

[d8apzl]

Quote

The bad news are that you are not (yet) doing EXACTLY what you are told to .
What I said:
4. run ddrescue on the disk that you think is the failed one, saving only 1 sector (lower fields Start=0, Size=1, End=1) to file image[0-512].dd
what you did:
]4. run ddrescue on the disk that you think is the failed one, saving only 1 sector Mb (lower upper fields Start=0, Size=1, End=1) to file image[0-512].dd

sorry about that, I was wondering why the filename was different from what you said it would be. I don't know why I thought the Sectors fields were above the MBs fields.

Ok

I saved the sectors, here they are below. it doesn't look good.
It looks like the backup sectors are gone??

[jaclaz]

d8apzl, on 19 July 2012 - 05:13 PM, said:

I saved the sectors, here they are below. it doesn't look good.
It looks like the backup sectors are gone??

Yep .
The backup sector is completely wiped and a "queer" B702 is written to it at the beginning.
Also the "main" bootsector has this strange B702 "incipit".
I wonder what the heck may have caused it.

DId the image complete successfully?
This is "vital" since we will start actually writing to the disk, and if the image is not good we will have "no way back" .

At this point easier would be to try writing a BPB, but before it I would try two things:

• check if the $MFT main record is "where it should be"
  
• check if it is valid (or if it has been overwritten)

The main $MFT should start at:
206848+786432*8=6498304
And it's Mirror at:
206848+61035263*8=488488952


So, open the disk in Tiny Hexer, open the Physicaldrive, goto sector 6498304, it should begin with "FILE0".
Goto sector 488488952, it should also begin with "FILE0".

IF (and ONLY if)the above is correct, then goto sector 206848 and overwrite it with the sector in the attachment (with the physical drive open, goto sector 20848, open file 206848mod.bin, "select all", copy, select the physicaldrive sector, select all, paste, then close the physical drive, and say yes to the prompt to save the change).

Now if you try opening the drive in Explorer, you should be able to browse it's contents (if there are not any further damages).

Report.

If you have ANY doubt, ask for clarifications BEFORE doing anything!

jaclaz

Attached File(s)

•  206848mod.zip (623bytes)
  Number of downloads: 3