mattiasnyc

Need help with data recovery on HDD

52 posts in this topic

> For the record, I'm not sure I fully comprehend the procedure in getting the PBR (unless it stands for Pabst Blue Ribbon, in which case I know how to but just don't want to).
>
> Would it be unwise to move along to the next step with only a copy of the MBR and NOT the PBR?

Well, in your particular case you simply "cannot" (in the sense of "easily") get the PBR.

The MBR you just posted is partially corrupted, hence the disk manager cannot find any LogicalDrive (the PBR is the first sector of the LogicalDrive) on the disk/image and HDhacker simply doesn't know which sector to get.

For whatever reasons, the Partition Tables in the MBR you posted are completely 00ed out.

At first sight the MBR CODE is seemingly that of 2K/XP.

You can try running Testdisk (remember to use the /log) since the original disk seems to have been partitioned under XP, reply N (No) to the question if the disk was partitioned under Vista.

Report BEFORE telling Testdisk to write anything.

jaclaz

0


Thanks jaclaz,

I will try Testdisk today. Does it take hours to do its thing or is it a matter of minutes? (I have to work from home today because of the hurricane)

0


> Thanks jaclaz,
>
> I will try Testdisk today. Does it take hours to do its thing or is it a matter of minutes? (I have to work from home today because of the hurricane)

The initial detection (if any is found :ph34r:) of the PBR/bootsector should take a few seconds.

If no bootsector is found where it normally is (sector 63 on XP - if I recall correctly it was just a single "huge" partition) it may take much longer as it will have to scan the whole disk, on a perfectly functional SATA II 500 Gb disk I would say less than one hour, though, for the whole scan.

jaclaz

0

> The initial detection (if any is found :ph34r:) of the PBR/bootsector should take a few seconds.
>
> If no bootsector is found where it normally is (sector 63 on XP - if I recall correctly it was just a single "huge" partition) it may take much longer as it will have to scan the whole disk, on a perfectly functional SATA II 500 Gb disk I would say less than one hour, though, for the whole scan.
>
> jaclaz

I will try this and NOT write anything until I've posted results here. One more thing:

> You can try running Testdisk (remember to use the /log) since the original disk seems to have been partitioned under XP,

What do you refer to when you say "use the /log"? That particular sign/word ("/log") doesn't appear on the "testdisk step by step" guide page.

0


> What do you refer to when you say "use the /log"? That particular sign/word ("/log") doesn't appear on the "testdisk step by step" guide page.

I am more used to working on the command line, it is simply faster: open a command prompt, navigate to the directory where TESTDISK is, and type on the command line

testdisk_win.exe /log

press [ENTER]

If you double click on testdisk_win.exe you will anyway be prompted to do that:

http://www.cgsecurity.org/wiki/TestDisk_Step_By_Step#Log_creation

you want to Create a log.

jaclaz

0


I've now run test disk through the "Quick Search" function and it has found no partitions at all. My options at the bottom of the screen are:

"Keys A: add partition, L: load backup, Enter: to continue"

please advise, and thanks for all your time and help!

0


> I've now run test disk through the "Quick Search" function and it has found no partitions at all. My options at the bottom of the screen are:
>
> "Keys A: add partition, L: load backup, Enter: to continue"
>
> please advise, and thanks for all your time and help!

"Keys A: add partition, L: load backup, Enter: to continue"

You are between:

http://www.cgsecurity.org/wiki/TestDisk_Step_By_Step#Quick_Search_for_partitions

and:

http://www.cgsecurity.org/wiki/TestDisk_Step_By_Step#Save_the_partition_table_or_search_for_more_partitions.3F

i.e. since "Quick Search" failed, you want to do a "Deep Search".

jaclaz

0


Thanks. Can you tell I'm a noob at this?

It's at 12%. I will report back.

0


Done. Still nothing. Same options; add partition, load backup or enter to continue...

0


> Done. Still nothing. Same options; add partition, load backup or enter to continue...

Hmmm.

It sounds like there are no traces that TESTDISK can find, which is unusual.

Get DMDE:

http://softdm.com/

And try opening the disk with it (Drive->Select Drive->choose the PhysicalDrive->NTFS search).

And report (post a screenshot)

If one (or more) NTFS volume(s) are found, you can access them by selecting and "Open Volume".

Another thing, you should try to get (and post in an archive) the first 100 sectors as detailed in

so that I can have a look at them.

jaclaz

0


Thanks. I've attached HDhacker again, sectors 1 through 16 as that's all it took in one go.

The DMDE result is pretty much zeroes in general and an NTFS search of the first 5GB shows nothing. I didn't really have time for anything else right now, but I'll try to do more by this evening.

Sector_1through16.7z

0


Yes, hdhacker gets at the most 16 sectors, you need to use dsfo or a dd of some kind to get the 100 sectors.

A "normal" NTFS volume has its $MFT starting at cluster 786432, i.e. at 786432*4096=3,221,225,472 or around 3 Gb give or take a few sectors (sectors before) on the first partition.

Of the sectors you posted, only the first is non-zero (this is normal) and it does contain a MBR code but NO MBR data (all 4 partition entries are 00's or "wiped"), it is identical (obviously) to the one you already posted.

This is most uncommon :w00t: , as it seems like NOT the result of a "random" corruption, but rather of an "intentional" wiping of just the partition table :ph34r: .

Additionally you have two bytes at 0X1BC that are normally 0000 (unused) set instead to A025, but this could be *something* related to XP64 or a "flag" placed there for *any* reason by almost *anything*.

Were you - by any chance and at *any* step - prompted to "initialize" the disk (in disk management or explorer)? :unsure:

(a just "initialized" disk does have the "right" MBR code but NO MBR partition data)

jaclaz

0


> Yes, hdhacker gets at the most 16 sectors, you need to use dsfo or a dd of some kind to get the 100 sectors.
>
> A "normal" NTFS volume has its $MFT starting at cluster 786432, i.e. at 786432*4096=3,221,225,472 or around 3 Gb give or take a few sectors (sectors before) on the first partition.

The above are two different things, right? The first addressing the first 16 sectors and the second talking about where the NTFS "lives", right? So I'm looking at re-running one of the tests over the whole drive to cover where NTFS "lives", and re-running the other test with dsfo or dd. Right?

> Were you - by any chance and at *any* step - prompted to "initialize" the disk (in disk management or explorer)? :unsure:
>
> (a just "initialized" disk does have the "right" MBR code but NO MBR partition data)
>
> jaclaz

I'll have to get back to this later this evening, but "no", I was not prompted to "initialize" and I do not recall having changed the source or clone drives in any way (meaning their partitions). One day the darn thing wouldn't spin, that's all. The only thing I can think of is if I somehow screwed up the de-bricking of the source (as far as me being the culprit is concerned).

I'll come back later with more info.

0


> The above are two different things, right? The first addressing the first 16 sectors and the second talking about where the NTFS "lives", right?

Yes. :)

I do not want 16 sectors (because I already know how in the best cases there is only one meaningful sector in the first 16 sectors - the MBR - which I already have), I want to have a look at the first 100 sectors because they will contain sector 63 and the following 16 sectors (up to 95) that may be non-zero.

If when the disk was originally partitioned the new Vista :ph34r: and later "partitioning paradigm" has taken place, I will need instead first 2100 sectors.

If you prefer by providing 16 sectors instead of the asked for 100 you didn't fulfill my request at a 16% rate, but rather at a 0% rate (or at the most at a 1% one) and I need it anyway fulfilled at 100% (or possibly even at 2100% :w00t:)

The reference to the normal location of the $MFT was because you talked of having scanned the first 5 Gb; the (bad :() news was that normally the $MFT is at around 3 Gb, so it should have been found (if it is still there).

jaclaz

Edited by jaclaz
0


Yeah, I know, LoL, still with this issue right?

So, here's the deal: I've been busy with a bunch of stuff and was about to give up on this when I remembered files that I now need so I figured I'd give it a shot and got into my head to plug in the original un-bricked drive just to see if testdisk would find anything on it, as opposed to the clone.

In testdisk after the initial search I now found the following:

>L, FAT16, LBA, 22947, 1 , 1 , 60799 , 254 63 , 600108382

Basically I'm now jumping back in the thread in response to your post #26, reporting back before I do anything else...

...standing by...

PS. The commas in the string above are only there to give distance between numbers, they obviously don't appear in test disk.

Edited by mattiasnyc
0


Well, what testdisk may have found is a partition image formatted as FAT; the disk should have been partitioned (how? most probably in one big partition :unsure:) and that partition formatted as NTFS.

It is like the FOURTH time that I am asking you to copy first 100 sectors and post them :realmad: , I won't ask for them a fifth one :no: .

For the record, I asked for them:

  1. in post #21 on 22 August 2012
  2. in post #35 on 02 November 2012
  3. in post #39 on 05 November 2012

Maybe it's time you just do it. :whistle:

jaclaz

0


I believe what is attached is what you're looking for... Or hope rather...

Pulled a 17-hour overnight work session so my brain has been pure garbage for the past couple of days. The joy of working in television. Anyway, let me know if the file is what you were looking for. I had a hard time finding out how to operate the **** program. I love command prompts as long as I know what the hell I'm doing which is not the case here. So just so you know what I did...:

1. Searched for "dsfo", found and downloaded, put .exe file in new folder called "apps" on C

2. Went to command prompts and typed in:

C:\apps\dsfo \\.\PhysicalDrive6 0 51200 F:\drive6

where "PhysicalDrive6" was the damaged drive ID and "F" is a USB flash drive. I based the syntax off of what you wrote in a different thread, so I'm hoping it's accurate. I couldn't get rawcopy to work at first, probably because I screwed up the syntax.

drive6.7z

0


Yep :), the command is correct, but the result is far from "good".

The first sector is the MBR (which you already have posted) with all its code but with no DATA in the partition table.

All the rest are 00's sectors :(.

Here the A025 I mentioned has disappeared :w00t:

Questions:

  1. Is there any chance that that disk was originally partitioned under Vista :ph34r: or 7?
  2. Do you remember how it was partitioned originally? (Like a single NTFS volume, several volumes, which filesystems, etc.?)

jaclaz

0
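Added example (not part of the thread and not code from any tool named in it): the checks jaclaz describes doing by eye on the posted MBR and on the 100-sector dump, written as a Python function. The sample dump is constructed to mimic the reported state; the 55AA boot signature, the 440-byte code area and the "NTFS    " OEM ID at offset 3 of a boot sector are standard layout facts assumed here, not values taken from the attachments.

```python
import struct

SECTOR = 512

def triage_first_sectors(dump: bytes) -> dict:
    """Summarise a raw dump of the first sectors of a disk (e.g. the first 100)."""
    if len(dump) < SECTOR:
        raise ValueError("dump is shorter than one sector")
    mbr = dump[:SECTOR]
    partitions = []
    for slot in range(4):                      # four 16-byte entries from offset 0x1BE
        raw = mbr[0x1BE + 16 * slot: 0x1BE + 16 * (slot + 1)]
        if raw == bytes(16):
            continue                           # empty ("00ed out") entry
        lba, sectors = struct.unpack_from("<II", raw, 8)
        partitions.append({"slot": slot, "type": raw[4], "lba": lba, "sectors": sectors})
    nonzero = [n for n in range(len(dump) // SECTOR)
               if any(dump[n * SECTOR:(n + 1) * SECTOR])]
    pbr = dump[63 * SECTOR:64 * SECTOR]        # where an XP-era first partition starts
    return {
        "boot_signature_ok": mbr[510:512] == b"\x55\xaa",
        "has_boot_code": any(mbr[:440]),
        "bytes_at_0x1BC": mbr[0x1BC:0x1BE].hex().upper(),
        "partitions": partitions,
        "nonzero_sectors": nonzero,
        "ntfs_pbr_at_63": pbr[3:11] == b"NTFS    ",
    }

def constructed_dump() -> bytes:
    """Constructed sample: boot code present, table wiped, 99 zeroed sectors."""
    mbr = bytearray(SECTOR)
    mbr[0:3] = b"\x33\xc0\x8e"                 # stand-in bytes, not real XP boot code
    mbr[0x1BC:0x1BE] = bytes.fromhex("A025")   # the two odd bytes seen in the thread
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr) + bytes(99 * SECTOR)

if __name__ == "__main__":
    for key, value in triage_first_sectors(constructed_dump()).items():
        print(f"{key}: {value}")
```

An empty `partitions` list together with `nonzero_sectors == [0]` is the "MBR code but no MBR data" state discussed above; a healthy XP-era disk would list an entry starting at LBA 63 and report an NTFS boot sector there.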


Q1: Not really. I've never touched Vista in my life, and 7 was just an OS I messed sound with on the drive I have up and running now. It would be epic if it wasn't XP.

Q2: I only recall having worked with one partition. I have a system with at least 4 drives normally so my usage is pretty compartmentalized. So I think it was one partition only.

On it was XP x64, and it was FAT or NTFS I suppose, but can unfortunately not recall which one.

0


> Q1: Not really. I've never touched Vista in my life, and 7 was just an OS I messed sound with on the drive I have up and running now. It would be epic if it wasn't XP.
>
> Q2: I only recall having worked with one partition. I have a system with at least 4 drives normally so my usage is pretty compartmentalized. So I think it was one partition only.
>
> On it was XP x64, and it was FAT or NTFS I suppose, but can unfortunately not recall which one.

Well, it cannot mathematically be FAT12 or 16 and logically it cannot be FAT32 either, since XP has dumbed it down to 32 Gb max size.

Which leaves us with NTFS.

So, if there was a single NTFS partition (or at least the first partition was NTFS and not very, very small) the $MFT must exist (and exist at a specific address).

This address is in these cases:

786432*8+63=6291456+63=6291519

Try getting Tiny Hexer and open the disk, then go to absolute sector 6291519 (and check a few sectors after it), but if DMDE didn't find anything it is really improbable that *something* exists.

http://www.softpedia.com/get/Others/Miscellaneous/tiny-hexer.shtml

I am starting to think that *somehow* the original disk has issues that were not solved by the "unbricking".

jaclaz

0


Hi, downloaded and installed "tiny hexer". Again, this is an application that is way beyond intuitive for a non-programmer/hacker/whatever.

Could you tell me what to type and where in steps? I don't even know where to start. (or alternatively let me know if there's a quick guide and what its name would be so I could learn the stuff).

0


Tiny hexer is GUI, not command line.

It works more or less like *any* editor, the main difference is that when you operate on a disk or on disk image to avoid using too much memory it loads by default a sector at a time.

  1. File->Disk->Open Drive
  2. Choose "right" \\.\PhysicalDriven
  3. Press OK
  4. File->Disk->Goto Sector
  5. Replace by typing or pasting the highlighted text "+0x100" with "6291519" (without quotes)
  6. Press OK
  7. Use Shift+F8 to go forward and Shift+F7 to go back (one sector at a time)

What do you see?

All 00's and "dots" or you can read at very beginning of sectors "FILE0" and some text here and there? (like "$.M.F.T.", "$.M.F.T.m.i.r.r.o.r.", etc.)?

Post a screenshot (if it is not all 00's) of sector 6291519; the window should have a title like >\\.\PhysicalDriven , sector 6291519/xxxxxxxxxxx

Once you are there:

  1. Edit-> Find/Replace
  2. write (or copy from here) in the "Enter text or hex data to search for" box this: "46494C4530" (without quotes) that is the hex of FILE0, and every two sectors in the $MFT there is an occurrence of "FILE0"
  3. Click on Find button
  4. A new popup will appear asking you to "Search following sector(s)", click on Yes (a few times, for the first few sectors), then press "yes to all", if no hit is found within a few minutes, click on "Cancel"

jaclaz

0
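Added example (not part of the thread and not code from Tiny Hexer or DMDE): the sector arithmetic and the FILE0 search from the steps above, scripted against a disk image opened in binary mode. The in-memory image is constructed and scaled down (a hypothetical $MFT at cluster 4) so it runs anywhere; the defaults are the thread's values.

```python
import io

SECTOR = 512
FILE0 = bytes.fromhex("46494C4530")   # "FILE0", the search pattern given in the thread

def expected_mft_sector(mft_cluster=786432, sectors_per_cluster=8, partition_start=63):
    """Absolute sector of the $MFT: 786432*8+63 = 6291519 with the thread's values."""
    return mft_cluster * sectors_per_cluster + partition_start

def scan_for_file_records(image, start_sector, count):
    """Return the absolute sectors in [start, start+count) that begin with FILE0."""
    hits = []
    image.seek(start_sector * SECTOR)
    for n in range(count):
        sector = image.read(SECTOR)
        if len(sector) < SECTOR:               # ran off the end of the image
            break
        if sector.startswith(FILE0):
            hits.append(start_sector + n)
    return hits

def region_is_zeroed(image, start_sector, count):
    """True when every byte of the region is 00."""
    image.seek(start_sector * SECTOR)
    return not any(image.read(count * SECTOR))

def constructed_image(record_sectors=(), total_sectors=128):
    """Constructed in-memory image with a FILE0 marker at each listed sector."""
    data = bytearray(total_sectors * SECTOR)
    for s in record_sectors:
        data[s * SECTOR:s * SECTOR + len(FILE0)] = FILE0
    return io.BytesIO(bytes(data))

if __name__ == "__main__":
    print("full-size disk: look at sector", expected_mft_sector())
    # Scaled-down layout so the sample fits in memory: $MFT at cluster 4 -> sector 95.
    start = expected_mft_sector(mft_cluster=4)
    healthy = constructed_image(record_sectors=(95, 97, 99))
    print("healthy:", scan_for_file_records(healthy, start, 16))
    wiped = constructed_image()
    print("wiped:", scan_for_file_records(wiped, start, 16), region_is_zeroed(wiped, start, 16))
```

Hits spaced two sectors apart match the "every two sectors" pattern described for the $MFT; an empty hit list over a fully zeroed region is the outcome that points away from simple partition-table damage.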


> All zeroes..... :}

Hmmm.

I guess you are stuck, then :(

Without partition data, nor bootsector data, nor $MFT the only thing that may work is file-based recovery, but as said I start to suspect that your drive is either "really" all 00's or *somehow* it went in some kind of "failure" mode and simply outputs 00ed sectors.

Try again from the start, describe what happened BEFORE you posted here:

> Found this place, went through steps to get it back.

What symptoms did the drive have, which exact steps you performed, etc., etc.

jaclaz

0
