mattiasnyc

Need help with data recovery on HDD

52 posts in this topic

I've now run test disk through the "Quick Search" function and it has found no partitions at all. My options at the bottom of the screen are:

"Keys A: add partition, L: load backup, Enter: to continue"

please advise, and thanks for all your time and help!

0

Share this post


Link to post
Share on other sites

I've now run test disk through the "Quick Search" function and it has found no partitions at all. My options at the bottom of the screen are:

"Keys A: add partition, L: load backup, Enter: to continue"

please advise, and thanks for all your time and help!

"Keys A: add partition, L: load backup, Enter: to continue"

You are between:

http://www.cgsecurity.org/wiki/TestDisk_Step_By_Step#Quick_Search_for_partitions

and:

http://www.cgsecurity.org/wiki/TestDisk_Step_By_Step#Save_the_partition_table_or_search_for_more_partitions.3F

i.e. since "Quick Search" failed, you want to do a "Deep Search".

jaclaz

0

Share this post


Link to post
Share on other sites

Thanks. Can you tell I'm a noob at this?

It's at 12%. I will report back.

0

Share this post


Link to post
Share on other sites

Done. Still nothing. Same options; add partition, load backup or enter to continue...

0

Share this post


Link to post
Share on other sites

Done. Still nothing. Same options; add partition, load backup or enter to continue...

Hmmm.

It sounds like there are no traces that TESTDISK can find, which is unusual.

Get DMDE:

http://softdm.com/

And try opening the disk with it (Drive->Select Drive->choose the PhysicalDrive->NTFS search).

And report (post a screenshot)

If one (or more) NTFS volume(s) are found, you can access them by selecting and "Open Volume".

Another thing, you should try to get (and post in an archive) the first 100 sectors as detailed in

so that I can have a look at them.

jaclaz

0

Share this post


Link to post
Share on other sites

Thanks. I've attached HDhacker again, sectors 1 through 16 as that's all it took in one go.

The DMDE result is pretty much zeroes in general and an NTFS search of the first 5GB shows nothing. I didn't really have time for anything else right now, but I'll try to do more in a by this evening.

Sector_1through16.7z

0

Share this post


Link to post
Share on other sites

Yes, hdhacker gets at the most 16 sectors, you need to use dsfo or a dd of some kind to get the 100 sectors.

A "normal" NTFS volume has it's $MFT starting at cluster 786432, i.e. at 786432*4096=3,221,225,472 or around 3 Gb give or take a few sectors (sectors before) on the first partition.

Of the sectors you posted, only the first is non-zero (this is normal) and it does contain a MBR code but NO MBR data (all 4 partition entries are 00's or wiped"), it is identical (obviously) to the one you already posted.

This is most uncommon :w00t: , as it seems like NOT the result of a "random" corruption, but rather of an "intentional" wiping of just the partition table :ph34r: .

Additionally you have two bytes at 0X1BC that are normally 0000 (unused) set instead to A025, but this could be *something* related to XP64 or a "flag" placed there for *any* reason by almost *anything*.

Were you - by any chance and at *any* step - prompted to "initialize" the disk (in disk management or explorer)? :unsure:

(a just "initialized" disk does have the "right" MBR code but NO MBR partition data)

jaclaz

0

Share this post


Link to post
Share on other sites

Yes, hdhacker gets at the most 16 sectors, you need to use dsfo or a dd of some kind to get the 100 sectors.

A "normal" NTFS volume has it's $MFT starting at cluster 786432, i.e. at 786432*4096=3,221,225,472 or around 3 Gb give or take a few sectors (sectors before) on the first partition.

The above are two different things, right? The first addressing the first 16 sectors and the second talking about where the NTFS "lives", right? So I'm looking at re-running one of the tests over the whole drive to cover where NTFS "lives", and re-running the other test with dsfo or dd. Right?

Were you - by any chance and at *any* step - prompted to "initialize" the disk (in disk management or explorer)? :unsure:

(a just "initialized" disk does have the "right" MBR code but NO MBR partition data)

jaclaz

I'll have to get back to this later this evening, but "no", I was not prompted to "initialize" and I do not recall having changed the source or clone drives in any way (meaning their partitions). One day the darn thing wouldn't spin, that's all. The only thing I can think of is if I some how screwed up the de-bricking of the source (as far as me being the culprit is concerned).

I'll come back later with more info.

0

Share this post


Link to post
Share on other sites

The above are two different things, right? The first addressing the first 16 sectors and the second talking about where the NTFS "lives", right?

Yes. :)

I do not want 16 sectors (because I already know how in the best cases there is only one meaningful sector in the first 16 sectors - the MBR - which I already have), I want to have a look at the first 100 sectors because they will contain sector 63 and the following 16 sectors (up to 95) that may be non-zero.

If when the disk was originally partitioned the new Vista :ph34r: and later "partitioning paradigm" has taken place, I will need instead first 2100 sectors.

If you prefer by providing 16 sectors instead of the asked for 100 you didn't fulfill my request at a 16% rate, but rather at a 0% rate (or at the most at a 1% one) and I need it anyway fulfilled at 100% (or possibly even at 2100% :w00t:)

The reference to the normal location of the $MFT it was because you talked of having scanned first 5 Gb, the (bad :() news were that normally the $MFT is at around 3 Gb, so it should have been found (if it is still there).

jaclaz

Edited by jaclaz
0

Share this post


Link to post
Share on other sites

Yeah, I know, LoL, still with this issue right?

So, here's the deal: I've been busy with a bunch of stuff and was about to give up on this when I remembered files that I now need so I figured I'd give it a shot and got into my head to plug in the original un-bricked drive just to see if testdisk would find anything on it, as opposed to the clone.

In testdisk after the initial search I now found the following:

>L, FAT16, LBA, 22947, 1 , 1 , 60799 , 254 63 , 600108382

Basically I'm now jumping back in the thread in response to your post #26, reporting back before I do anything else...

...standing by...

PS. The commas in the string above are only there to give distance between numbers, they obviously don't appear in test disk.

Edited by mattiasnyc
0

Share this post


Link to post
Share on other sites

Well, what testdisk may have found is a partition image formatted as FAT, the disk, should have been partitioned (how?, most probably in one big partition :unsure:) and that partition formatted as NTFS.

It is like the FOURTH time that I am asking you to copy first 100 sectors and post them :realmad: , I won't ask for them a fifth one :no: .

For the record, I asked for them:

  1. in post #21 on 22 August 2012
  2. in post #35 on 02 November 2012
  3. in post #39 on 05 November 2012

Maybe it's time you just do it. :whistle:

jaclaz

0

Share this post


Link to post
Share on other sites

I believe what is attached is what you're looking for... Or hope rather...

Pulled a 17-hour overnight work session so my brain has been pure garbage for the past couple of days. The joy of working in television. Anyway, let me know if the file is what you were looking for. I had a hard time finding out how to operate the **** program. I love command prompts as long as I know what the hell I'm doing which is not the case here. So just so you know what I did...:

1. Searched for "dsfo", found and downloaded, put .exe file in new folder called "apps" on C

2. Went to command prompts and typed in:

C:\apps\dsfo \\.\PhysicalDrive6 0 51200 F:\drive6

where "PhysicalDrive6" was the damaged drive ID and "F" is a USB flash drive. I based the syntax off of what you wrote in a different thread, so I'm hoping it's accurate. I couldn't get rawcopy to work at first, probably because I screwed up the syntax.

drive6.7z

0

Share this post


Link to post
Share on other sites

Yep :), the command is correct, but the result is far from "good".

The first sector is the MBR (which you already have posted) with all it's code but with no DATA in the partition table.

All the rest are 00's sectors :(.

Here the A025 I mentioned has disappeared :w00t:

Questions:

  1. Is there any chance that that disk was originally partitioned under Vista :ph34r: or 7?
  2. Do you remember how it was partitioned originally? (Like a single NTFS volume, several volumes, which filesystems, etc.?)

jaclaz

0

Share this post


Link to post
Share on other sites

Q1: not really. I've never touched vista in my life, and 7 was just an os i messed sound with on the drive i have up and running now. It would be epic if it wasnt xp.

Q2: i only recall having worked with one partition. I have a system with at least 4 drives normally so my usage is pretty compartmentalized. So i think it was one partition only.

On it was xp x64, and it was fat or ntfs i suppose, but can unfortunately not recall which one.

0

Share this post


Link to post
Share on other sites

Q1: not really. I've never touched vista in my life, and 7 was just an os i messed sound with on the drive i have up and running now. It would be epic if it wasnt xp.

Q2: i only recall having worked with one partition. I have a system with at least 4 drives normally so my usage is pretty compartmentalized. So i think it was one partition only.

On it was xp x64, and it was fat or ntfs i suppose, but can unfortunately not recall which one.

Well, it cannot mathematically be FAT12 or 16 and logically it cannot be FAT32 either, since XP has dumbed down it to 32 Gb max size.

Which leaves us with NTFS.

So, if there was a single NTFS partition (or at least the first partition was NTFS and not very, very small) the $MFT must exist (and exist at a specific address).

This address is in these cases:

786432*8+63=6291456+63=6291519

Try getting Tiny Hexer and open the disk, then go to absolute sector 6291519. (and check a few sectors after it), but if DMDE didn't find anytihing it is really improbable that *something* exists.

http://www.softpedia.com/get/Others/Miscellaneous/tiny-hexer.shtml

I am starting to think that *somehow* the original disk has issues that were not solved by the "unbricking".

jaclaz

0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.