mattiasnyc

Need help with data recovery on HDD

52 posts in this topic

Hi, downloaded and installed "tiny hexer". Again, this is an application that is way beyond intuitive for a non-programmer/hacker/whatever.

Could you tell me what to type and where in steps? I don't even know where to start. (or alternatively let me know if there's a quick guide and what its name would be so I could learn the stuff).


Tiny hexer is GUI, not command line.

It works more or less like *any* editor, the main difference is that when you operate on a disk or on a disk image, to avoid using too much memory, it loads by default a sector at a time.

  1. File->Disk->Open Drive
  2. Choose "right" \\.\PhysicalDriven
  3. Press OK
  4. File->Disk->Goto Sector
  5. Replace by typing or pasting the highlighted text "+0x100" with "6291519" (without quotes)
  6. Press OK
  7. Use Shift+F8 to go forward and Shift+F7 to go back (one sector at a time)

What do you see?

All 00's and "dots" or you can read at very beginning of sectors "FILE0" and some text here and there? (like "$.M.F.T.", "$.M.F.T.m.i.r.r.o.r.", etc.)?

Post a screenshot (if it is not all 00's) of sector 6291519, the window should have a title like >\\.\PhysicalDriven , sector 6291519/xxxxxxxxxxx

Once you are there:

  1. Edit-> Find/Replace
  2. write (or copy from here) in the "Enter text or hex data to search for" box this: "46494C4530" (without quotes) that is the hex of FILE0, and every two sectors in the $MFT there is an occurrence of "FILE0"
  3. Click on Find button
  4. A new popup will appear asking you to "Search following sector(s)", click on Yes (a few times, for the first few sectors), then press "yes to all", if no hit is found within a few minutes, click on "Cancel"

jaclaz


All zeroes..... :}

Hmmm.

I guess you are stuck, then :(

Without partition data, nor bootsector data, nor $MFT the only thing that may work is file-based recovery, but as said I start to suspect that your drive is either "really" "all 00's" or *somehow* it went into some kind of "failure" mode and simply outputs 00ed sectors.

Try again from the start, describe what happened BEFORE you posted here:

Found this place, went through steps to get it back.

What symptoms did the drive have, which exact steps you performed, etc., etc.

jaclaz


Went to boot my computer and it wouldn't go past POST. BIOS couldn't find OS or drive. This was as I mentioned the OS drive and I didn't touch it prior to shutting down. I never initialize drives "willy nilly". The words "initialize", "erase", "format" etc throw up red flags in my brain and I've yet to be dumb enough to clean a drive from data. I'm plenty dumb in other ways to make up for it though.

Then I went to the thread called " The Solution for Seagate 7200.11 HDDs" and went through the instructions and "unbricked" it. The symptoms of my drive conformed to the ones the "unbricking" would potentially solve.

The drive then spun up properly and got detected by the OS. After that I tried absolutely nothing else but instead posted in this thread.

I'm guessing "file based recovery" is some sort of time consuming scan where the software tries to intelligently piece together what binary constitutes a file, and what type of file that would be... Would that be the next step?

Thanks again for your help and patience.


Went to boot my computer and it wouldn't go past POST. BIOS couldn't find OS or drive. This was as I mentioned the OS drive and I didn't touch it prior to shutting down. I never initialize drives "willy nilly". The words "initialize", "erase", "format" etc throw up red flags in my brain and I've yet to be dumb enough to clean a drive from data. I'm plenty dumb in other ways to make up for it though.

Yes, OK, but were they BSY or LBA0 symptoms?

Then I went to the thread called " The Solution for Seagate 7200.11 HDDs" and went through the instructions and "unbricked" it. The symptoms of my drive conformed to the ones the "unbricking" would potentially solve.

Which EXACT commands did you send to it in the Hyperterminal (or whatever you used)?

The drive then spun up properly and got detected by the OS. After that I tried absolutely nothing else but instead posted in this thread.

Yes, the issue here is that your drive behaves "strangely".

The MBR CODE is there, exactly where it should be, but the data in it have been "00ed". <- this is "queer", usually either the "whole" MBR is there or it has been completely (not just 16 bytes of it) 00ed.

Also, it seems like all the sectors you accessed are all 00's (wiped).

I am suspecting that - for *any* reason - the disk has gone in some kind of "loop" :w00t: and - besides the MBR - only "provides" the same bunch of 00ed sectors :unsure: , no matter which sector you try to access.

I'm guessing "file based recovery" is some sort of time consuming scan where the software tries to intelligently piece together what binary constitutes a file, and what type of file that would be... Would that be the next step?

Yep, that is the idea, that has a big caveat, though.

Provided that the disk is not all 00's, any file that was contiguous should normally be retrieved without issues, whilst any file that was fragmented will most probably result as either corrupted or "partial".

The "reference" tool is PHOTOREC (the companion of TESTDISK):

http://www.cgsecurity.org/wiki/PhotoRec

(it is not just for photos)

Thanks again for your help and patience.

No prob. :)

Let's try again to see if some data can actually be read on that disk.

Open the disk in Tiny Hexer and search, starting from sector 0 the hex 4D5A90 (which equates to "MZ<nop>", i.e. the header for executable files, one of the most common filetypes on a "system" disk).

If you don't find a hit within (say) the first 50000 sectors it is likely that there is the "all 00's" issue.

Are you trying to access the "original, unbricked" disk or the clone of it? (can it be, if the latter, that the cloning failed?)

jaclaz
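
The two manual searches described in this thread (FILE0 records in the $MFT area, MZ headers in the first 50000 sectors) and the "all 00's" check can be run in one pass over a clone image. This is an added example, not part of the original posts; it assumes 512-byte sectors and that signatures sit at the start of a sector, and the function names `scan_sectors`, `verdict` and `constructed_image` are hypothetical.

```python
import io

SECTOR = 512
# Signatures from the thread: "FILE0" opens each $MFT record, "MZ\x90" opens executables.
SIGNATURES = {"FILE0": bytes.fromhex("46494C4530"), "MZ": bytes.fromhex("4D5A90")}

def scan_sectors(stream, start=0, count=50000):
    """Read up to `count` sectors from LBA `start`; count zeroed sectors and
    record the LBAs whose first bytes match a signature."""
    report = {"read": 0, "zeroed": 0, "hits": {name: [] for name in SIGNATURES}}
    stream.seek(start * SECTOR)
    for lba in range(start, start + count):
        data = stream.read(SECTOR)
        if len(data) < SECTOR:      # end of image or short read
            break
        report["read"] += 1
        if not any(data):           # every byte is 0x00
            report["zeroed"] += 1
            continue
        for name, magic in SIGNATURES.items():
            if data.startswith(magic):
                report["hits"][name].append(lba)
    return report

def verdict(report):
    """Summarise a scan the way the thread reasons about it."""
    if report["read"] and report["zeroed"] == report["read"]:
        return "all 00's"
    if any(report["hits"].values()):
        return "readable data"
    return "non-zero data, no known signature"

def constructed_image(sectors=64):
    """Constructed sample (not real disk data): two $MFT-style records and one
    executable header placed in an otherwise zeroed image."""
    img = bytearray(sectors * SECTOR)
    for lba, name in ((8, "FILE0"), (10, "FILE0"), (20, "MZ")):
        magic = SIGNATURES[name]
        img[lba * SECTOR:lba * SECTOR + len(magic)] = magic
    return bytes(img)

if __name__ == "__main__":
    for label, raw in (("sample", constructed_image()), ("wiped", bytes(64 * SECTOR))):
        rep = scan_sectors(io.BytesIO(raw))
        print(label, verdict(rep), rep)
```

To use it on a clone, pass a file object opened with `open(path, "rb")` in place of the `io.BytesIO` sample, with `start=6291519` for the $MFT check or `start=0, count=50000` for the MZ check.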
