Need help with data recovery on HDD


#26
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,376 posts
  • OS:none specified
  • Country: Country Flag

For the record, I'm not sure I fully comprehend the procedure in getting the PBR (unless it stands for Pabst Blue Ribbon, in which case I know how to but just don't want to).

Would it be unwise to move along to the next step with only a copy of the MBR and NOT the PBR?

Well, in your particular case you simply "cannot" (in the sense of "easily") get the PBR.

The MBR you just posted is partially corrupted, hence the disk manager cannot find any LogicalDrive (the PBR is the first sector of the LogicalDrive) on the disk/image and HDhacker simply doesn't know which sector to get.

For whatever reasons, the Partition Tables in the MBR you posted are completely 00ed out.

At first sight the MBR CODE is seemingly that of 2K/XP.

You can try running Testdisk (remember to use the /log). Since the original disk seems to have been partitioned under XP, reply N (No) to the question if the disk was partitioned under Vista.
Report BEFORE telling Testdisk to write anything.

jaclaz



#27
mattiasnyc

mattiasnyc

    Newbie

  • Member
  • 27 posts
  • OS:Windows 7 x64
  • Country: Country Flag
Thanks jaclaz,

I will try Testdisk today. Does it take hours to do its thing or is it a matter of minutes? (I have to work from home today because of the hurricane)

#28
jaclaz


Thanks jaclaz,

I will try Testdisk today. Does it take hours to do its thing or is it a matter of minutes? (I have to work from home today because of the hurricane)

The initial detection (if any is found :ph34r:) of the PBR/bootsector should take a few seconds.

If no bootsector is found where it normally is (sector 63 on XP - if I recall correctly it was just a single "huge" partition) it may take much longer as it will have to scan the whole disk, on a perfectly functional SATA II 500 Gb disk I would say less than one hour, though, for the whole scan.

jaclaz

#29
mattiasnyc


The initial detection (if any is found :ph34r:) of the PBR/bootsector should take a few seconds.

If no bootsector is found where it normally is (sector 63 on XP - if I recall correctly it was just a single "huge" partition) it may take much longer as it will have to scan the whole disk, on a perfectly functional SATA II 500 Gb disk I would say less than one hour, though, for the whole scan.

jaclaz


I will try this and NOT write anything until I've posted results here. One more thing:

You can try running Testdisk (remember to use the /log) since the original disk seems to have been partitioned under XP,


What do you refer to when you say "use the /log"? That particular sign/word ("/log") doesn't appear on the "testdisk step by step" guide page.

#30
jaclaz


What do you refer to when you say "use the /log"? That particular sign/word ("/log") doesn't appear on the "testdisk step by step" guide page.


I am more used to working on the command line, it is simply faster: open a command prompt, navigate to the directory where TESTDISK is, type on the command line
testdisk_win.exe /log
press [ENTER]

If you double click on testdisk_win.exe you will anyway be prompted to do that:
http://www.cgsecurit...ep#Log_creation
you want to Create a log.

jaclaz

#31
mattiasnyc

I've now run test disk through the "Quick Search" function and it has found no partitions at all. My options at the bottom of the screen are:

"Keys A: add partition, L: load backup, Enter: to continue"

please advise, and thanks for all your time and help!

#32
jaclaz


I've now run test disk through the "Quick Search" function and it has found no partitions at all. My options at the bottom of the screen are:

"Keys A: add partition, L: load backup, Enter: to continue"

please advise, and thanks for all your time and help!


"Keys A: add partition, L: load backup, Enter: to continue"

You are between:
http://www.cgsecurit..._for_partitions
and:
http://www.cgsecurit...e_partitions.3F
i.e. since "Quick Search" failed, you want to do a "Deep Search".

jaclaz

#33
mattiasnyc

Thanks. Can you tell I'm a noob at this?

It's at 12%. I will report back.

#34
mattiasnyc

Done. Still nothing. Same options; add partition, load backup or enter to continue...

#35
jaclaz


Done. Still nothing. Same options; add partition, load backup or enter to continue...

Hmmm.
It sounds like there are no traces that TESTDISK can find, which is unusual.

Get DMDE:
http://softdm.com/

And try opening the disk with it (Drive->Select Drive->choose the PhysicalDrive->NTFS search).
And report (post a screenshot)
If one (or more) NTFS volume(s) are found, you can access them by selecting and "Open Volume".

Another thing, you should try to get (and post in an archive) the first 100 sectors as detailed in
http://www.msfn.org/...dd/page__st__20

so that I can have a look at them.

jaclaz

#36
mattiasnyc

Thanks. I've attached HDhacker again, sectors 1 through 16 as that's all it took in one go.

The DMDE result is pretty much zeroes in general and an NTFS search of the first 5GB shows nothing. I didn't really have time for anything else right now, but I'll try to do more by this evening.

Attached Files



#37
jaclaz

Yes, hdhacker gets at the most 16 sectors, you need to use dsfo or a dd of some kind to get the 100 sectors.
A "normal" NTFS volume has its $MFT starting at cluster 786432, i.e. at 786432*4096=3,221,225,472 or around 3 Gb give or take a few sectors (sectors before) on the first partition.

Of the sectors you posted, only the first is non-zero (this is normal) and it does contain a MBR code but NO MBR data (all 4 partition entries are 00's or "wiped"), it is identical (obviously) to the one you already posted.

This is most uncommon :w00t: , as it seems like NOT the result of a "random" corruption, but rather of an "intentional" wiping of just the partition table :ph34r: .

Additionally you have two bytes at 0X1BC that are normally 0000 (unused) set instead to A025, but this could be *something* related to XP64 or a "flag" placed there for *any* reason by almost *anything*.

Were you - by any chance and at *any* step - prompted to "initialize" the disk (in disk management or explorer)? :unsure:
(a just "initialized" disk does have the "right" MBR code but NO MBR partition data)

jaclaz
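The check described in post #37, separating MBR code from MBR partition data, written out as an added example (not part of the original thread). The sample sectors are constructed: the code bytes, disk signature and NTFS entry are made-up values, and the `A025` flag is placed at 0x1BC in dump order as an assumption.

```python
import struct

SECTOR = 512
TABLE_OFF, ENTRY_LEN = 0x1BE, 16   # four 16-byte partition entries start here

def triage_mbr(sector: bytes) -> dict:
    """Separate MBR boot code from MBR partition data in one 512-byte sector."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    entries = []
    for slot in range(4):
        raw = sector[TABLE_OFF + slot * ENTRY_LEN:TABLE_OFF + (slot + 1) * ENTRY_LEN]
        if any(raw):  # an all-00 slot is unused (or wiped)
            lba_start, count = struct.unpack_from("<II", raw, 8)
            entries.append({"slot": slot, "active": raw[0] == 0x80,
                            "type": raw[4], "lba_start": lba_start, "sectors": count})
    has_code = any(sector[:0x1B8])
    has_magic = sector[0x1FE:] == b"\x55\xaa"
    if not any(sector):
        verdict = "all zeroes"
    elif not has_magic:
        verdict = "no 55AA signature"
    elif entries:
        verdict = "partitioned"
    elif has_code:
        verdict = "boot code present, partition table empty"
    else:
        verdict = "signature only"
    return {"verdict": verdict, "entries": entries,
            "disk_signature": struct.unpack_from("<I", sector, 0x1B8)[0],
            "bytes_0x1BC": sector[0x1BC:0x1BE].hex().upper()}

def build_sample(entry: bytes = b"", flag: bytes = b"\x00\x00") -> bytes:
    """Constructed test sector: placeholder code bytes, optional entry in slot 0."""
    s = bytearray(SECTOR)
    s[0:4] = b"\x33\xc0\x8e\xd0"                     # stand-in for boot code
    s[0x1B8:0x1BC] = struct.pack("<I", 0x12345678)   # made-up disk signature
    s[0x1BC:0x1BE] = flag
    s[TABLE_OFF:TABLE_OFF + len(entry)] = entry
    s[0x1FE:] = b"\x55\xaa"
    return bytes(s)

# Constructed entry: active, type 0x07 (NTFS), starting at sector 63.
NTFS_ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                         b"\xfe\xff\xff", 63, 976768002)

if __name__ == "__main__":
    print(triage_mbr(build_sample(flag=b"\xa0\x25")))   # the case described in the post
    print(triage_mbr(build_sample(entry=NTFS_ENTRY)))   # a normally partitioned disk
```

Run it against the first 512 bytes of an image file, never against the live disk, so the evidence stays untouched.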

#38
mattiasnyc


Yes, hdhacker gets at the most 16 sectors, you need to use dsfo or a dd of some kind to get the 100 sectors.
A "normal" NTFS volume has its $MFT starting at cluster 786432, i.e. at 786432*4096=3,221,225,472 or around 3 Gb give or take a few sectors (sectors before) on the first partition.


The above are two different things, right? The first addressing the first 16 sectors and the second talking about where the NTFS "lives", right? So I'm looking at re-running one of the tests over the whole drive to cover where NTFS "lives", and re-running the other test with dsfo or dd. Right?

Were you - by any chance and at *any* step - prompted to "initialize" the disk (in disk management or explorer)? :unsure:
(a just "initialized" disk does have the "right" MBR code but NO MBR partition data)

jaclaz


I'll have to get back to this later this evening, but "no", I was not prompted to "initialize" and I do not recall having changed the source or clone drives in any way (meaning their partitions). One day the darn thing wouldn't spin, that's all. The only thing I can think of is if I somehow screwed up the de-bricking of the source (as far as me being the culprit is concerned).

I'll come back later with more info.

#39
jaclaz


The above are two different things, right? The first addressing the first 16 sectors and the second talking about where the NTFS "lives", right?

Yes. :)

I do not want 16 sectors (because I already know how in the best cases there is only one meaningful sector in the first 16 sectors - the MBR - which I already have), I want to have a look at the first 100 sectors because they will contain sector 63 and the following 16 sectors (up to 95) that may be non-zero.
If when the disk was originally partitioned the new Vista :ph34r: and later "partitioning paradigm" has taken place, I will need instead first 2100 sectors.

If you prefer by providing 16 sectors instead of the asked for 100 you didn't fulfill my request at a 16% rate, but rather at a 0% rate (or at the most at a 1% one) and I need it anyway fulfilled at 100% (or possibly even at 2100% :w00t:)

The reference to the normal location of the $MFT was because you talked of having scanned the first 5 Gb; the (bad :() news is that normally the $MFT is at around 3 Gb, so it should have been found (if it is still there).

jaclaz

Edited by jaclaz, 05 November 2012 - 01:49 PM.


#40
mattiasnyc

Yeah, I know, LoL, still with this issue right?

So, here's the deal: I've been busy with a bunch of stuff and was about to give up on this when I remembered files that I now need so I figured I'd give it a shot and got into my head to plug in the original un-bricked drive just to see if testdisk would find anything on it, as opposed to the clone.

In testdisk after the initial search I now found the following:

>L, FAT16, LBA, 22947, 1 , 1 , 60799 , 254 63 , 600108382

Basically I'm now jumping back in the thread in response to your post #26, reporting back before I do anything else...


...standing by...



PS. The commas in the string above are only there to give distance between numbers, they obviously don't appear in test disk.

Edited by mattiasnyc, 30 November 2012 - 04:52 PM.


#41
jaclaz

Well, what testdisk may have found is a partition image formatted as FAT; the disk should have been partitioned (how?, most probably in one big partition :unsure:) and that partition formatted as NTFS.

It is like the FOURTH time that I am asking you to copy first 100 sectors and post them :realmad: , I won't ask for them a fifth one :no: .

For the record, I asked for them:
  • in post #21 on 22 August 2012
  • in post #35 on 02 November 2012
  • in post #39 on 05 November 2012

Maybe it's time you just do it. :whistle:

jaclaz

#42
mattiasnyc

I believe what is attached is what you're looking for... Or hope rather...

Pulled a 17-hour overnight work session so my brain has been pure garbage for the past couple of days. The joy of working in television. Anyway, let me know if the file is what you were looking for. I had a hard time finding out how to operate the **** program. I love command prompts as long as I know what the hell I'm doing which is not the case here. So just so you know what I did...:

1. Searched for "dsfo", found and downloaded, put .exe file in new folder called "apps" on C
2. Went to command prompts and typed in:

C:\apps\dsfo \\.\PhysicalDrive6 0 51200 F:\drive6

where "PhysicalDrive6" was the damaged drive ID and "F" is a USB flash drive. I based the syntax off of what you wrote in a different thread, so I'm hoping it's accurate. I couldn't get rawcopy to work at first, probably because I screwed up the syntax.

Attached Files



#43
jaclaz

Yep :), the command is correct, but the result is far from "good".

The first sector is the MBR (which you already have posted) with all its code but with no DATA in the partition table.
All the rest are 00's sectors :(.

Here the A025 I mentioned has disappeared :w00t:

Questions:
  • Is there any chance that that disk was originally partitioned under Vista :ph34r: or 7?
  • Do you remember how it was partitioned originally? (Like a single NTFS volume, several volumes, which filesystems, etc.?)

jaclaz

#44
mattiasnyc

Q1: not really. I've never touched Vista in my life, and 7 was just an OS I messed around with on the drive I have up and running now. It would be epic if it wasn't XP.

Q2: I only recall having worked with one partition. I have a system with at least 4 drives normally so my usage is pretty compartmentalized. So I think it was one partition only.

On it was XP x64, and it was FAT or NTFS I suppose, but I can unfortunately not recall which one.

#45
jaclaz


Q1: not really. I've never touched Vista in my life, and 7 was just an OS I messed around with on the drive I have up and running now. It would be epic if it wasn't XP.

Q2: I only recall having worked with one partition. I have a system with at least 4 drives normally so my usage is pretty compartmentalized. So I think it was one partition only.

On it was XP x64, and it was FAT or NTFS I suppose, but I can unfortunately not recall which one.

Well, it cannot mathematically be FAT12 or 16 and logically it cannot be FAT32 either, since XP has dumbed it down to 32 Gb max size.
Which leaves us with NTFS.
So, if there was a single NTFS partition (or at least the first partition was NTFS and not very, very small) the $MFT must exist (and exist at a specific address).
This address is in these cases:
786432*8+63=6291456+63=6291519

Try getting Tiny Hexer and open the disk, then go to absolute sector 6291519 (and check a few sectors after it), but if DMDE didn't find anything it is really improbable that *something* exists.
http://www.softpedia...iny-hexer.shtml

I am starting to think that *somehow* the original disk has issues that were not solved by the "unbricking".

jaclaz

#46
mattiasnyc

thanks, will do.

#47
mattiasnyc

Hi, downloaded and installed "tiny hexer". Again, this is an application that is way beyond intuitive for a non-programmer/hacker/whatever.

Could you tell me what to type and where in steps? I don't even know where to start. (or alternatively let me know if there's a quick guide and what its name would be so I could learn the stuff).

#48
jaclaz

Tiny hexer is GUI, not command line.
It works more or less like *any* editor, the main difference is that when you operate on a disk or on disk image to avoid using too much memory it loads by default a sector at a time.

  • File->Disk->Open Drive
  • Choose "right" \\.\PhysicalDriven
  • Press OK
  • File->Disk->Goto Sector
  • Replace by typing or pasting the highlighted text "+0x100" with "6291519" (without quotes)
  • Press OK
  • Use Shift+F8 to go forward and Shift+F7 to go back (one sector at the time)

What do you see?
All 00's and "dots" or you can read at very beginning of sectors "FILE0" and some text here and there? (like "$.M.F.T.", "$.M.F.T.m.i.r.r.o.r.", etc.)?
Post a screenshot (if it is not all 00's) of sector 6291519; the window should have a title like >\\.\PhysicalDriven , sector 6291519/xxxxxxxxxxx

Once you are there:
  • Edit-> Find/Replace
  • write (or copy from here) in the "Enter text or hex data to search for" box this: "46494C4530" (without quotes) that is the hex of FILE0, and every two sectors in the $MFT there is an occurrence of "FILE0"
  • Click on Find button
  • A new popup will appear asking you to "Search following sector(s)", click on Yes (a few times, for the first few sectors), then press "yes to all", if no hit is found within a few minutes, click on "Cancel"

jaclaz
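The sector arithmetic from post #45 and the FILE0 search from post #48, combined into one added example (not part of the original thread). The `read_sector` callable and the sparse in-memory "disks" are assumptions built for the demonstration; on a real image the reader would seek to `lba * 512` and read 512 bytes.

```python
SECTOR = 512
FILE0 = bytes.fromhex("46494C4530")   # ASCII "FILE0", the search string from the post

def expected_mft_sector(mft_cluster=786432, sectors_per_cluster=8, partition_start=63):
    """Absolute sector of the $MFT: cluster * sectors per cluster + partition offset."""
    return mft_cluster * sectors_per_cluster + partition_start

def make_reader(sparse):
    """read_sector(lba) over a constructed sparse disk; unlisted sectors read as 00s."""
    return lambda lba: sparse.get(lba, bytes(SECTOR))

def survey(read_sector, first, count):
    """Classify sectors [first, first+count): FILE0 record starts vs. all-00 sectors."""
    hits, zeroed = [], 0
    for lba in range(first, first + count):
        data = read_sector(lba)
        if data.startswith(FILE0):
            hits.append(lba)
        elif not any(data):
            zeroed += 1
    return {"file0_at": hits, "zero_sectors": zeroed, "scanned": count}

def constructed_mft(start, records):
    """Fake $MFT: 1024-byte records (two sectors each), each beginning with FILE0."""
    disk = {}
    for n in range(records):
        record = FILE0 + b"\x11" * (2 * SECTOR - len(FILE0))   # filler, not real NTFS data
        disk[start + 2 * n] = record[:SECTOR]
        disk[start + 2 * n + 1] = record[SECTOR:]
    return disk

if __name__ == "__main__":
    start = expected_mft_sector()
    print("expected $MFT sector:", start)
    # Healthy layout: a hit every two sectors, as the post describes.
    print(survey(make_reader(constructed_mft(start, 4)), start, 8))
    # The outcome reported in the thread: nothing but 00s at the expected location.
    print(survey(make_reader({}), start, 8))
```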

#49
mattiasnyc

All zeroes..... :}

#50
jaclaz


All zeroes..... :}


Hmmm.
I guess you are stuck, then :(

Without partition data, nor bootsector data, nor $MFT the only thing that may work is file-based recovery, but as said I start to suspect that your drive is either "really" all 00's or *somehow* it went in some kind of "failure" mode and simply outputs 00ed sectors.

Try again from the start, describe what happened BEFORE you posted here:

Found this place, went through steps to get it back.

What symptoms did the drive have, which exact steps you performed, etc., etc.

jaclaz



