Welcome to MSFN

Register now to gain access to all of our features. Once registered and logged in, you will be able to contribute to this site by submitting your own content or replying to existing content. You'll be able to customize your profile, receive reputation points as a reward for submitting content, while also communicating with other members via your own private inbox, plus much more! This message will be removed once you have signed in.


Sign in to follow this  
Followers 0
onlit4regs

still no partition on Seagate after successful unbrick

63 posts in this topic

hi,

My 500Gb Seagate 7200.11 had the famous bug of BSY state, it wasn't seen in BIOS.

I have successfully made the unbrick trick with serial cable, hyper terminal and so on. Now the drive is seen in the BIOS (and with the right size).

But Windows see a RAW partition on it.

I've tried easus recovery, it has seen all my files, but any restore of any file results in an unreadable file. (nothing was writen on the faulty disk at the moment)

I've tried testdisk, it has seen the partition, I have made "WRITE PARTITION TABLE" to the faulty disk, and reboot. same thing under windows.

so now, what can I do ?

I attach the HDHACKER first sector of logical drive and first sector of physical drive, if this can help.

thanks a lot for your help :hello:

HDHACKER.zip

Edited by onlit4regs
0

Share this post


Link to post
Share on other sites

I attach the HDHACKER first sector of logical drive and first sector of physical drive, if this can help.

At first sight there is nothing "wrong" in them.

BUT how exactly (under which OS, with which tools) was the disk partitioned originally?

The sectors you posted seems like a "normal" XP partitioned (French), single NTFS:

#0 07 80 0 1 1 1023 254 63   63 976768002 

The data in the bootsector is as well "standard":

 3      0003   OEM String:    NTFS  
11 000B Bytes per sector: 0200 512
21 0015 Media type: F8 248
24 0018 Sectors per Head: 003F 63
26 001A Number of Heads: 00FF 255
28 001C Sectors Before: 0000003F 63
40 0028 Total Sectors: 000000003A384C01 976768001
48 0030 LCN for $MFT:: 00000000000C0000 786432
56 0038 LCN for $MFTMirr:: 0000000003A384C0 61048000
64 0040 Clusters per $MFT record: 000000F6 246
68 0044 Clusters per Index record: 00000001 1
72 0048 Volume Serial: 6424B80A24B7DD6C

Which OS are you running/can run?

Ideally you should try imaging the disk on a (larger) device as a file, first thing, do you have (or can buy) a 640 or 750 Gb disk?

You could check with a disk viewer/editor the presence at the designed addresses of the $MFT and of it's mirror.

$MFT is at 63+786432*8=sector 6,291,519

$MFT Mirror is at 63+61048000*8=sector 488,384,063

The first sector of both should begin with "File0" or in hex "46494C4530".

jaclaz

0

Share this post


Link to post
Share on other sites

I attach the HDHACKER first sector of logical drive and first sector of physical drive, if this can help.

At first sight there is nothing "wrong" in them.

BUT how exactly (under which OS, with which tools) was the disk partitioned originally?

The sectors you posted seems like a "normal" XP partitioned (French), single NTFS:

#0 07 80 0 1 1 1023 254 63   63 976768002 

The data in the bootsector is as well "standard":

 3      0003   OEM String:    NTFS  
11 000B Bytes per sector: 0200 512
21 0015 Media type: F8 248
24 0018 Sectors per Head: 003F 63
26 001A Number of Heads: 00FF 255
28 001C Sectors Before: 0000003F 63
40 0028 Total Sectors: 000000003A384C01 976768001
48 0030 LCN for $MFT:: 00000000000C0000 786432
56 0038 LCN for $MFTMirr:: 0000000003A384C0 61048000
64 0040 Clusters per $MFT record: 000000F6 246
68 0044 Clusters per Index record: 00000001 1
72 0048 Volume Serial: 6424B80A24B7DD6C

Which OS are you running/can run?

Ideally you should try imaging the disk on a (larger) device as a file, first thing, do you have (or can buy) a 640 or 750 Gb disk?

You could check with a disk viewer/editor the presence at the designed addresses of the $MFT and of it's mirror.

$MFT is at 63+786432*8=sector 6,291,519

$MFT Mirror is at 63+61048000*8=sector 488,384,063

The first sector of both should begin with "File0" or in hex "46494C4530".

jaclaz

thanks a lot for your message jaclaz.

it was originally parted in windows XP (French), with standard XP storage manager.

I have a 1Tb hard drive available for imaging, and I am running actually Win 7 Pro x64, but I can also plug it again on my win XP.

I'll try to give a look at the MFT with disk editor and I'll tell you.

0

Share this post


Link to post
Share on other sites

hmmm, $MFT begins with the good code "File0". the problem is $MFT mirror, impossible to access :

"System Error: Code 1117 " and in french something like: I/O error, unable to satisfy query.

:}

0

Share this post


Link to post
Share on other sites

it was originally parted in windows XP (French), with standard XP storage manager.

Then the partition and the bootsector are seemingly OK.

I have a 1Tb hard drive available for imaging, and I am running actually Win 7 Pro x64, but I can also plug it again on my win XP.

Then a good idea would be to image it.

The reference app is Datarescuedd, see here:

http://reboot.pro/7783/

You might want to do a few tests with "smallish" parts of the disk , see this for a possible approach:

http://reboot.pro/15040/#entry133567

I have no idea if it works ok under 7 64 bit, it should, but cannot say.

If you have a XP available it should be "safer" (in the sense of "known to be working")

hmmm, $MFT begins with the good code "File0". the problem is $MFT mirror, impossible to access :

"System Error: Code 1117 " and in french something like: I/O error, unable to satisfy query.

:}

Hmmm, strange.

It is possible that there is a bunch of bad sectors (or a translation table in the disk that was cleared during the unbricking) but a failed $MFT Mirror should not prevent the filesystem to be recognized :unsure: .

Once you have the image done, we will see what TESTDISK finds about those....

jaclaz

0

Share this post


Link to post
Share on other sites

hello jaclaz

ok the image is done, it took a long time, a lot of I/O errors. the image is only 136Go :angry:

what should I do next, you were talking about something with testdisk, can you tell me more please ?

thanks a lot

0

Share this post


Link to post
Share on other sites

hello jaclaz

ok the image is done, it took a long time, a lot of I/O errors. the image is only 136Go :angry:

what should I do next, you were talking about something with testdisk, can you tell me more please ?

thanks a lot

Sorry, I missed your reply. :blushing:

Anyway if the "image" is 136 Gb it is very UNLIKE an image.

You seemingly did not follow the proposed approach:

You might want to do a few tests with "smallish" parts of the disk , see this for a possible approach:

http://reboot.pro/15040/#entry133567

I seem to remember to have read *somewhere* that there is a rather common issue (though I don't seem to remember affecting 7200.11 specifically) where after an unbricking the actually accessible data is about 1/3 of the total, maybe this is the case.

Now the whole point is:

does the "whatever" you have now, 136 Gb in size represent the first 136 Gb of the disk? :unsure:

If yes, most probably you can recover partially the data present in that part of the disk.

What I would do:

  1. create a sparse file (on a NTFS partition) sized 63+976768002=976,768,128 sectors x 512 = 500,105,281,536 bytes in size
  2. "dd to it" the 136 Gb *whatever* you have
  3. analyze it with TESTDISK

How to do that in practice (in a command prompt window, after having collected the tools and put them in a directory like C:\hdtools\, and navigating to that directory):

  1. mksparse <path>\my500GB.img 500105281536
  2. dsfi <path>\my500GB.img 0 0 <path>\thewhatever136GB.img
  3. testdisk <path>\my500GB.img

mksparse: see here:

http://reboot.pro/3191/page__st__25#entry70583

or:

http://wayback.archive.org/web/*/http://www.acc.umu.se/~bosse/mksparse.zip

dsfi (part of the dsfok toolkit), here (you can use instead any other "dd-like" tool yu may be more familiar with):

http://members.ozemail.com.au/~nulifetv/freezip/freeware/

testdisk, here:

http://www.cgsecurity.org/wiki/TestDisk_Download

Follow this EXACTLY (you want to create a log, Intel, analyse, N to "search for Vista created partitions", ):

http://www.cgsecurity.org/wiki/TestDisk_Step_By_Step

see if pressing "P" you see (at least some of) the files .

Report what happens.

jaclaz

0

Share this post


Link to post
Share on other sites

hi,

thanks for your reply and your time !

testdisk have seen the NTFS partition of 500Go, said structure OK.

when pressing "P", there is only one directory displayed, and when entering it, it's empty .... :angry:

I think I'll try again the image processing of the hard drive this week-end, I've done it with USB connexion, but I'll try with direct SATA connexion, to see if it can go up to 500gb image. I'll tell you what.

thanks again ;)

0

Share this post


Link to post
Share on other sites

testdisk have seen the NTFS partition of 500Go, said structure OK.

when pressing "P", there is only one directory displayed, and when entering it, it's empty .... :angry:

Try having a look at the "my500GB.img" with dmde:

http://softdm.com/

even if it is a tool that is not ( like TESTDISK) suitable to be used with a less then advanced knowledge of the NTFS filesystem, you should be able to understand if there is an issue with the $MFT or with the actual filesystem contents. :unsure:

Another thing that you could do is to extrract some sectors starting from 6,291,519 and use on them this tool:

http://www.forensicfocus.com/Forums/viewtopic/t=8010/

http://code.google.com/p/mft2csv/

just to understand if the $MFT contains valid data or if it is "the issue".

If this latter is the case, PHOTOREC may still be able to find many files....

jaclaz

0

Share this post


Link to post
Share on other sites

testdisk have seen the NTFS partition of 500Go, said structure OK.

when pressing "P", there is only one directory displayed, and when entering it, it's empty .... :angry:

Try having a look at the "my500GB.img" with dmde:

http://softdm.com/

even if it is a tool that is not ( like TESTDISK) suitable to be used with a less then advanced knowledge of the NTFS filesystem, you should be able to understand if there is an issue with the $MFT or with the actual filesystem contents. :unsure:

Another thing that you could do is to extrract some sectors starting from 6,291,519 and use on them this tool:

http://www.forensicfocus.com/Forums/viewtopic/t=8010/

http://code.google.com/p/mft2csv/

just to understand if the $MFT contains valid data or if it is "the issue".

If this latter is the case, PHOTOREC may still be able to find many files....

jaclaz

softdm shows me all the files and directories of my hard drive, but trying to recover a dozen of files results with unreadable files. :angry:

I tried making a new image with ddrescue, with direct SATA connection in my PC. it started faster than the previous one on USB, but it is still running, since 72 hours !!! :blink:

only 24,5Go done .... so much errors: "unable to satisfy request because of an I/O error".

I have stopped the process.

about the last thing you asked, I'm not sure to understand what you really want me to do. Extract how many sectors from 6291519 ? and then, mft decode ? or mft2csv ?

thanks a lot for your help. I'm getting less and less hope to recover anything :unsure:

0

Share this post


Link to post
Share on other sites

testdisk have seen the NTFS partition of 500Go, said structure OK.

when pressing "P", there is only one directory displayed, and when entering it, it's empty .... :angry:

Try having a look at the "my500GB.img" with dmde:

http://softdm.com/

even if it is a tool that is not ( like TESTDISK) suitable to be used with a less then advanced knowledge of the NTFS filesystem, you should be able to understand if there is an issue with the $MFT or with the actual filesystem contents. :unsure:

Another thing that you could do is to extrract some sectors starting from 6,291,519 and use on them this tool:

http://www.forensicfocus.com/Forums/viewtopic/t=8010/

http://code.google.com/p/mft2csv/

just to understand if the $MFT contains valid data or if it is "the issue".

If this latter is the case, PHOTOREC may still be able to find many files....

jaclaz

softdm shows me all the files and directories of my hard drive, but trying to recover a dozen of files results with unreadable files. :angry:

I tried making a new image with ddrescue, with direct SATA connection in my PC. it started faster than the previous one on USB, but it is still running, since 72 hours !!! :blink:

only 24,5Go done .... so much errors: "unable to satisfy request because of an I/O error".

I have stopped the process.

about the last thing you asked, I'm not sure to understand what you really want me to do. Extract how many sectors from 6291519 ? and then, mft decode ? or mft2csv ?

thanks a lot for your help. I'm getting less and less hope to recover anything :unsure:

0

Share this post


Link to post
Share on other sites

softdm shows me all the files and directories of my hard drive, but trying to recover a dozen of files results with unreadable files. :angry:

This should mean that the $MFT is OK (i.e. no need to analyze it manually with mft2csv).

But if you ran the DMDE on the (incomplete) image, this may still be "normal".

I tried making a new image with ddrescue, with direct SATA connection in my PC. it started faster than the previous one on USB, but it is still running, since 72 hours !!! :blink:

only 24,5Go done .... so much errors: "unable to satisfy request because of an I/O error".

I have stopped the process.

And, AGAIN, you are using a WRONG approach (attempting to image the whole disk at once).

For the THIRD time, please read again this:

You might want to do a few tests with "smallish" parts of the disk , see this for a possible approach:

http://reboot.pro/15040/#entry133567

You might want to try with even smaller "chunks".

Another test (but be careful):

What happens with DMDE on the original disk?

I find it strange that the $MFT is "perfect" (as it seemingly is) but *all* the disk is unreadable (I could understand some areas, but not the large majority of the disk) :unsure:

jaclaz

0

Share this post


Link to post
Share on other sites

ok, will try that sorry for not understanding this approach :unsure:

I've just read the post indicated, I just have a question about reassembling the different parts ? how to do that ? it says to create an empty file (with which tool ?) of the size of the disk and then merge all parts.

thanks

0

Share this post


Link to post
Share on other sites

ok, will try that sorry for not understanding this approach :unsure:

I've just read the post indicated, I just have a question about reassembling the different parts ? how to do that ? it says to create an empty file (with which tool ?) of the size of the disk and then merge all parts.

thanks

Normally I would use fsz.exe (part of the dsfok toolkit):

http://members.ozemail.com.au/~nulifetv/freezip/freeware/

that is if you have the space available to create a "whole" file, but It should be more convenient to use instead mksparse, here:

http://reboot.pro/3191/page__st__25#entry70583

this way the file will grow only with the actual "chunks" that you write to it.

And the reference app to write these chunks is dsfi (still part of the dsfok toolkit).

I can give you specific instructions if this other approachs actual succeeds in getting more data.

But if the test with DMDE on the original disk gives the same results, than there is a more serious issue somewhere "before" (partial unbricking or "failed" unbricking) though as said it sounds "strange".

jaclaz

0

Share this post


Link to post
Share on other sites

hi jaclaz

so, I have tried DMDE on the original hard drive, It couldn't display the directory/file structure , it was so long on "reading MFT", more than 4 days to complete only 3% !! so I aborted

on this disk, there is a dozen of "most wanted" files for me, which may represents 2 or 3go. I've made my recovery tests on these files. maybe other are readable, but they are not necessary for the moment.

so, do you think I should try to image the disk in smaller chunks ?

thanks

0

Share this post


Link to post
Share on other sites

so, I have tried DMDE on the original hard drive, It couldn't display the directory/file structure , it was so long on "reading MFT", more than 4 days to complete only 3% !! so I aborted

I am confused by your reports:

softdm shows me all the files and directories of my hard drive, but trying to recover a dozen of files results with unreadable files. :angry:

Were you previously using dmde to look at the $MFT of the "image" you made?

If yes, that image - even if partial - actually holds a seemingly valid $MFT.

You can try the following:

  1. open the (partial) image with dmde
  2. check in it's directory structure the names of the fiiles you most value
  3. try using this tool getFileExtents
    http://www.wd-3.com/archive/luserland.htm
    to understand the location of the files (one by one) and/or of the various fragments of them
  4. try imaging just the relevant sectors found above with ddrescue from the original disk to new files
  5. re-assemble the new files into the "original" ones

If this strategy works, you will be able to get just the "strictly needed" files in a smaller time.

jaclaz

0

Share this post


Link to post
Share on other sites

I can't get "getfileextents" to work

should I use it on my hard drive or on my image ?

how to tell it to search on the drive or image ? parameter seems to be only the filename

thanks

0

Share this post


Link to post
Share on other sites

I can't get "getfileextents" to work

should I use it on my hard drive or on my image ?

how to tell it to search on the drive or image ? parameter seems to be only the filename

thanks

On the image (I mean if the dmde can access the $MFT entries of the image, as I seem to understand, asked you but had no specific answer about).

The image must be mounted to a drive letter (using a virtual disk driver) in order to let getfilextents work. <- Sorry :blushing: I omitted this piece of info.

Possibly the most easy to use one (and "good enough" for the task) could be IMDISK:

http://www.ltr-data.se/opencode.html/

http://reboot.pro/forum/59/

See if it can mount the image to a drive letter.

jaclaz

0

Share this post


Link to post
Share on other sites

yes dmde has no problem seeing the directory/file structure on the image file, I see all my favorite files.

I've mounted it with IMDisk, with default parameters of size of virtual disk, etc. It showed a new letter, but impossible to browse this letter ! (no filesystem type indicated in IMDisk, and windows can't see the size of partition, file or directory unreable or corrupted ...) :realmad:

so, can't get fileextents to work on it too.

??

thanks

0

Share this post


Link to post
Share on other sites

yes dmde has no problem seeing the directory/file structure on the image file, I see all my favorite files.

Good. :)

I've mounted it with IMDisk, with default parameters of size of virtual disk, etc. It showed a new letter, but impossible to browse this letter ! (no filesystem type indicated in IMDisk, and windows can't see the size of partition, file or directory unreable or corrupted ...) :realmad:

so, can't get fileextents to work on it too.

Wait a minute, are you still using the "resulting" image as ddrescue created it, or did you "grow" it to it's full size (creating a new file with mksparse and dd-ing to it the image)?

jaclaz

0

Share this post


Link to post
Share on other sites

I'm working with the "grown" image (mkparse + dd-ing) - 500go

I should test dmde or IMDisk with the small image made by Drdd ?

0

Share this post


Link to post
Share on other sites

I'm working with the "grown" image (mkparse + dd-ing) - 500go

I should test dmde or IMDisk with the small image made by Drdd ?

The grown image, the NTFS filesystem driver is likely to throw errors on a "less-than-declared-size" one.

The "grown" image should mount, the only issue being (hopefully) the backup of the bootsector, which shouldn't be checked by the NTFS filesystem driver when mounting :unsure:.

It is very possible that - for any reason - the partial image that you have is not an image of the first 134 or so Gb of the original hard disk (and consequently the "grown" image is "invalid") or that somehow the $MFT is "misplaced" in the "grown" image or that - again for *any* reason the making of the sparse file or the dd-ing to it of the partial image produced an invalid image.

How EXACTLY did you create the "grown" image?

Please list EXACTLY, in DETAIL, EACH and EVERY step you performed to make that image.

jaclaz

0

Share this post


Link to post
Share on other sites

hi Jaclaz,

I was so busy the last days that I completly forgot my hard drive issue ! :blushing:

so, here is what I've done for this grown image:

- datarescuedd the faulty drive in a single image of all sectors (with a lot of reading errors)

- mksparse <path>\my500GB.img 500105281536

- dsfi <path>\my500GB.img 0 0 <path>\thewhatever136GB.img

thanks a lot

0

Share this post


Link to post
Share on other sites

I was so busy the last days that I completly forgot my hard drive issue ! :blushing:

so, here is what I've done for this grown image:

- datarescuedd the faulty drive in a single image of all sectors (with a lot of reading errors)

- mksparse <path>\my500GB.img 500105281536

- dsfi <path>\my500GB.img 0 0 <path>\thewhatever136GB.img

Good. :thumbup

And if you access this "my500GB.img" with dmde you can actually see the $MFT, but if you try opening/mounting it with IMDISK you have issues (like being prompted to format it and/or in the IMDISK control panel NOT seeing NTFS as "filesystem")?

Do I get this right?

If yes, you can try the following, using TESTDISK on the "my500GB.img" as follows:

TESTDISK <path>\my500GB.img

http://www.cgsecurity.org/wiki/TestDisk_Step_By_Step

be sure to choose to Create a log, follow the above and post the log and a description of what it says on screen (since the disk was originally partitioned on XP, do reply "No" to the question about it having been partitioned under Vista as it should speed up things).

It is also possible that (for any reason) the IMDISK (which works at a "somewhat higher level" than other virtual drivers) have different kinds of issues with the image, it is possible that *somehow* it fails to detect the offset to the partition (BTW are you prompted to choose an offset when mounting the image?), another thing you may want to try is (on XP, NOT on 7) the VDK driver:

https://sites.google.com/site/chitchatvmback/vdk

optionally using my pseudo-GUI for it:

http://jaclaz.altervista.org/Projects/VDM/vdm.html

BUT better if creating a .pln file for it, by hand :w00t: or using the little batch here:

http://www.forensicfocus.com/Forums/viewtopic/t=1489/postdays=0/postorder=asc/start=42/

Can you confirm that the first sector of the "my500GB.img" is identical to the MBR sector you initially posted? :unsure:

(Would it be possible that you got the MBR and PBR "right" with hdhacker form the "original disk" and that somehow when you made the image either of them is not there/is corrupted?)

jaclaz

Edited by jaclaz
0

Share this post


Link to post
Share on other sites

And if you access this "my500GB.img" with dmde you can actually see the $MFT, but if you try opening/mounting it with IMDISK you have issues (like being prompted to format it and/or in the IMDISK control panel NOT seeing NTFS as "filesystem")?

Do I get this right?

absolutly !

If yes, you can try the following, using TESTDISK on the "my500GB.img" as follows:

TESTDISK <path>\my500GB.img

http://www.cgsecurity.org/wiki/TestDisk_Step_By_Step

be sure to choose to Create a log, follow the above and post the log and a description of what it says on screen (since the disk was originally partitioned on XP, do reply "No" to the question about it having been partitioned under Vista as it should speed up things).

testdisk have seen the NTFS partition of 500Go, said structure OK.

when pressing "P", there is only one directory displayed, and when entering it, it's empty ....

It is also possible that (for any reason) the IMDISK (which works at a "somewhat higher level" than other virtual drivers) have different kinds of issues with the image, it is possible that *somehow* it fails to detect the offset to the partition (BTW are you prompted to choose an offset when mounting the image?)

offset is automatically set at 63 blocks when I select my500gb.img

another thing you may want to try is (on XP, NOT on 7) the VDK driver:

Can you confirm that the first sector of the "my500GB.img" is identical to the MBR sector you initially posted? :unsure:

vdk driver did the same thing as IMDISK: mount partition, but when trying to access on windows: "this drive must be formatted" :angry:

yes MBR is the same

thanks for your help

0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.