Pierre's field guide to partition table recovery
© DataRescue sprl 1997

Part 2 - A Practical Case

A crash !

Easy Recovery

 

  Soon after I made Part 1 of this recovery guide available, I received an e-mail from a gentleman who had suffered from what seemed to be a major HD crash. He had totally lost access to his hard drive. Initially, this drive had contained an OS/2 Boot Manager, a small DOS partition, and two bigger HPFS partitions. An initial examination with OS/2's FDISK simply shows non-significant garbage information. To complicate matters, it refuses to write to the disk. DOS' FDISK shows incoherent data.

E-mail to the rescue

 

At this point, considering the fact that the crash did not last long, I suspected that the data on the hard drive was mostly intact. We decided to attempt an e-mail recovery. (Mr Victim lives somewhere in the US and I live somewhere in Europe, shipping the drive was a bit cumbersome).

Note : the fact that the crash was short is significant. It suggests that the data on the hard disk hasn't been corrupted extensively. Software crashes are not able to wipe 850 MB in ten seconds. Think about it for a while : this would require a 85 MB/sec data transfer rate !

A short software crash doesn't wipe an entire disk clean !

Step One : a white page

  Mr Victim hits another problem when he realizes that the FDISKs he tries are useless. They simply refuse to commit the reasonable changes he wishes to apply. That is actually a good thing because FDISK might prove to be dangerous in those circumstances : you can never be sure of what the different versions of the utility will really write on the disk.

Never trust FDISK when partition information is wrong or non-existent !

When I do this kind of recovery, I prefer to start with a white page : Mr Victim will use a boot disk and Norton Disk Editor to clean the MBR (the first physical sector of the hard disk). Here is the relevant part of our e-mails, edited for clarity. Here is what I first suggested

Quoting from our e-mails

Pierre 0 in the first sector (FA 33) and then write zeroes (by changing to write mode in the config of diskedit) up to, but not including the 55AA at the end of the sector (those bytes are OK). Then boot as you wish from floppy and execute fdisk /mbr or fdisk /newmbr in order to have a clean boot code, a valid boot marker and an empty partition table.

Victim Alright. After much finger-crossing, I did as you said and zero'd the first 510 bytes of the first sector using DISKEDIT. I then booted from an OS/2 floppy and ran FDISK. Now OS/2's FDISK reports:


Partition Information
Name     Status            Access              FS                    Mbyte
           None             :Pri/Log             Freespace            812

 

That's quite a change from the junk I used to see the past week. :-) Anyway, at this point, I'd like to confirm again that I should boot OS/2 (from floppy) and run FDISK /NEWMBR /DISK:1 (this is the correct format - I've checked)?

Yes, Mr Victim, this is the correct format and we now have a nice empty page to work with. Writing proper bootstrap code wasn't really necessary because we aimed at the fourth partition on the drive, but it is a necessary step if you want to restore a booting system.

Step Two : what do we want ?

  Mr Victim told me that the data he wants to recover was located on the 4th partition of the hard-drive. This partition was formatted in HPFS. Relevant ? No ! We don't care about the format of the partition because we only need to restore correct pointers to the partition location. Norton DiskEditor will help us get a binary image of all possible partition/boot sector on the hard disk. I need those images to build up a coherent mental picture of the drive's structure. Unfortunately, the algorithm Norton DiskEditor uses to find those sectors isn't very sophisticated. It only looks for the 55AA marker at the end of a sector. That's why Mr Victim sent me a few sectors too many. However, some of those possible mbr/boot sectors were particularly interesting because they fit quite nicely in the disk partitioning model Mr Victim described.
Cyl   0 - Side 1 - Sect 1
Cyl   2 - Side 0 - Sect 1
Cyl   8 - Side 0 - Sect 1
Cyl  10 - Side 0 - Sect 1
Cyl  11 - Side 0 - Sect 1
Cyl 194 - Side 0 - Sect 1 
Cyl 194 - Side 1 - Sect 1


Almost home !

 

We now only need a few more informations to finalize the recovery.

1. We know or can find out that the drive geometry is 32 Sides x 825 Cylinders x 63 Sectors. There are several different ways to obtain this information, but Disk Editor can provide the BIOS disk geometry under the Tools/Advanced menu

2.We visually confirm that Cylinder 194 - Side 1 - Sect 1 contains a valid OS/2 boot sector. See below. The text messages will help a novice confirm that it is a boot sector

 

000150  41 20 64 69 73 6B 20 72 65 61 64 20 65 72 72 6F  A disk read erro
000160  72 20 6F 63 63 75 72 72 65 64 2E 0D 0A 00 07 4F  r occurred. O
000170  53 32 4B 52 4E 4C 06 4F 53 32 4C 44 52 07 4F 53  S2KRNLOS2LDROS
000180  32 42 4F 4F 54 00 00 00 00 00 00 00 00 00 00 00  2BOOT           
000190  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                  
0001A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                  
0001B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                  
0001C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                  
0001D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                  
0001E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                  
0001F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA                U�
  3.We visually confirm that Cylinder 194 - Side 0 - Sect 1 contains a valid partition description.

 

"The old HPFS partition information"
State Begin Head Begin Cyl Begin Sect Type End Head End Cyl End Sect Relative Sect Number of Sect
- 1 194 1 HPFS 31 824 63 63 1272033

Final Step

 

Remember that the target of our recovery is that HPFS partition. All we need to do now is recreate a correct pointer in the MBR. We know that this pointer must be an extended partition entry. If it was not the case, we would not have a partition table at (Cyl 194 - Side 0 - Sect 1) but we would have a boot sector.

We know where this extended partition obviously begins at (Cyl 194 - Side 0 - Sect 1)

We know that it ends at least at (Cyl 824-31-63) because the partition it contains ends there. We know that it ends at most at (Cyl 824-31-63) because this is the end of the disk.

We calculate that it contains 1272096 sectors. One way to calculate this is by adding the size of the HPFS partition with the number of hidden sectors before that partition.

We calculate the total number of sectors on the disk : 32x825x63 = 1663200. (Note that that Cyl goes from 0 to 824, Side from 0 to 31 and Sectors from 1 to 63).

We calculate the offset of this partition (the distance from the MBR) to be the equal to the offset last sector of the HD minus the total size of the partition.

1663200 - 1272096 = 391104

Therefore, with DiskEditor, we create the following partition entry in the MBR (the real recovery involved sending the HEX string in email for remote patching of the MBR) and put the disk as secondary disk in an OS/2 system. The partition becomes visible after the reboot and is immediately backed up.

"The rebuild extended partition entry"
State Begin Head Begin Cyl Begin Sect Type End Head End Cyl End Sect Relative Sect Number of Sect
NO 0 194 1 EXTEND 31 824 63 391104 1272096

Questions ?

 
  • what happened to the disk ?
  • what if the situation is more complex ?
  • what if I need to recover a complete system ?
  • you did a free e-mail recovery for that guy, will you do that for me ? No, i've go a life to earn..
  • what is LBA, how does Win 95 OSR 2 deal with disk bigger than 2 GB, etc... ? READ THE RELEVANT FAQ!!!

Additional Information can be found in our bookstore.


DataRescue 45 quai de la Dérivation 4020 Liège (Belgium)
tel 32-4-3446510 fax 32-4-3446514
Please send us your questions or comments.