Partitions & EFI

Boot sector and partition viewing and recovery

Hard disk drives often have multiple partitions. These partitions may contain different format types, such as FAT16 or NTFS. Logically, each partition acts as if it were a separate drive.

A very common cause of apparent disk failure is partition information that is missing, corrupted, or changed by repartitioning. CnW Recovery software allows this information to be reconstructed and tested, even on disks where the boot sector has failed totally.

In recovery mode, CnW Recovery software displays details of up to 8 partitions, giving the format type (FAT16, NTFS etc), start location and length. The user can override these locations to overcome corrupted boot sectors and similar faults. The dialog box also allows the user to select as few or as many partitions as required for the recovery process. For complex recoveries, it is recommended to work on just one partition at a time.



How partitions are defined

On most PC disks, the very first sector contains some boot code and a table that defines 4 partitions. Each partition definition holds the following information:

Boot indicator
Starting head (0-255)
Starting sector (1-63)
Starting cylinder (0-1023)
System ID
Ending head
Ending sector
Ending cylinder
Relative sectors (0-4G)
Total sectors (0-4G)

The layout of this table dates back many years and has caused several bottlenecks in maximum disk size. For instance, the cylinder number has a maximum value of 1023 and the sector number a maximum of 63. Combined with a limit of 16 heads, this produced the 528MB limit on a disk. When a big disk was 30MB, this was not a problem. Later limits were at about 8GB and then about 137GB. The 137GB limit is due to the 28-bit sector addressing limit of some earlier operating systems and controller boards; occasionally a BIOS update is required to enable drives greater than 137GB to be used. These limits have slowly been eroded by changing the BIOS on computers, and the current limit is 2TB: a 32-bit sector address (4G sectors) multiplied by the sector size of 512 bytes.

The T13 AT Attachment standards committee developed a new 48-bit addressing method. This increases the address space roughly a million fold, to 144 petabytes. It is controlled by EFI entries, and should last a few years.

The partition table starts at byte 0x1BE, and each partition is defined by a 16-byte record. There is space for 4 partitions. Disks may actually contain more than 4 partitions; this is achieved using extended partitions, of which there can be any number. Currently the CnW Recovery program supports a maximum of 8 partitions.
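As an added example (not CnW Recovery's own code), the following Python decodes the 16-byte entries at 0x1BE described above, including the packed cylinder/head/sector fields, and flags the 0xEE type that marks the compatibility boot sector in front of an EFI disk. The 512-byte sample sector is constructed here, not taken from a real drive.

```python
"""Decode the 4 primary entries of a classic MBR partition table (added example,
not CnW Recovery code). The sample sector below is constructed to look like the
protective MBR in front of a GPT disk, so its single entry has type 0xEE."""
import struct

TABLE_OFFSET = 0x1BE   # the 4 x 16-byte entries start here in sector 0
ENTRY_SIZE = 16

def decode_chs(raw):
    """Unpack a packed 3-byte CHS field into (cylinder, head, sector)."""
    head, sect_cyl_hi, cyl_lo = raw
    sector = sect_cyl_hi & 0x3F                       # low 6 bits: sector 1-63
    cylinder = ((sect_cyl_hi & 0xC0) << 2) | cyl_lo   # top 2 bits + next byte: 0-1023
    return cylinder, head, sector

def parse_mbr(sector0):
    """Return the used entries of the table; raise if the 0x55AA signature is absent."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xAA":
        raise ValueError("no 0x55AA signature: sector 0 is not a valid boot sector")
    entries = []
    for i in range(4):
        boot, s_chs, sysid, e_chs, rel, total = struct.unpack_from(
            "<B3sB3sII", sector0, TABLE_OFFSET + i * ENTRY_SIZE)
        if sysid == 0:
            continue                                   # empty slot
        entries.append({
            "index": i, "bootable": boot == 0x80, "system_id": sysid,
            "start_chs": decode_chs(s_chs), "end_chs": decode_chs(e_chs),
            "relative_sectors": rel, "total_sectors": total,
            "protective_gpt": sysid == 0xEE,           # real layout lives in the GPT
            "end_bytes": (rel + total) * 512,          # 32-bit fields cap this at 2TB
        })
    return entries

# Constructed sample: protective MBR, one entry covering the whole addressable disk.
SAMPLE = bytearray(512)
struct.pack_into("<B3sB3sII", SAMPLE, TABLE_OFFSET,
                 0x00, b"\x00\x02\x00", 0xEE, b"\xFF\xFF\xFF", 1, 0xFFFFFFFF)
SAMPLE[510:512] = b"\x55\xAA"

if __name__ == "__main__":
    for entry in parse_mbr(bytes(SAMPLE)):
        print(entry)
```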

Corrupted Partitions on hard disks

It is a fairly common problem for hard disk partition information to be deleted or corrupted. Boot sector viruses, or programs attempting to repartition a disk, can also cause damage. To assist with recovery there is a function, Analyse Partitions, which scans the whole disk and flags possible partition starts. These can then be verified, selected, or changed. There is an option to write these new boot sectors to the failed hard drive, but the program restores files using a virtual boot sector, so it is unnecessary to change the drive in any way. For forensic applications this is essential, as disks must never be changed, so maintaining continuity of evidence.

Partition Recovery and Boot Sector recovery
Corrupted, failed or missing boot sectors are a major cause of apparent disk failure. With the analysis program this can be resolved, and often all data on the hard disk drive recovered. The program determines a possible boot sector, at which point a restore may be done without actually changing the boot sector on the disk. This allows variations of the boot sector to be tried before a new boot sector is written to the disk. It also allows disks to be recovered when it is not possible to write a physical boot sector.

When finally happy with the partition parameters, there is an option to write the boot sector back to the disk. In this process the original boot sector is read and saved as a file on the main operating system disk. The partition tables are then updated and the sector written back to sector 0. If it is not possible to write to this sector, the operation will fail, and the disk will remain usable in a normal PC.

Types of partition
The function detects the following partition types on hard drives:

FAT12
FAT16
FAT32
NTFS
exFAT
Extended partitions
MAC HFS+
Unix SCO
Unix HTFS
NT Backup file .BKF
EFI partitions, e.g. Apple Mac and exFAT

EFI or GUID Partition header as used on Macs and newer PCs

A standard boot sector partition table saves the start sector and length as 32-bit numbers. With 512-byte sectors this gives a 2TB capacity. RAID disks have been larger than this for a long time, and stand-alone disks are now becoming available at this capacity.

The replacement for the standard boot sector partition table is EFI partitions (Extensible Firmware Interface), also known as GUID partitions. Rather than describing a partition with 16 bytes, there is a 128-byte record and, most importantly, numbers are 64-bit rather than 32-bit. The maximum capacity that can be described is therefore very, very large.

To remain compatible, such a disk still starts with a standard boot sector and partition table, but the partition type is set to 0xEE.

The standard was started in 1998 by IBM, and the Unified EFI standard started in about 2005. For mainstream products it was first adopted by Apple when they started shipping Intel-based Macintoshes in 2006. The other name for this means of specifying disks is the GUID partition table.

Sector 1, Partition table header

00000000 45 46 49 20 50 41 52 54 - 00 00 01 00 5C 00 00 00 EFI PART \
00000010 57 EA 15 5F 00 00 00 00 - 01 00 00 00 00 00 00 00 Wê_
00000020 0F 31 51 5D 01 00 00 00 - 22 00 00 00 00 00 00 00 1Q] "
00000030 EE 30 51 5D 01 00 00 00 - AC 09 2F FA D1 04 93 4F î0Q] ¬ /úÑ“O
00000040 92 9F E4 60 39 9C 6B 70 - 02 00 00 00 00 00 00 00 ’Ÿä`9œkp
00000050 80 00 00 00 80 00 00 00 - 06 4F 4F 6F 00 00 00 00 € € OOo


This always starts with the text EFI PART, followed by the version number (1) and the header length (0x5C). Offset 0x18 is the address of this sector (1), and offset 0x20 is the location of the backup copy; in this example it is at 0x15D51310F, or about 2.9TB.

Offset 0x28 is the address of the area used for partition data (0x22 in this example).
Offset 0x38, for 16 bytes, is the Disk GUID, a signature string for this EFI.
Offset 0x48 is the number of defined partitions on this disk.

Sector 2 onwards, partition entries

00000000 16 E3 C9 E3 5C 0B B8 4D - 81 7D F9 2D F0 02 15 AE ãÉã\ ¸M}ù-ð®
00000010 6E D9 3E F6 CE 0D B5 42 - A5 B8 8A 0B 10 6A 55 E3 nÙ>öÎ µB¥¸Š jUã
00000020 22 00 00 00 00 00 00 00 - 21 00 04 00 00 00 00 00 " !
00000030 00 00 00 00 00 00 00 00 - 4D 00 69 00 63 00 72 00 M i c r
00000040 6F 00 73 00 6F 00 66 00 - 74 00 20 00 72 00 65 00 o s o f t r e
00000050 73 00 65 00 72 00 76 00 - 65 00 64 00 20 00 70 00 s e r v e d p
00000060 61 00 72 00 74 00 69 00 - 74 00 69 00 6F 00 6E 00 a r t i t i o n
00000070 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00

00000080 A2 A0 D0 EB E5 B9 33 44 - 87 C0 68 B6 B7 26 99 C7 ¢ Ðëå¹3D‡Àh¶·&™Ç
00000090 0A CD 32 5D 7E A5 35 48 - 9F B3 D7 0A A5 1F 77 EF Í2]~¥5HŸ³× ¥wï
000000A0 00 08 04 00 00 00 00 00 - FF 2F 51 5D 01 00 00 00 ÿ/Q]
000000B0 00 00 00 00 00 00 00 00 - 42 00 61 00 73 00 69 00 B a s i
000000C0 63 00 20 00 64 00 61 00 - 74 00 61 00 20 00 70 00 c d a t a p
000000D0 61 00 72 00 74 00 69 00 - 74 00 69 00 6F 00 6E 00 a r t i t i o n
000000E0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000000F0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00

Each partition entry is 0x80 (128) bytes long, so the dump above shows two entries.

Each entry starts with a 16-byte string, or Globally Unique Identifier (GUID). Each such string is unique, and GUIDs have been defined for the different types of disk partition. CnW detects the most common ones for PCs and Apple computers; however, this list will grow. The second 16 bytes are unique to each partition: this is in effect a unique serial number for the disk partition.

Offset 0x20 holds the start sector of the partition.

Offset 0x28 holds the final sector of the partition: 0x40021 in the first example and 0x15D512FFF in the second. The second example also shows a sector number greater than 32 bits, which would not be possible with a standard boot sector partition table.

The final part of the partition is a description string.
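As an added example (not CnW Recovery's own code), this Python parser decodes the header and partition-entry dumps shown above. The bytes are re-typed from those dumps, the field offsets follow the UEFI GPT specification, GUIDs are rendered in their usual mixed-endian text form, and each entry is flagged when its end sector exceeds 32 bits.

```python
"""Parse a GPT header and two partition entries (added example, not CnW
Recovery code). Field offsets follow the UEFI specification; the sample bytes
below are the two hex dumps on this page re-typed as hex strings."""
import struct
import uuid

HEADER = bytes.fromhex(
    "4546492050415254 000001005C000000 57EA155F00000000 0100000000000000"
    "0F31515D01000000 2200000000000000 EE30515D01000000 AC092FFAD104934F"
    "929FE460399C6B70 0200000000000000 8000000080000000 064F4F6F00000000")

def _entry(hexfields, name):
    # 56 hex-coded bytes (type GUID, unique GUID, first LBA, last LBA, attributes)
    # followed by the 72-byte UTF-16LE name, as in the dump above
    return bytes.fromhex(hexfields) + name.encode("utf-16-le").ljust(72, b"\0")

ENTRIES = _entry(
    "16E3C9E35C0BB84D817DF92DF00215AE 6ED93EF6CE0DB542A5B88A0B106A55E3"
    "2200000000000000 2100040000000000 0000000000000000", "Microsoft reserved partition"
) + _entry(
    "A2A0D0EBE5B9334487C068B6B72699C7 0ACD325D7EA535489FB3D70AA51F77EF"
    "0008040000000000 FF2F515D01000000 0000000000000000", "Basic data partition")

def parse_header(sector1):
    """Decode the 92-byte GPT header; raise if the EFI PART signature is absent."""
    f = struct.unpack_from("<8sIIIIQQQQ16sQIII", sector1, 0)
    if f[0] != b"EFI PART":
        raise ValueError("no 'EFI PART' signature: header missing or corrupted")
    return {"revision": f[1], "header_size": f[2], "current_lba": f[5],
            "backup_lba": f[6], "first_usable": f[7], "last_usable": f[8],
            "disk_guid": str(uuid.UUID(bytes_le=f[9])).upper(),  # mixed-endian on disk
            "entries_lba": f[10], "entry_count": f[11], "entry_size": f[12]}

def parse_entries(blob):
    """Decode consecutive 128-byte entries; an all-zero type GUID is an unused slot."""
    out = []
    for off in range(0, len(blob) // 128 * 128, 128):
        tguid, uguid, first, last, attrs, name = struct.unpack_from("<16s16sQQQ72s", blob, off)
        if tguid == bytes(16):
            continue
        out.append({"type_guid": str(uuid.UUID(bytes_le=tguid)).upper(),
                    "unique_guid": str(uuid.UUID(bytes_le=uguid)).upper(),
                    "first_lba": first, "last_lba": last, "sectors": last - first + 1,
                    "beyond_32bit": last > 0xFFFFFFFF,  # unreachable via a classic MBR table
                    "name": name.decode("utf-16-le").rstrip("\0")})
    return out

if __name__ == "__main__":
    print(parse_header(HEADER))
    for e in parse_entries(ENTRIES):
        print(e)
```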

For users with forensic features, the details of each partition are stored in the log.