|
Partitions, analysis and recovery
|   |
|
Partitions, analysis and recovery
| |
Probably the most import sector on a hard disk is the boot sector, or also called Master Boot Record (MBR). If this sector fails, or is corrupted, most PCs will not read the disk at all. Thus on a disk, or memory chip where the boot sector is invalid, when doing a recover, the error message "First partition not recognised, Run the analyse partitions function" will be displayed, and the dialog box below will be displayed with ??? rather than a format type.
When running the Recover function, if a disk has more than one partition, an option will be displayed so that only the required partitions are restored. Each partition – up to 8, will be displayed with detected format, start and end sector on the disk. The values displayed are taken from the boot sector (see below). If the boot sector is corrupted, new values can be entered. Alternatively, the Analyse Partitions function can be run. This will scan the whole disk, looking for possible partition starts.
A very significant feature of the CnW Recovery software is that it is not necessary to write a new partition sector back to the disk in order to recover data. Once parameters are edited, a temporary copy of the boot sector in memory is used. This means that the mast disk is not changed (essential for forensic investigation) and if the disk has a completely failed sector 0, this does not cause a problem.
The display shows data about the disk as follows
The above values may be changed, but for recovery purposes, only the Relative Sector, and Total sectors are used. If the relative sector is wrong, there will be problems restoring data. The Total sector count is not as important, and if too large will probably not affect the program.
When the analyse function is run, it will try and reconstruct the values described above. Once the analyse has been run, it is possible to do a test restore using the newly recovered values. It is not necessary at this stage to write the new sector to the hard disk. This also means that the demo program will work with a new boot sector layout.
If you multiply the maximum cylinder, head and sector numbers together, and then the sector size of 512 bytes, you get to 8GB. Some users may be familiar with this being a limit some years of ago the maximum disk size that PCs could accept.
Boot Sector or Master Boot Record
The boot sector is sector 0 on a hard drive, and a typical screen dump of one is shown below
There are several areas to look at on the dump.
Most of the sector, from the start to byte 0x1bd is code that is run to start the PC up. This is only important for a bootable disk, and can be ignored for straight forward data recovery. If it is required to re-instate the booting of the disk, this code must be valid.
The final two bytes of the sector are always 0x55 and 0xAA. These are check bytes that help ensue that the sector has been read correctly. For instance, it is occasionally possible for a byte to be skipped, or read twice. In these cases, the 0x55 and 0xAA would not be in the correct location. The hard drive CRC check should also fail, but that is much harder to see - though the PC should detect an error.
The important part of the disk starts at byte 0x1BE, and it is these bytes that are decoded by CnW program and displayed logically in the table at the top of this page. The brief summary below will describe each byte. There are up to 4 entries, each 16 bytes long, for each partition. If a partition is marked as extended, then the pointer points to another sector with the same data structure starting at 0x1BE on the new sector. This is a means where an unlimited number of partitions can be created. See Partition Table Structure for full details