Posts posted by onlit4regs

  1. hi jaclaz

    well, I've done the test again, and I've finally succeeded in getting my test file on G: restored. (the offset on my drive G: was 2048 !)

    I've also successfully restored an "already working" file on the image file, I have now the right sectors !

    so, I've decided to try on a faulty file now.

    unfortunately, when trying to extract the 1st extent of 16 sectors only, drdd said:

    read error at ....: incorrect function

    read error at ....: semaphore delay has expired ....

    and several times !!

    :realmad:

    do you think this extent is usable ? certainly not

    is this really lost ? is this because of the unbrick ? a problem with the unbrick ?

    thanks

  2. yes I'm sure I've used the right physical drive number, as stated in windows disk manager

    this G: drive has only a primary partition. I'm not sure that it was really created under windows xp, I can't remember

    how to check the offset and cluster size on this partition ?

    anyway, that was just a hint for understanding why the drdd didn't work on the mounted image of my faulty drive ? but it seems it's not associated ....?

    thanks a lot

  3. I've closed drdd before viewing the image.

    I've tried with selection also the physical drive in drdd

    same result

    with pldd, I've done a few test, it's the same with my image file on G:\

    BUT

    when I try the same image on my C: drive, it works !!! :rolleyes:

    so, this may be also the same problem with the image mounted drive letter ?

    any hint on why it works on C: and not further ?

    :blink:

    my G: partition is a good one, it's a single partitioned disk in NTFS.

    thanks

  4. on a working drive and a working file:

    myfragi.cmd g:\test.jpg

    1 52254759 418038135 3104 g:\test.jpg

    in drdd, I've extracted the sectors, but file is not a valid image. (I didn't use fsz nor dsfi this time)

    I've enclosed the drdd capture, just to be sure I am not wrong with values :unsure:

    on DMDE, when opening the image my500gb.img, and selecting the previous image test file, I have the same LBA: 6158983, vol.sec:6158920, clus:769865

    when opening with DMDE the mounted logical drive of IMD, the LBA is 6158920, vol.sec:6158920, clus:769865

    (on the Open NTFS Volume message box, start offset is set to 0)

    :}


  5. something is going wrong on what I've done

    I tried on a file that was readable on my image:

    myfragi returns this:

    1 769865 6158983 624 f:\photos\PHOTOS~1\35ANSM~1.JPG

    in drdd, you wrote to x512 for the LBA start but values are in sector, so I have left the values from myfragi:

    start: 6158983 (sectors) - I can not write 6158983*512 = 3153399296, it doesn't fit in the software (only nine digit not ten)

    size: 624 (sectors)

    then :

    fsz c:\test.jpg 319488

    and finally:

    dsfi c:\test.jpg 0 0 c:\image[3153399296-3153718784].dd

    and the image is unreadable

    (it was OK in windows explorer on my500gb.img)

    I've misunderstood something in the values for drdd :wacko:

    thanks a lot

  6. fsz C:\mytemp.dat 548864

    This will create an empty file of that size in bytes.

    Then you use:

    dsfi C:\mytemp.dat <offset> 0 <filechunk.dd> 

    which means copy to C:\mytemp.dat, starting from offset <offset> for all its length (0) the <filechunk.dd> where offset is the offset in BYTEs of the filechunk and the <filechunk.dd> is the name of the file extracted with datarescuedd, the first chunk with your data should be image[2030112256-2030120448].dd (where obviously 2030112256 is made by the LBA offset*512=3965063*512=2030112256 and 2030120448 is the offset+the length, i.e. 3965063*512+16*512=2030120448)

    The use of a spreadsheet is advised as it will produce the exact command lines faster and without the risk of typing errors.

    jaclaz

    ok, just to be sure I understand the offset in the dsfi command, for the second chunk, I'll have to use:

    dsfi c:\mytemp.dat 8192 0 filechunk2.dd

    (16*512 = 8192)

    is that right ?

    thanks a lot

  7. here we go with your magic batch ! :thumbup

    Ext: Lcn: LBAstart: Sects: File:

    1 495625 3965063 16 f:\montage\2011-tmp.pds

    2 28135076 225080671 16 f:\montage\2011-tmp.pds

    3 48751063 390008567 32 f:\montage\2011-tmp.pds

    4 48797290 390378383 64 f:\montage\2011-tmp.pds

    5 50038742 400309999 128 f:\montage\2011-tmp.pds

    6 26068714 208549775 128 f:\montage\2011-tmp.pds

    7 94098378 752787087 136 f:\montage\2011-tmp.pds

    8 74619826 596958671 120 f:\montage\2011-tmp.pds

    9 95440487 763523959 152 f:\montage\2011-tmp.pds

    10 106615323 852922647 104 f:\montage\2011-tmp.pds

    11 95441871 763535031 152 f:\montage\2011-tmp.pds

    12 48579698 388637647 24 f:\montage\2011-tmp.pds
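
The fsz/dsfi procedure quoted in the post above, applied to this extent list, as an added example that is not part of the original posts. It assumes 512-byte sectors and 4096-byte clusters (the values reported in the thread) and the `image[start-end].dd` chunk naming quoted there; the function names are hypothetical. It also checks that every extent implies the same partition offset, which catches a mistyped LBA before any chunk is extracted.

```python
# Added example: turn an extent list into fsz/dsfi command lines.
SECTOR = 512              # bytes per sector (value reported in the thread)
SECTORS_PER_CLUSTER = 8   # 4096-byte clusters / 512-byte sectors

# Columns: Ext, Lcn, LBAstart, Sects (copied from the listing above)
EXTENTS = """
1 495625 3965063 16
2 28135076 225080671 16
3 48751063 390008567 32
4 48797290 390378383 64
5 50038742 400309999 128
6 26068714 208549775 128
7 94098378 752787087 136
8 74619826 596958671 120
9 95440487 763523959 152
10 106615323 852922647 104
11 95441871 763535031 152
12 48579698 388637647 24
"""

def parse_extents(text):
    """Return [(ext, lcn, lba, sects)] sorted by extent number."""
    rows = [tuple(int(v) for v in line.split()[:4])
            for line in text.splitlines() if line.strip()]
    rows.sort()
    if [r[0] for r in rows] != list(range(1, len(rows) + 1)):
        raise ValueError("extent numbers are not consecutive from 1")
    return rows

def partition_offset(rows):
    """LBAstart - Lcn*sectors_per_cluster must be the same for every extent."""
    offsets = {lba - lcn * SECTORS_PER_CLUSTER for _, lcn, lba, _ in rows}
    if len(offsets) != 1:
        raise ValueError(f"inconsistent partition offsets: {sorted(offsets)}")
    return offsets.pop()

def build_commands(rows, target=r"C:\mytemp.dat"):
    """fsz creates the empty target; each dsfi writes one chunk at its file offset."""
    cmds = [f"fsz {target} {sum(r[3] for r in rows) * SECTOR}"]
    file_offset = 0
    for _, _, lba, sects in rows:
        start = lba * SECTOR            # byte offset of the chunk in the image
        end = start + sects * SECTOR
        cmds.append(f"dsfi {target} {file_offset} 0 image[{start}-{end}].dd")
        file_offset += sects * SECTOR   # next chunk lands right after this one
    return cmds

if __name__ == "__main__":
    rows = parse_extents(EXTENTS)
    print("partition offset (sectors):", partition_offset(rows))
    print("\n".join(build_commands(rows)))
```
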

  8. so, the command I used was:

    getfileextents F:\myfile.txt

    and always get the same error: initFileTranslation: invalid descriptor

    on a "good" partition, it worked ! no problem. It's only with the mounted image that cause problems.

    with myfragmenter, I have more results:

    MyFragmenter.exe -i f:\montage\2011-tmp.pds

    MyFragmenter v1.2, 2008 J.C. Kessels

    Commandline argument '-i' accepted.

    Processing: f:\montage\2011-tmp.pds

    Fragment list:

    Extent 1: Lcn=495625, Vcn=0, NextVcn=2

    Extent 2: Lcn=28135076, Vcn=2, NextVcn=4

    Extent 3: Lcn=48751063, Vcn=4, NextVcn=8

    Extent 4: Lcn=48797290, Vcn=8, NextVcn=16

    Extent 5: Lcn=50038742, Vcn=16, NextVcn=32

    Extent 6: Lcn=26068714, Vcn=32, NextVcn=48

    Extent 7: Lcn=94098378, Vcn=48, NextVcn=65

    Extent 8: Lcn=74619826, Vcn=65, NextVcn=80

    Extent 9: Lcn=95440487, Vcn=80, NextVcn=99

    Extent 10: Lcn=106615323, Vcn=99, NextVcn=112

    Extent 11: Lcn=95441871, Vcn=112, NextVcn=131

    Extent 12: Lcn=48579698, Vcn=131, NextVcn=134

    134 clusters, 12 fragments.

    Finished, 1 files processed.

    what do you suggest for next step ? :yes:

    thanks a lot

  9. ok, first checkdisk without parameters returns a lot of messages like this one (sorry it's translated from french):

    errors corrected in index $I30 of file 42062

    ....

    index verification terminated

    errors found. chkdsk can not continue in read only mode

    Then, with /F, a lot of messages like this:

    errors corrected in index $I30 of file 41863

    Sort of index $I30 of file 41863

    Restore of orphaned file xxxx.xxx (1198) in file of directory 49

    Insert of index entry with ID 311 in index $SDH of file 9

    Fix of record segment of security file

    ...

    Errors corrected in mirror of MFT

    Errors corrected in "capslock" file

    errors corrected in bitmap attribute of MFT

    errors corrected in volume map

    and finally with /F /R:

    everything was ok

    Then, I can see the directory and files under windows !! :thumbup

    but of course, still unable to read the dozen of files I'm interested in.

    should I give a try with the extents now ? (from your procedure in a previous post)

    thanks a lot

  10. But you can still open it in DMDE, this time being NOT prompted with:

    Volume does not fit into device:

    Use this virtual volume size (this is what I've selected)

    or

    Use decreased volume size

    and see the $MFT contents with it?

    yes, there is no more prompted message

    on the lower right pane, I can see "FILE:$MFT" with all information about $FILE_NAME, $DATA,$BITMAP, ....

    But BEFORE that, can you check it again in TESTDISK, and do three things:

    1. do a log of the session
    2. check/verify/fix the $MFT Mirror
    3. post the actual log

    jaclaz

    under testdisk, I've just searched for partition, display files (only display one empty directory) and that's all

    I've attached the log

    did you want other actions in testdisk ? I don't understand which action you mean on checklist #2

    thanks

    testdisk.log.txt

  11. :blink:

    don't know why the size was wrong.

    I've redone it, it's now clearly 500 105 281 536 bytes

    I've passed again testdisk on it, with same results as before: can see only one directory, and content is empty.

    I've tried to mount with IMDisk this new made image my500GB.img, and still same result:

    I've mounted it with IMDisk, with default parameters of size of virtual disk, etc. It showed a new letter, but impossible to browse this letter ! (no filesystem type indicated in IMDisk, and windows can't see the size of partition, file or directory unreadable or corrupted ...) :realmad:

    so, can't get fileextents to work on it too.

    ??

    thanks

  12. Yep, the begin offset is 63 allright but those data do not make much sense.

    They are not the actual data related to a file, those correspond to entry #531 in the $MFT, possibly the $MFT entry for that file, according to the data till now gathered.

    In the "upper right" pane right click on the file name, you will have a set of choices, right now you seem like having chosen "Open MFT file (hex Editor)", while you want to choose the bolded "Open (Hex Editor)".

    Can you see in the lower right pane the beginning of the file?

    If yes, you will also see the LBA, vol.sec, Cluster and sec. of the actual file.

    Is this file recoverable?

    hi,

    I've done the OPEN (Hex Editor) last time, and I've seen the beginning of the file on the lower right pane. This small text file was recovered with success :yes: (but not interesting for me !)

    the values I've given yesterday were from this file.

    Try another thing before anything else (on the "my500GB.img").

    Open it with DMDE, does it show a window titled "Partitions - dmde 2.4.4"?

    Can you see two entries in it, the first one being:

    Image:<path>\my500GB.img etc.

    and the second:

    <label> Primary (A) NTFS (07) 500 GB EBCF 63 <some number>

    ?

    If yes, if you select the second the "Open Volume" button should become enabled, press it.

    A new popup should appear, titled "Open NTFS volume" with some data (post this data).

    values are:

    Bytes per sector:512

    Bytes per cluster:4096

    Bytes per MFT record:1024

    Bytes per index record:4096

    Total sectors number: 976768002

    MFT cluster (or 0): 786432

    MFTMirr cluster (or 0): 61048000

    Start Offset: 32256

    when I click open , I've a choice:

    Volume does not fit into device:

    Use this virtual volume size (this is what I've selected)

    or

    Use decreased volume size

    the values from first line are, as you've said:

    LBA:6291519 vol.sec 6291456 Clus:786432 sec.0 (MFT 0)

    If you open again the image, and this time you choose instead "NTFS Search" (start it and wait until "NTFS 0" appears, then press "start/stop") and then select the "NTFS0" and click on the "Open volume" you should get the same:

    In the lower right pane you should see (first line):

    LBA:6291519 vol.sec 6291456 Clus:786432 sec.0 (MFT 0)

    If this is what happens, I am wondering what prevents the NTFS mounting with both IMDISK and VDK. :w00t:

    yes it's the same values on first line

    thanks for your help

  13. And if you access this "my500GB.img" with dmde you can actually see the $MFT, but if you try opening/mounting it with IMDISK you have issues (like being prompted to format it and/or in the IMDISK control panel NOT seeing NTFS as "filesystem")?

    Do I get this right?

    absolutely !

    If yes, you can try the following, using TESTDISK on the "my500GB.img" as follows:

    TESTDISK <path>\my500GB.img

    http://www.cgsecurity.org/wiki/TestDisk_Step_By_Step

    be sure to choose to Create a log, follow the above and post the log and a description of what it says on screen (since the disk was originally partitioned on XP, do reply "No" to the question about it having been partitioned under Vista as it should speed up things).

    testdisk has seen the NTFS partition of 500 GB, said structure OK.

    when pressing "P", there is only one directory displayed, and when entering it, it's empty ....

    It is also possible that (for any reason) the IMDISK (which works at a "somewhat higher level" than other virtual drivers) have different kinds of issues with the image, it is possible that *somehow* it fails to detect the offset to the partition (BTW are you prompted to choose an offset when mounting the image?)

    offset is automatically set at 63 blocks when I select my500gb.img

    another thing you may want to try is (on XP, NOT on 7) the VDK driver:

    Can you confirm that the first sector of the "my500GB.img" is identical to the MBR sector you initially posted? :unsure:

    vdk driver did the same thing as IMDISK: mount partition, but when trying to access on windows: "this drive must be formatted" :angry:

    yes MBR is the same

    thanks for your help

  14. yes dmde has no problem seeing the directory/file structure on the image file, I see all my favorite files.

    I've mounted it with IMDisk, with default parameters of size of virtual disk, etc. It showed a new letter, but impossible to browse this letter ! (no filesystem type indicated in IMDisk, and windows can't see the size of partition, file or directory unreadable or corrupted ...) :realmad:

    so, can't get fileextents to work on it too.

    ??

    thanks

  15. hi jaclaz

    so, I have tried DMDE on the original hard drive, It couldn't display the directory/file structure , it was so long on "reading MFT", more than 4 days to complete only 3% !! so I aborted

    on this disk, there is a dozen of "most wanted" files for me, which may represent 2 or 3 GB. I've made my recovery tests on these files. maybe others are readable, but they are not necessary for the moment.

    so, do you think I should try to image the disk in smaller chunks ?

    thanks
