d8apzl
Content Type
Profiles
Forums
Events
Posts posted by d8apzl
-
-
here is the zipfile:
http://www.mediafire.com/?phsvbwcxeu14n9z
It looks like we had about 13 errors in the making of the .dd file.
So I brought the drive in to work cause I work next to a Seagate guy, he gave it back same day and said,
"Bad disk or head, sorry
"0 -
I think we have a hit !!
It looks like the $MFT !!
Starting @ SECTOR 6498310 'FILE0' every 2 sectors (top left), stopped to post @ 6535700 and counting
0 -
Patience you must have, my young padawan.
SECTOR 4914172 (Mid)
SECTOR 5767000
SECTOR 6206330 (top left)
SECTOR 6206332 (top left)
SECTOR 6206334 (top left)
0 -
GACK!!!! (as in BARF!)
Anything I can do to get the photos back.
This is the $MFT of the first partition allright.
This is at the same time some good news and some bad news , the good news are that you didn't seemingly did any "meaningful" damage to this volume during your attempts, the bad news are that you still need to search for the $MFT (or traces of it) on the "main" partition.
Some more bad news are that your cousin actually LIED to you , the bootmgr is seemingly that of a Windows 7 (and is there since 2010) and evidently some attempts to re-install Vista or 7 were made in September 2011.
they probably don't know what OS she has/had.
It is possible someone else took a crack at restoring the laptop/hdd and failed.
SECTOR 2533196 (near bottom)
SECTOR 3458039 (near mid bottom)
SECTOR 3853742 (near mid bottom)
SECTOR 4179527 (high mid)
SECTOR 4254311 ("PROFILE0")
Please advise..
0 -
SECTOR 1882138 (top left)
SECTOR 1882140 (top left)
SECTOR 1882142 (top left)
SECTOR 1954380 (top left) amd 64 microsoft windows ie html rendering
SECTOR 1954382 (top left) activex
SECTOR 2083511 (5 rows down @ 0)
SECTOR 2178150 (below mid)
I didn't realize how much I have left to go - 217356288
To be on the "safe" side, copy some more sectors before he first hit and after the last hit in the group, let's say 200 sectors more or something like that, for the example found above, instead of copying only sectors 70312-70801, copy 1000 sectors, i.e. from 70000 to 71000.
Verify that you got the "right" sectors extracted, then zip all the files and upload the zip somewhere I can get them from, like zshare or similar and post a link to the files.
attached sectors.
To re-gain some "quota" on the forum, you may want to edit your previous post and delete from them the attachment screenshots, they are not needed anymore, and/or you may want to post them screenshots on a free image hosting service and post the link to it.
Thank you sir!
0 -
Not necessarily OT...
eh. I just need the pictures from the drive ultimately.
But getting the $MFT back to life or overwritten is fun and would be interesting, and a bonus.
...
SECTOR 1438535 (4 rows down @ 9 across)
SECTOR 1803602 (top left)
SECTOR 1803064 (top left)
SECTOR 1803606 (top left)
0 -
found a few more... still searching...
SECTOR 500941 (somewhere in middle)
SECTOR 805725 (somewhere in middle)
SECTOR 832637 ('FILE0' 3rd line from bottom @ 9 across)
0 -
http://www.msfn.org/...ix/page__st__15I went over my upload quota, didn't realize
here are my findings so far.. 454000 and going w/ data
'FILE0' somewhere in the middle of '0123456789ABCDED' unless specified
SECTOR 62591
SECTOR 62597
SECTOR 62603
SECTOR 62606
SECTOR 62614
SECTOR 62618
SECTOR 62675
SECTOR 62703
SECTOR 62706
SECTOR 62730
SECTOR 62781
SECTOR 62806
SECTOR 62879
SECTOR 62909
SECTOR 62959
SECTOR 62990
SECTOR 63194
SECTOR 63198
SECTOR 63226
SECTOR 63236
SECTOR 63260
SECTOR 63274
SECTOR 63301
SECTOR 63303 (very bottom)
SECTOR 63318
SECTOR 63345
SECTOR 63376
SECTOR 63379
SECTOR 63394
SECTOR 63406
SECTOR 63456
SECTOR 63468
SECTOR 63492
SECTOR 63505
SECTOR 63532
SECTOR 63535
SECTOR 63350 (top but not 1st on left)
SECTOR 63565
SECTOR 63601
SECTOR 63612 (bottom 1st)
SECTOR 63638
SECTOR 63651
SECTOR 63678
SECTOR 63681
SECTOR 63695
SECTOR 63715
SECTOR 63760
SECTOR 63771
SECTOR 63795
SECTOR 63808
SECTOR 63836
SECTOR 63838
SECTOR 63853
SECTOR 63870
SECTOR 63964
SECTOR 63995
SECTOR 63998
SECTOR 64023
SECTOR 64061
SECTOR 64073
SECTOR 64097
SECTOR 64110
SECTOR 64137
SECTOR 64140
SECTOR 64154
SECTOR 64169
SECTOR 64305
SECTOR 64332
SECTOR 64335
SECTOR 64359
SECTOR 64497
SECTOR 64522
SECTOR 64610 (top but not 1st on left)
SECTOR 64616
SECTOR 64650
SECTOR 64652
SECTOR 64676
SECTOR 64689
SECTOR 64716
SECTOR 64719
SECTOR 64734
SECTOR 64750
SECTOR 64784
SECTOR 64800
SECTOR 64824
SECTOR 64837
SECTOR 64864
SECTOR 64867
SECTOR 64882
SECTOR 64898
SECTOR 64964
SECTOR 64989
SECTOR 65183
SECTOR 65188
SECTOR 65219
SECTOR 65222
SECTOR 65245
SECTOR 65258
SECTOR 65286
SECTOR 65293
SECTOR 65308
SECTOR 65323
SECTOR 65359
SECTOR 65366
SECTOR 65395
SECTOR 65412
SECTOR 65440
SECTOR 65443
SECTOR 65468
SECTOR 65487
SECTOR 65538
SECTOR 65562
SECTOR 65602
SECTOR 65632
SECTOR 65635
SECTOR 65650
SECTOR 65700
SECTOR 65725
SECTOR 66035
SECTOR 66061
SECTOR 70312 (BINGO!?) took screenshot (top left)
SECTOR 70314 (BINGO?!) took screenshot (top left)
SECTOR 70316 (eh bingo?) took screenshot (top left)
SECTOR 70318 (maybe nothing) took screenshot (top left)
SECTOR 70320 (top left)
SECTOR 70322 (top left)
SECTOR 70324 (top left)
SECTOR 70326 (top left from here on unless specified differently)
SECTOR 70328
SECTOR 70330
SECTOR 70332
SECTOR 70334
SECTOR 70336
SECTOR 70338
SECTOR 70340
SECTOR 70342
SECTOR 70344 (exactly like the screenshot from the fellow in the post you sent the link to) http://www.msfn.org/...ix/page__st__15
SECTOR 70346
SECTOR 70348
SECTOR 70350
SECTOR 70352
SECTOR 70354
SECTOR 70356
SECTOR 70358
SECTOR 70360
SECTOR 70362
SECTOR 70364
SECTOR 70366
SECTOR 70368
SECTOR 70370
SECTOR 70372
SECTOR 70374
SECTOR 70376
SECTOR 70378
SECTOR 70380
SECTOR 70382
SECTOR 70384
SECTOR 70386
SECTOR 70388
SECTOR 70390
SECTOR 70392
SECTOR 70394
SECTOR 70396
SECTOR 70398
SECTOR 70400
SECTOR 70402
SECTOR 70404
SECTOR 70406
SECTOR 70408
SECTOR 70410
SECTOR 70412
SECTOR 70414
SECTOR 70416
SECTOR 70418
SECTOR 70420
SECTOR 70422
SECTOR 70424
SECTOR 70426
SECTOR 70428
SECTOR 70430
SECTOR 70432
SECTOR 70434
SECTOR 70436
SECTOR 70438
SECTOR 70440
SECTOR 70442
SECTOR 70444
SECTOR 70446
SECTOR 70448
SECTOR 70450
SECTOR 70452
SECTOR 70454
SECTOR 70456
SECTOR 70458
SECTOR 70460
SECTOR 70462
SECTOR 70464
SECTOR 70466
SECTOR 70468
SECTOR 70470
SECTOR 70472
SECTOR 70474
SECTOR 70476
SECTOR 70478
SECTOR 70480
SECTOR 70482
SECTOR 70484
SECTOR 70486
SECTOR 70488
SECTOR 70490
SECTOR 70492
SECTOR 70494
SECTOR 70496
SECTOR 70498
SECTOR 70500
SECTOR 70502 BCD
SECTOR 70504 BCD LOG
SECTOR 70506
SECTOR 70508
SECTOR 70510
SECTOR 70512
SECTOR 70514
SECTOR 70516 (I can make out w.i.n.7.l.d.r in the middle)
SECTOR 70518
SECTOR 70520
SECTOR 70522
SECTOR 70524
SECTOR 70526
SECTOR 70528
SECTOR 70530
SECTOR 70532
SECTOR 70534
SECTOR 70536
SECTOR 70538 - 70800 every 2 sectors (FILE0 @ top left)
SECTOR 143388 (searched through lots of Data before hitting this FILE0 but it is closer to the middle not top left)
SECTOR 196507 ( again in the middle, searched through lots of data before hitting )
SECTOR 241647 ("RCRD(" on very top left, FILE0 near bottom, searched through lots of data before hitting)
SECTOR 376148 (Top Left)
SECTOR 376150 (Top Left) (I could make out Las vegas and Grand canyon MOD (pictures maybe?))
SECTOR 393205 ("f) 'screenshot, went over quota cannot attach'
SECTOR 406310 (FILE0 3rd line from the top, can recognize c.o.o.k.i.e.s. .s.q.l.i.t.e. .j.o.u.r.n.a.l.)
Lot of 0000s .............. between this point
more data after approx SECTOR 423600
more 0000s after approx SECTOR 430000
more data after approx 444000
0 -
would this be it?!
0 -
this looks like a false positive I will keep searching.
she did mention that there could've been XP on it then Vista was loaded on top of that, but she said that it could've been a different laptop she was thinking of so I just dismissed it.
0 -
I am not (yet) convinced that "everything" is lost.
You are certainly optimistic. When I did the search for "46494C45" from 20848 I do notice that there is a lot of data there so the backup (& drive) still holds data.
Also, you should check the USB enclosure, it is possible that the "always lit" is the symptom of a problem .
I rebooted the XP and when it came back, the lit hdd light had stopped. After I opened the drive in drdd, the lit light was constant again. I rebooted again, it's fine now.
Also, it may help me if you could gather (from your cousin) as many details on the "story" of this disk as you can get (like which OS was there, how many parittions, if he changed something, etc, etc.)
She cannot recall all that much, and at this point she said, all she cares about is the photos on the drive.
I can tell you the OS was always the Vista that came w/ the laptop. Microsoft Windows Vista Home Premium 64-bit Edition. Very sorry, I didn't think it was 64-bit, I thought it was 32-bit.
She also said that one day it just stopped working probably due to the laptop overheating, she cannot be sure if there was a virus or not, the drive was probably not encrypted unless it was a default setting. It should've been a standard Vista OS as a single partition, unless HP had a hidden recovery partition.
and if you would provide a (synthetic) list of the actions you attempted on the disk (again with as much detail as you can remember) before making the image with datarescuedd, including the actual name of the apps you have used, and anything that you can remember about what they did or how they behaved.
Again, I'm very sorry. I did try a few things w/o success before I posted here.
Tried Bootrec commands from Win7 w/ failing disk as enclosure..
- /fixmbr /fixboot, but this must have been run on the PE partition because I could not access the single partition w/ Vista OS on it.
Next, I tried the Vista PE w/ the failing drive in the laptop
- /fixmbr /fixboot, also on the PE partition because I couldn't access the OS partition.
Next I tried a few apps w/o success like MbrFix, EasyBCD, Stellar Phoenix Windows Data Recovery - Home, EASEUS Data Recovery Wizard Professional 4.0.1, Kernel for Windows Data Recovery.
MbrFix
MbrFix /drive <num> fixmbr /vista
EasyBCD
I tried the BCD Backup/Repair w/o success
I even tried am ubuntu LiveCD to access and restore the boot record but I couldn't download the MS-SYS program to do anything so I scraped the idea.
http://www.ehow.com/how_6807559_fix-windows-mbr-ubuntu.html
Please do not be upset, I know I s*ck because I didn't know how to make a backup of the drive before using these tools. This is when I saw your posts on msfn.org and decided to post here. Thank you for all your help w/ this and for not giving up.
The backup is still scanning at 203000
EDIT: found boot sectors?!?
0 -
The sectors do not match, see attachment.
Could it be that the first "100 Mb" partition is an artifact (of some kind) created by any of your previous attempts?
Yes, the 100MB looks like a Win7 PE partition when I tried BOOTREC w/o success w/ Win7.
Otherwise, a good idea could be to open with Tiny Hexer the disk, goto sector 6280000 then Edit->Find/Replace->input "FILE0" (please note that tis is CaSeSeNsItIvE), make sure that you have Text mode checked and "Dos 8 bits", then click on the "Find" button, at the prompt click on "Yes to all".
I followed the instructions you specified. It doesn't look good. No 'FILE0' found and I received an I/O error.
Also, I noticed when I plugged the HDD back in to the XP to do all the work, the HDD light on my HD enclosure is constantly lit up. Could this be causing the I/O errors?
I would really hate to tell my cousins gf her drive is toast, but it looks like it's completely corrupt. What do you think?
see attached .bin files and screenshot.
EDIT: At this point, if I can read the files and transfer to a different drive it would be ok. If she set a pw the files may be inaccessible because of permission issues, yes?
When I ran a recovery program after trying the BOOTREC, it saved all the RAW files (11.9GB) by type,: FILE001.bmp; FILE002.bmp, etc.. but they are not accessible whatsoever, meaning you can open them and some have different file sizes but nothing shows up.
0 -
The image completed. Successfully? I cannot be positive it is an exact image because there were several errors that occurred before DRDD finished. However, DRDD did complete w/ errors.
25GB +/- 1GB was written to the image with DRDD.
The main $MFT should start at:
206848+786432*8=6498304
And it's Mirror at:
206848+61035263*8=488488952
The sectors do not match, see attachment.
0 -
The bad news are that you are not (yet) doing EXACTLY what you are told to.
What I said:
4. run ddrescue on the disk that you think is the failed one, saving only 1 sector (lower fields Start=0, Size=1, End=1) to file image[0-512].dd
what you did:
]4. run ddrescue on the disk that you think is the failed one, saving only 1 sector Mb (lower upper fields Start=0, Size=1, End=1) to file image[0-512].dd
sorry about that, I was wondering why the filename was different from what you said it would be. I don't know why I thought the Sectors fields were above the MBs fields.
Ok
I saved the sectors, here they are below. it doesn't look good.
It looks like the backup sectors are gone??
0 -
Let's do it like this
:- STOP whatever you are doing. (of course let datarescuedd finish the image)
- use ONLY the XP (and NOT the Windows 7)
- run again Hdhacker to save the MBR (first sector of PhysicalDrive) of the disk that you think is the failed one, save it like MBR_disk_n.hdh
- run ddrescue on the disk that you think is the failed one, saving only 1 sector (lower fields Start=0, Size=1, End=1) to file image[0-512].dd
- run tiny hexer, use the file->disk->open drive to open the disk that you think is the failed one (it will auto-set to load one sector at the time and will open on the first sector) choose File-> Save as and save it like MBR_disk_n.thx
- compress the three resulting files into a zip and post it as attachment. (if the three files are not IDENTICAL there is an issue of some kind)
I followed the steps, here are the results:
0 - STOP whatever you are doing. (of course let datarescuedd finish the image)
-
The MBR you posted DOES NOT contain info about two partitions, one around 100 Mb and one around 465 Mb, the one you posted, that I have NO WAY to verify it belongs to the "problematic" disk, has a SINGLE partition, evidently with a wrong size (around 2 Tb) OR it is the MBR of ANOTHER DISK!
Ok, you are right on this. I do have a 2TB on the XP. hdhacker may have saved the results from the 2TB not the failing 500GB. I was sure I selected the 500GB but I may have made a mistake.
Let's do it like this
:- STOP whatever you are doing. (of course let datarescuedd finish the image)
- use ONLY the XP (and NOT the Windows 7)
- run again Hdhacker to save the MBR (first sector of PhysicalDrive) of the disk that you think is the failed one, save it like MBR_disk_n.hdh
- run ddrescue on the disk that you think is the failed one, saving only 1 sector (lower fields Start=0, Size=1, End=1) to file image[0-512].dd
- run tiny hexer, use the file->disk->open drive to open the disk that you think is the failed one (it will auto-set to load one sector at the time and will open on the first sector) choose File-> Save as and save it like MBR_disk_n.thx
- compress the three resulting files into a zip and post it as attachment. (if the three files are not IDENTICAL there is an issue of some kind)
Again you're right and sorry for the confusion. Thank you for being patient, as soon as the drdd finishes I will follow the steps you outlined and post back.
0 - STOP whatever you are doing. (of course let datarescuedd finish the image)
-
EDIT:
Are you positive that the MBR you posted was from the actual disk in question?
and is it disk 4 or disk 5 (or what)?
Yes, the MBR was posted from the disk in question. 500GB using hdhacker on WinXP.
I started the ddrd w/ the 500GB & 750GB on a W7 system because I thought it would be faster using USB 3.0
It looks like ddrd picked it up as Drive 5, but diskpart picked it up as Disk 4.
p.s. nice spoiler
0 -
unless diskpart and ddrescue use a different numbering scheme which - from memory - I doubt, but in any case you should always test two different items with the SAME tool, to see differences, or the SAME item with two different tools, as is, it seems to me like you are comparing diferent items with different tools....
It must be a different schema because I only have one 500GB drive connected. Maybe diskpart starts from disk 0
ddrd was still reading errors and stopped erroring about 10 minutes ago, but the 750GB has more than 17GB written so far.
0 -
I swear, I'm not kidding you.
Please see the pngs.
I will let ddrd continue.
0 -
Not sure if this information helps but, on the failing disk I have a drive letter that shows up "System Reserved" 70MB free of 99.9MB, it could be windows PE when I tried bootrec before.
Looks like ddrd found errors but it's slowly still in progress and continues to find errors of the same type.
Running this with admin rights. Should I be running this on the XP? I'm using W7.
see attached png.
0 -
The failing drive is 500GB, there possibly could've been a virus, but I cannot say for sure.
not very familiar with hex but I can hack it.
Luckily I have a 750GB
I never opened. It better not be DOA. What can I use to duplicate the drive?
Technically, I have 908GB free on my XP drive, can I make an image of the 500GB drive using some tool(s)? Ghost?
DL'd:
- tinyhex 1.8.1.6 (installed on the XP)
- BSview.zip
- MBRview.zip
- PTview.zip
0 - tinyhex 1.8.1.6 (installed on the XP)
-
hmm, thought I attached the zip to the previous post.. here it is.
0 -
First off, I would just like to say you are THE Man jaclaz and thank you because I saw some other posts in which you helped folks recover their data/drives.
Attached is the zip containing the .dat results from hdhacker.
I used XP 32-bit w/ hdhacker
0 -
Hi, I'm trying to fix my cousins gf laptop. She needs to get at the data and back it up.
I don't know how it originally occurred, but the laptop can get pretty hot, maybe an abrupt shutdown from overheating caused the original error.
Boots directly to the error:
"A Disk Read Error Occurred Press Ctrl-Alt-Del to Reboot"
I tried the Vista DVD, repair, Bootrec.exe to no avail.
Also numerous partition recovery sw w/o success.
I figured I tried the rest and now I'll try the best, you folks at msfn.
The file system is currently in the RAW state.
As far as I know I did not completely delete or format the partition w/ the Vista OS from using any tools. (diskpart, trial versions of recovery sw, acronis, etc.) The OS should still exist on the drive.
This is what I would like to find out and potentially overwrite/rewrite the MBR (to get Vista to function normally again).
I saw a post w/ jaclaz using tools like TESTDISK to help solve the issue but I do not want to further complicate the matter if I happen to make an unreversible change. Can you help diagnose and recover the Vista OS Boot Record? Please let me know of any information I can provide to help w/ this problem/resolution.
Thank you kindly in advance.
0
"
.
:
I never opened. It better not be DOA. 
need to recover mbr on ST950032 5AS seagate from HP HDX w/ Vista 32-bi
in Hard Drive and Removable Media
Posted · Edited by d8apzl
They appear to be read errors, bad sectors most likely.
Yah, probably the latter internal cust. service guy asked tech w/ "proprietary" sw & equipment did not want to spend any time on it, lost all hope and/or unenlightened. have you ever considered working for seagate/hitachi?
Appears @ '6498306' on the image I made with ddrd. I see "$.M.F.T.M.i.r.r."
The image I had zipped (image[3326976000-3332096000].dd) and posted was from the actual disk.. Maybe the read errors prevented the backup of those sectors.
That would be too easy, yes?
Forgive me, I may be missing something.
The math in the first equation seems off.. I got.. 206848+976564224/2=488385536
I searched the failing drive from 488488000 for "46494C4530" and haven't found anything yet. @ 488492200 and counting..
Also, in the complete image I made with ddrd I only have '217356288' total SECTORS
I cannot search more than that.
in TinyHex - total / 217356288
in ddrd actual failing disk - total / 976768065
The drive appears to be in the same state it was in when I gave it to him (same read errors?).
Let me try this out. in ddrd on failing disk:
EDIT: Strange, but I checked '6498306' on the failing disk and the result was totally different, there was no $MFTmirr.
Now I'm searching for ($.M.F.T.m.i.r.r) '24004D00460054004D00690072007200' from SECTOR 488380000 on the failing disk.
image170341171200-170603315200.zip