Recovering Win2K Partition

[2Turtles]

Still trying...

I had to stop trying the Convar recovery tool as it is writing the recovered files right to the partition I'm trying to recover?? I cannot find where it would allow me to redirect where it puts recovered files - do you know? It is installed and run from win98 c: drive but once I tell it to scan the d: drive it created FOUND.000, FOUND.001 folders and was writing them to d: so I stopped the scan.

Also today was trying the program R-Studio but it does not mention document types other than mostly Microsoft and zero Open Office files in it's list and since it wants $80 to get out of demo mode well if I had $80 for a "maybe" then I'd be buying a new hard drive for sure instead. Plus it seems to use all the resources and then conks out on my old pc so maybe too big a program.

I have read sometimes you can copy the data from the partition to cd or dvd and then work on those - is this possible in my case or is that only if the o/s is good and the data bad? I have many blank cd and dvd and a burner that can do both if that would maybe work? Except that win98 says there is nothing there to copy so how does one make a copy? I am confused about that part.

Last question: am I not to use the other 2 partitions on that drive either? There is much space left on the F: and G: partitions (over 60GB) so should I NOT let recovery programs put what they find on those parts? So far I haven't used that drive but my win98 drive is not enough left to put the whole scrambled 28GB partition on...

[jaclaz]

Still trying...

I had to stop trying the Convar recovery tool as it is writing the recovered files right to the partition I'm trying to recover?? I cannot find where it would allow me to redirect where it puts recovered files - do you know? It is installed and run from win98 c: drive but once I tell it to scan the d: drive it created FOUND.000, FOUND.001 folders and was writing them to d: so I stopped the scan.

I think there should be one, but cannot say for sure, and yes, writing on the same partition is a NO NO.

I have read sometimes you can copy the data from the partition to cd or dvd and then work on those - is this possible in my case or is that only if the o/s is good and the data bad? I have many blank cd and dvd and a burner that can do both if that would maybe work? Except that win98 says there is nothing there to copy so how does one make a copy? I am confused about that part.

It is possible ONLY if you make a "RAW" image, i.e. a byte-by-byte copy, something you cannot do as the resulting file will be 3 Gb in size, exactly like the partition.

Last question: am I not to use the other 2 partitions on that drive either? There is much space left on the F: and G: partitions (over 60GB) so should I NOT let recovery programs put what they find on those parts? So far I haven't used that drive but my win98 drive is not enough left to put the whole scrambled 28GB partition on...

Theoretically, there should be no problem, as the other partitions are separately addressed spacces, but the rule of the thumb is to never write on same drive because you do not know how and why it got messed the first time, thus it is possible that due to the problem that originally corrupted the drive writing to it, even on a different partition, may cause problems.

But of course it's always a matter of probabilities a rough estimate would be, talking of probability of recover, since the "simple" things did not work:

1) Sending the drive to a professional 80% to 100%

2) Do it yourself on an imaged drive with professional (read Commercial) tools 60% to 80% (but this still allows for #1)

3) Do it yourself on original drive with professional tools 60% to 80%

4) Do it yourself on an imaged drive with Freeware tools 40% to 60% (but this still allows for #1)

5) Do it yourself on original drive with Freeware tools 30% to 40%

If you are determined to go on, before trying again a file based recovery, I would try TESTDISK again, trying to repair the FAT tables:

http://www.cgsecurity.org/wiki/Advanced_FA...pair_FAT_tables

if it fails, it will alter just the FAT tables, probably in such a way that a further FAT based recovery with a professional tool will be made impossible, but will not alter the files in any way, so the possibility of a file based one will remain untouched.

Also, it is possible that PHOTOREC or other file based utility recovers the files in a slightly incorrect way, enough for the original app to be not able to open it, but still containing most (or a large part) of the data within the file, that may be later "extracted" or "corrected" by specialized utilities or manually with a hex editor, but it would be a long, prone to errors and troublesome path that requires very advanced file formats knowledge and lots of experience.

jaclaz

[2Turtles]

If you are determined to go on, before trying again a file based recovery, I would try TESTDISK again, trying to repair the FAT tables:

http://www.cgsecurity.org/wiki/Advanced_FA...pair_FAT_tables

if it fails, it will alter just the FAT tables, probably in such a way that a further FAT based recovery with a professional tool will be made impossible, but will not alter the files in any way, so the possibility of a file based one will remain untouched.

I was reading something about that the other day (I think on starman pages) and used Testdisk to compare FAT Tables - it reports 2 of them and as identical - am I wrong in thinking Testdisk will be unable to repair since it does not have a better one to choose from?

I keep trying but I do have trouble grasping and holding on to such mental complexities - now, if this drive needed physical repair - even with tiny tools under a microscope then all I'd need is a diagram because mechanical dexterity is where my skills are!

...time to shovel some snow

.............yes, it snows here in April!

[2Turtles]

Have looked at the partition with another recovery tool - this program says there are NTFS, FAT16 and FAT32 on the partition - can this just happen? I was under the impression that a disk had to be formatted NTFS in order to have NTFS filesystem. Plus how did FAT16 get on there? Am posting the screenshot of the programs scan of my missing D: drive and the *13* whatever they are it sees on there!

I have not told Testdisk to fix the FAT table yet, I am going to look at it again today. I re-read my first post and win98 scandisk reported the fat tables as different so I must make sure that I did not run/read the Testdisk info wrong.

EDIT: ok am back, my inability to keep all the sectors and tables etc distinct and clear in my mind is obvious - this is what I saw/read in Testdisk

so now I am imagining there are TWO copies of boot sectors and TWO copies of FAT tables and they are two different things.... is this correct? If so my mission now is to have a look at the FAT tables, if that is possible. If I understand correctly, Testdisk will "repair" the fat just by coping the FAT2 over the FAT1 which may only help if they are different (and FAT2 isn't mangled as well).

On the lighter side, I have retrieved 10 of 70 pages that are not mutilated beyond repair. I had to look through over 8,000 txt files that PHOTOREC generated so it was time consuming but for anyone who is poor and has lost important documents - we are not completely without hope. Although PHOTOREC says it recognizes .odt file types it must need them to be less corrupted than mine are to find them - for me it found only 1 as type.odt but many thousands of .txt files - a few of which turned out to be slightly mashed .odt files and parts of .odt files.

My hunting method is to save all the txt files PHOTOREC found to a single folder, point at it using win98's "find files" "containing text" and then inserting the most uncommon words from the document I could think of - words you wouldn't expect to see in O/S or program txt files which were overwhelmingly plentiful.

I must stress that even this has it's limitations - for instance I used "Vegas" because a story about Las Vegas was in one part of my papers - and I never imagined that 300 pages of what appeared to be computer code-ish or something like that turned up using that word! Plus you may find a 100 page text file that looks like unrelated garble but if you were to use "find in this document" and go to all instances of the word you may find that on page 80 and 81 are parts of what you are actually searching for which is how most of my stuff is being located. Anyway it is a matter of sifting and straining, persistence and patience - not for the short tempered or easily discouraged that's for sure! I am hoping to use all the programs available to get as many pieces as I can first and then try to repair the drive - obviously if one has the money than you would be smarter to copy the drive and try and repair it first before searching for needles in haystacks

As yet I have not found a way to recover Thunderbird e-mail so the sequel to "the Wrath of Mahm" is still being written...

Edited April 20, 2008 by 2Turtles

[jaclaz]

Basically:

FAT16 has one bootsector (first sector of partition) and two copies of the FAT

FAT32 has one bootsector (first sector of partition) a backup copy of it (in sector 6 of partition) and two copies of the FAT

The bootsector is just 512 bytes long i.e. one sector and contains (mainly) only:

1) Name of the partition

2) Volume serial number

3) Extents (size) of the partition

4) Code for booting (invoking the OS loader or system files)

The backup of the bootsector is "static" meaning that is never changed/updated, unless explicitly, or by running programs like scandisk or checkdisk, or similar utilities, whilst the 1st or 2nd FAT are used during normal disk operations (for example copying, creating or deleting files). Changes are written to one of the two tables, then once the operation has been carried on successfully the second table is updated to reflect the changes on the other one.

The FAT, expecially on big volumes are huge, spanning over hundreds of disk sectors, and they contain one entry for each cluster on the disk, you have to think at them as the index of a book, where there is one entry for each page of the book.

In other words, the two copies of the FAT are always the same unless something went wrong and prevented from the "mirroring" to happen. (a power shortage, a problem in the HD controller, malicious code, whatever).

In a perfectly defragged volume, a FAT is just a sequential number of "addresses" and it is rather easy to be repaired, in a fragmented volume, there is no predictable "sequence", but some errors, like duplicated addresses, overlapping ones, and similar can still be fixed.

You must think at your volume as is now as the photocopies of a book, where each page is a disk cluster of sectors, made omitting the pages numbers, that have been shuffled, and you have not anymore an index to access them.

What you compared with testdisk are just the bootsector and it's backup copy, it is possible that if the two FAT's are different TESTDISK can choose the "least wrong" data from both and fix them.

About the report by the demo of Active Recovery, you must understand that these kind of programs have heuristic engines that try to "guess" from a number of parameters they search in data how the partition was before corruption.

Hence the need for working on copies, you try choosing one of the "guesses", maybe it works, if it does not, you re-create the data as it was before and re-run chosing another "guess" or another recovery program.

If you are going to try and extract text from "recovered" files, there are utilities that automate the work, here is one:

ftp://ftp.elf.stuba.sk/pub/pc/utiltext/bintext.zip

jaclaz

[2Turtles]

The book analogy was an excellent bit of imagery - it gives the FAT concept weight (pun intended hahaha)

Speaking of fat, I'm putting my 98 on a rigorous starvation diet - the mission is to remove every last currently unnecessary byte from it's mouth until it's slimmed down to 8GB, which will leave 32GB give or take to use as the copy-zone. I have read that it is possible to shift partition sizes without reformatting so I'll attempt that on the 40GB after the exorcise...

nope, that wasn't a typo either lol

Thanxmuch for bintext there's no such thing as too much help

ps I meant to ask earlier too - can removing programs and defragging the win98 drive affect the win2k side in any way since 98 is the main o/s on the master drive?

Edited April 21, 2008 by 2Turtles

[2Turtles]

Question: Before Testdisk repairs the FAT - those files that Convar put there before I stopped it (almost 500MB) should I leave them there or remove them (plus the ntoskrn.exe file I put there) first before the FAT is corrected by Testdisk? Has the FAT been changed since the meltdown or is it the same until Win2k can boot again?

[jaclaz]

Question: Before Testdisk repairs the FAT - those files that Convar put there before I stopped it (almost 500MB) should I leave them there or remove them (plus the ntoskrn.exe file I put there) first before the FAT is corrected by Testdisk?

I would make a copy of them on some other place and leave them where they are.

Has the FAT been changed since the meltdown or is it the same until Win2k can boot again?

Well, FAT is dinamically changed everytime a file is written to (or deleted from) hard disk, nothing related to booting or re-booting.

Hence the idea of not writing anything on the partition, any write operation on the drive lessens the probability of recovering what was there before.

I am afraid that the various attempts may have taken by now the FAT's "beyond" any possible "fixing", but you never know.

jaclaz

[2Turtles]

To be sure, I have not abandoned my quest. I tried the Testdisk repair FAT Table however it's response was:

FATs seem Ok, nothing to do.

I don't understand why this is happening if the boot sector is okay and the FAT is okay

I have manged to piece together about 26 of the 70 pages using a number of programs (more about that later) although it would appear that only parts of the oldest versions of the documents exist - the entire set of the final drafts have not left a single trace. I am wondering if this is because under Win2K they are in the administrators "My Documents" folder and the parts I am recovering are actually just those that I tossed in the recycle bin at some point? Any chance I could re-install Win2K without annihilating the contents of that "My Documents" folder?

Another weird thing I noticed about the recovered files - all types. not just my .odt's - is that the dates are WAY off. Some things say "created 04/43/2048 and modified 00/18/2022" and odd business like that while hundreds of others all seem to be dated 00/00/1980 - there is seriously some corruption of some sort going on - I know its not motherboard battery because that's a new one a few months ago, besides I think that would have killed both drives not just one if that can even kill a drive...hmmm

As of yet I have not recovered any of "Mahms" email - it would seem that Thunderbird email are not yet readily recognized by any of the proggys I've tried - only Outlook Express which we do not use. I am going to email the Testdisk fellow and ask if he would consider adding mbox format to his list.

Any other ideas I could try out there?

I'll be here chicken-pecking the new birthday book for some time to come since I'm two-finger typist - and I've read about a couple more recovery programs so I'm going to try their demos to see if anything can see the true current files since none have so far.

Cheers

[cdob]

the entire set of the final drafts have not left a single trace. I am wondering if this is because under Win2K they are in the administrators "My Documents" folder and the parts I am recovering are actually just those that I tossed in the recycle bin at some point? Any chance I could re-install Win2K without annihilating the contents of that "My Documents" folder?

Well, remember the big drive without 48-bit LBA support.

Writing did work as long as you write data in front of hard disk (below 128 GB).

Next you added more data.

The first time you like write at end of disk (e.g. at 140 GB location) there is a wrap arround.

Data are written at front of media.

MBR and first partition is in danger and corrupted now.

New data are in danger and corrupted now.

Reinstalling Win2K won't change situation now.

Mbox is a plain text file. http://en.wikipedia.org/wiki/Mbox

Use a editor.

I've read about a couple more recovery programs so I'm going to try their demos to see if anything can see the true current files since none have so far.

Try Getdataback for FAT. Should run at Win98.

http://www.runtime.org/data-recovery-software.htm

[2Turtles]

Yes cdob, I remember you mentioning the big drive without 48bit support, but it does have 48 bit support - unless SP4 somehow managed to not fix the situation:

SYMPTOMS

Windows 2000 Service Pack 2 (SP2) and earlier versions of Windows 2000 do not support 48-bit Logical Block Addressing (LBA) as defined in the ATA/ATAPI 6.0 specification.

RESOLUTION

To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base...

as I said initially I have SP4 so assume I'm covered. Also there is nowhere near 128GB of data on the entire drive. It was a new drive and install so the D: partition has whatever the size of win2k installed is plus SP4, basic hardware drivers, Firefox, Thunderbird, OpenOffice, Microsoft Office, Nero and Paintshop Pro 6. And of course my project which is 7 sets of 10 pages each about 4-6MB in size. My 40 GB has the same hardware drivers (albeit win98 versions), the same programs plus 51 more programs and 6 years of MS Office documents and it takes up less than 9GB - even if you add the media files from the F: and G: drives combined it is less than 80GB - rather short of reaching "wrap around"...

I didn't really expect a win2k install on top could fix it but it was mentioned earlier so I was hoping there was a slight chance - gotta have hope.

I knew the email was plain text as well but since no trace of them have appeared I thought it may have to do with the .msf index file and hoped that finding that might help find the email. I've already used Getdataback and a whole slew of others, including quite a number of professional demo versions just to see if anything different is located. So far none of them have found any current data - only files that were deleted and some "universal .exe .dll and readme/txt files that were available to all user profiles. The actual working system files before the drives demise are not being found or at least not recognized by any of the recovery software.

As a matter of fact TESTDISK is the only program that actually sees the garbled system folders on that drive and PHOTOREC has found more complete hunks and files than any of the other programs - so anyone who doubts the effectiveness or capabilities of freeware and it's creators should think again - if I ever had to recommend or buy recovery software I would be donating to the TESTDISK/PHOTOREC folks first

The Programs I've tried/used so far:

Hard Drive Utilities

Beeblebrox

Hdat2

Powemax

PTEDIT32

TESTDISC

File Recovery

ADRC

Active Partition Recovery-Demo

Convar PC Inspector

Davory-Demo

Filerecovery Pro-Demo

Getdataback-Demo

PHOTOREC

R-Studio-Demo

For CHK Files

CHK-Mate

FileCHK

TrID

UnCHK

Whatformat

I think it'll take a miracle or a past experience epiphany in the middle of the night by an Über-Guru to find the actual data that has been mangled, I'm mighty appreciative and thank everyone here for their input - especially jclaz, without you I wouldn't have what I've got and half is certainly better than none so thank you very, very much. As for the "Wrath of Mahm" it's sequel is likely "Return to the Planet of Win98" since I can't really tout the superiority of having a "newer o/s" after this now can I?

Cheers Folks

[cdob]

as I said initially I have SP4 so assume I'm covered. Also there is nowhere near 128GB of data on the entire drive.

Read KB305098 again. A registry change is required for 48-bit LBA ATAPI support.

Ammount of data does not matter. A file maybe written at end of disk.