Jump to content
Strawberry Orange Banana Lime Leaf Slate Sky Blueberry Grape Watermelon Chocolate Marble
Strawberry Orange Banana Lime Leaf Slate Sky Blueberry Grape Watermelon Chocolate Marble

MSFN is made available via donations, subscriptions and advertising revenue. The use of ad-blocking software hurts the site. Please disable ad-blocking software or set an exception for MSFN. Alternatively, register and become a site sponsor/subscriber and ads will be disabled automatically. 


Sign in to follow this  
barnai

Erroneous formatting

Recommended Posts

While experimenting with an USB formatting tool, fbinst, I mistakenly formatted an external HD that I use for backup (with important data on it). The HD contains several partitions of different types. Now the disk is not recognized by Windows, which proposes to format it when I try to access it through the explorer.

The formatting command was:

fbinst (hd1) format --fat16 --zip --force

I was using a batch, which also executed commands to add grub4dos on the disk:

fbinst (hd1) add grldr grub4dos-0.4.4\grldr
fbinst (hd1) add-menu fb.cfg fb.txt

And the disk partitionning was:

Partition 1: FAT32 - 30 GB

Partition 2: EXT3 - 30 GB

Partition 3: FAT32 - 30 GB

Partition 4: FAT32 - 10 GB

...

With a few more FAT32 partitions.

I used TestDisk to retrieve partition info, and it found back info on all partitions except the first one (even with a Deeper Search). So now, I suppose I'll have to use file-to-file tools to retrieve data on the first partition, as advised by jaclaz.

The question I have now is: should I write the partial partition info I have now, before trying further recovery ? I fear the new partition info written by TestDisk might mask the previous one and thus prevent future attempts to read that latter in order to retrieve the first partition.

I can not make an image of the external HD: my internal HD is smaller and I have no bigger storage at hand. If its not absolutely necessary, Id prefer avoid buying one :} .

Share this post


Link to post
Share on other sites

The question I have now is: should I write the partial partition info I have now, before trying further recovery ?

Yes.

I fear the new partition info written by TestDisk might mask the previous one and thus prevent future attempts to read that latter in order to retrieve the first partition.

No, it won't affect a file based recovery, as long as you can verify that what TESTDISK has found really resembles what you had before.

But it is advised that you anyway image the first (missing) partition, you only need some 30 Gb (which I hope you have somewhere available.

An explanation of the situation, and of the problems it caused (and their resolution)

fbinst writes roughly 8 Mb of data for it's peculiar partitioning scheme.

What is lost is:

  • MBR (and Partition table) 1 sector
  • hidden sectors (usually 62)
  • FAT32 bootsector and hidden sectors (possibly 32)
  • First and probably part of second FAT table. for such a volume, fat should be around 15352 for each table

If my estimation is correct:

63+32+15,352+15,352=30,799*512=15,769,088

Overwriting 8 Mb should leave most of the 2nd copy of FAT "as it was".

Partial recovery of a FAT table is not straightforward, but it should be possible.

If you post as an attachment the MBR as it is recovered by TESTDISK (or the DATA within it), a good way is to use Tiny hexer and my PTview Structure Viewer:

http://www.boot-land.net/forums/index.php?showtopic=8734

and save the .htm

Or use HDhacker to save first sector of PhysicalDrive:

http://dimio.altervista.org/eng/

and compress it in a .zip archive.

I may be able to give you a couple of hints on what to do/where to look for the partial FAT.

The amount of success you will have with PHOTOREC (or other file-based recovery) greatly depends on the level of fragmentation your drive had and on size of the files that were on it, and it could be an additional attempts once (and if) some files are recovered through a "fixed" FAT table.

But we need to have that 30 Gb or so data imaged, as we need to change some DATA in it, and it may make things worse.

jaclaz

Share this post


Link to post
Share on other sites

it appears to only be 100gb...which you can buy much more than that for a reasonable amount (i bought a 500gb for $80 + change last week).

my question is, what's more important, getting back what you can right now, or trying to find the rest before going on, because that's what you're down to unless you just go out and get an external drive. many local stores can sell you a good sized internal drive, and you can pick out a good external enclosure while you're there, which usually comes out less than a standard external drive.

you mentioned the FS was FAT, so you may try recovering what you can, and looking for alternate means of recovering the last partition?

Share this post


Link to post
Share on other sites

@jaclaz:

Ive made some room on my internal HD and finally made an image of the first 30 GB of the disk with dd for Windows.

Ive recovered with TestDisk the partitions following the first one. They seem OK.

Now I tried to get the MBR through the different methods u gave. But since I am not familiar with those, I am not sure of the result. Anyway I attached them for both methods (PTView and HDHacker).

If its not what u expected please give me some more info about using those tools.

@bonestonne:

Well thank you for the info but I am aware of the current prices of storage :) . I am just not ready for the moment to spend such money unless it is necessary, and now I think it wont be :sneaky: .

P.S. Oops I had forgotten to attach the files :blushing:

MBR_recovered.html

MBR_recovered.zip

Edited by barnai

Share this post


Link to post
Share on other sites

Start Sector is 61432560.

Now use MKimg/MBRbatch to make on a NTFS partition a new SPARSE image (it will occupy a bunch of Mb only):

http://www.boot-land.net/forums/index.php?showtopic=3191

http://www.boot-land.net/forums/index.php?showtopic=5000

Size:

61432560x512=31,453,470,720

Geometry: 255/63

Format as FAT32 LBA (0C).

While the image is mounted, check with tiny hexer the FAT32 bootsector.

You have in the image 63 hidden sectors+ (possibly 32) Reserved sectors + 2 x (possibly 15352) sectors per fat table.

You need to extract from the new image:

  • the hidden sectors (63)
  • the reserved sectors (32)
  • the sectors for first FAT table (15352)
  • first sector of second FAT table (1)

Verify the above values with the ones of the image you created, 63+32+15352+1=15,448x512=7,909,376 bytes

Overwrite first 7,909,376 of the 30 Gbish image of the "formatted" hard disk with those extracted by the brand new image.

Then run TESTDISK on the resulting image.

It is possible that you may able to recover a number of files this way.

jaclaz

Share this post


Link to post
Share on other sites

It helped a bit, since TestDisk now finds a partition, but it then gives a list of filenames which are only a bunch of undecipherable characters, and when I enter the ones that are meant to be directories, I find nothing but a message telling me that files are corrupted or something like that.

I verified the beginning of the resulting img file with Tiny Hexer and there is actually some sort of limit after the first 63 sectors, and same after the 32 following. So that was OK.

To copy the 15,448 sectors of the new image to that of the formatted disk, I used Tiny Hexer again: I opened the sectors for both images in the editor, copied the content of the first one and pasted into the second one. I dont know if that was regular :unsure: but it was the easiest for me. If its not good I suppose I could do it with one of the tools in MBRbatch.

Share this post


Link to post
Share on other sites

Yep, the procedure is correct.

This way you have:

  • a completely blank first FAT
  • a second FAT in which First sector is blank and all the others remain the ones from the "old" image

Now it all depends on how much of the second FAT has been overwritten by fbinst.

(and also how the data was organized on the "lost" partition).

TESTDISK might be able to make some sense from it:

http://www.cgsecurity.org/wiki/Advanced_FA...pair_FAT_tables

You can also try to leave both First and Second FAT (i.e. overwrite first 63+32 sectors only) with the ones from the freshly created image and try again TESTDISK, and then some other data recovery program.

PHOTOREC is still an option, if anything at a "higher level fails", expecially if the drive wasn't much fragmented.

jaclaz

Share this post


Link to post
Share on other sites

I think there is something I should not have done: I made my 30GB image of the external HD before writing the partial partition info recovered by TestDisk. So we were working on that "unrecovered" image (sorry I should have told you, we may have gained some time :blushing: ).

Now I tried to make the image again, the ext HD being already partially recovered, and I got something more interesting: after overwriting with the bytes coming from the MBRbatch image, the actual directory structure at the root of the lost partition is found. The folder names are correct. There are some files with strange names though (most with only one letter), whereas there were no file at the root, on the original partition. Now when I try to enter any folder I get the message Ive told you before:

No file found, the filesystem seems damaged.

I tried the Repair FAT function as well, but it didnt allow to recover anything more. And the result was the same when overwriting only 95 sectors at the beginning of the image.

So from this point do you think we can do more at high level ? And should I write with TestDisk the info recovered through the overwriting methods (even though there are only folder names) ?

Share this post


Link to post
Share on other sites
No file found, the filesystem seems damaged.

I tried the Repair FAT function as well, but it didnt allow to recover anything more. And the result was the same when overwriting only 95 sectors at the beginning of the image.

So from this point do you think we can do more at high level ? And should I write with TestDisk the info recovered through the overwriting methods (even though there are only folder names) ?

Difficult to say. :(

Since you are working on an image (and you can always make a new image exactly as the one you have now in your hands - or at least this is the idea), you have nothing to loose in writing the changes and use some other tool on the image.

Most probably, now that you have recovered the "base directory structure" it would be possible to recover manually the pointers to their contents, but is not something that you can learn from a couple posts on a Forum (or that I can teach you quickly).

Your best option as I see it, is to throw at the semi-recovered image any tool you can find.

jaclaz

Share this post


Link to post
Share on other sites

I finally recovered the first partition file to file, handling fragmented files as I could :crazy: . I reformatted the partition, but as NTFS now, since it is easier to recover, from what I read here and there.

Is there a way to close threads ? I believe this one can be :hello: .

Share this post


Link to post
Share on other sites
I reformatted the partition, but as NTFS now, since it is easier to recover, from what I read here and there.

I wouldn't "count" on it, though. ;)

Is there a way to close threads ? I believe this one can be :hello: .

No need to close anything, we know it's solved, but people may want to add something useful in future or ask questions about the procedures you followed. :)

jaclaz

Share this post


Link to post
Share on other sites
Is there a way to close threads ? I believe this one can be :hello: .

Some people edit the 1st post of the thread to add "[sOLVED]" after the title.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...