Is there any way to recover a partition after writing zeros with WD DL

[energydream2007]

Hello. iv an hdd recovery question(s) and i hope you have some resolution:

HDD: Western Digital - WD3200AAKS , its a 320GB 3.5\" drive (1 Partition on it that was NTFS with no OS on it - just important data like VMware projects)

OK so i guess you know the Data Lifeguard Diagnostic tool by wd:

http://support.wdc.com/product/download.asp?groupid=606&sid=30〈=en

The version iv used is the latest (witch is 5.04f).

(dont mind the drive listed)

The problem is i did have a failed drive (other wd drive) witch i wanted to Zero Fill it by this tool but by mistake i did it for my good & healthy WD3200AAKS drive mention above. I did the quick "Write Zeros To Drive" command without having noticed its the wrong drive until booted to the OS.

My question is:

Is there any way to recover the partition after running a Zero Fill command?

I did tried alot of recovering soft but its not working so good (from 320GB iv recovered something like 26GB witch are off course not in the original structure they were). i havnt find any software that can recover the ALL original partition data & the folder structure (or at least most of the data & the structure).

Can you advise on the next step man? how to recover the data?

TNX :]

[jaclaz]

My question is:

Is there any way to recover the partition after running a Zero Fill command?

If the Zero fill command was carried, the drive is filled with zero's .

Unfortunately there is NO way on Earth you can recover ANYTHING from that drive.

If you managed to recover the 26Gb of Data or *any* data it means that either you stopped the execution of the zero fil, or it ddn't work as expected.

How long did the program run?

How was it terminated?

jaclaz

[energydream2007]

My question is:

Is there any way to recover the partition after running a Zero Fill command?

If the Zero fill command was carried, the drive is filled with zero's .

Unfortunately there is NO way on Earth you can recover ANYTHING from that drive.

If you managed to recover the 26Gb of Data or *any* data it means that either you stopped the execution of the zero fil, or it ddn't work as expected.

How long did the program run?

How was it terminated?

jaclaz

No man the command completed successfully without termination man. i did the "Write Zeros to Drive" with the Quick option and it goes all the way up to 100% with no probs. (the data iv recovered is 100% real no raw stuff but just 26gb approximately)

[jaclaz]

I don't know about the "Quick" option.

The DLGDIAG.TXT talks about the :

-FWRITE Write zeros to the first and last million sectors

and

-WRITE Write zeros to the entire drive

If whatever you used is the correspondent to "-FWRITE", the first and last million sectors in your hard disk should be 00's.

1,000,000x512=512,000,000 bytes at the beginning and at the end of the disk should be 00's.

Basically if you had a single whole partition on the disk you have "lost" all the initial part and all the end part, this includes the MBR, the PBR and the PBR mirror (besides some initial data).

Since I presume that the drive was partitioned in a single, biggish, NTFS partition, it is very likely that the $MFT has not been overwritten.

Open the disk in a disk editor (suggested Tiny Hexer):

http://reboot.pro/8734/

and try checking sector # 6,291,519 (786432*8+63)

compare with:

If the $MFT is found, it is possible that we can manually recreate the filesystem (at least enough to run a chkdsk on it or however get the files together with the filenames).

You need to make an image of the disk "as is", before starting fiddling with it, you will need another hard disk bigger than 320 Gb (or however 320 Gb free on any hard disk).

Mind you it won't be easy, it will take some time and patience, and there is NO guarantee it will work.

jaclaz

[energydream2007]

I don't know about the "Quick" option.

The DLGDIAG.TXT talks about the :

-FWRITE Write zeros to the first and last million sectors

and

-WRITE Write zeros to the entire drive

If whatever you used is the correspondent to "-FWRITE", the first and last million sectors in your hard disk should be 00's.

1,000,000x512=512,000,000 bytes at the beginning and at the end of the disk should be 00's.

Basically if you had a single whole partition on the disk you have "lost" all the initial part and all the end part, this includes the MBR, the PBR and the PBR mirror (besides some initial data).

Since I presume that the drive was partitioned in a single, biggish, NTFS partition, it is very likely that the $MFT has not been overwritten.

Open the disk in a disk editor (suggested Tiny Hexer):

http://reboot.pro/8734/

and try checking sector # 6,291,519 (786432*8+63)

compare with:

If the $MFT is found, it is possible that we can manually recreate the filesystem (at least enough to run a chkdsk on it or however get the files together with the filenames).

You need to make an image of the disk "as is", before starting fiddling with it, you will need another hard disk bigger than 320 Gb (or however 320 Gb free on any hard disk).

Mind you it won't be easy, it will take some time and patience, and there is NO guarantee it will work.

jaclaz

Yes the Quick mode = -FWRITE. and ya the drive had 1 big ntfs partition with no OS on it. when im trying some recovery softs i can see they listing at least 1 $MFT entry.

I do have 2TB free for the task.

"Open the disk in a disk editor (suggested Tiny Hexer): http://reboot.pro/8734/" - i guess i need to image the whole drive 1:1 right? can suggest a good soft for this task? (and what the extension needs to be?)

"and try checking sector # 6,291,519 (786432*8+63) compare with:

" - can you be little more specipic about the steps needed in order to do this and rebuild the mft? im not sure what are you saying here man.

Edited December 24, 2010 by energydream2007

[jaclaz]

Yes the Quick mode = -FWRITE. and ya the drive had 1 big ntfs partition with no OS on it. when im trying some recovery softs i can see they listing at least 1 $MFT entry.

Good.

I do have 2TB free for the task.

Very good.

i guess i need to image the whole drive 1:1 right? can suggest a good soft for this task? (and what the extension needs to be?)

Yep.

Suggested apps are:.

DatarescueDD

http://www.datarescue.com/photorescue/v3/drdd.htm

or Clonedisk:

http://erwan.l.free.fr/clonedisk/

http://reboot.pro/8480/

You want to image the \\.\Physicaldrive or "Drive" as RAW.

The extension has really no importance, DatarescueDD uses .dd extension by default, clonedisk .img, but it's just a name.

"and try checking sector # 6,291,519 (786432*8+63) compare with:

- can you be little more specipic about the steps needed in order to do this and rebuild the mft? im not sure what are you saying here man.

Let's wait until you have the image.

Which OS are you running ? (2K/XP is "better" than Vista or 7, you know, "run as admin", "elevated privileges" and such)

Under which OS was originally partitioned the disk?

The general plan is:

1. create the dd-like image
   
2. verify where the $MFT is (if found)
   
3. create a NTFS sparse file same size as the image
   
4. mount the latter in a virtual drive and partition/format it (hopefully EXACTLY as it was partitioned/formatted before)
   
5. copy the first million sectors from the newly created and partitioned/formatted image to the disk (or to a second copy of the original image)
   
6. copy the last million sectors from the newly created and partitioned/formatted image to the disk (or to a second copy of the original image)
   

The result should be a disk with a valid partition and filesystem with a number of $MFT entries pointing to "nowhere" (the ones that indexed now 00ed sectors) and hopefully a number of still valid entries that should allow recovering/copying the files that occupied non-00ed sectors.

jaclaz

Edited December 24, 2010 by jaclaz

[energydream2007]

Yes the Quick mode = -FWRITE. and ya the drive had 1 big ntfs partition with no OS on it. when im trying some recovery softs i can see they listing at least 1 $MFT entry.

Good.

I do have 2TB free for the task.

Very good.

i guess i need to image the whole drive 1:1 right? can suggest a good soft for this task? (and what the extension needs to be?)

Yep.

Suggested apps are:.

DatarescueDD

http://www.datarescue.com/photorescue/v3/drdd.htm

or Clonedisk:

http://erwan.l.free.fr/clonedisk/

http://reboot.pro/8480/

You want to image the \\.\Physicaldrive or "Drive" as RAW.

The extension has really no importance, DatarescueDD uses .dd extension by default, clonedisk .img, but it's just a name.

"and try checking sector # 6,291,519 (786432*8+63) compare with:

- can you be little more specipic about the steps needed in order to do this and rebuild the mft? im not sure what are you saying here man.

Let's wait until you have the image.

Which OS are you running ? (2K/XP is "better" than Vista or 7, you know, "run as admin", "elevated privileges" and such)

Under which OS was originally partitioned the disk?

The general plan is:

1. create the dd-like image
   
2. verify where the $MFT is (if found)
   
3. create a NTFS sparse file same size as the image
   
4. mount the latter in a virtual drive and partition/format it (hopefully EXACTLY as it was partitioned/formatted before)
   
5. copy the first million sectors from the newly created and partitioned/formatted image to the disk (or to a second copy of the original image)
   
6. copy the last million sectors from the newly created and partitioned/formatted image to the disk (or to a second copy of the original image)
   

The result should be a disk with a valid partition and filesystem with a number of $MFT entries pointing to "nowhere" (the ones that indexed now 00ed sectors) and hopefully a number of still valid entries that should allow recovering/copying the files that occupied non-00ed sectors.

jaclaz

About the image - right now im creating it using GetDataBack:

does it will do the trick? or its better try one of the above listed?

*Im running Win7 Ultimate x64 (im the admin :] ).

if im remember correctly its was last partitioned by Vista x64 but not sure man. (i do remember that the offset was 1024 in 99%).

Yes we will wait for the image cause i see there are some steps that il understand after doing the first ones.

[jaclaz]

Sure , any app capable of a RAW image will do.

I like when people ask what to use and then use ANOTHER app.

If it was formatted by Vista (unpatched) the number of hidden sectors will be probably 2048 and thus the $MFT should be at (786432*8+2048)=6,293,504

The 1024 you mention would be "atypical", and I have never seen a first partiion starting at LBA 1024, only "good ol'" 63 or "new, stoopid" 2048.

Once you have the image, get Tiny Hexer, install it, then:

File-> Disk->Open disk image or large file as drive->(choose the image file)->in the "First Sector" box input 6291519

If the first few bytes are "FILE0" it should be the right place, to make sure at offset 240 (around half of the sector) there should be $.M.F.T.

If not try:

File-> Disk->Goto Sector/Position->input 6293504 and check if the "FILE0" and "$.M.F.T." is there

Once you have a sector opened, you can use SHIFT+F7 to go one sector back or SHIFT+F8 to go one forward. (the sector just before the "right" one should be all FF's.

jaclaz

[energydream2007]

Sure , any app capable of a RAW image will do.

I like when people ask what to use and then use ANOTHER app.

If it was formatted by Vista (unpatched) the number of hidden sectors will be probably 2048 and thus the $MFT should be at (786432*8+2048)=6,293,504

The 1024 you mention would be "atypical", and I have never seen a first partiion starting at LBA 1024, only "good ol'" 63 or "new, stoopid" 2048.

Once you have the image, get Tiny Hexer, install it, then:

File-> Disk->Open disk image or large file as drive->(choose the image file)->in the "First Sector" box input 6291519

If the first few bytes are "FILE0" it should be the right place, to make sure at offset 240 (around half of the sector) there should be $.M.F.T.

If not try:

File-> Disk->Goto Sector/Position->input 6293504 and check if the "FILE0" and "$.M.F.T." is there

Once you have a sector opened, you can use SHIFT+F7 to go one sector back or SHIFT+F8 to go one forward. (the sector just before the "right" one should be all FF's.

jaclaz

I just used GTB until you answered so i can save some time on image creation :]

OK so after all created the image and load it as you say and put 6291519 and thats what iv got:

input 6291519:

input 6293504

to tell you the truth im not sure what im looking at here as i will need a little more help (and by the way tnx for your help very appreciated man )

[jaclaz]

No.

You are "looking at" sector 103355673 and 103363844 (as you can see at the top of the screenshots you posted )

Which means that you input 0x6291519 and NOT 6291519, i.e. you are using the Decimal number I gave you as if it were a Hex number.

(Cannot say about you, but I have 5 fingers each hand and I am more familiar with decimal system )

0x6291519 (Hex) = 103355673 (Dec)

Try again.

jaclaz

Edited December 24, 2010 by jaclaz

[energydream2007]

No.

You are "looking at" sector 103355673 and 103363844 (as you can see at the top of the screenshots you posted )

Which means that you input 0x6291519 and NOT 6291519, i.e. you are using the Decimal number I gave you as if it were a Hex number.

0x6291519 (Hex) = 103355673 (Dec)

Try again.

jaclaz

oops. tnx 2 minutes il post the right pics

[energydream2007]

Here:

6291519

6293504

[jaclaz]

Hmmm.

Maybe the disk had a "recovery" or "hidden" partition of some kind?

Try another thing.

Go to sector 6291400.

Then:

Edit->Find/Replace

Search for "FILE0" (CAPITAL, without double quotes, last character is a zero, not an "o") make sure you have selected "Find Text" and "DOS 8 bits".

You will be prompted to continue searching beyond current sector, press the "Yes to all".

It may take some time, but you should find a hit.

If the hit is NOT at offset 0x00 in the sector then press again "Find", you want to find first hit that is at the beginning of a sector.

jaclaz

Edited December 24, 2010 by jaclaz

[energydream2007]

Hmmm.

Maybe the disk had a "recovery" or "hidden" partition of some kind?

Try another thing.

Go to sector 6291400.

Then:

Edit->Find/Replace

Search for "FILE0" (CAPITAL, without double quotes, last character is a zero, not an "o") make sure you have selected "Find Text" and "DOS 8 bits".

You will be prompted to continue searching beyond current sector, press the "Yes to all".

It may take some time, but you should find a hit.

If the hit is NOT at offset 0x00 in the sector then press again "Find", you want to find first hit that is at the beginning of a sector.

jaclaz

No there isnt any hidden partition that i can think of.

Update - Tiny hexer is still searching witch makes it alot of time man :] (its now on sector 6716000 and keep going since i started the scan - 4 hours).

Can you evaluate when tiny hexer will find FILE0? (approximatly)

Update - Tiny hexer at sector 6947000 and keep going - il update later man

7050000

Update - at sector 18805000 now and still searching

Edited December 25, 2010 by energydream2007

[jaclaz]

Hmmm.

Very strange.

The $MFT is by default at sector (786432*8+sectorsbefore)=min 6,291,456 + "x"

If you are at 18,805,000 it's no good, as it would mean that "x " is 18,805,000-6,291,456=12,513,544 which should mean roughly a 6 Gb hidden partition ( that you don't recall).

Are you sure you are looking for the right string?

In HEX it should be:

46494C4530

Try another thing.

Get dmde:

http://softdm.com/

Try scanning the image for NTFS volumes with it.

jaclaz