need to recover mbr on ST950032 5AS seagate from HP HDX w/ Vista 32-bi



http://www.msfn.org/...ix/page__st__15

I went over my upload quota, didn't realize

here are my findings so far.. 454000 and going w/ data

'FILE0' somewhere in the middle of '0123456789ABCDED' unless specified

SECTOR 62591

SECTOR 62597

SECTOR 62603

SECTOR 62606

SECTOR 62614

SECTOR 62618

SECTOR 62675

SECTOR 62703

SECTOR 62706

SECTOR 62730

SECTOR 62781

SECTOR 62806

SECTOR 62879

SECTOR 62909

SECTOR 62959

SECTOR 62990

SECTOR 63194

SECTOR 63198

SECTOR 63226

SECTOR 63236

SECTOR 63260

SECTOR 63274

SECTOR 63301

SECTOR 63303 (very bottom)

SECTOR 63318

SECTOR 63345

SECTOR 63376

SECTOR 63379

SECTOR 63394

SECTOR 63406

SECTOR 63456

SECTOR 63468

SECTOR 63492

SECTOR 63505

SECTOR 63532

SECTOR 63535

SECTOR 63350 (top but not 1st on left)

SECTOR 63565

SECTOR 63601

SECTOR 63612 (bottom 1st)

SECTOR 63638

SECTOR 63651

SECTOR 63678

SECTOR 63681

SECTOR 63695

SECTOR 63715

SECTOR 63760

SECTOR 63771

SECTOR 63795

SECTOR 63808

SECTOR 63836

SECTOR 63838

SECTOR 63853

SECTOR 63870

SECTOR 63964

SECTOR 63995

SECTOR 63998

SECTOR 64023

SECTOR 64061

SECTOR 64073

SECTOR 64097

SECTOR 64110

SECTOR 64137

SECTOR 64140

SECTOR 64154

SECTOR 64169

SECTOR 64305

SECTOR 64332

SECTOR 64335

SECTOR 64359

SECTOR 64497

SECTOR 64522

SECTOR 64610 (top but not 1st on left)

SECTOR 64616

SECTOR 64650

SECTOR 64652

SECTOR 64676

SECTOR 64689

SECTOR 64716

SECTOR 64719

SECTOR 64734

SECTOR 64750

SECTOR 64784

SECTOR 64800

SECTOR 64824

SECTOR 64837

SECTOR 64864

SECTOR 64867

SECTOR 64882

SECTOR 64898

SECTOR 64964

SECTOR 64989

SECTOR 65183

SECTOR 65188

SECTOR 65219

SECTOR 65222

SECTOR 65245

SECTOR 65258

SECTOR 65286

SECTOR 65293

SECTOR 65308

SECTOR 65323

SECTOR 65359

SECTOR 65366

SECTOR 65395

SECTOR 65412

SECTOR 65440

SECTOR 65443

SECTOR 65468

SECTOR 65487

SECTOR 65538

SECTOR 65562

SECTOR 65602

SECTOR 65632

SECTOR 65635

SECTOR 65650

SECTOR 65700

SECTOR 65725

SECTOR 66035

SECTOR 66061

SECTOR 70312 (BINGO!?) took screenshot (top left)

SECTOR 70314 (BINGO?!) took screenshot (top left)

SECTOR 70316 (eh bingo?) took screenshot (top left)

SECTOR 70318 (maybe nothing) took screenshot (top left)

SECTOR 70320 (top left)

SECTOR 70322 (top left)

SECTOR 70324 (top left)

SECTOR 70326 (top left from here on unless specified differently)

SECTOR 70328

SECTOR 70330

SECTOR 70332

SECTOR 70334

SECTOR 70336

SECTOR 70338

SECTOR 70340

SECTOR 70342

SECTOR 70344 (exactly like the screenshot from the fellow in the post you sent the link to) http://www.msfn.org/...ix/page__st__15

SECTOR 70346

SECTOR 70348

SECTOR 70350

SECTOR 70352

SECTOR 70354

SECTOR 70356

SECTOR 70358

SECTOR 70360

SECTOR 70362

SECTOR 70364

SECTOR 70366

SECTOR 70368

SECTOR 70370

SECTOR 70372

SECTOR 70374

SECTOR 70376

SECTOR 70378

SECTOR 70380

SECTOR 70382

SECTOR 70384

SECTOR 70386

SECTOR 70388

SECTOR 70390

SECTOR 70392

SECTOR 70394

SECTOR 70396

SECTOR 70398

SECTOR 70400

SECTOR 70402

SECTOR 70404

SECTOR 70406

SECTOR 70408

SECTOR 70410

SECTOR 70412

SECTOR 70414

SECTOR 70416

SECTOR 70418

SECTOR 70420

SECTOR 70422

SECTOR 70424

SECTOR 70426

SECTOR 70428

SECTOR 70430

SECTOR 70432

SECTOR 70434

SECTOR 70436

SECTOR 70438

SECTOR 70440

SECTOR 70442

SECTOR 70444

SECTOR 70446

SECTOR 70448

SECTOR 70450

SECTOR 70452

SECTOR 70454

SECTOR 70456

SECTOR 70458

SECTOR 70460

SECTOR 70462

SECTOR 70464

SECTOR 70466

SECTOR 70468

SECTOR 70470

SECTOR 70472

SECTOR 70474

SECTOR 70476

SECTOR 70478

SECTOR 70480

SECTOR 70482

SECTOR 70484

SECTOR 70486

SECTOR 70488

SECTOR 70490

SECTOR 70492

SECTOR 70494

SECTOR 70496

SECTOR 70498

SECTOR 70500

SECTOR 70502 BCD

SECTOR 70504 BCD LOG

SECTOR 70506

SECTOR 70508

SECTOR 70510

SECTOR 70512

SECTOR 70514

SECTOR 70516 (I can make out w.i.n.7.l.d.r in the middle)

SECTOR 70518

SECTOR 70520

SECTOR 70522

SECTOR 70524

SECTOR 70526

SECTOR 70528

SECTOR 70530

SECTOR 70532

SECTOR 70534

SECTOR 70536

SECTOR 70538 - 70800 every 2 sectors (FILE0 @ top left)

SECTOR 143388 (searched through lots of Data before hitting this FILE0 but it is closer to the middle not top left)

SECTOR 196507 ( again in the middle, searched through lots of data before hitting )

SECTOR 241647 ("RCRD(" on very top left, FILE0 near bottom, searched through lots of data before hitting)

SECTOR 376148 (Top Left)

SECTOR 376150 (Top Left) (I could make out Las vegas and Grand canyon MOD (pictures maybe?))

SECTOR 393205 ("f) 'screenshot, went over quota cannot attach'

SECTOR 406310 (FILE0 3rd line from the top, can recognize c.o.o.k.i.e.s. .s.q.l.i.t.e. .j.o.u.r.n.a.l.)

Lot of 0000s .............. between this point

more data after approx SECTOR 423600

more 0000s after approx SECTOR 430000

more data after approx 444000

Link to comment
Share on other sites


found a few more... still searching...

SECTOR 500941 (somewhere in middle)

SECTOR 805725 (somewhere in middle)

SECTOR 832637 ('FILE0' 3rd line from bottom @ 9 across)

Edited by d8apzl
Link to comment
Share on other sites

Not necessarily OT...

If (I say, IF!) you can get the Pictures backed off of the C-Drive and (I say, AND!) the Recovery Partition is kept intact and accessible, then (and ONLY THEN!) I may be able to help you with getting the HP MBR "special" code (I believe it has some) back so you can do a Factory Restore. I say this because you have apparently/probably wiped it with your fiddling.

Not hijacking, jaclaz, just offering some post-recovery assistance... (HP Laptop WinVista Home Prem x64)

Link to comment
Share on other sites

Not necessarily OT...

eh. I just need the pictures from the drive ultimately.

But getting the $MFT back to life or overwritten is fun and would be interesting, and a bonus.

...

SECTOR 1438535 (4 rows down @ 9 across)

SECTOR 1803602 (top left)

SECTOR 1803064 (top left)

SECTOR 1803606 (top left)

Edited by d8apzl
Link to comment
Share on other sites

OK. :)

A $MFT is actually made of n "entries", each two sectors in size, and each beginning with "FILE0".

A $MFT mirror is a copy of the first 4 (four) such entries.

Right now you seem like having a possibly valid "something" :unsure: starting at sector 70312 up to 70801, but keep searching.

Once you have finished going through the drive, copy the groups of sectors that correspond to these characteristics (like the group above) to new files.

To do so, you can use datarescuedd all right (using the SECTORS fields and NOT the SIZE ones).

To be on the "safe" side, copy some more sectors before the first hit and after the last hit in the group, let's say 200 sectors more or something like that, for the example found above, instead of copying only sectors 70312-70801, copy 1000 sectors, i.e. from 70000 to 71000.

Verify that you got the "right" sectors extracted, then zip all the files and upload the zip somewhere I can get them from, like zshare or similar and post a link to the files.

To re-gain some "quota" on the forum, you may want to edit your previous post and delete from them the attachment screenshots, they are not needed anymore, and/or you may want to post them screenshots on a free image hosting service and post the link to it.

jaclaz

Link to comment
Share on other sites
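An added example, not part of the original posts and not the tool used in the thread: a sketch of the search described above, keeping only sectors that start with "FILE0", grouping hits spaced two sectors apart into runs, and padding each run before extraction. The function names and the in-memory sample image are constructed for illustration.

```python
import io

SECTOR = 512
SIGNATURE = b"FILE0"   # hex 46 49 4C 45 30, the string searched for in the thread
ENTRY_SECTORS = 2      # one $MFT entry spans two sectors

def find_file0_sectors(stream, base_sector=0):
    """Yield absolute numbers of sectors that START with FILE0 ("top left" hits)."""
    index = 0
    while True:
        block = stream.read(SECTOR)
        if len(block) < len(SIGNATURE):
            return
        if block.startswith(SIGNATURE):
            yield base_sector + index
        index += 1

def group_runs(hits, min_entries=4):
    """Group hits spaced exactly ENTRY_SECTORS apart into (first, last, count) runs.
    Runs shorter than min_entries (4 = size of a $MFT mirror) are dropped."""
    runs, start, prev, count = [], None, None, 0
    for s in hits:
        if prev is not None and s - prev == ENTRY_SECTORS:
            count += 1
        else:
            if start is not None and count >= min_entries:
                runs.append((start, prev, count))
            start, count = s, 1
        prev = s
    if start is not None and count >= min_entries:
        runs.append((start, prev, count))
    return runs

def padded_range(run, pad=200):
    """Sector range to copy out: the run plus `pad` sectors on each side."""
    first, last, _ = run
    return max(0, first - pad), last + ENTRY_SECTORS - 1 + pad

def build_sample():
    """Constructed 40-sector image: a stray text hit, a 6-entry run, one lone hit."""
    img = bytearray(40 * SECTOR)
    img[3 * SECTOR + 100:3 * SECTOR + 105] = SIGNATURE   # mid-sector, not an entry
    for s in range(10, 22, 2):                           # entries at 10, 12, ..., 20
        img[s * SECTOR:s * SECTOR + 5] = SIGNATURE
    img[30 * SECTOR:30 * SECTOR + 5] = SIGNATURE         # isolated aligned hit
    return bytes(img)

def scan_sample():
    """Scan the constructed image as if it began at absolute sector 70000."""
    hits = find_file0_sectors(io.BytesIO(build_sample()), base_sector=70000)
    return group_runs(hits)

if __name__ == "__main__":
    for run in scan_sample():
        print(run, padded_range(run))
```

Opened in binary mode, a real image file can be passed as `stream` in place of the `io.BytesIO` sample.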

SECTOR 1882138 (top left)

SECTOR 1882140 (top left)

SECTOR 1882142 (top left)

SECTOR 1954380 (top left) amd 64 microsoft windows ie html rendering

SECTOR 1954382 (top left) activex

SECTOR 2083511 (5 rows down @ 0)

SECTOR 2178150 (below mid)

I didn't realize how much I have left to go - 217356288

To be on the "safe" side, copy some more sectors before the first hit and after the last hit in the group, let's say 200 sectors more or something like that, for the example found above, instead of copying only sectors 70312-70801, copy 1000 sectors, i.e. from 70000 to 71000.

Verify that you got the "right" sectors extracted, then zip all the files and upload the zip somewhere I can get them from, like zshare or similar and post a link to the files.

attached sectors.

To re-gain some "quota" on the forum, you may want to edit your previous post and delete from them the attachment screenshots, they are not needed anymore, and/or you may want to post them screenshots on a free image hosting service and post the link to it.

Thank you sir!

Link to comment
Share on other sites

The file you posted is a $MFT :thumbup .

The $MFT contents are seemingly that of a (well mixed up) Windows 7 "system" partition, without going into much details, the $MFT has been created (please read as filesystem was formatted) on 2010-04-26, and some of the usual Windows 7 boot files are there with the same date.

Then there are folders:

  • $WINDOWS.~LS
  • SETUPT~1
  • Sources

created on 2011-09-02

Then there is a mountpoint made on 2012-07-15 (this is probably compatible with your attempts)

Then there is a deleted folder MSI4519d.tmp created on 2012-07-22 (this is probably compatible with your attempts)

This is the $MFT of the first partition all right.

This is at the same time some good news :) and some bad news :(, the good news is that you seemingly didn't do any "meaningful" damage to this volume during your attempts, the bad news is that you still need to search for the $MFT (or traces of it) on the "main" partition.

Some more bad news :unsure: are that your cousin actually LIED to you :w00t: , the bootmgr is seemingly that of a Windows 7 (and is there since 2010) and evidently some attempts to re-install Vista :ph34r: or 7 were made in September 2011.

jaclaz

Link to comment
Share on other sites

GACK!!!! (as in BARF!)

Someone royally screwed it up! Potentially that Partition can be put back to its original OEM state (have to investigate that) as well as the "special" MBR code. It all depends on what (with jaclaz' help) can be "found" on the First Partition (I believe this is the usual place for the Factory WIM/SWM Image). What should have been the Vista (not Win7 x86/x64 whatever/whichever).

-see BOOTMGR comment above-

Those Pictures seem to be the important factor as well - recovering (if possible) the Second Partition (the actual Running OS) now becomes rather (somewhat) important.

-post made as a follow-up based on my knowledge of Vista/Win7 OEM Install-

edit - Hmmm - may not be a "special" MBR - maybe just std. Vista - the remainder would be via F8 into the Recovery (Partition#1).

edit2 - restore to factory (if Part#1 "fixed") by setting it to Active?

edit3 - info making me unsure of complete restore (should be 3 partitions?)

edit4 - MBR "special" code probably same as the one on HP XP-install (maybe) so could help with that (later) to get F11 back.

edit5 - HP Restore MSFN HP MBR MSFN HP MBR#2

"What else does the box say, Steve?"

Edited by submix8c
Link to comment
Share on other sites

GACK!!!! (as in BARF!)

Anything I can do to get the photos back.

This is the $MFT of the first partition all right.

This is at the same time some good news and some bad news, the good news is that you seemingly didn't do any "meaningful" damage to this volume during your attempts, the bad news is that you still need to search for the $MFT (or traces of it) on the "main" partition.

Some more bad news are that your cousin actually LIED to you , the bootmgr is seemingly that of a Windows 7 (and is there since 2010) and evidently some attempts to re-install Vista or 7 were made in September 2011.

they probably don't know what OS she has/had.

It is possible someone else took a crack at restoring the laptop/hdd and failed.

SECTOR 2533196 (near bottom)

SECTOR 3458039 (near mid bottom)

SECTOR 3853742 (near mid bottom)

SECTOR 4179527 (high mid)

SECTOR 4254311 ("PROFILE0")

Please advise..

Link to comment
Share on other sites

Please advise..

Patience you must have, my young padawan. ;)

Continue scanning, I am pretty sure that sooner or later you will get to the "real" thing. :)

@submix8

In this particular case, no one cares about the "first partition", nor about the MBR code, nor about the OS, the "only" priority is getting back some data (namely some pictures).

BTW, with 99.99% probability the original HP recovery partition has been wiped/overwritten in 2010.

The reason why I am insisting on trying to get some partition data (as opposed to use a plainer "file-based" recovery approach) is that d8apzl already tried a couple of "file based" recovery software, with bad results (files recovered but "invalid").

Generally speaking something like this is often connected with a high fragmentation level, and file based recovery in very rare cases is able to recover (valid) .jpg files if they are fragmented, and IMHO the .jpg file format, though having a very good compression level, is one of the most "fragile" file formats around, in most cases one single byte missing or wrong can create an invalid image and "repairing" a corrupted jpeg is either very difficult or impossible.

jaclaz

Link to comment
Share on other sites

I think we have a hit !!

It looks like the $MFT !!

Starting @ SECTOR 6498310 'FILE0' every 2 sectors (top left), stopped to post @ 6535700 and counting

Edited by d8apzl
Link to comment
Share on other sites

I think we have a hit !!

It looks like the $MFT !!

Starting @ SECTOR 6498310 'FILE0' every 2 sectors (top left), stopped to post @ 6535700 and counting

Good :).

Stop the scan.

Extract from the image, from the "first hit" you have, 6498310, let's round it to 6498000, 10000 sectors.

Then usual procedure, compress it and post the .zip or upload it to a free hosting and post the link.

It seems like (for *any* reason) the first scan done with the "text" instead of the hex did not "catch" . :wacko:

jaclaz

Link to comment
Share on other sites

It looks like we had about 13 errors in the making of the .dd file.

Well, 13 errors mean little, it is the type and extension of each that may make the difference.

So I brought the drive in to work cause I work next to a Seagate guy, he gave it back same day and said,

"Bad disk or head, sorry :("

I will translate this to plain English for you (two possible alternative translations) :whistle: :

  1. I do work for Seagate, as a matter of fact it is 15 years that I am the delivery boy, what I usually say to my friends is that I am chief engineer at Seagate, and they believe me, I actually have no idea on how a hard disk is made or how it works, but since also my friends know nothing about hard disks, I'll just tell this guy that there is nothing to do about the disk.
  2. I actually am chief engineer at Seagate and I can of course recover any drive, whatever the damage is, but since it would cost me time, dedication and what not, I'll simply tell this guy that there is nothing to do about the disk.

Now back to work.

What you got now is actually a $MFT and all in all it seems like being in "good shape". :thumbup

So, it is at sector 6498310? :unsure:

There is something that doesn't sound right.

The image you posted is called image[3326976000-3332096000].dd.

The Datarescuedd names images automatically as image[<bytes_from>-<bytes_to>].dd

So 3326976000/512=sector 6498000 (which is "right")

BUT I find the first hit within the file at offset 156672, and since 156672/512=306, it seems to me like the $MFT begins at 6498000+306=6498306 (and NOT 6498310).

Please, do check that on the image sector 6498306 does begin with "FILE0" and that around the middle you can read "$.M.F.T.m.i.r.r.".

If this is the case, it means that *somehow* the first entry of the $MFT has either been overwritten or is/was unreadable, as the sector that contains the "$.M.F.T.m.i.r.r." is the "second" entry of a $MFT.

And, since both the 6498306 and the 6498310 did not make sense as they would represent (given the offset of the partition) a "fractional cluster", it would make much sense that the $MFT actually started on 6498304 which nicely corresponds to cluster #786432 (which is the actual "right" "standard" value).

Your "quest" is not (yet) finished.

Since the first record of the $MFT is seemingly missing, we need to find the $MFT Mirror.

It is (or should be) at the half of the volume.

Theoretically this would be around sector 206848+976564224/2=488488960, possibly the already given 488488952

So you should GOTO sector 488488000 (to be on the safe side) and search again for "46494C4530".

Can you also please post the actual EXACT size (in bytes) of the whole image taken (just to make sure I can replicate it "virtually")?

The condition of the $MFT is not at all "bad", at least from the set of sectors you posted.

If the drive is still functional after the Seagate guy's attempts (if any) a good idea would be to try again imaging a bunch of sectors, trying this time "backwards".

The same range [3326976000-3332096000] would do nicely :). (the missing first two sectors of the $MFT are now filled with 00's or FF's and this may be a sign of a read error, that in some cases can be avoided by imaging "backwards", also, try doing this partial image a couple of times, once as soon as the disk is on - "cold disk" - and once after the disk has been powered for at least half an hour - "hot disk", you never know).

jaclaz

Link to comment
Share on other sites
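An added example, not part of the original posts: the offset arithmetic from the post above as code, turning the image file name and the in-file hit offset into an absolute sector, checking its cluster alignment, and estimating where the $MFT mirror should be. The function names are illustrative, and 8 sectors per cluster is an assumption (it is consistent with the cluster #786432 quoted in the post).

```python
import re

SECTOR = 512
ENTRY_SECTORS = 2  # one $MFT entry spans two sectors

def image_span(name):
    """Parse image[<bytes_from>-<bytes_to>].dd into (first_sector, sector_count)."""
    m = re.fullmatch(r"image\[(\d+)-(\d+)\]\.dd", name)
    if not m:
        raise ValueError("unexpected image name: %r" % name)
    start, end = int(m.group(1)), int(m.group(2))
    if start % SECTOR or end % SECTOR or end <= start:
        raise ValueError("byte range is not a whole number of sectors")
    return start // SECTOR, (end - start) // SECTOR

def absolute_sector(name, offset_in_file):
    """Absolute disk sector of a hit found at a byte offset inside the image."""
    first, count = image_span(name)
    sector, rest = divmod(offset_in_file, SECTOR)
    if rest or sector >= count:
        raise ValueError("offset is not a sector start inside this image")
    return first + sector

def entry0_sector(hit_sector, entry_index):
    """Where entry 0 would begin if hit_sector holds entry number entry_index."""
    return hit_sector - entry_index * ENTRY_SECTORS

def cluster_position(sector, partition_start, sectors_per_cluster=8):
    """(cluster number, sector inside that cluster); 8 per cluster is assumed."""
    if sector < partition_start:
        raise ValueError("sector lies before the partition")
    return divmod(sector - partition_start, sectors_per_cluster)

def expected_mirror_sector(partition_start, volume_sectors):
    """The $MFT mirror should sit at about half of the volume."""
    return partition_start + volume_sectors // 2

# Values quoted in the thread
NAME = "image[3326976000-3332096000].dd"
PARTITION_START = 206848
VOLUME_SECTORS = 976564224

if __name__ == "__main__":
    hit = absolute_sector(NAME, 156672)            # first FILE0 inside the file
    print(image_span(NAME), hit)
    print(cluster_position(hit, PARTITION_START))  # non-zero remainder
    start = entry0_sector(hit, 1)                  # hit holds the $MFTMirr entry
    print(start, cluster_position(start, PARTITION_START))
    print(expected_mirror_sector(PARTITION_START, VOLUME_SECTORS))
```

A non-zero second value from `cluster_position` marks a sector that cannot be the start of the $MFT, which is the "fractional cluster" argument made in the post.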
