onlit4regs Posted August 17, 2012 Posted August 17, 2012 (edited) hi,My 500Gb Seagate 7200.11 had the famous bug of BSY state, it wasn't seen in BIOS.I have successfully made the unbrick trick with serial cable, hyper terminal and so on. Now the drive is seen in the BIOS (and with the right size).But Windows see a RAW partition on it.I've tried easus recovery, it has seen all my files, but any restore of any file results in an unreadable file. (nothing was writen on the faulty disk at the moment)I've tried testdisk, it has seen the partition, I have made "WRITE PARTITION TABLE" to the faulty disk, and reboot. same thing under windows.so now, what can I do ?I attach the HDHACKER first sector of logical drive and first sector of physical drive, if this can help.thanks a lot for your help HDHACKER.zip Edited August 17, 2012 by onlit4regs
jaclaz Posted August 17, 2012 Posted August 17, 2012 I attach the HDHACKER first sector of logical drive and first sector of physical drive, if this can help.At first sight there is nothing "wrong" in them.BUT how exactly (under which OS, with which tools) was the disk partitioned originally?The sectors you posted seems like a "normal" XP partitioned (French), single NTFS:#0 07 80 0 1 1 1023 254 63 63 976768002 The data in the bootsector is as well "standard": 3 0003 OEM String: NTFS 11 000B Bytes per sector: 0200 51221 0015 Media type: F8 24824 0018 Sectors per Head: 003F 6326 001A Number of Heads: 00FF 25528 001C Sectors Before: 0000003F 6340 0028 Total Sectors: 000000003A384C01 97676800148 0030 LCN for $MFT:: 00000000000C0000 78643256 0038 LCN for $MFTMirr:: 0000000003A384C0 6104800064 0040 Clusters per $MFT record: 000000F6 24668 0044 Clusters per Index record: 00000001 172 0048 Volume Serial: 6424B80A24B7DD6CWhich OS are you running/can run?Ideally you should try imaging the disk on a (larger) device as a file, first thing, do you have (or can buy) a 640 or 750 Gb disk?You could check with a disk viewer/editor the presence at the designed addresses of the $MFT and of it's mirror.$MFT is at 63+786432*8=sector 6,291,519$MFT Mirror is at 63+61048000*8=sector 488,384,063The first sector of both should begin with "File0" or in hex "46494C4530".jaclaz
onlit4regs Posted August 17, 2012 Author Posted August 17, 2012 I attach the HDHACKER first sector of logical drive and first sector of physical drive, if this can help.At first sight there is nothing "wrong" in them.BUT how exactly (under which OS, with which tools) was the disk partitioned originally?The sectors you posted seems like a "normal" XP partitioned (French), single NTFS:#0 07 80 0 1 1 1023 254 63 63 976768002 The data in the bootsector is as well "standard": 3 0003 OEM String: NTFS 11 000B Bytes per sector: 0200 51221 0015 Media type: F8 24824 0018 Sectors per Head: 003F 6326 001A Number of Heads: 00FF 25528 001C Sectors Before: 0000003F 6340 0028 Total Sectors: 000000003A384C01 97676800148 0030 LCN for $MFT:: 00000000000C0000 78643256 0038 LCN for $MFTMirr:: 0000000003A384C0 6104800064 0040 Clusters per $MFT record: 000000F6 24668 0044 Clusters per Index record: 00000001 172 0048 Volume Serial: 6424B80A24B7DD6CWhich OS are you running/can run?Ideally you should try imaging the disk on a (larger) device as a file, first thing, do you have (or can buy) a 640 or 750 Gb disk?You could check with a disk viewer/editor the presence at the designed addresses of the $MFT and of it's mirror.$MFT is at 63+786432*8=sector 6,291,519$MFT Mirror is at 63+61048000*8=sector 488,384,063The first sector of both should begin with "File0" or in hex "46494C4530".jaclazthanks a lot for your message jaclaz.it was originally parted in windows XP (French), with standard XP storage manager.I have a 1Tb hard drive available for imaging, and I am running actually Win 7 Pro x64, but I can also plug it again on my win XP.I'll try to give a look at the MFT with disk editor and I'll tell you.
onlit4regs Posted August 17, 2012 Author Posted August 17, 2012 hmmm, $MFT begins with the good code "File0". the problem is $MFT mirror, impossible to access :"System Error: Code 1117 " and in french something like: I/O error, unable to satisfy query.
jaclaz Posted August 17, 2012 Posted August 17, 2012 it was originally parted in windows XP (French), with standard XP storage manager.Then the partition and the bootsector are seemingly OK.I have a 1Tb hard drive available for imaging, and I am running actually Win 7 Pro x64, but I can also plug it again on my win XP.Then a good idea would be to image it.The reference app is Datarescuedd, see here:http://reboot.pro/7783/You might want to do a few tests with "smallish" parts of the disk , see this for a possible approach:http://reboot.pro/15040/#entry133567I have no idea if it works ok under 7 64 bit, it should, but cannot say.If you have a XP available it should be "safer" (in the sense of "known to be working")hmmm, $MFT begins with the good code "File0". the problem is $MFT mirror, impossible to access :"System Error: Code 1117 " and in french something like: I/O error, unable to satisfy query. Hmmm, strange.It is possible that there is a bunch of bad sectors (or a translation table in the disk that was cleared during the unbricking) but a failed $MFT Mirror should not prevent the filesystem to be recognized .Once you have the image done, we will see what TESTDISK finds about those....jaclaz
onlit4regs Posted August 22, 2012 Author Posted August 22, 2012 hello jaclazok the image is done, it took a long time, a lot of I/O errors. the image is only 136Go what should I do next, you were talking about something with testdisk, can you tell me more please ?thanks a lot
jaclaz Posted August 29, 2012 Posted August 29, 2012 hello jaclazok the image is done, it took a long time, a lot of I/O errors. the image is only 136Go what should I do next, you were talking about something with testdisk, can you tell me more please ?thanks a lotSorry, I missed your reply. Anyway if the "image" is 136 Gb it is very UNLIKE an image.You seemingly did not follow the proposed approach:You might want to do a few tests with "smallish" parts of the disk , see this for a possible approach:http://reboot.pro/15040/#entry133567I seem to remember to have read *somewhere* that there is a rather common issue (though I don't seem to remember affecting 7200.11 specifically) where after an unbricking the actually accessible data is about 1/3 of the total, maybe this is the case.Now the whole point is:does the "whatever" you have now, 136 Gb in size represent the first 136 Gb of the disk? If yes, most probably you can recover partially the data present in that part of the disk.What I would do:create a sparse file (on a NTFS partition) sized 63+976768002=976,768,128 sectors x 512 = 500,105,281,536 bytes in size"dd to it" the 136 Gb *whatever* you haveanalyze it with TESTDISKHow to do that in practice (in a command prompt window, after having collected the tools and put them in a directory like C:\hdtools\, and navigating to that directory):mksparse <path>\my500GB.img 500105281536dsfi <path>\my500GB.img 0 0 <path>\thewhatever136GB.imgtestdisk <path>\my500GB.imgmksparse: see here:http://reboot.pro/3191/page__st__25#entry70583or:http://wayback.archive.org/web/*/http://www.acc.umu.se/~bosse/mksparse.zipdsfi (part of the dsfok toolkit), here (you can use instead any other "dd-like" tool yu may be more familiar with):http://members.ozemail.com.au/~nulifetv/freezip/freeware/testdisk, here:http://www.cgsecurity.org/wiki/TestDisk_DownloadFollow this EXACTLY (you want to create a log, Intel, analyse, N to "search for Vista created partitions", ):http://www.cgsecurity.org/wiki/TestDisk_Step_By_Stepsee if pressing "P" you see (at least some of) the files .Report what happens.jaclaz
onlit4regs Posted August 31, 2012 Author Posted August 31, 2012 hi,thanks for your reply and your time !testdisk have seen the NTFS partition of 500Go, said structure OK.when pressing "P", there is only one directory displayed, and when entering it, it's empty .... I think I'll try again the image processing of the hard drive this week-end, I've done it with USB connexion, but I'll try with direct SATA connexion, to see if it can go up to 500gb image. I'll tell you what.thanks again
jaclaz Posted August 31, 2012 Posted August 31, 2012 testdisk have seen the NTFS partition of 500Go, said structure OK.when pressing "P", there is only one directory displayed, and when entering it, it's empty .... Try having a look at the "my500GB.img" with dmde:http://softdm.com/even if it is a tool that is not ( like TESTDISK) suitable to be used with a less then advanced knowledge of the NTFS filesystem, you should be able to understand if there is an issue with the $MFT or with the actual filesystem contents. Another thing that you could do is to extrract some sectors starting from 6,291,519 and use on them this tool:http://www.forensicfocus.com/Forums/viewtopic/t=8010/http://code.google.com/p/mft2csv/just to understand if the $MFT contains valid data or if it is "the issue".If this latter is the case, PHOTOREC may still be able to find many files....jaclaz
onlit4regs Posted September 3, 2012 Author Posted September 3, 2012 testdisk have seen the NTFS partition of 500Go, said structure OK.when pressing "P", there is only one directory displayed, and when entering it, it's empty .... Try having a look at the "my500GB.img" with dmde:http://softdm.com/even if it is a tool that is not ( like TESTDISK) suitable to be used with a less then advanced knowledge of the NTFS filesystem, you should be able to understand if there is an issue with the $MFT or with the actual filesystem contents. Another thing that you could do is to extrract some sectors starting from 6,291,519 and use on them this tool:http://www.forensicfocus.com/Forums/viewtopic/t=8010/http://code.google.com/p/mft2csv/just to understand if the $MFT contains valid data or if it is "the issue".If this latter is the case, PHOTOREC may still be able to find many files....jaclazsoftdm shows me all the files and directories of my hard drive, but trying to recover a dozen of files results with unreadable files. I tried making a new image with ddrescue, with direct SATA connection in my PC. it started faster than the previous one on USB, but it is still running, since 72 hours !!! only 24,5Go done .... so much errors: "unable to satisfy request because of an I/O error".I have stopped the process.about the last thing you asked, I'm not sure to understand what you really want me to do. Extract how many sectors from 6291519 ? and then, mft decode ? or mft2csv ?thanks a lot for your help. I'm getting less and less hope to recover anything
onlit4regs Posted September 3, 2012 Author Posted September 3, 2012 testdisk have seen the NTFS partition of 500Go, said structure OK.when pressing "P", there is only one directory displayed, and when entering it, it's empty .... Try having a look at the "my500GB.img" with dmde:http://softdm.com/even if it is a tool that is not ( like TESTDISK) suitable to be used with a less then advanced knowledge of the NTFS filesystem, you should be able to understand if there is an issue with the $MFT or with the actual filesystem contents. Another thing that you could do is to extrract some sectors starting from 6,291,519 and use on them this tool:http://www.forensicfocus.com/Forums/viewtopic/t=8010/http://code.google.com/p/mft2csv/just to understand if the $MFT contains valid data or if it is "the issue".If this latter is the case, PHOTOREC may still be able to find many files....jaclazsoftdm shows me all the files and directories of my hard drive, but trying to recover a dozen of files results with unreadable files. I tried making a new image with ddrescue, with direct SATA connection in my PC. it started faster than the previous one on USB, but it is still running, since 72 hours !!! only 24,5Go done .... so much errors: "unable to satisfy request because of an I/O error".I have stopped the process.about the last thing you asked, I'm not sure to understand what you really want me to do. Extract how many sectors from 6291519 ? and then, mft decode ? or mft2csv ?thanks a lot for your help. I'm getting less and less hope to recover anything
jaclaz Posted September 4, 2012 Posted September 4, 2012 softdm shows me all the files and directories of my hard drive, but trying to recover a dozen of files results with unreadable files. This should mean that the $MFT is OK (i.e. no need to analyze it manually with mft2csv).But if you ran the DMDE on the (incomplete) image, this may still be "normal".I tried making a new image with ddrescue, with direct SATA connection in my PC. it started faster than the previous one on USB, but it is still running, since 72 hours !!! only 24,5Go done .... so much errors: "unable to satisfy request because of an I/O error".I have stopped the process.And, AGAIN, you are using a WRONG approach (attempting to image the whole disk at once).For the THIRD time, please read again this:You might want to do a few tests with "smallish" parts of the disk , see this for a possible approach:http://reboot.pro/15040/#entry133567You might want to try with even smaller "chunks".Another test (but be careful):What happens with DMDE on the original disk?I find it strange that the $MFT is "perfect" (as it seemingly is) but *all* the disk is unreadable (I could understand some areas, but not the large majority of the disk) jaclaz
onlit4regs Posted September 4, 2012 Author Posted September 4, 2012 ok, will try that sorry for not understanding this approach I've just read the post indicated, I just have a question about reassembling the different parts ? how to do that ? it says to create an empty file (with which tool ?) of the size of the disk and then merge all parts.thanks
jaclaz Posted September 4, 2012 Posted September 4, 2012 ok, will try that sorry for not understanding this approach I've just read the post indicated, I just have a question about reassembling the different parts ? how to do that ? it says to create an empty file (with which tool ?) of the size of the disk and then merge all parts.thanksNormally I would use fsz.exe (part of the dsfok toolkit):http://members.ozemail.com.au/~nulifetv/freezip/freeware/that is if you have the space available to create a "whole" file, but It should be more convenient to use instead mksparse, here:http://reboot.pro/3191/page__st__25#entry70583this way the file will grow only with the actual "chunks" that you write to it.And the reference app to write these chunks is dsfi (still part of the dsfok toolkit).I can give you specific instructions if this other approachs actual succeeds in getting more data.But if the test with DMDE on the original disk gives the same results, than there is a more serious issue somewhere "before" (partial unbricking or "failed" unbricking) though as said it sounds "strange".jaclaz
onlit4regs Posted September 13, 2012 Author Posted September 13, 2012 hi jaclazso, I have tried DMDE on the original hard drive, It couldn't display the directory/file structure , it was so long on "reading MFT", more than 4 days to complete only 3% !! so I abortedon this disk, there is a dozen of "most wanted" files for me, which may represents 2 or 3go. I've made my recovery tests on these files. maybe other are readable, but they are not necessary for the moment.so, do you think I should try to image the disk in smaller chunks ?thanks
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now