
Hard Drive Bad Boot Sector Windows 8



Hey guys, I've come across your community after some Google searching and have seen some well-versed folks in partition recovery.

My issue here is a laptop running Windows 8 that appears to have had a hard shutdown, thus messing up the partitions or something. I must note I am a newbie when it comes to anything in-depth. I have imaged the disk, twice actually, once with Active Partition and once with dsfok.

It appears that the FAT32 partition for the boot is overlapped by two other partitions, as shown in the attached pic.

I'm not sure what I need to do here. I am a novice. Thanks for any help in advance.



Well, run TESTDISK on that disk (or its image) with the log option.

http://www.cgsecurity.org/wiki/TestDisk

http://www.cgsecurity.org/wiki/TestDisk_Step_By_Step

http://www.cgsecurity.org/wiki/File:Create_log.gif

You want to allow for searching for "partitions made under Vista".

http://www.cgsecurity.org/wiki/File:Vista_check.gif

DO NOT "write" anything.

Post the log as attachment (or upload it somewhere and post a link to it).

The screenshot you posted does not provide enough info to provide you with any advice.

jaclaz


>> The screenshot you posted does not provide enough info to provide you with any advice.

> Maybe not that, but it does appear that the software is warez. :angry:

I understand your problem here. You must have the same edition to be able to spot that straight away. I do, however, have a license for Partition Recovery; I do apologise for the screenshot, I will change the license to my paid-for version and re-snip.

To add, Jaclaz, before I did anything I made an image with Active Partition; it's a .dim file. How can I write this back to the drive? I try

dsfi \\.\physicaldrive2 00 *filepath*
and get
\\.\physicaldrive2 - The parameter is incorrect


The issue at first sight (but I have to re-read and understand better the log) seems to me connected to the sector size of the hard disk.

The disk is reporting 4096 bytes/sector (please read as "Advanced Format"), whilst some data read in the bootsector/PBR BPB is about "normal" 512 bytes/sector data.

Can you post some info on what/how/when the issue first happened? :unsure:

About dsfo/dsfi, they use a "common between them" syntax with "inverted" source/destination, the needed parameters are 4 (four):

Generically it is:

dsfo <source> <start> <length> <destination>

dsfi <destination> <start> <length> <source>

A <start> of 0 means "from the beginning".

A <length> of 0 means "the whole size of the source".

So you image a whole disk with:

dsfo \\.\PhysicalDriven 0 0 <some path>\image.dsk

which you can read as:

get out of \\.\PhysicalDriven, starting from the beginning, everything and save it as <some path>\image.dsk

and you restore with:

dsfi \\.\PhysicalDriven 0 0 <some path>\image.dsk

which you can read as:

put in \\.\PhysicalDriven, starting from the beginning, everything coming from <some path>\image.dsk

The two 0's in the command line are separated by a space, in your posted command line they look as "00" and the dsfok tools can only interpret them as a single parameter.

jaclaz


> The issue at first sight (but I have to re-read and understand better the log) seems to me connected to the sector size of the hard disk.

> The disk is reporting 4096 bytes/sector (please read as "Advanced Format"), whilst some data read in the bootsector/PBR BPB is about "normal" 512 bytes/sector data.

OK

> Can you post some info on what/how/when the issue first happened? :unsure:

I can't specifically tell you what happened. Obviously it's rather new, with Windows 8. It had no power when I got it; I opened her up and found it to have some contaminants on multiple pins on the QFP chip, so I cleaned it off and resoldered the legs to clear any excess crap off.

She booted and just gave the message BAD BOOT SECTOR. I imagine it may have come into contact with a liquid source or something that contaminated it and shorted it out, thus hard shutting down the hard drive and corrupted data.

I will stress no liquid or contaminants were near the hard drive, as it was on the opposite side of the laptop. I'm not even sure the contaminants are liquid, may just be fag ash...

> About dsfo/dsfi, they use a "common between them" syntax with "inverted" source/destination, the needed parameters are 4 (four): [...]

Understood. I believe I wrote the command wrong while posting but correctly when I was running the program. I managed to start reading the disk with commands but trying to write the image CREATED with ACTIVE PARTITION (*.dim*) creates that error.

The reason I want to get the image back to disk is because I know it is completely untouched, whereas the disk has had some software run: testdisk, Active and getdataback...

> Understood. I believe I wrote the command wrong while posting but correctly when I was running the program. I managed to start reading the disk with commands but trying to write the image CREATED with ACTIVE PARTITION (*.dim*) creates that error.

Well, I have no idea which format that tool uses, dsfo/dsfi is simply a (very small/compact) dd-like tool and only operates with "RAW images", and as such it is only compatible with "pure" dd-like tools.

> The reason I want to get the image back to disk is because I know it is completely untouched, whereas the disk has had some software run: testdisk, Active and getdataback...

Well, testdisk won't write data, and neither will getdataback (of course unless you explicitly tell them to write on the disk); I cannot say about that other Active tool.

If, by any chance, the .dim image is not a RAW image and the dsfi command "went through" even partially it is very probable (please read as certain :ph34r: ) that the result will be completely "botching" the hard disk.

If you want my advice, STOP fiddling with that disk, NOW!

jaclaz


Noted. Strange thing is with getdataback partitions suddenly appeared readable in windows after a quick search which was strange.....

The image is a raw image created by Active@

So as to where to go from here. Obviously I have that Image from 1st usage. I can open it and recover any files there though there is not much data.

The whole purpose is to try and recover the partitions etc. and learn. In the worst-case scenario I can just format and reinstall Windows.

I do really appreciate your help no matter which way it goes.


As I see it there are three possible issues on that disk:

1) a partition is missing, i.e. there is a "hole" at the beginning of the disk

2) there is seemingly NO overlapping of any kind of the three "current" partitions:

1 * HPFS - NTFS 10 168 31 18 160 14 128000 [WINRETOOLS]

2 P HPFS - NTFS 18 160 15 7402 197 27 118626304 [OS]

3 P HPFS - NTFS 7402 197 28 7600 41 57 3171072 [PBR Image]

so I wonder what is the Active thingy trying to tell us

3) Something is seemingly not right (but it might be a "quirk" in testdisk, see below) with the total size of the disk; testdisk senses a geometry of:

Disk /dev/sdc - 500 GB / 465 GiB - CHS 7600 255 63, sector size=4096 - WDC WD50 00LPVT-75G33T0, S/N:152D20337A0C

which should mean that last cylinder is #7599, whilst the last partition is using cylinder #7600 (partially)

All in all the only issue that is connectable to a power down is the corruption/missing of the first partition.

BUT the data found by Testdisk about this possible first partition:

NTFS at 667/224/5

Warning: number of bytes per sector mismatches 512 (NTFS) != 4096 (HD)

filesystem size 85833728

sectors_per_cluster 8

mft_lcn 786432

mftmirr_lcn 16

clusters_per_mft_record -10

clusters_per_index_record 1

HPFS - NTFS 0 4 5 667 224 6 10729216

NTFS found using backup sector, blocksize=4096, 43 GB / 40 GiB

is however "strange": its beginning could be OK, but the end address (from which the data has been extracted) is well within the [OS] partition; the fact that the found bootsector is using a mismatched bytes-per-sector value could mean that the found bootsector is actually an around 5 Gb "raw" image (or a residual of it, since the main BPB has not been found).

The latest "standard" is to have (at least on 512 bytes/sector media) the first partition starting at LBA 2048, i.e. at 0/32/33 or with 2048*512=1048576 bytes before.

IF the same is used on a 4 kb/sector device, that would mean LBA 256 or CHS 0/4/5 (which would be "perfectly in line" with the start of the missing partition found by Testdisk).

So, if we take for granted that the start is OK at 0/4/5, we cannot "extend it" beyond 10/168/30 (i.e. immediately before the [WINRETOOLS] partition).

The partition would then be around 700 Mb in size, an uncommon size.

On the other hand, if we take for good the data found by Testdisk about first missing partition, it would be a 40 Gb partition that would "obliterate" the [WINRETOOLS] partition and overlap on the [OS] one.

The specs for the WD5000LPVT tell us that the disk has 976,773,168 available sectors, but that of course relates to 512 bytes/sector:

976,773,168*512=500,107,862,016 which is OK with the other specs of having a capacity (using million bytes) of 500,107 MB

500,107,862,016/4096=122,096,646 sectors

Which means CHS 7600/41/63.

Since last partition the [PBR Image] ends on 7600/41/63 there are 6 sectors unindexed in the partition table, that seems to me another "queer" thing.

Any way to know how it was partitioned originally?

Right now (set apart the 6 sectors at the end) it seems that the only way the disk can be in this situation is that *somehow*:

  1. first partition was deleted
  2. a new smallish first partition was created (around 700 Mb in size)
  3. a new second partition was created ( the [WINRETOOLS] one)
  4. the (currently third) partition [OS] was expanded until the end of the [WINRETOOLS] one
  5. the 700 Mb in size partition was deleted

of these only last action may be connected to a power failure or to a hardware issue. :unsure:

If this is the case, someone must have "voluntarily" carried out the first 4 actions (no matter if recently or some time ago; example: a used disk not wiped), and we cannot use the data relative to the "first partition" that TESTDISK found.

Now, if you access the disk "normally", what happens?

I mean all the data in those partitions should be normally accessible, and if the disk does not boot it may be related to a number of other things, like a missing or corrupted file.

From what Testdisk says, the Active partition is the [WINRETOOLS] one:

Current partition structure:

1 * HPFS - NTFS 10 168 31 18 160 14 128000 [WINRETOOLS]

2 P HPFS - NTFS 18 160 15 7402 197 27 118626304 [OS]

3 P HPFS - NTFS 7402 197 28 7600 41 57 3171072 [PBR Image]

It is possible (check the partitions contents) that the BOOTMGR and \boot\BCD is instead in one of the other two, then all is needed is to set that partition to Active status.

What happens if you try booting the laptop from that disk?

jaclaz


If you try to boot it, it just says bad sector, press any key.

I believe it's just Dell standard or out-of-the-box configuration. I've read that it is meant to have 6 partitions. http://en.community.dell.com/support-forums/software-os/f/4677/p/19494111/20312796.aspx

That is a whole lot of info you have posted; I am having difficulty reading on my mobile's screen and will have to have a proper read through the post when I am home late tonight.

I think it looks like 2 fat partitions are missing?

> If you try to boot it, it just says bad sector, press any key.

Yes, but that, as said, would be "compatible" with just the wrong partition being set as active in the MBR.

> I believe it's just Dell standard or out-of-the-box configuration. I've read that it is meant to have 6 partitions. http://en.community.dell.com/support-forums/software-os/f/4677/p/19494111/20312796.aspx

Well, that post is about a 1 Tb disk (and NOT a 500 Mb one) partitioned as UEFI/GPT. (Yours seems like it is using the MBR all right.)

Testdisk says:

Partition table type: Intel

which means MBR (and NOT GPT)

Which EXACT model is the laptop you have?

If this is accurate:

A total of six partitions were shown: Partition 1 ("ESP", System), partition 2 ("DIAGS", OEM (reserved)), partition 3 (MSR (reserved)), partition 4 ("WINRETOOLS", recovery), partition 5 ("OS", primary), and partition 6 ("PBR Image", recovery).

Then my hypothesis that the disk has been extensively fiddled with appears more probable :whistle:

> I think it looks like 2 fat partitions are missing?

No, either three of them are missing (6-3=3 ;)) or more likely only one (of course also two is possible, but while an additional partition for "DIAGS" would make some sense there cannot be more than 4 (Primary) partitions in a MBR partitioned disk, so if more than one is missing, then they were volumes inside an Extended partition, of which there are NO traces found by Testdisk).

> That is a whole lot of info you have posted; I am having difficulty reading on my mobile's screen and will have to have a proper read through the post when I am home late tonight.

Sure, and there are a lot of questions/doubts in them, take your time. :)

jaclaz


OK, I have managed to read through and I see what you're saying. I think we are just missing that one partition.

The laptop is an Inspiron 3520.

I read what you said about \boot and \boot\BCD and, upon browsing the fourth partition in Active@, found them (see attachments).

I do apologise if I am missing some of what you are saying or being dumb and not reading properly.


Yep, that's probably the one.

It is strange however that Testdisk didn't find it. :unsure:

The start of the partition is OK (0/4/5 does equal 256) :thumbup

The size is seemingly not, for two reasons:

  1. the number of sectors 1,024,000 does correspond to the given size 500 Mb, but only if sectors are counted as being 512 byte each.
  2. the "hole" between 0/4/5 and 10/168/30 is larger than 500Mb, it is 171,008 sectors by 4,096=700,448,768, i.e. roughly 700 Mib (counted in millions)

The 500 Mb volume is "possible" but still it doesn't make much sense that the good Dell guys have left some 175 Mb "empty".

Let's have a "second" opinion.

Get DMDE:

http://softdm.com/

and try scanning the disk with it.

Open the Physical disk, and run a "FAT search".

Then re-open it and run an "NTFS search".

Post screenshots/results

jaclaz
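The CHS/LBA arithmetic that jaclaz works through by hand in the two posts above (the hole before [WINRETOOLS], the 6 unindexed sectors at the end of the disk, the 512-vs-4096 size question) can be checked mechanically. This is an added example, not code from the thread or from TestDisk; it assumes the 255 heads x 63 sectors geometry and the partition entries exactly as TestDisk printed them.

```python
# Added example (not from the thread): CHS/LBA checks for the TestDisk partition table quoted above.
HEADS, SPT = 255, 63          # geometry TestDisk reported; CHS sector numbers are 1-based
MIB = 1024 ** 2

def chs_to_lba(c, h, s):
    """Translate a TestDisk-style CHS triple into an absolute LBA sector number."""
    return (c * HEADS + h) * SPT + (s - 1)

def lba_to_chs(lba):
    """Inverse of chs_to_lba, used to place the disk's last sector on the CHS grid."""
    c, rem = divmod(lba, HEADS * SPT)
    h, s = divmod(rem, SPT)
    return (c, h, s + 1)

def total_sectors(disk_bytes, sector_size):
    """Logical sectors a disk of disk_bytes exposes at the given sector size."""
    return disk_bytes // sector_size

# Partition entries as TestDisk printed them: start CHS, end CHS, sector count, label.
PARTITIONS = [
    ((10, 168, 31), (18, 160, 14), 128000, "WINRETOOLS"),
    ((18, 160, 15), (7402, 197, 27), 118626304, "OS"),
    ((7402, 197, 28), (7600, 41, 57), 3171072, "PBR Image"),
]

def layout_report(parts, n_sectors):
    """Walk the table in LBA order and return (gaps, overlaps, bad_counts).

    gaps: (first_lba, length) of every unallocated run, including any tail after the
    last partition; overlaps: (label, label) pairs whose ranges intersect;
    bad_counts: labels whose sector count disagrees with their start/end CHS.
    """
    spans = sorted((chs_to_lba(*s), chs_to_lba(*e), n, lbl) for s, e, n, lbl in parts)
    gaps, overlaps, bad_counts = [], [], []
    prev_end, prev_label = -1, None
    for start, end, count, label in spans:
        if end - start + 1 != count:
            bad_counts.append(label)
        if start > prev_end + 1:
            gaps.append((prev_end + 1, start - prev_end - 1))
        elif prev_label is not None and start <= prev_end:
            overlaps.append((prev_label, label))
        prev_end, prev_label = max(prev_end, end), label
    if prev_end < n_sectors - 1:
        gaps.append((prev_end + 1, n_sectors - 1 - prev_end))
    return gaps, overlaps, bad_counts

if __name__ == "__main__":
    n = total_sectors(500_107_862_016, 4096)       # WD5000LPVT capacity quoted in the thread
    print("last LBA as CHS:", lba_to_chs(n - 1))   # (7600, 41, 63)
    print("hole before WINRETOOLS, minus the 256-sector (1 MiB) alignment gap:",
          chs_to_lba(10, 168, 31) - chs_to_lba(0, 4, 5))
    print(layout_report(PARTITIONS, n))
```

The first gap it reports starts at LBA 0, so subtracting the 256 sectors (1 MiB at 4096 bytes/sector) of alignment space gives the 171,008-sector hole from the posts; the 6-sector tail gap and the absence of overlaps match what TestDisk showed.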
