Experience in hard disk data repair
Related concepts:
MBR (Main Boot Record), the main boot record area, which is located on the 0 track 0 cylinder 1 sector of the entire hard disk, including a hard disk boot program, and a partition table.
DBR (DOS Boot Record) The operating system boot record area, usually located in the hard disk 0 track 1 column 1 sector, is the first sector that the operating system can access directly, and it also includes a boot program and a known This partition parameter record table of BPB (Bios Parameter Block). Each logical partition has a DBR.
FAT (File Allocation Table), the file allocation table, is the file addressing format of the DOS, Windows9x system, for data security, FAT generally do two, the second FAT is the first FAT backup.
Dir is the shorthand of Directory, the root directory, and DIR is followed by the second FAT table. For a detailed introduction of the hard disk storage structure, you can refer to my article "Hard Drive Data Structure" in the 99th.
Estimated data loss cause:
1. After installing multi-system boot software, abnormal operation is caused.
2, was infected with a certain virus. Data loss before:
2.5g
Hard disk, the original partition is: C:
2G
D:
500M
And the D disk is important data. Both partitions are FAT16 format.
Data loss process:
After the system is restarted, the D disk is lost.
Data loss after data:
The customer has re-partitioned with FDISK, trying to renovate partitions in the original partition size. But there is no formatting D disk, only formatting the C disk and reload the system.
Customer data repair requirements:
Restore all files in the "Digital Camera" directory in the D drive root directory.
Tools used:
Norton Disk Doctor: Diskedit.exe
Data repair process:
First, data backup: mainly includes physical 0 tracks, each partition logic 0 track, FAT table, and root directory, etc., and then equipped with GHOST backup data area.
Second, analyzing the main guiding sector MBR of the hard disk (including the primary partition table and the boot program), the guiding sector DBR, FAT table and root directory area of each partition.
Since the C-disk (the cause of the virus) has been rescaled and can be successfully launched, the MBR's logical structure should not have problems. The first sector of the 0 track where MBR is located is checked. It is confirmed that the estimate is correct, but the restriction table and the original partition Whether the table is exactly the same, it cannot be determined.
Through the partition table, you can find the physical location of the boot sector of each partition. The important data of the C disk can be determined after analysis (boot sector, first fatt table, second FAT table, root directory area) Abnormal, but the D disk except for the leading sector DBR, the other data of the appeal cannot correspond, DBR is not abnormal, because the result of the resilience, and the fact that the FAT1, FAT2 and root of the root area are all correct, there should be two kinds. Possible: First, the current partition is inconsistent with the original partition, resulting in data sorry; the second is that the data has been damaged by the virus.
Since it is observed when the MBR is found, the other sector of the 0 track is found to have a residual code that is unknown, and some of the display information is viewed, it can be determined that some multi-system software is left, indicating that the customer has installed more system management software. . This can roughly rule out the possibility of virus damage partition, and the partition loss should be caused by an exceptional operation multiple system management software.
Third, find the original partition according to the previous analysis, because the customer has re-partitioned after the data is lost, and it is estimated that the existing partition is inconsistent with the original partition, this undoubtedly increases the difficulty of data repair, but fortunately there is no formatting D disk, because if only fdisk is just fdisk, only the first sector of the partition of the original hard disk, if this sector does not fall on the important parameter area (DBR, FAT, root directory) of the original partition, then the success rate of repair Still quite high. Next is to find an important data area of the original D disk, according to the information provided by the customer, there is a subdirector of the "digital camera" in the root directory of the original D disk, so search "digital cameras" with the search function provided by Diskedit. The corresponding hexadecimal code can find the root of the original D disk. After 30 minutes, by filtering the search results, I finally found the sector where the root directory is located, and then the vine is touched, and the two FAT tables have been turned forward (depending on the experience of about 400-500 sectors) to find the DBR where the original D disk is located. District, then turn the 63 sectors forward, find the partition table of the original D disk, to this, the most difficult problem overcome. Fourth, rebuild the main partition table because the customer later re-established the primary partition table with the original partition table, so it must be manually rebuilt, and the original D disc partition table and the original D disk DBR found through the previous DBR, can Calculate the main partition table. Including the start of each partition, end sector, partition size, partition type, etc. After calculating the results, the primary partition table of the 0 track 1 sector is changed.
V. Restart the system, the original D disk, all files are basically recovered. Copy the "Digital Camera" directory and make a backup. Notify the customer to retrieve the data.
Description of this case:
1. When data is backed up, don't excessively believe in Ghost, Ghost only recognize the correct partition, and it will not be copied for hidden partitions. For incorrect partitions, it reports errors and stops the replication process. GHOST is not a purely all-round copy software, which only copies files existing on the FAT table, not all data on the disk!
2. Walking is that the customer restarted the D disk just than a few tracks than the original D, so the new D disk partition table is built in the last side of the original C disk. So this time it can be said that 100% recovered the data of the original D disk.
3, more shipping is that the customer does not reformat the D disk, otherwise it is impossible to have so high recovery rate.
Suggestions for readers:
After the hard disk data is lost, please contact your local data repair company immediately. It is best not to write a hard disk again, which will increase the difficulty of repair, and also affect the success rate of repair.
