A "thrilling" data recovery experience
Owlbird
A few days ago a friend of mine, a database administrator, called me: the server running his database would not start, he could not get at anything on it, and would I come and have a look? The operating system was Windows 2000 Server and the database SQL Server 2000. This server exists only to store customer information; its data files are copied to tape every half month, and a backup of the database files should also have been made that day. What had happened was this: my friend bought a pirated ("D version") disc and put it in the server. The disc autoran, the machine rebooted by itself, and after the reboot it printed:

    Non-System Disk, please insert a system disk

(pirated discs really do hurt people). The system obviously could not boot any more.

Handling it. If a machine cannot boot from its hard disk, boot from a floppy and try to reach the hard disk from there. If the hard disk cannot be accessed that way either, the master boot record or the boot sector of the boot partition may be damaged, and a tool such as the DEBUG command can show whether the MBR is intact. I booted the server from an MS-DOS system floppy. Its primary partition is NTFS, so without third-party software DOS cannot read the partition itself, but the MBR (the hard disk's master boot record, cylinder 0 head 0 sector 1) can still be read through BIOS INT 13h from DEBUG:

    A:\>debug
    -a 100                   ; assemble from offset 0100
    xxxx:0100 mov ax,0201    ; AH=02h read sectors, AL=01h one sector
    xxxx:0103 mov bx,0200    ; buffer at ES:0200, in the current segment
    xxxx:0106 mov cx,0001    ; CH=cylinder 0, CL=sector 1 (sectors count from 1)
    xxxx:0109 mov dx,0080    ; DH=head 0, DL=80h first hard disk
    xxxx:010C int 13         ; BIOS disk service
    xxxx:010E int 3          ; breakpoint: hand control back to DEBUG
    xxxx:010F                ; press Enter alone to leave assembly mode
    -g =100                  ; run the code above
    -d 380                   ; dump 0380h-03FFh: the partition table (sector offset 1BEh) sits at 03BEh
A detailed explanation of these instructions can be found in "IBM-PC Assembly Language Programming" by Shen Meiming, published by Tsinghua University Press. Briefly, the partition table lives inside the master boot record at cylinder 0, head 0, sector 1. It starts at byte 1BEh of the sector and is 64 bytes long: four partition entries of 16 bytes each. Each entry holds a boot flag, a system ID, the starting and ending cylinder, head and sector numbers, the number of sectors preceding the partition, and the number of sectors the partition occupies. The boot flag says whether the partition is active, that is, bootable: 80h means active, 00h not. The system ID gives the partition type: 06h is a DOS FAT16 partition, 0Bh a FAT32 partition, 83h a Linux native partition, and so on. The starting and ending cylinder, head and sector numbers mark where the partition begins and ends. The two bytes after the table, 55h AAh at 1FEh, are the boot signature; in the dump above the table therefore occupies 03BEh-03FDh and the signature 03FEh-03FFh.

Things here were not good at all: the first entry of the partition table was obviously wrong (one of its fields read 26h, 38 in decimal, which made no sense there), and, very awkwardly, my friend had no backup of the MBR. There was one thing left to try. In my experience cylinder 0 head 0 sector 2 usually holds a copy of cylinder 0 head 0 sector 1, written each time the system boots; and when a boot manager such as System Commander or LILO is installed, sector 2 is taken by the boot manager and the copy of sector 1 ends up in sector 3. That is worth remembering. It also deserves a caveat: nothing in the BIOS or in the standard DOS/Windows boot path maintains such a copy, so whether one exists depends on what software has written to track 0, and its contents must be inspected before they are trusted.
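The 64-byte table just described, parsed and sanity-checked in code. This is an added example, not code from the article: the two sample sectors are constructed by hand (the second has its first entry damaged to stand in for what the author found in the dump), and the helper names are mine.

```python
"""Parse and sanity-check the MBR partition table at offset 1BEh.

Added example, not part of the original article. The sample sectors
are constructed by hand; the "bad" one has its first entry corrupted
to mimic a damaged table.
"""
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE   # four 16-byte entries at 1BEh..1FDh
SIG_OFFSET = 0x1FE     # 55h AAh boot signature at 1FEh..1FFh

# System IDs named in the article, plus NTFS (07h), which the author's disk used.
TYPE_NAMES = {0x06: "FAT16", 0x07: "NTFS/HPFS", 0x0B: "FAT32 (CHS)",
              0x0C: "FAT32 (LBA)", 0x83: "Linux native"}


def decode_chs(raw):
    """Unpack the packed 3-byte CHS field: head, 6-bit sector, 10-bit cylinder."""
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return cylinder, head, sector


def encode_chs(cylinder, head, sector):
    """Inverse of decode_chs; used only to build the sample sectors."""
    return bytes([head, ((cylinder >> 2) & 0xC0) | (sector & 0x3F), cylinder & 0xFF])


def parse_partition_table(sector):
    """Return one dict per non-blank entry; raise if the sector cannot be an MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[SIG_OFFSET:SIG_OFFSET + 2] != b"\x55\xAA":
        raise ValueError("boot signature 55AA missing: not an MBR")
    entries = []
    for slot in range(4):
        raw = sector[TABLE_OFFSET + 16 * slot:TABLE_OFFSET + 16 * (slot + 1)]
        if raw == b"\x00" * 16:
            continue                      # unused slot
        lba_start, count = struct.unpack_from("<II", raw, 8)
        entries.append({
            "slot": slot,
            "flag": raw[0],               # 80h active, 00h inactive
            "type": raw[4],
            "type_name": TYPE_NAMES.get(raw[4], "unknown %02Xh" % raw[4]),
            "start_chs": decode_chs(raw[1:4]),
            "end_chs": decode_chs(raw[5:8]),
            "lba_start": lba_start,       # sectors preceding the partition
            "sectors": count,             # sectors the partition occupies
        })
    return entries


def check_table(entries):
    """The checks the article makes by eye on the hex dump, as a list of findings."""
    problems = []
    for e in entries:
        if e["flag"] not in (0x00, 0x80):
            problems.append("slot %d: boot flag %02Xh is neither 00h nor 80h" % (e["slot"], e["flag"]))
        if e["type"] == 0 or e["sectors"] == 0:
            problems.append("slot %d: zero system ID or length in a non-blank entry" % e["slot"])
    if sum(1 for e in entries if e["flag"] == 0x80) != 1:
        problems.append("expected exactly one active (80h) partition")
    spans = sorted((e["lba_start"], e["lba_start"] + e["sectors"]) for e in entries)
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            problems.append("partitions overlap at LBA %d" % start_b)
    return problems


def build_entry(flag, type_id, start_chs, end_chs, lba_start, sectors):
    return (bytes([flag]) + encode_chs(*start_chs) + bytes([type_id])
            + encode_chs(*end_chs) + struct.pack("<II", lba_start, sectors))


def build_mbr(raw_entries):
    """Zeroed boot-code area, the entries padded to 64 bytes, then the signature."""
    table = b"".join(raw_entries).ljust(64, b"\x00")
    return b"\x00" * TABLE_OFFSET + table + b"\x55\xAA"


# Constructed sample: an active NTFS partition after the usual 63 hidden
# sectors, then a FAT32 data partition. Geometry is the classic 255 heads x 63 sectors.
GOOD_MBR = build_mbr([
    build_entry(0x80, 0x07, (0, 1, 1), (260, 254, 63), 63, 4_192_902),
    build_entry(0x00, 0x0B, (261, 0, 1), (391, 254, 63), 4_192_965, 2_104_515),
])

# The same table with the first entry's boot flag overwritten with 26h and its
# system ID zeroed: a constructed stand-in for the damage described above.
_bad = bytearray(GOOD_MBR)
_bad[TABLE_OFFSET] = 0x26
_bad[TABLE_OFFSET + 4] = 0x00
BAD_MBR = bytes(_bad)

if __name__ == "__main__":
    for name, mbr in (("intact", GOOD_MBR), ("damaged", BAD_MBR)):
        entries = parse_partition_table(mbr)
        for e in entries:
            print(name, e["slot"], e["type_name"], "LBA", e["lba_start"], "len", e["sectors"])
        print(name, "problems:", check_table(entries) or "none")
```

To use it on a real sector, feed `parse_partition_table` the 512 bytes DEBUG placed at 0200h (or the mbr.dat saved later in the article); running `check_table` on both sector 1 and the suspected copy in sector 2 is the quick way to decide whether the copy is the one to write back.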
So, with no MBR backup, the plan was to look through the hidden sectors of track 0 from sector 2 onward, find the backup MBR, and rebuild the MBR from its undamaged partition table. The read is the same as before with only the sector number changed:

    A:\>debug
    -a 100
    xxxx:0100 mov ax,0201    ; read one sector
    xxxx:0103 mov bx,0200    ; into the buffer at 0200 in the current segment
    xxxx:0106 mov cx,0002    ; cylinder 0, sector 2
    xxxx:0109 mov dx,0080    ; head 0, first hard disk
    xxxx:010C int 13         ; BIOS disk service
    xxxx:010E int 3          ; breakpoint
    xxxx:010F
    -g =100                  ; run the code above
    -d 380                   ; dump the backup partition table (sector offset 1BEh, buffer 03BEh)
Fortunately the virus writer still had a shred of conscience: the backup partition table had not been touched, so the main partition table could be rebuilt from it. Without leaving DEBUG (the buffer at 0200h still holds sector 2), two patched instructions turn the read into a write of sector 1:

    -a 100
    xxxx:0100 mov ax,0301    ; AH=03h write sectors, AL=01h one sector
    xxxx:0103
    -a 106
    xxxx:0106 mov cx,0001    ; cylinder 0, sector 1: the real MBR
    xxxx:0109
    -g =100                  ; mov bx, mov dx, int 13 and int 3 from before are still in place

Then read sector 1 back to check that the table is right:

    -a 100
    xxxx:0100 mov ax,0201    ; back to a read
    xxxx:0103
    -g =100
    -d 380                   ; partition table at 03BEh

Everything was normal. To be safe I also saved the MBR to a floppy:

    -r cx
    CX 0001
    :0200                    ; W takes the byte count from BX:CX; 0200h = 512 bytes
    -n a:\mbr.dat            ; name the output file
    -w 200                   ; write from offset 0200 to that file
    -q

One detail the transcript does not show: the read routine left BX=0200h, and W uses BX:CX as a 32-bit length, so BX must also be set to 0 (r bx, then 0) before W, or DEBUG will try to write 02000200h bytes to the floppy.

All of that went fine, but on reboot the same message came back: Non-System Disk, please insert a system disk. The problem was evidently bigger. I removed the hard disk and hung it as a slave on another machine running Windows 2000 Server. The partition showed up, but double-clicking it gave: "Cannot access D:\. $Volume is corrupted and cannot be read." So the virus was no small thing: under Windows 2000 Server it could go straight to the disk and modify the MFT, and its author's skill was not shallow. I ran chkdsk to try to repair $Volume, with no result. Fully restoring the server now looked unlikely, so the critical problem became recovering the database files, which was what my friend and I really cared about. He told me there were two important user databases on the machine, named Client1 and Client2, so all our attention went to those two. A SQL Server 2000 database is stored as a primary data file (extension .MDF) and a transaction log file (extension .LDF); the log records the changes applied to the data file, and attaching a database normally needs the pair. (If only the .MDF survives and the database was shut down cleanly, sp_attach_single_file_db can attach it and build a fresh log.)

Naturally the "king of data recovery", Recover (I used the RecoverNT version), was my first choice. It is quite simple to use; the one thing to note is that files read by Recover must not be restored onto the same hard disk, they must be written to another drive. Unfortunately, because the MFT was damaged, Recover could not read a single file from the D partition. Several retries changed nothing, and I had to take the disk home. There I resolved to study the Windows 2000 NTFS format properly. I had two books to hand, the MCSE study guide for Windows 2000 Server and the Chinese edition of Inside Microsoft Windows 2000, Third Edition (a book one regrets not having read earlier), and I also searched the Internet. After two days of concentrated study I had a bold idea, analysed it in detail, and arrived at a method I still find hard to believe. The climax: format the unreadable D drive (a high-level format, NOT a low-level one) and then read the files back with Recover. Why would I do such a thing? Let me explain slowly.
First, a word about how Windows file systems work. Windows supports FAT12, FAT16, FAT32 and NTFS. The three FAT variants can be treated as one family, FAT for short, and NTFS as another. A FAT volume, by the function of each region, is laid out as follows:

    1. the boot sector, which holds the DOS Boot Record (DBR), that is, the operating system's boot code and the volume parameters;
    2. the FAT (File Allocation Table), normally present twice, the second copy a backup of the first; its essential job is to store the pointers, chains of cluster numbers, that lead to each file's data (I come back to the idea of pointers when discussing NTFS);
    3. the root directory area (DIR);
    4. the data area, where the user's files actually live; it takes up most of the disk and is the part that matters most.

Now the basics of NTFS. On an NTFS volume everything is stored in files, including the structures used to locate and read files, the boot code, and the volume's own bookkeeping (the NTFS metadata). That is the NTFS principle: anything on the disk is a file. Keeping everything in files makes data easy to locate and maintain. Every file on the volume is described in an array of file records called the MFT (Master File Table), which is created by high-level formatting. A file record has a fixed size, 1 KB on Windows 2000 volumes regardless of cluster size; it plays the role of an inode on Linux. Records sit contiguously in the MFT and are numbered from 0. The first records describe the file system itself and are used only by the system; in NTFS they are called metadata.
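An added example (not code from the article) of how the MFT is found and read: the NTFS boot sector records the cluster numbers of $Mft and $MftMirr (the nfi dump further down lists the same two files), a file record is a fixed-size slot in that array, and $MftMirr supplies a fallback copy of the first four records when a record in $Mft is destroyed. The volume image is a constructed 512 KB toy and the helper names are mine; the field offsets are those of the Windows 2000 (NTFS 3.0) boot sector.

```python
"""Locate $Mft and $MftMirr from an NTFS boot sector and read a file record.

Added example, not code from the article. The volume image below is a
tiny constructed one (1024 sectors); offsets follow the Windows 2000
(NTFS 3.0) boot sector layout.
"""
import struct

SECTOR_SIZE = 512


def build_ntfs_boot_sector(bytes_per_sector, sectors_per_cluster, total_sectors,
                           mft_lcn, mftmirr_lcn, clusters_per_record):
    """A minimal boot sector: the BPB fields the driver needs, no boot code."""
    bs = bytearray(SECTOR_SIZE)
    bs[0:3] = b"\xEB\x52\x90"                       # jmp over the BPB
    bs[3:11] = b"NTFS    "                          # OEM ID
    struct.pack_into("<HB", bs, 0x0B, bytes_per_sector, sectors_per_cluster)
    bs[0x15] = 0xF8                                 # media descriptor: fixed disk
    struct.pack_into("<QQQ", bs, 0x28, total_sectors, mft_lcn, mftmirr_lcn)
    struct.pack_into("<b", bs, 0x40, clusters_per_record)
    struct.pack_into("<b", bs, 0x44, 1)             # clusters per index buffer
    bs[0x1FE:0x200] = b"\x55\xAA"
    return bytes(bs)


def parse_ntfs_boot_sector(sector):
    """Pull the geometry and the two MFT locations out of a boot sector."""
    if len(sector) != SECTOR_SIZE or sector[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("not a 512-byte boot sector with a 55AA signature")
    if sector[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not 'NTFS    ': not NTFS, or the sector was overwritten")
    bps, spc = struct.unpack_from("<HB", sector, 0x0B)
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    cpr = struct.unpack_from("<b", sector, 0x40)[0]
    # Negative n means a record is 2**(-n) bytes (usually -10, i.e. 1 KB);
    # a positive value is a cluster count.
    record_size = (1 << -cpr) if cpr < 0 else cpr * spc * bps
    cluster = spc * bps
    return {
        "bytes_per_sector": bps,
        "cluster_size": cluster,
        "total_sectors": total_sectors,
        "file_record_size": record_size,
        "mft_lcn": mft_lcn,
        "mft_byte_offset": mft_lcn * cluster,
        "mftmirr_lcn": mftmirr_lcn,
        "mftmirr_byte_offset": mftmirr_lcn * cluster,
        # total_sectors leaves out the last sector of the partition, which
        # holds the backup boot sector; so the backup is at this sector index.
        "backup_boot_sector": total_sectors,
    }


def read_file_record(image, info, n):
    """Return (source, record) for MFT record n, falling back to $MftMirr.

    $MftMirr holds copies of the first four records only ($Mft, $MftMirr,
    $LogFile, $Volume), so the fallback exists just for n < 4. A record is
    accepted only if it starts with the FILE magic.
    """
    size = info["file_record_size"]
    sources = [("$Mft", info["mft_byte_offset"])]
    if n < 4:
        sources.append(("$MftMirr", info["mftmirr_byte_offset"]))
    for name, base in sources:
        rec = image[base + n * size:base + (n + 1) * size]
        if rec[:4] == b"FILE":
            return name, bytes(rec)
    raise ValueError("file record %d is unreadable in every copy" % n)


def build_sample_volume():
    """Constructed 512 KB volume: boot sector, $Mft at LCN 16, $MftMirr at LCN 512,
    backup boot sector in the last sector. 512-byte clusters keep the image small."""
    bps, spc = 512, 1
    partition_sectors = 1024
    total = partition_sectors - 1
    mft_lcn, mirr_lcn = 16, 512
    image = bytearray(partition_sectors * bps)
    boot = build_ntfs_boot_sector(bps, spc, total, mft_lcn, mirr_lcn, -10)
    image[0:bps] = boot
    image[total * bps:(total + 1) * bps] = boot      # backup boot sector
    record = b"FILE".ljust(1024, b"\x00")            # header stub only
    for base in (mft_lcn * bps, mirr_lcn * bps):
        for i in range(4):
            image[base + i * 1024:base + (i + 1) * 1024] = record
    return bytes(image)


if __name__ == "__main__":
    image = build_sample_volume()
    info = parse_ntfs_boot_sector(image[:SECTOR_SIZE])
    print("record size", info["file_record_size"], "$Mft at byte", info["mft_byte_offset"])
    print("record 0 read from", read_file_record(image, info, 0)[0])
    # Smash record 0 in $Mft: a constructed stand-in for MFT damage.
    damaged = bytearray(image)
    damaged[info["mft_byte_offset"]:info["mft_byte_offset"] + 4] = b"BAAD"
    print("record 0 after damage read from", read_file_record(bytes(damaged), info, 0)[0])
```

On a real volume the same parser can be pointed at the last sector of the partition to read the backup boot sector when the primary one is unreadable, which is the first thing to check on a volume that refuses to mount.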
The important metadata files in the Windows 2000 NTFS master file table (record number, name, purpose):

    0   $Mft        the master file table itself
    1   $MftMirr    mirror of the first records of $Mft
    2   $LogFile    transaction log
    3   $Volume     volume name, NTFS version and dirty flag
    4   $AttrDef    attribute definitions
    5   .           root directory
    6   $Bitmap     cluster allocation bitmap
    7   $Boot       boot sector
    8   $BadClus    bad clusters
    9   $Secure     security descriptors
    10  $UpCase     uppercase mapping table
    11  $Extend     directory for further metadata ($Quota, $ObjId, $Reparse)

These names all begin with $ (the dollar sign) and the files are hidden: a dir command under Windows 2000, even with the /a switch, does not list them the way it lists ordinary files. In fact the file system driver NTFS.SYS keeps a system variable, NtfsProtectSystemFiles, to hide them. Microsoft does, however, ship an OEM support tool, nfi.exe, that dumps the on-disk layout of these metadata files (metadata being data stored on the volume to manage the file system format; applications cannot access it and it serves only the system). An example from my own machine:

    C:\>nfi d:
    File 0
    Master File Table ($Mft)
        $STANDARD_INFORMATION (resident)
        $FILE_NAME (resident)
        $DATA (nonresident)
            logical sectors 32-21151 (0x20-0x529f)
        $BITMAP (nonresident)
            logical sectors 16-19 (0x10-0x13)
    File 1
    Master File Table Mirror ($MftMirr)
        $STANDARD_INFORMATION (resident)
        $FILE_NAME (resident)
        $DATA (nonresident)
            logical sectors 2048284-2048291 (0x1f411c-0x1f4123)
    (the rest omitted for space)

These metadata files are what the file system driver needs to assemble the volume. Windows 2000 does not display every partition, only those carrying a file system it recognises, and what it recognises is the master file table, which a high-level format of the partition creates. You may well think: if the partition is formatted, is not everything on it gone? It looks that way; when I opened the freshly formatted D drive it was indeed empty. But it is well known that Windows locates a file's data on disk by cluster number. In FAT the pointers to cluster numbers are kept in the FAT table; in NTFS they are kept in the $Mft and $MftMirr files ($MftMirr is a backup of $Mft; if a record in $Mft is destroyed, NTFS reads it from $MftMirr; the locations of both files' data are recorded in the boot sector, and a copy of the boot sector sits at the end of the partition). Formatting rebuilt $Mft and $MftMirr, so the files could no longer be seen, but they had not really disappeared: their clusters were still on the media. Recover does not go by the cluster numbers recorded for the files; it reads the disk at a low level, through FCB-style (file control block) disk access rather than file-handle calls that go through the file system (the latter need the file system's help), and that is its strength. So when I read the D drive with Recover it took over an hour, but the four files I needed were found, and I saved them into the C:\MDF folder. Finally, in SQL Server 2000 Enterprise Manager, select the instance, right-click Databases, choose Attach Database, and point it at the data file (keep the primary data file and its log file in the same directory). Everything was OK, and my friend's customer data was back.

Two cautions belong here. A high-level format rewrites the boot sector, $Mft, $MftMirr, $LogFile, $Bitmap and the rest of the metadata at positions the format program chooses, not necessarily empty ones, so any user data that happened to occupy those clusters is lost for good; the bulk of the data area is untouched, which is why this worked at all. Before any step like this, take a sector-level image of the whole disk and work on the copy. And a file recovered by scanning raw sectors can be silently incomplete if it was fragmented, so after attaching, run DBCC CHECKDB on the database and make a fresh backup straight away.

Postscript:
1. As a database administrator, back up, and always be careful; do not end up like my friend.
2. I have not tried to give a specific recipe here; I only want to discuss a way of thinking about data recovery.
3. If virus writers would think of others rather than of a moment's thrill, they could put their considerable talent to constructive use.
4. Anyone with a different view of this article, please advise. Contact: wLbird@163.com