| Author | Message | ||
     Fawzi Masri |
Hello, I have a Laptop disk that went bad. I cannot seem to boot from it anymore. so i pulled it out to see if i can repair it using winHex. (I do have the forensic version, an overkill i think, but i have it now). So i plugged it into another laptop using a PCMCA-ATA connector from SimpleTech (Drivelink). Windows Storage management tools, finds the disk but cannot give it a letter, so i cannot view its content. WinHex however recognise the Device and finds that it is a Toshiba MK6021GAS with about 60Gigs. It also recognises 3 partitions as follows: - Partition 1 (14.0GB, NTFS, Lost?) - Partition 2 (41.9GB,NTFS, Lost) - Partition 3 (16.0GB,,) So here are my questions: 1- What does the above partition info "Lost" and "Lost?" mean? 2- Why can i see the content and even copy the content of Partition 2 to another drive without a problem, but not partiton 1 nor partition 3? 3- Why when i copy a directory from partition 2 to another drive, that directory is flattened and the hierarchy is lost? 4- Yesterday, i was able to see the directory structure of Partition 1, today i cannot. all i did since then is install the latest revision 12.6 instead of the one i used yesterday version 11.7 of winhex. is that the issue? 5- is there a way to fix this hard disk as a bootable windows XP pro drive?? 6- How can i search for Word files and store them on another computer as a back-up? i know that is a lot, but i am still new at this. if you think there are specific articles that would help if i read, please let me know where they are. i did go thru the knowledge base once. ok, thanks a lot. fawzi | ||
| Stefan Fleischmann (Admin) |
1) Means that these partitions were not referenced by the partition table in the MBR, but detected by WinHex with an extra effort only. 2) That I can't tell from remote for partition 1. Since the file system on partition 3 was not detected, it is normal that no files and directories are listed in the directory browser. 3) When you select a directory and select Recover/Copy, the hierarchy below that directory should be retained. If the directory itself is recreated in a path equivalent to its original path if Options | Directory Browser | [x] Recover/copy including path is enabled. 4) WinHex uses a different approach since v12.5. If the earlier approach worked better for Partition 1, then the file system in Partition 1 is obviously damaged and I recommend you use a version before v12.5 (e.g. v11.7 or v12.35) for that. 5) With sufficient knowledge about hard disk partitioning and the NTFS file system, depending on level of corruption and how much time you have, probably yes. 6) You can explore the root directory of a partition recursively and set the filename filter in Options | Directory Browser to *.doc. The Explore Recursively command is available in the context menu that appears when you right-click the root directory of a partition in the Case Data window (after it has been added as an evidence object). | ||
| Fawzi Masri |
Hi Stefan, thanks for your response above... where can i learn how to fix a defective boot sector (see point 5 above). I am hoping there is a paper on this that outlines the steps and information that one has to obtain before he can actually recover it? thanks, fawzi | ||
| Björn Ganster (Admin4) |
Repairing a boot sector is difficult. You should be very careful when attempting a repair. Please recover as many files as possible or create an image of the disk before attempting it. In order to recreate the boot sector, you have to fill in 0x1bd bytes of boot code. It should be possible to take this from any windows installation without a boot manager. Then follow 4 partition entries for the partitions, as documented on http://www.antionline.com/showthread.php?s=&threadid=232188. The final two bytes, 55h, aah, mark the partition sector as valid. You might want to use a program like TestDisk: http://www.cgsecurity.org/index.html?testdisk.html | ||
| Terry Greenwood (Greenwood) |
Providing the boot sector is not physically damaged and can be written to & read from, the simplest way is to use fdisk. If you have an old windows 98 boot/startup disk, boot from that and at the command line enter 'fdisk /mbr' This will write the first 446 bytes of the boot sector. It does not write any partition information. | ||
| fawzi masri |
Thanks for the response guys. I did make an image and bak'd up all data that i could see using winHex. one problem i have is that only winhex sees this drive. the power managment tools with windows, recognise that i have a new disk inserted (i use this pcmia gadget) but it cannot give it a number. will the fdisk/mbr still work in this case?? it seems to me this command, will only work if my corrupted HDD is the only HDD in the system, and also recognisable by the system as well, correct? fawzi | ||
| Terry Greenwood (Greenwood) |
I have just attached a disk (wiped with 00 in WinHex) to my system via a Promise ATA controller card. The disk shows up as Disk 1 and is labelled as 'Not Initialised'. If I right click where the label is, I get the option to 'Initialise Disk' which I believe does the same as fdisk. If you are not getting a Disk Number allocated, perhaps the PCMCIA connector is causing a problem. I would attach the hard disk directly to the motherboard if possible, or try a USB or Firewire caddy and try again. | ||
| fawzi masri |
Hi Terry, i just tried your suggestion. For some reason, the "initialize Disk" is not an option. All i get when i right click i get the following options: - Properties - New Partitions - Help i am not sure why now... any ideas what to do? thanks, fawzi | ||
| Terry Greenwood (Greenwood) |
Does the disk show up in the Disk Management window ? And does it get allocated a Disk Number ? (Your boot disk should be showing as Disk 0). What other ways of connecting the disk did you try ? | ||
| Fawzi Masri |
HI Terry, currently i am using this PCMCIA card from some company, i forgot the name right now. My disk appears as Disk 1 in the Disk Managment Window, but i am not able to assign a Character to it. so Disk0 is "C:", but Disk1 does not appear under Mycomputer, etc... and when i right click on it i do not see the intialize anymore, i only get what i showed in my previous email. any ideas? fawzi p.s. are you x-ways support, or another customer/user of x-ways? i don't want to bogg you down with my question, although much appriciated. | ||
| Terry Greenwood (Greenwood) |
I am a user of WinHex / X-Ways. I have been testing on an old disk. To rewrite the boot code you will need to edit the boot sector. Mark a block from offset 0 to offset 1BB then under the Edit menu, select Fill Block with 00. You then have to do the same for the last two bytes in the sector (55 AA) to remove the boot sector signature. Do not be tempted to simply wipe the whole 512 bytes as you need to retain the partition information which lies between offset 1BB and the boot sector signature. Make sure that these changes get written then reboot. Double check with WinHex that your changes were written. When you open the Disk Management window (if the wizard starts just cancel) right click in the grey area where the label Disk 1 is showing and you should then be able to initialize the disk. | ||
| Fawz Masri |
Hi Terry, Thanks a lot for the detailed info... i will give it a shot. Fawzi | ||
| Fawzi Masri (Fawzi_Masri) |
Hi Terry, I finaly got around to initialize the disk. i put the "00" where you have asked me to do so, and initialized the disk. however, i was not able to assign a letter to it. I looked at it in WinHex, and i found that it now has similar stuff to what it did before, nameley the last sentence in the sector that i can read is "Invalid partition table Error loading operating system Missing operating system" I did double check that i had "00" there before. so it must have come up because of initializing the disk. so the question i have if winhex can see 2 partitions on my disk, why can't the PC do the same? And how can i leverage winhex to figure out what to put in the partition table? any ideas, fawzi | ||
| Stefan Fleischmann (Admin) |
> And how can i leverage winhex to figure out what to put > in the partition table? WinHex can't/won't do that itself, sorry, only the user can do that, with the help of the partition table template. | ||
| Terry Greenwood (Greenwood) |
It is theoretically possible to manually insert the hex codes for the partition information BUT you have to know the exact number of sectors that were in each partition. Also, unless you had a backup copy of the boot sector, it is not easy to determine whether the information about the partitions was correct or had been corrupted somehow. You might want to check the Microsoft knowledge base for causes of the 'Invalid Partition Table' error or check the disk with something like Partition Magic which may give a more understandable error message. | ||
| Ashish Username: ashish Registered: N/A |
Hi, I have 3 logical drives on my system namely C, D and E. I have a dual booting system with Win98 installed on C and WinXp installed on E. Sometime back I got an error while booting the system for drive E. I thoroughly scanned drive E and it was done successfully. When I tried to do the standard scan fro C, D, and E together it said there are errors on drive C:. so then together I did thorough scan on drive C:, D: and E. (In Win98 OS). scanning on drive C completed successfully but when it was scanning for drive D:. Scandisk programme and the m\c got hanged. When I reboot the system, I was no longer able to boot from Win98 OS. I tried then OS WINXP (which is installed on drive E) and it worked. When I tried to access the drive C: in winXp it gives me an error "Data Error (Consistancy Check required)" and am unable to access the drive C:. When checked for the drive C: in it property then instead of file sytem= FAT it shows RAW and used space and free space is shown as zero. How should I recover my C: drive...?? Please help Thank Ashish | ||
| Steven Young Username: stevenbnh Registered: N/A |
Hello Stefan, I have also experienced an issue similar to Ahsish. I have a dual boot system, with a physically separate second boot drive. Both drives are Windows XP, with the second drive with just the original XP SP1 installation. No antivirus, network connection, used only to image my primary system drive. Running Winhex 14.1 specialist license. I don't believe my problem is with Winhex, but with Windows possibly accessing the drive. To perform the image I boot from the second drive. Then I remove the drive from Windows using the MOUNTVOL [Drive:] /D command. The drive is no longer visible in Windows Explorer. I then perform a restore image of the raw backup image (.001) file. All appears to go well, with Winhex reporting that 77K sectors were copied. Then I compare my image with the disk. On several occassions I have found a mismatch, I then copy from the image file where the first mismatch occurs +200K bytes and compare again. In most instances the problem is resolved with re-writing these bytes. There is nothing significant about the 200K, as I stop the compare as soon as I see one error. After having a successful compare of the disk and image file I reboot the system and get the "Data Error(Consistancy Check Require)" mentioned previously by Ashish. Since the logical drive has been removed with the Mountvol command, I can only write the image file to disk using the physical media. I tried using a BartPE boot CD and experienced the same issue. Another reason I feel this is somehow related to Windows is when I don't perform the compare, or when I just copy the 200K bytes I don't have the problem. It seems that the longer the Windows OS has to check around the more likely I am to have the problem. To speed up the checking process I also use the CRC32 hash. When the hash matches my original image, I feel the disk should be operating as normal, but still have the same problem of my drive being corrupt. I would be willing to try the Replica cloning app, but am not sure about how to name the file on the destination drive. Since I am running NTFS the boot floppy running DOS cannot access these disks and I don't want to chance overwriting my data. Thank you, Steve | ||
| Stefan Fleischmann Username: admin Registered: 1-2001 |
Sorry, cannot explain this. Usually the buffering performed by Windows is deactivated when unloading the drive letter. > Since the logical drive has been removed with the > Mountvol command, I can only write the image file to disk > using the physical media. BTW, in WinHex you can open the partition from within the physical disk and can then select that partition as the destination even if it does not have a drive letter associated. | ||
| Steven Young Username: stevenbnh Registered: N/A |
Hello Stefan, I wanted to follow-up on this issue as I now believe the cause of my problem was some intermittent bad memory. In my testing after this post I found that when the system was completely shutdown, after performing the restore, the CRC32 matches when the system was rebooted. This was also unexplainable. System was up-to-date on drivers, BIOS, OS patches etc. After getting hit wih some system crashes recently, the system error messages pointed me in the direction of RAM issues. After 20hrs of testing the RAM, issues were finally discovered. Although I had performed periodic checks of the system RAM previously, the duration of the tests were less than 12 hours. Steve | ||
| Stefan Fleischmann Username: admin Registered: 1-2001 |
Thanks for that information. |