| Author | Message | ||
     greg@knfcon.com (Gfordham) |
I am examing a drive whose MBR and VBS have been altered, presumably to confuse my examination tools or hide data. When I open the physical disk the details panel displays a reasonble although probably incorrect CHS value. The template for NTFS VBS shows totally illogical values. For example, the details panel reports 255 heads but the template reports 20486 for the drive I am examining. Similarly, details panel reports 63 sectors per track while the template reports 24504 sectors per track. FYI, I am positioned on the first byte of sector 63 when initializing the template. So, which is right? Where is the details panel getting its values from? | ||
| Stefan Fleischmann (Admin) |
By VBS you apparently mean a boot sector. (What is the "V" supposed to mean?) > So, which is right? From an engineering point of view, maybe none. The actual internal hard disk layout may differ. However, what you see in the details panel is probably more reasonable and correct. > Where is the details panel getting its values from? Depending on what Windows version you are running WinHex on, either from the BIOS (9x/Me) or the operating system (NT/2000/XP). Anyway, the C/H/S values are not that important. What really counts for the partition layout AFAIK is the total number of sectors preceding a partition and the total length of a partition in sectors. | ||
| rjohnson |
(What is the "V" supposed to mean?) "Volume" (speaking on Greg's behalf) | ||
| greg@knfcon.com (Gfordham) |
Yes, the "V" means volume. I am running Win Hex on Win2000. And this is a large drive so I realize that CHS is somewhat a contrived value with respect to heads and cylinders. So, are you saying that the details panel performs a calculation based on lengths of MBR and each partition or that it gets the values from the operating system that is performing a calculation? If so, what does either use for sectors per track or heads in order to calculate cylinders? Does it use any of the data stored in either the MBR or VBS for sectors per track or does it simply use the expected 63 and 255? | ||
| Stefan Fleischmann (Admin) |
WinHex gets the values from the operating system. Not sure what kind of calculation you are referring to. The number of headers or sectors per track are not actually needed. I don't know whether or not the operating system uses them. | ||
| greg@knfcon.com (Gfordham) |
Doesn't sectors per track * heads * cylinders = total sectors? So, if you know total sectors, sectors per track and heads aren't you (operating system/BIOS) solving for cylinders? | ||
| Stefan Fleischmann (Admin) |
> Doesn't sectors per track * heads * cylinders = total sectors? There may be additional sectors at the end of the disk, not used by the operating system or any partition, that WinHex designates as surplus sectors. > So, if you know total sectors, sectors per > track and heads aren't you (operating > system/BIOS) solving for cylinders? Certainly not WinHex, and I would have no idea why the operating system or BIOS should calculate the number of cylinders like that. It can be obtained from the hard disk if indeed required for whatever reason. | ||
| greg@knfcon.com (Gfordham) |
the point on surplus sectors is well taken. It is my understanding that drives contain surplus sectors so that they can be mapped in should others fail. In other words after formatting a drive you actually get a drive having the capacity advertised instead of something less as a result of bad sectors. Aren't these extra sectors over and above the CHS or LBA of the drive and not used for data storage until after failure of another? Back to the details panel CHS, though. Previously I thought that you indicated WinHex received these values from the O/S or BIOS. Where do they get these values from? Are they not taken from the MBR, VBS and through a calculation since I do not see a value for cylinders in your templates for MBR and VBS? And if the values are wrong on the disk in the MBR and VBS, where would the O/S or BIOS get the correct values? | ||
| Stefan Fleischmann (Admin) |
> It is my understanding that drives contain > surplus sectors so that they can be mapped in > should others fail. This is yet another concept and is not related to what WinHex calls surplus sectors. If you manually adjust a partition such that it occupies the surplus sectors as well, they can be used like all other sectors can. It's just that by default partitions do not make use of them. There is nothing magic about surplus sectors. > Where do they get these values from? From the hardware, of course. > Are they not taken from the MBR, VBS No, absolutely not. When you buy a brand-new hard disk with no MBR and no boot sector, according to your assumption the BIOS and the operating system would never have a chance to know the CHS values... It is in fact the operating system itself (or a specialized utility, for that matter) that writes the MBR or a boot sector, so it cannot possibly depend on an existing MBR or boot sector. Besides, the MBR and a boot sector do not even contain these values. They may tell you something about the CHS values of a certain partition, but not the CHS values of the hard disk as such. > I do not see a value for cylinders in your > templates for MBR and VBS? There are entries for start and end cylinders in the MBR's partition table (even if they are not required just for the partition layout, as I wrote above already). There is no cylinder value in a boot sector. The file system does not need to know at all. It does not care about what kind of physical device the sectors it occupies belong to (floppy disk, hard disk, memory card, USB stick, ...), so why should it need to know the internal structure of a hard disk. > And if the values are wrong on the disk in the MBR and VBS (There are no such values describing the entire hard disk in either the MBR or a boot sector.) > where would the O/S or BIOS get the correct values? By asking the hardware. | ||
| greg@knfcon.com (Gfordham) |
Yeah, I guess you got me in a brain dead moment. How would it know sizes before formatting???? Well at least now I know why the details panel has what it has. Now I can try and figure out how the sector size in the in VBS got to be 35000; how the number of sectors in the first partition is many multiples of the total sectors on this drive; and how all the unused sections of your template got populated with values, (just to mention a few of the oddities) and how all of this is impeding analysis and recovery. On another drive with similar quirks, I have located about 1,600 FAT directories but they do not seem to line up at the start of clusters even though they line-up with the start of sectors. With my 11.2 WinHex license I was not able to get a recovery to Excel of the file and folder list. Has 11.5 been improved such that this data could easily be recovered even with the kinds of anamolies I have described? | ||
| Stefan Fleischmann (Admin) |
Both WinHex 11.2's and 11.5's "Create Drive Contents Table" commands are able to list files and directories in orphaned sector- but not cluster-aligned subdirectories if "[x] Particularly thorough search" is enabled. | ||
| greg@knfcon.com (Gfordham) |
Here's the rub. Create Drive Contents only appears when I am working with logical drives. There is no logical drive for this drive. Of course there are values in the MBR and VBS but WinHex does not detect a logical drive. FYI, the MBR appears acceptable but the VBS is wacky. Why can't Create Drive Contents just scan the physical disk? The Help system indicates that it is looking for directories that might have been orphaned after resizing the partition. | ||
| Alan Harper (Sonicbuster) |
Surplus sectors do not begin where I expect them to. I am examining a disk with three partitions. The disk has 80,293,248 sectors. The last partition begins at sector 72,340,695 and continues for 5,767,335 sectors. This means that the next unallocated (surplus) sector should be 78,108,030, but WinHex reports the beginning of the surplus sectors at sector 80,292,870. Is this a WinHex bug? Here are the key sector values according to the WinHex partition table template: P1: Sectors preceeding = 63; P1 sectors = 112,392 P2: Sectors preceeding = 112,455; P2 sectors = 72,228,240 P3: Sectors preceeding = 72,340,695; P3 sect = 5,767,335 P4: Not defined | ||
| Jens Kirschner (Admin3) |
No, this is no bug. What you found in the table is the end of the currently allocated clusters, what "surplus sectors" in WinHex really means, though, is the sectors that are not even allocatable, because they do not add up to a full cylinder/head/track entity. The beginning of the surplus sectors for a given hard drive never changes and has nothing to do with currently allocated partitions. | ||
| Stefan Fleischmann (Admin) |
If you are interested in information on inter-partition gaps and unpartitioned space, try Specialist | Media Details Report instead. | ||
| Paul Mullen (Pcguru) |
So "Surplus Sectors" really means sectors which Microsoft's formatting tools don't bother to use. Since any disk partition that extends beyond 8 Gb has to use LBA addressing and not CHS (it would exceed the maximum cylinder number), there is absolutely no reason why a partition that starts beyond 8 Gb should be constrained by cylinder boundaries. Cylinders heads and sectors are a totally artificial concept anyway for all IDE drives - just a hangover from the early days of hard drives. I'm guessing that the only reason Microsoft still use Cylinders is that the NT boot sector loader code, still used in XP, is still based on cylinders heads and sectors. That is why you get a boot error if the first partition's boot sector has an incorrect number of heads. This means that the partition NTLDR is loaded from has to start on a cylinder boundary and below the 8 Gb limit. | ||
| Stefan Fleischmann (Admin) |
Yes, a relict from ancient times. |