Recovery of Damaged MBR on WinXP SP3 Partition
Posted: 31 Jan 2021, 04:31
--- Background ---
- Using testdisk-7.2-WIP.win64
- HDD is Maxtor DiamondMax Plus 9 120GB ATA/133
- Original OS is WinXP Pro, likely SP3 with `EFS` directories
- Image snapshot made after failure
--- Operational status ---
HDD used with single partition for many years as primary OS/disc. Transferred data to new computer and backups of most files are *probably* intact. However, confirmation is desired. HDD was booted in original or similar computer. HDD would not boot and ended in blue screen error. Upon reboot the error ```No bootable drive present``` was displayed.
--- Mistake: Snapshot of drive in initial state was not captured ---
Rather than initially booting in an enclosure and capturing a disk image, the drive was booted in a machine of similar configuration to the original. After the disk error, the machine was powered off and transferred to an external enclosure on a separate machine. This initial boot after years of storage may have damaged the MBR or boot files after initial access.
On powering up in the external enclosure and connected to a Win10 machine, the OS detected the drive as RAW and unformatted. Additionally, the drive appeared to be producing 'click of death' sounds during read operations.
In an attempt to preserve data on the drive, an image was created resulting in an `image.dd` file that was approximately the size of the original drive (120GB) and a log file is available and will be posted next. Once the image was created the original drive was powered down and all operations were attempted on a copy of the image file. As the volume contains encrypted directories which are the user directories with files, I don't believe that PhotoRec would be able to recover those files.
Both `initial scan` and `deeper scan` have revealed no correct partitions. I believe that the attempt to boot the drive caused some type of error which has destroyed MBR and partition data that TestDisk would ordinarily use to recover files. Initially loading TestDisk and providing the `image.dd` file as a parameter have shown three odd sectors when I think there should be one. I cannot tell if some partitions are supposed to be related to the above EFS directories as I do not have the technical background to understand how EFS directories were stored. The partitions are listed as ```Sys=72, Sys=74, and Netware 3.11+```. But, none of the detected values seem to make sense. Image of detected values available.
A quick search has revealed no partitions found.
A deeper search has revealed no partitions found.
--- Questions ---
Am I missing a setting to properly indicate how TestDisk should analyze the disk image?
While further disk damage is possible if repeated, is there another setting or method that would have captured a better image making recovery more likely?
Can I make a copy of the image file and force write an NTFS partition assuming the entire volume was one partition?
If the correct values for writing an NTFS partition cannot be guessed then would it be possible, even if time consuming, to script brute forcing the values in some way?
Is there a way to directly mount the image file as a virtual drive and use Windows utilities, or others, to restore the partition?
Similar to the previous question, could I write the image file directly to a virtual drive and attempt other recovery methods?
If operating from a bootdisk, restarting makes sense. But, if an image file (image.dd) is being changed is a computer reboot really required?
Within a different OS is quitting TestDisk and restarting the whole computer really required?
Or will restarting the program itself be enough?
--- Learning ---
I am far out of my depth here so this is for my own learning.
When an MBR/partition are created isn't that related to disk geometry? So, if I partitioned the same disk using a specific geometry and file system, wouldn't I get the same values each time? I'm trying to understand why if I have some known values about the disk, a single partition and file system, that I can't predict where files and structure are stored. It seems like if that were possible that TestDisk would have already done that so I want to learn what the challenges are.
- Using testdisk-7.2-WIP.win64
- HDD is Maxtor DiamondMax Plus 9 120GB ATA/133
- Original OS is WinXP Pro, likely SP3 with `EFS` directories
- Image snapshot made after failure
--- Operational status ---
HDD used with single partition for many years as primary OS/disc. Transferred data to new computer and backups of most files are *probably* intact. However, confirmation is desired. HDD was booted in original or similar computer. HDD would not boot and ended in blue screen error. Upon reboot the error ```No bootable drive present``` was displayed.
--- Mistake: Snapshot of drive in initial state was not captured ---
Rather than initially booting in an enclosure and capturing a disk image, the drive was booted in a machine of similar configuration to the original. After the disk error, the machine was powered off and transferred to an external enclosure on a separate machine. This initial boot after years of storage may have damaged the MBR or boot files after initial access.
On powering up in the external enclosure and connected to a Win10 machine, the OS detected the drive as RAW and unformatted. Additionally, the drive appeared to be producing 'click of death' sounds during read operations.
In an attempt to preserve data on the drive, an image was created resulting in an `image.dd` file that was approximately the size of the original drive (120GB) and a log file is available and will be posted next. Once the image was created the original drive was powered down and all operations were attempted on a copy of the image file. As the volume contains encrypted directories which are the user directories with files, I don't believe that PhotoRec would be able to recover those files.
Both `initial scan` and `deeper scan` have revealed no correct partitions. I believe that the attempt to boot the drive caused some type of error which has destroyed MBR and partition data that TestDisk would ordinarily use to recover files. Initially loading TestDisk and providing the `image.dd` file as a parameter have shown three odd sectors when I think there should be one. I cannot tell if some partitions are supposed to be related to the above EFS directories as I do not have the technical background to understand how EFS directories were stored. The partitions are listed as ```Sys=72, Sys=74, and Netware 3.11+```. But, none of the detected values seem to make sense. Image of detected values available.
A quick search has revealed no partitions found.
A deeper search has revealed no partitions found.
--- Questions ---
Am I missing a setting to properly indicate how TestDisk should analyze the disk image?
While further disk damage is possible if repeated, is there another setting or method that would have captured a better image making recovery more likely?
Can I make a copy of the image file and force write an NTFS partition assuming the entire volume was one partition?
If the correct values for writing an NTFS partition cannot be guessed then would it be possible, even if time consuming, to script brute forcing the values in some way?
Is there a way to directly mount the image file as a virtual drive and use Windows utilities, or others, to restore the partition?
Similar to the previous question, could I write the image file directly to a virtual drive and attempt other recovery methods?
If operating from a bootdisk, restarting makes sense. But, if an image file (image.dd) is being changed is a computer reboot really required?
Within a different OS is quitting TestDisk and restarting the whole computer really required?
Or will restarting the program itself be enough?
--- Learning ---
I am far out of my depth here so this is for my own learning.
When an MBR/partition are created isn't that related to disk geometry? So, if I partitioned the same disk using a specific geometry and file system, wouldn't I get the same values each time? I'm trying to understand why if I have some known values about the disk, a single partition and file system, that I can't predict where files and structure are stored. It seems like if that were possible that TestDisk would have already done that so I want to learn what the challenges are.