Basic data recovery knowledge

When it comes to data recovery, we can't help but mention the hard disk data structure, file storage principles, and even the operating system startup process. These are the basic knowledge you have to take advantage of when restoring hard disk data. Even if you do not need to recover data and understand this knowledge (even if you only know a little more), it is very helpful for your usual computer operations and applications.
Let's start with the hard disk data structure ......
Hard Disk Data Structure
We can't use a hard disk when we buy it. You need to partition and format it before installing the operating system. Take the Win9x/me series that we have been using until now, we generally want to divide the hard disk into five parts: the Main Boot Sector, the Operating System Boot Sector, fat, Dir, and data (only the Main Boot Sector is unique, others increase with the increase in the number of partitions ).
Primary Boot Sector
The primary Boot Sector is located in the zero track, zero cylinder, and one sector of the entire hard disk, including the hard disk primary Boot Record MBR (Main Boot Record) and Partition Table DPT (Disk Partition Table ). The primary Boot Record is used to check whether the partition table is correct and which partition is the boot partition. Program At the end, the Startup Program (that is, the operating system boot sector) of the partition is transferred to the memory for execution. As for the partition table, many people know that the start mark is 80 h or 00 h, and the end mark is 55aah, Which is 64 bytes in total and is located at the end of the local slice. It is worth mentioning that MBR is generated by a partition program (such as DoS fdisk.exe). This sector may be different for different operating systems. If you have this intention, you can write one by yourself, as long as it can complete the aforementioned task, which is also the reason for implementing multi-system startup: A lot of boot zone viruses occur because the primary Boot Record is easy to write ).
Operating System Boot Sector
Obr (OS Boot Record) is the operating system boot sector, usually located in the hard disk's 0 track 1 cylindrical 1 Sector (this is for DOS, systems that are started in Multi-boot mode are located in the first sector of the corresponding primary/extended partition), which is the first sector that the operating system can directly access, it also includes a Bootstrap program and a local partition parameter record table called BPB (BiOS parameter block. In fact, each logical partition has an obr. Its parameters vary depending on the partition size and operating system category. The main task of the Bootstrap program is to determine whether the first two files in the root directory of the partition are operating system boot files (such as msdos or Win9x/me Io originating from msdos. sys and msdos. sys ). If so, read the first file into the memory and grant control to the file. The BPB parameter block records the starting sector, ending sector, file storage format, hard disk media descriptor, root directory size, fat number, and allocation unit (Allocation unit, also called a cluster) of the current partition). Obr is generated by an advanced formatter (for example, DOS format.com ).
File Allocation Table
Fat (File Allocation Table) is a file allocation table in the DOS/Win9x system. For data security, fat generally performs two backups, and the second fat is the first fat backup, the size of the fat area is determined by the size of the partition and the size of the file allocation unit. There have always been many options for the fat format. Microsoft's DOS and Windows use the fat12, fat16, and FAT32 formats we are familiar with, but there is no other format of fat, such as Windows NT, OS/2, Unix/Linux, and Novell all have their own file management methods.
Directory Area
DIR is short for directory, which is the root directory. After the second fat table, Dir cannot locate the file on the disk only when it is fat, fat must also work with dir to locate the file accurately. Dir records the Starting Unit (this is the most important) of each file (directory) and the attributes of the file. When locating the file location, the operating system can know the specific location and size of the file on the disk based on the starting unit in the Dir and the fat table. After the Dir area, it is the real data storage area, that is, the data area.
Data Zone
Although data occupies the vast majority of the hard disk space, it does not have the previous parts. For us, it can only be some boring binary Code . Here, we usually refer to formatting programs (Advanced formatting, for example, the format program under DOS) without clearing data in the data area, only the fat table is overwritten. As for partition hard disks, only MBR and obr are modified. The data in most data areas is not changed, this is why many hard disk data can be repaired. But even so, if one of MBR/obr/fat/DIR is damaged, it is enough for the so-called DIY birds to be busy for a long time ...... Please note that if you organize disks frequently, the data in your data zone may be continuous, even if MBR/fat/DIR is all broken, we can also use the disk editing software (such as diskedit in DOS). As long as we find the initial storage location of a file, the file may be recovered (of course, this requires a premise, that is, you did not overwrite this file ......).
Hard Disk partitioning
We usually talk about three partition concepts: Primary partition, extended partition, and logical partition.
The primary partition is a relatively simple partition, usually located in the first area of the hard disk, forming a logical C disk. Other logical disks cannot be created in the primary partition.
The concept of extended partitions is complicated, which is also the main cause of confusion between partitions and logical disks. Since the hard disk only saves 64 bytes of storage space for the partition table, and the parameters of each partition occupy 16 bytes, the data in the master boot sector can store a total of 4 partitions. The operating system can only store data in four partitions. If a logical disk is a partition, the system can only store four logical disks. For specific applications, four logical disks cannot meet the actual needs. To create more logical disks for the operating system, the system introduces the concept of extended partitions.
The so-called extended partition is not actually a partition. It is just a pointer to the next partition. This pointer structure will form a one-way linked list. In this way, in addition to the primary partition, only the partition data called the extended partition needs to be stored in the primary Boot Sector, the data of this extended partition can be used to locate the starting position of the next partition (which is actually the next logical disk), and then all the partitions can be found. No matter how many logical disks are created in the system, you can find each Logical Disk one by one in the primary boot sector using the parameters of an extended partition.
Note that each partition after the primary partition is linked through a one-way linked list structure. Therefore, if a problem occurs in the one-way linked list, the Logical Disk may be lost.
Data Storage Principles
Since we want to recover data, of course, we can't help but mention the data storage principle. Here, we also want to introduce the problems related to data deletion and hard disk formatting ......
File Reading
The operating system reads the file information from the directory area (including the file name, suffix name, file size, modification date, and the cluster number of the first cluster of the file stored in the data area ), let's assume that the first cluster number is 0023.
The operating system reads the corresponding data from the 0023 cluster, and then finds the fat 0023 unit. If the content is a file end sign (ff), the file ends, otherwise, repeat the cluster number of the next cluster where the data is stored until the end of the file is reached.
File writing
When we want to save the file, the operating system first finds the relevant information such as the name, size, and Creation Time of the Empty Area written in the Dir area, and then finds the idle space in the data area to save the file, write the first cluster in the data area to the Dir area. The other actions are similar to the read actions above.
File Deletion
After reading and writing the previous files, you may not have the confidence to continue reading them. However, it is very easy to delete Win9x files, simply a small change is made only in the directory area. Changing the first character of the file in the directory area to E5 indicates that the file is deleted.
A small description of fdisk and format
Similar to deleting a file, you can use fdisk to delete a partition and format the Logical Disk. (assume that the unconditional format parameter/u is not used during formatting) data is not directly deleted from the Data Partition. The former only changes the partition table, and the latter only modifies the fat table. Therefore, the deleted partitions and incorrectly formatted hard disks are completely possible to be restored ......
System Startup Process
Different Operating System Startup processes are different. Here we use the Win9x/DOS Startup Process as an example.
Phase 1: system power-on self-check post process. Post is the abbreviation of power on self test, that is, power-on self-check. The microcomputer executes the program at the memory ffff0h (here is a fixed Rom program ), checks system hardware (including memory.
Stage 2: Read partition records and boot records. After the computer detects that the hardware is normal and consistent with the CMOS settings, start the device from the corresponding device according to the CMOS settings (we assume that the disk is started here) and read the partition record of the hard disk (DPT) and the Master Boot Record (MBR ).
Stage 3: Read the DOS Boot Record. After the microcomputer correctly reads the partition record and the Master Guide record, if the master guide record and the partition table are correctly verified, execute the primary Boot Record and further read the DOS Boot Record (located in the first sector of each primary partition), and then execute the DOS Boot Record.
Stage 4: Load implicit system files. The hidden file IO of the DOS system. sys enters the memory and loads the basic file system fat. At this time, Starting Windows 9x... io. sys sets Ms. sys reads data into the memory and processes the system. dat and user. DAT file to load the disk compression program.
Stage 5: Real DOS mode configuration. After the system implicit file is loaded, the microcomputer executes the system hidden file, runs the system configuration file (config. sys), and loads various drivers defined in config. sys.
Stage 6: Call the command interpreter (command.com ). The system loads command management programs to coordinate and manage various operating commands of the system (the Internal commands such as Dir and copy we use are provided by command.com ).
Stage 7: Execute the batch processing file (autoexec. BAT ). The microcomputer will execute each command in the batch processing file step by step.
Stage 8: Load win.com. Win.com is responsible for executing various drivers and startup execution files in windows.
The basic knowledge of data recovery is almost introduced here. If you understand the above knowledge, I believe that with the help of tools and software, it is easy to restore your lost data.