MATERIALS: basic data recovery knowledge

Source: Internet
Author: User

Data is the most critical thing on a computer, and losing data is the biggest loss. Below I explain some basic data recovery knowledge.
First of all, for important data, backing up is the fundamental way to prevent data loss. Data recovery depends on many factors, and it is difficult to recover data completely. Generally, only part of the data can be recovered.
Data recovery means recovering data lost through events such as deleting a file or folder, reformatting a disk, or re-partitioning a disk. Even more serious data loss occurs when the storage media hardware is damaged: for example, the hard disk breaks down unexpectedly, the hard disk is not recognized, or the hard disk has a large number of bad sectors. One of the most important points is that, once you realize data has been lost, you should immediately stop all unnecessary operations. After an accidental deletion or format, do not write data to the disk! After the disk breaks down, do not power it up again! If the disk cannot be read because of bad sectors, do not read it repeatedly.
Hard disk faults can be divided into two categories: hard faults and soft faults. A hard fault is caused by damage to the hard drive's mechanical parts or electronic components: damage to the PCBA board, scratches on the platters, burnt chips and other components, broken pins, damage to the head voice coil motor, and so on. Severe vibration, frequent shutdowns, short circuits, unstable supply voltage, and similar conditions easily lead to physical hard disk faults. Hardware faults generally show up as the hard disk not being recognized by CMOS, often accompanied by a repeated clicking sound of the head assembly knocking, a motor that does not spin, no sound after power-on, head problems that cause read and write errors, and so on. In most of the situations described above, the disk is generally sent to a dedicated data recovery center for diagnosis and data recovery.
A hard disk soft fault is a failure of the data structures on the hard disk for some reason, such as a virus that scrambles the on-disk data structures or even makes them unrecognizable. Generally, any fault in which the hard disk parameters can still be detected by the IDE HDD Auto Detection function of the motherboard BIOS is a soft fault. In general, the system displays prompts on the screen when the hard disk fails, so the cause of the fault can be found from those prompts and a targeted solution applied. Soft faults include accidental partitioning, accidental formatting, accidental deletion, accidental cloning, MBR loss, boot sector loss, virus damage, hacker attacks, loss of partition information, data loss caused by failure of RAID0, RAID1, or RAID5 disk arrays, and other factors. Soft faults are easier to repair than physical faults, and the degree of data damage is lighter than with physical faults.
The following describes how to recover data after a soft fault occurs on a hard disk. Some of the principles also apply to recovering data from USB disks and CDs.

Basic knowledge: introduction to hard disks, partitions, and file systems

Hard Disk Internal Structure

There have been a lot of articles on hard disk structure, but explaining it fully would take more than a book, so I won't go into detail here.
The most basic components of a hard disk are rigid metal platters coated with a magnetic medium. The number of platters varies with the disk capacity. Each platter has two sides, and both can record information. A platter surface is divided into many sector-shaped areas, each of which is called a sector. Each sector can store 128 × 2^n (n = 0, 1, 2, 3) bytes. In DOS, each sector is 128 × 2^2 = 512 bytes. The concentric circles of different radius centered on the middle of the platter are called tracks. In a hard disk, the tracks of the same radius on the different platters together form a cylinder. Tracks and cylinders are both circles of different radius, and in many cases the two terms can be used interchangeably. Each platter has two sides and each side has a head, so the sides are customarily distinguished by head number. The sector, track (or cylinder), and head numbers constitute the basic parameters of the hard disk structure. Old hard drives use the CHS (Cylinder/Head/Sector) architecture. Long ago, when disk capacity was very small, hard disks were built with a structure similar to that of a floppy disk: every track of the hard disk has the same number of sectors. This gave rise to the so-called 3D parameters (disk geometry), namely the number of heads, the number of cylinders, and the number of sectors, together with the corresponding 3D addressing method. New hard disks no longer use this structure but a more rational one: hard disks are now linearly addressed, that is, accessed directly by sector number. Hard disks below GB use 32-bit integers as sector numbers; for hard disks larger than GB, a 48-bit integer is used as the sector number.

CHS Architecture

Here, the number of heads indicates how many heads the hard disk has in total, that is, the number of disk surfaces; the maximum is 255 (stored in 8 binary bits). The number of cylinders indicates the number of tracks on each disk surface; the maximum is 1023 (stored in 10 binary bits). The number of sectors indicates how many sectors each track has; the maximum is 63 (stored in 6 binary bits). Each sector is generally 512 bytes. In theory any value could be used, but no other value seems to be found in practice. Therefore, the maximum disk capacity is:

255 × 1023 × 63 × 512/1048576 = 8024 MB (1 M = 1048576 Bytes)

Or, in the units commonly used by hard disk vendors:

255 × 1023 × 63 × 512/1000000 = 8414 MB (1 M = 1000000 Bytes)

Because every track has the same number of sectors in the CHS structure of old hard disks, the recording density of the outer tracks is much lower than that of the inner tracks, which wastes a lot of disk space (the same is true for floppy disks). To increase capacity further, hard disk manufacturers now build disks with a constant-density structure: every sector occupies the same length of track, so the outer tracks hold more sectors than the inner ones. With this structure the hard disk no longer has real 3D parameters, and the addressing mode changes to linear addressing, that is, addressing in units of sectors. To stay compatible with old software that uses 3D addressing (such as software using the BIOS Int 13H interface), vendors usually build an address translator into the hard disk controller, which translates the old 3D parameters into the new linear parameters. This is also why a hard disk can now have several sets of 3D parameters to choose from (different working modes, such as LBA, LARGE, and NORMAL, correspond to different 3D parameters). As disk density increases, mechanisms grow more complex, and functions and speed improve, today's hard disks all set aside a fairly large part of the disk capacity as a region called the "system reserved area", used to store various information, parameters, and control programs of the hard disk; some even place the hard disk's firmware in the system reserved area (this information was originally stored in a chip on the hard disk's control board). Although this simplifies the production process, speeds up production, and reduces production costs, it also greatly increases the probability of fatal damage to the hard disk and shortens its service life.

Principles and Methods of data recovery

When a hard disk fault is detected and data needs to be recovered, the first step is to determine the cause of the fault and the extent of the data damage.
The correct recovery steps can be taken only once the extent of disk damage and the cause of the fault are clearly identified:

Internal hard disk failure. This usually shows up as CMOS being unable to identify the hard disk and the hard disk making abnormal sounds. Possible causes are physical track damage, breakdown of an internal circuit chip, and head damage. The repair methods are internal circuit repair and opening the drive chamber in a clean room, for which the disk can only be sent to a professional data recovery company.

Hard disk external circuit failure. If CMOS cannot identify the hard disk and the hard disk makes no abnormal sound, possible causes are damage to the external circuit board, chip breakdown, burn-out from unstable voltage, and so on. Possible remedies are repairing the external circuit or swapping in the circuit board of a hard disk of the same model; the disk usually needs to be sent to a professional data recovery company.

Soft fault. If CMOS can identify the hard disk, the fault is generally a soft fault. The cause is generally data loss from system errors, accidental partitioning, accidental deletion, accidental cloning, software conflicts, or virus damage. You can use dedicated data recovery software or manual methods.

The following describes the data recovery methods for soft faults.
1. Confirm the cause of the data loss
1. Hard disk data loss. Fault causes include:

Virus damage, accidental cloning, accidental formatting of the hard disk, partition table loss, accidental file deletion, an unrecognized drive letter on a mobile hard disk (the data cannot be read, but the hard disk is not damaged), accidental partitioning of the hard disk, logical bad sectors on the disk, and physical bad sectors on the hard disk.

2. File data corruption, such as corruption of Office data files and of Zip, MPEG, ASF, RM, and other files.

2. Take the corresponding measures and steps based on the cause of the fault

1. Back up the data. Decide whether to back up the data based on how important it is. The general procedure for backing up data is:

1. Remove the damaged hard disk and connect it to another, intact machine. Make sure the new machine has enough hard disk space for the backup.

2. Use the raw mode of Ghost to back up the damaged disk to an image file sector by sector. If the hard disk has physical bad sectors, it is best to create a disk image this way and then perform all operations on the disk image; in this way, the original disk is not damaged further and data can be recovered to the greatest extent. -- I guess the author is talking about restoring the disk content to another disk to avoid writing to the original disk.

3. Repair the hard disk data. There are two ways to do this: one is to modify the data directly on the original hard disk, and the other is to store the data that is read on another hard disk. The basic idea is to use the information still present on the disk to deduce, as far as possible, the information of the lost partitions and file systems, and to restore the damaged files and systems. If too much information has been lost, the data cannot be recovered. For example, if a large file is copied after an accidental deletion, most of the deleted files are overwritten by the newly copied file and can hardly be recovered.

As a matter of common sense: if you want to recover data, do not run software such as ScanDisk or Norton Disk Doctor, which directly fixes file system errors, on the faulty disk. Remember this.
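
The sector-by-sector imaging step above, as an added example that is not from the original article and is not how Ghost itself works: it reads the source once, zero-fills unreadable sectors, records them, and hashes the image so later work on the copy can be verified. `FlakyDisk` and all other names are constructed for this example.

```python
import hashlib
import io

SECTOR = 512

def read_sectors(src, lba, count):
    """Read 'count' sectors starting at 'lba'; raise OSError on a failed or short read."""
    src.seek(lba * SECTOR)
    data = src.read(count * SECTOR)
    if len(data) != count * SECTOR:
        raise OSError("short read")
    return data

def image_disk(src, dst, total_sectors, block_sectors=128):
    """Copy src to dst in one forward pass; return (bad sector list, SHA-256 of the image)."""
    bad, digest, lba = [], hashlib.sha256(), 0
    while lba < total_sectors:
        count = min(block_sectors, total_sectors - lba)
        try:
            data = read_sectors(src, lba, count)
        except OSError:
            # Fall back to single sectors so only the unreadable ones are lost.
            # Each is tried once: repeated reads stress a failing disk.
            data = bytearray()
            for sector in range(lba, lba + count):
                try:
                    data += read_sectors(src, sector, 1)
                except OSError:
                    bad.append(sector)
                    data += bytes(SECTOR)      # zero-fill keeps later offsets aligned
        dst.write(data)
        digest.update(data)
        lba += count
    return bad, digest.hexdigest()

class FlakyDisk:
    """Constructed stand-in for a failing drive: a read touching a bad sector raises OSError."""
    def __init__(self, data, bad_sectors):
        self.data, self.bad, self.pos = data, set(bad_sectors), 0

    def seek(self, offset):
        self.pos = offset

    def read(self, size):
        first, last = self.pos // SECTOR, (self.pos + size - 1) // SECTOR
        if any(s in self.bad for s in range(first, last + 1)):
            raise OSError(5, "Input/output error")
        chunk = self.data[self.pos:self.pos + size]
        self.pos += len(chunk)
        return chunk

def demo():
    """Image a constructed 300-sector disk that has two unreadable sectors."""
    data = b"".join(bytes([i % 251]) * SECTOR for i in range(300))
    image = io.BytesIO()
    bad, sha256 = image_disk(FlakyDisk(data, {5, 130}), image, 300, block_sectors=64)
    return data, image.getvalue(), bad, sha256

if __name__ == "__main__":
    _, _, bad_sectors, checksum = demo()
    print("unreadable sectors:", bad_sectors, "image sha256:", checksum)
```

With a real disk, `src` would be the device opened read-only in binary mode and `dst` a file on a different disk.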

Zero track, MBR and Partition Table DPT:

Track zero occupies a very important position on the hard disk: the master boot record (MBR) area of the hard disk is located there. If track zero is damaged, the master boot program and the partition table information of the hard disk are seriously damaged, and the hard disk can no longer boot.
MBR:
When a hard disk is partitioned with Fdisk or another partitioning tool, the partitioning software creates the MBR (Master Boot Record) in cylinder 0, head 0, sector 1 of the disk, that is, the master boot record area, located in the first sector of the entire hard disk. Of the 512 bytes in the master boot sector, the master boot program occupies only 446 bytes, 64 bytes are given to the DPT (Disk Partition Table), and the last two bytes (55 AA) are the end mark. The master boot program checks whether the partition table is correct and determines which partition is the boot partition. At the end of the program, it loads the startup program of that partition into memory and executes it.
DPT:
The partition table DPT (Disk Partition Table) divides the hard disk space into several independent, contiguous storage spaces, that is, partitions. The partition table DPT starts with 80H or 00H and ends with 55AAH. The partition table determines the number of partitions on the hard disk, the start and end sectors of each partition, its size, and whether it is the active partition.
Damage to the DPT easily destroys the partition information of the hard disk. Partition tables are divided into the primary partition table and extended partition tables.
The primary partition table is located at the end of the hard disk's MBR. It starts at byte 1BEH and occupies 64 bytes in total, holding four partition table entries, which is why the primary and extended partitions of a disk can number at most four in total. Each partition table entry is 16 bytes long and contains the partition's boot flag, its system flag, the starting and ending cylinder, sector, and head numbers, the number of sectors before the partition, and the number of sectors occupied by the partition. The boot flag indicates whether the partition is bootable, that is, whether it is the active partition. When the boot flag is "80", the partition is active. The system flag determines the type of the partition: for example, "06" is a DOS FAT16 partition, "0B" is DOS FAT32, "63" is a UNIX partition, and so on. The starting and ending cylinder, sector, and head numbers give the start and end position of the partition.
The 16 bytes of a partition table entry are allocated as follows:
1st byte: boot flag
2nd byte: starting head
3rd byte: the lower 6 bits are the starting sector; the upper 2 bits, together with the 4th byte, form the starting cylinder
4th byte: lower 8 bits of the starting cylinder
5th byte: system flag
6th byte: ending head
7th byte: the lower 6 bits are the ending sector; the upper 2 bits, together with the 8th byte, form the ending cylinder
8th byte: lower 8 bits of the ending cylinder
Bytes 9-12: number of sectors before the partition
Bytes 13-16: number of sectors occupied by the partition
An extended partition counts as a primary partition and occupies one entry in the primary partition table. The sector at the starting position of the extended partition (that is, the first sector of that partition) contains the first logical partition table, which also starts at byte 1BEH, with each entry occupying 16 bytes. A logical partition table generally contains two entries, one pointing to the current logical partition and the other pointing to the next extended partition. The first sector of the next extended partition again contains a logical partition table, and so on, so an extended partition can contain multiple logical partitions. For convenience, this series of extended partitions and logical partitions is numbered separately: the primary extended partition is extended partition 1, the two partitions in the first logical partition table are logical partition 1 and extended partition 2, and so on.
Partitions in the primary partition table are primary partitions, while those in the extended partition tables are logical partitions. Only one extended partition exists.
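
The entry layout and the extended-partition chain described above, as an added example that is not part of the original article: it decodes the 16-byte entries at 1BEH, unpacks the CHS fields, and follows the chain of logical partition tables. The disk image is constructed in memory; the extended-partition system flags 05H and 0FH are not listed in the article, and all function names are this example's own.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 0x1BE            # the partition table starts at byte 1BEH
EXTENDED_TYPES = {0x05, 0x0F}   # system flags of extended partitions (not listed in the article)

def decode_chs(head, sector_byte, cylinder_byte):
    """Decode a 3-byte CHS field into (cylinder, head, sector)."""
    # The upper 2 bits of the sector byte are bits 8-9 of the cylinder number.
    cylinder = ((sector_byte & 0xC0) << 2) | cylinder_byte
    return cylinder, head, sector_byte & 0x3F

def parse_table(sector):
    """Return the used entries of the four-slot table in one 512-byte sector."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        raise ValueError("sector does not end with the 55 AA mark")
    entries = []
    for slot in range(4):
        raw = sector[TABLE_OFFSET + 16 * slot:TABLE_OFFSET + 16 * (slot + 1)]
        boot, h1, s1, c1, system, h2, s2, c2, before, count = struct.unpack("<8B2I", raw)
        if system == 0 and count == 0:
            continue                                  # empty slot
        entries.append({"active": boot == 0x80, "system": system,
                        "chs_start": decode_chs(h1, s1, c1),
                        "chs_end": decode_chs(h2, s2, c2),
                        "before": before, "count": count})
    return entries

def read_sector(image, lba):
    return bytes(image[lba * SECTOR:(lba + 1) * SECTOR])

def list_partitions(image):
    """Return (kind, system flag, absolute start sector, sector count) tuples."""
    found, ext_base = [], None
    for e in parse_table(read_sector(image, 0)):
        if e["system"] in EXTENDED_TYPES:
            ext_base = e["before"]                    # start of the primary extended partition
        else:
            found.append(("primary", e["system"], e["before"], e["count"]))
    table_lba, seen = ext_base, set()
    while table_lba is not None and table_lba not in seen:   # 'seen' stops a looping chain
        seen.add(table_lba)
        next_lba = None
        for e in parse_table(read_sector(image, table_lba)):
            if e["system"] in EXTENDED_TYPES:
                # The link entry is relative to the primary extended partition.
                next_lba = ext_base + e["before"]
            else:
                # The logical entry is relative to the sector holding this table.
                found.append(("logical", e["system"], table_lba + e["before"], e["count"]))
        table_lba = next_lba
    return found

def build_sample_image():
    """Constructed 2100-sector disk: one active FAT32 primary, two logical partitions."""
    image = bytearray(2100 * SECTOR)

    def put(lba, *entries):
        raw = b"".join(struct.pack("<8B2I", boot, 0, 1, 0, system, 0, 1, 0, before, count)
                       for boot, system, before, count in entries)
        base = lba * SECTOR
        image[base + TABLE_OFFSET:base + TABLE_OFFSET + len(raw)] = raw
        image[base + 510:base + 512] = b"\x55\xAA"

    put(0, (0x80, 0x0B, 63, 1000), (0x00, 0x05, 1063, 1037))
    put(1063, (0x00, 0x06, 63, 900), (0x00, 0x05, 963, 74))
    put(2026, (0x00, 0x0B, 63, 11))
    return image

if __name__ == "__main__":
    for partition in list_partitions(build_sample_image()):
        print(partition)
```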
FS stands for file system, which is located within a partition. It manages the storage of files in the partition and their various attributes, including the file name, size, time, and the disk space occupied. Common Windows file systems include FAT12, FAT16, FAT32, and NTFS.
DBR (DOS Boot Record) is the operating system boot record area. It is located in the first sector of each partition of the hard disk and is the first sector that the operating system can access directly. It generally contains an operating system boot program located in the partition and a table of related partition parameters.
A cluster is the smallest data storage unit in a file system. It consists of several consecutive sectors. A hard disk sector is 512 bytes (on almost all hard disks). Even a one-byte file must be allocated a whole cluster, and the remaining space is wasted. The smaller the cluster, the more efficiently small files are stored; the larger the cluster, the higher the file access efficiency, but the more space is wasted.
FAT (File Allocation Table) records the usage of the clusters in the partition. The size of the FAT is related to the size of the partition. For data safety, two copies of the FAT are generally kept; the second FAT is a backup of the first. It is used in the FAT12, FAT16, and FAT32 file systems.
DIR is short for directory. It stores the information of files and directories (including the file name, size, disk space occupied, and so on). The DIR of FAT12 and FAT16 follows the second FAT, while the root directory of FAT32 can be in any cluster in the partition.
MFT (Master File Table) is the data structure in NTFS that stores various information about files, including the file size, time, and occupied data space.
Taking FAT32 as an example, sectors 0-2 of a FAT32 partition are the DBR of the FAT32 file system, that is, the boot sector, and sectors 3-5 are a backup of sectors 0-2. Sectors 6-31 are blank, and sector 32 is the start of the first FAT. The size of the FAT is related to the size of the partition. The second FAT follows, and the remaining space is occupied by the actual data, including directories and files. The root directory of the FAT32 file system is not necessarily the first cluster in the data area; it can be located in any cluster in the data area. This is also why the size of the FAT32 root directory is not limited to 255 files, and it is one of the reasons FAT32 supports long file names.
When the partition table is lost, all or some of the original partitions of the hard disk are missing. In Disk Management (Windows XP, Windows 2000, Windows 2003), you see an unpartitioned hard disk or unpartitioned space. There are several possible causes:
Virus. The CIH virus fills the data in the partition table and the first partition with invalid data. In this case, given the nature of partitions described above, the data on drive C is hard to restore, but the actual data in partitions such as drives D and E is not damaged; only the partition table is lost. Therefore, you only need to find the correct start and end positions of partitions such as D and E, and recovery is easy.
Re-partitioning. When fdisk is used to redistribute the disk space, the original partition table is replaced by a new partition table. The data in the original partitions is not damaged; the partition table merely points to incorrect positions.
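
Finding the start and size of intact partitions after the table is lost, as an added example that is not from the original article: it scans a disk image for FAT16/FAT32 boot records (DBR) and returns the values a rebuilt partition table entry needs. The damaged image is constructed in memory, the boot record field offsets come from the standard FAT boot sector layout rather than from the article, and the function names are this example's own.

```python
import struct

SECTOR = 512
SYSTEM_FLAG = {"FAT16": 0x06, "FAT32": 0x0B}   # system flags quoted in the article

def identify_dbr(sector):
    """Return (file system name, total sectors) if the sector looks like a
    FAT16/FAT32 boot record (DBR), otherwise None."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        return None
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 11)
    fat_copies = sector[16]
    # Plausibility checks reject junk that merely ends in 55 AA.
    if bytes_per_sector != SECTOR or fat_copies not in (1, 2):
        return None
    if sectors_per_cluster == 0 or sectors_per_cluster & (sectors_per_cluster - 1):
        return None                                # cluster size must be a power of two
    if sector[82:90] == b"FAT32   ":
        name = "FAT32"
    elif sector[54:62] == b"FAT16   ":
        name = "FAT16"
    else:
        return None
    total16 = struct.unpack_from("<H", sector, 19)[0]
    total32 = struct.unpack_from("<I", sector, 32)[0]
    total = total16 or total32                     # the 16-bit field is 0 on large volumes
    return (name, total) if total else None

def find_lost_partitions(image):
    """Scan a disk image sector by sector and return one
    (system flag, sectors before, sector count) tuple per volume found."""
    found, covered_until = [], 0
    for lba in range(len(image) // SECTOR):
        if lba < covered_until:
            continue        # inside a volume already found, e.g. its backup boot record
        hit = identify_dbr(bytes(image[lba * SECTOR:(lba + 1) * SECTOR]))
        if hit:
            name, total = hit
            found.append((SYSTEM_FLAG[name], lba, total))
            covered_until = lba + total
    return found

def make_dbr(name, total_sectors):
    """Build a minimal constructed boot record for the sample image."""
    dbr = bytearray(SECTOR)
    struct.pack_into("<HB", dbr, 11, SECTOR, 8)    # 512-byte sectors, 8 per cluster
    dbr[16] = 2                                    # two FAT copies
    struct.pack_into("<I", dbr, 32, total_sectors)
    label_at = 82 if name == "FAT32" else 54
    dbr[label_at:label_at + 8] = name.ljust(8).encode("ascii")
    dbr[510:512] = b"\x55\xAA"
    return dbr

def build_damaged_image():
    """Constructed disk: table and start of C overwritten with junk, D and E intact."""
    image = bytearray(4100 * SECTOR)
    image[0:100 * SECTOR] = (b"\xAA" * 510 + b"\x55\xAA") * 100
    image[1063 * SECTOR:1064 * SECTOR] = make_dbr("FAT32", 2000)   # drive D
    image[1069 * SECTOR:1070 * SECTOR] = make_dbr("FAT32", 2000)   # backup copy inside D
    image[3063 * SECTOR:3064 * SECTOR] = make_dbr("FAT16", 1000)   # drive E
    return image

if __name__ == "__main__":
    for flag, before, count in find_lost_partitions(build_damaged_image()):
        print(f"system flag {flag:02X}H, sectors before {before}, sectors {count}")
```

Run it against an image of the disk, never the original; a stale boot record left over from an older layout would also be reported, so each hit still needs checking before a table entry is written.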

Recovering accidentally deleted files

What is the principle behind recovering accidentally deleted files? Why can a deleted file be restored? Can all deleted files be recovered?

When we store a file, the operating system first finds enough space for the new file in a table that records all space usage, then writes the file content to the corresponding hard disk sectors and marks the space as occupied in the table.

When we delete a file, the operating system generally does not touch the sectors occupied by the actual file; it only marks the space as free in the table so that it can be allocated to other files. At this point the actual content of the deleted file is undamaged and can be recovered. If we delete a file and then create new files, the sectors occupied by the deleted file may be used by a newly created file, and the deleted file can then no longer be restored. Therefore, once a file has been deleted by mistake, take care not to perform any write operations on the partition where the file is located. Otherwise the deleted file may be overwritten and data recovery will fail.

There are many software options for accidentally deleted files, such as FinalData, Recover4all, and EasyRecovery. This software is easy to use; you can simply follow the instructions in the wizard.

The following describes a method for manually restoring deleted data. It is particularly useful when the automatic methods fail to recover the data. This method suits simple files with obvious features, such as text files; if the format is complex, you need to write a program along similar lines. The principle is to find the content of the deleted file directly in the partition.

One example is Microsoft's VC6. The VC6 IDE has a bug that has never been fixed: when program code is being saved, a dialog box occasionally appears saying that the file cannot be saved, and you must then save the file again. If you close VC6 directly, you will find that the file has been deleted (Microsoft has confirmed this bug, and it was still not fixed as of the SP5 patch for VC6).

A friend of mine encountered this bug when using VC6. He thought that VC6 had a problem and closed VC6 directly; as a result, a long file that had already been debugged went missing.

I first tried FinalData and EasyRecovery, and found many previously deleted files, which are not needed. If there is no other way, you have to use the brute-force search method.

1. Run WinHex, select Open Disk from the Tools menu, and select logical drive C, where the accidentally deleted file was located.

2. From the Search menu, use the Find Text command to search the opened drive C directly for the feature string "added to process Reg_Expand_SZ" from the program code.

3. After a period of time the search completes; copy all of the code before and after the match to a new file to retrieve the original code.

For documents with a strong internal structure, if the automated methods do not work, you can write a small program to search for the documents and make judgments, or write a script using the interfaces WinHex provides; if the data is important, such a method is necessary. If the file is scattered across multiple areas of the disk, you also need to reassemble the document according to its internal structure to restore the data completely.
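
The "small program" approach described above, as an added example that is not from the original article: it searches a raw image for the feature string in chunks and then grows outward from each hit while the bytes still look like text. The image and sample source file are constructed in memory, the function names are this example's own, and only a contiguous text fragment is handled.

```python
import io

MARKER = b"added to process Reg_Expand_SZ"      # feature string from the article
TEXT_BYTES = frozenset(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

def find_marker(stream, marker, chunk_size=1 << 20):
    """Yield every absolute offset of marker in a binary stream read in chunks."""
    overlap = len(marker) - 1
    tail, base = b"", 0          # base = absolute offset of the first byte of 'tail'
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return
        buf = tail + chunk
        at = buf.find(marker)
        while at != -1:
            yield base + at
            at = buf.find(marker, at + 1)
        # Keep the last len(marker)-1 bytes so a match split across two reads is found.
        tail = buf[-overlap:] if overlap else b""
        base += len(buf) - len(tail)

def extract_text_run(stream, offset, limit=1 << 20):
    """Grow outward from offset while the bytes look like plain text;
    return (start offset, recovered bytes)."""
    low = max(0, offset - limit)
    stream.seek(low)
    window = stream.read(offset - low + limit)
    start = end = offset - low
    while start > 0 and window[start - 1] in TEXT_BYTES:
        start -= 1
    while end < len(window) and window[end] in TEXT_BYTES:
        end += 1
    return low + start, window[start:end]

def recover_text(stream, marker=MARKER, chunk_size=1 << 20):
    """Return one (offset, text) pair per text run that contains the marker."""
    stream.seek(0)
    hits = list(find_marker(stream, marker, chunk_size))   # finish scanning before seeking
    results, last_end = [], -1
    for hit in hits:
        if hit < last_end:
            continue                      # marker repeated inside a run already recovered
        start, text = extract_text_run(stream, hit)
        results.append((start, text))
        last_end = start + len(text)
    return results

SAMPLE_SOURCE = (b"/* constructed sample file */\r\n"
                 b"void report(void)\r\n{\r\n"
                 b'    puts("added to process Reg_Expand_SZ");\r\n}\r\n')

def build_sample_image():
    """Constructed raw image: binary filler, the deleted file's text, more filler."""
    return b"\x00" * 700 + b"\xff\x01" * 50 + SAMPLE_SOURCE + b"\x00" * 900

if __name__ == "__main__":
    for offset, text in recover_text(io.BytesIO(build_sample_image())):
        print(offset, text.decode("ascii"))
```

For real use, pass an image file opened with `open(path, "rb")` instead of the in-memory sample, so the original partition is only ever read when the image is made.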

The principle of recovering from accidental formatting is very similar. Data can be restored only if the original data was not overwritten, as with a quick format.
