A "thrilling" data recovery experience
Author: Owlbird


Cause
A few days ago, while I was working as a database administrator, a friend called: one of his database servers would not start, and it was giving him a headache. He had already asked people to look at the Windows 2000 box without success, so with no other option he came to me to try. The operating system on this server is Windows 2000 Server and the database is SQL Server 2000. His employer is a paging station, and this server is dedicated to storing customer information; every half month the data files are dumped to tape. The day of the accident happened to be a backup day, and my friend had bought a pirated ("D version") disc and was about to read it on the server. As soon as the disc went in it auto-ran, the machine restarted by itself, and on reboot it prompted: Non-system disk, please INSERT A SYSTEM DISK (pirated discs really are harmful, to others and to oneself). Obviously the system could not boot.

Processing
If the computer cannot boot from the hard drive, we can try booting from a floppy disk and then accessing the hard drive. If the hard drive is still inaccessible, the master boot record or the boot sector of the bootable partition is probably corrupted. At that point we can use the debug command and other tool software to check whether the hard drive's master boot area is normal. I booted into DOS from an MS-DOS system floppy. Because the server's primary partition is NTFS, the partition's contents cannot be viewed without third-party software, but I wanted to use the debug command to look at the MBR (the hard disk master boot record). The procedure is as follows:

A:\>debug
-a 100                    ; assemble instructions starting at offset 100h
xxxx:0100 mov ax,0201     ; AH=02h read sectors, AL=01h read one sector
xxxx:0103 mov bx,0200     ; buffer at ES:0200 in the current segment
xxxx:0106 mov cx,0001     ; CH=00h cylinder 0, CL=01h sector 1
xxxx:0109 mov dx,80       ; DH=00h head 0, DL=80h first hard disk
xxxx:010C int 13          ; BIOS disk read/write service
xxxx:010E int 3           ; breakpoint, returns control to debug
xxxx:010F                 ; press Enter to end assembly
-g=100                    ; execute the instructions above
-d 380                    ; dump 0380-03FF: the partition table lies at 0200h+1BEh = 03BEh


The above commands are explained in detail in "IBM-PC Assembly Language Program Design" (Tsinghua University Press, edited by Shen Meiming and Wen Dongchan). Let me briefly introduce the primary partition table. It sits in the rear part of the hard disk master boot record (cylinder 0, head 0, sector 1), starting at byte 1BEh and occupying 64 bytes, which hold four partition table entries. Each entry is 16 bytes long and contains the boot flag, the system ID, the starting and ending cylinder, sector and head numbers, the number of sectors in front of the partition, and the number of sectors the partition occupies. The boot flag indicates whether the partition is bootable, that is, whether it is active: when the boot flag is 80h, the partition is active. The system ID determines the partition type, for example 06h for a DOS FAT16 partition, 0Bh for a DOS FAT32 partition and 83h for a Linux native partition. The starting and ending cylinder, sector and head numbers mark where the partition begins and ends.

One look was enough to startle me: the parameters in the primary partition table had largely been overwritten with 26H (hex). It seems the virus writer is a "10" (26H converts to 38), really tough indeed. And my friend had not backed up the MBR, which would mean a lot of trouble. However, cylinder 0, head 0, sector 2 of a hard disk usually holds a backup of cylinder 0, head 0, sector 1: each time the system boots successfully, it copies the contents of sector 1 to sector 2. Note that if a boot manager such as System Commander or LILO is installed, it occupies sector 2 and the copy of sector 1 goes to sector 3 instead; this is something we need to watch for. So when there is no MBR backup, a good solution is to search the hidden sectors from cylinder 0, head 0, sector 2 onwards for the backup of the MBR, and rewrite the MBR from the undamaged partition table information in that backup. So I did the following:

A:\>debug
-a 100                    ; assemble instructions starting at offset 100h
xxxx:0100 mov ax,0201     ; AH=02h read sectors, AL=01h read one sector
xxxx:0103 mov bx,0200     ; buffer at ES:0200 in the current segment
xxxx:0106 mov cx,0002     ; CH=00h cylinder 0, CL=02h sector 2
xxxx:0109 mov dx,80       ; DH=00h head 0, DL=80h first hard disk
xxxx:010C int 13          ; BIOS disk read/write service
xxxx:010E int 3           ; breakpoint, returns control to debug
xxxx:010F                 ; press Enter to end assembly
-g=100                    ; execute the instructions above
-d 380                    ; dump 0380-03FF: the backup partition table at 03BEh


Fortunately, the virus writer still had a bit of conscience and did not damage the backup of the primary partition table. So we can use the backup MBR record to rebuild the primary partition table, as follows (note that I had not exited debug, so the backup sector just read is still in the buffer at 0200):
-a 100
xxxx:0100 mov ax,0301     ; AH=03h write sectors, AL=01h write one sector (Enter to finish)
-a 106
xxxx:0106 mov cx,0001     ; cylinder 0, sector 1: the destination is the MBR (Enter to finish)
-g=100                    ; execute: the backup still in the buffer at 0200 is written to sector 1
Then read the primary partition table back to see whether it was written correctly:
-a 100
xxxx:0100 mov ax,0201     ; AH=02h read sectors, AL=01h read one sector (Enter to finish)
-g=100                    ; execute the instructions above
-d 380                    ; dump 0380-03FF: the primary partition table at 03BEh
Everything was fine. To be safe, however, I backed up the MBR contents to a floppy disk. The operation is as follows:
-r bx
:0000                     ; BX holds the high word of the byte count
-r cx
:0200                     ; CX holds the low word: 200h = 512 bytes, one whole sector
-n a:\mbr.dat             ; name the output file
-w 0200                   ; write BX:CX bytes starting at offset 0200 to the file
-q                        ; exit debug
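As an added example, not part of the original article, the following Python decodes the 16-byte partition table entries that debug's `d 380` shows as raw hex, applies the plausibility checks a repairer would want before trusting a sector (55AA signature, boot flag 00h or 80h, a used entry with a real extent), and makes the article's decision between sector 1 and its sector-2 backup. The sample sectors are constructed and the partition geometry in them is invented.

```python
import struct

SECTOR = 512
TABLE_OFF, SIG_OFF = 0x1BE, 0x1FE   # partition table at 1BEh, 55AA signature at 1FEh
TYPE_NAMES = {0x06: "FAT16", 0x0B: "FAT32", 0x07: "NTFS", 0x83: "Linux native"}

def decode_chs(raw):
    """Unpack a 3-byte CHS field: head, 6-bit sector, 10-bit cylinder (high 2 bits in byte 2)."""
    head, sec_cyl_hi, cyl_lo = raw
    return ((sec_cyl_hi & 0xC0) << 2) | cyl_lo, head, sec_cyl_hi & 0x3F

def parse_partition_table(sector):
    """Decode the four 16-byte entries that debug's 'd 380' shows as raw hex."""
    entries = []
    for i in range(4):
        boot, chs_s, ptype, chs_e, before, size = struct.unpack_from(
            "<B3sB3sII", sector, TABLE_OFF + 16 * i)
        entries.append({"boot_flag": boot, "active": boot == 0x80, "type": ptype,
                        "type_name": TYPE_NAMES.get(ptype, "empty/unknown"),
                        "chs_start": decode_chs(chs_s), "chs_end": decode_chs(chs_e),
                        "sectors_before": before, "sectors_in_partition": size})
    return entries

def table_is_sane(sector):
    """Plausibility checks to apply before trusting a sector as a partition table."""
    if sector[SIG_OFF:SIG_OFF + 2] != b"\x55\xAA":
        return False
    for e in parse_partition_table(sector):
        if e["boot_flag"] not in (0x00, 0x80):      # only 00h or 80h is legal
            return False
        if e["type"] and (e["sectors_before"] == 0 or e["sectors_in_partition"] == 0):
            return False                             # a used entry needs a real extent
    return True

def choose_table_source(primary, backup):
    """The article's decision: keep sector 1 if it is sane, else fall back to sector 2."""
    if table_is_sane(primary):
        return "primary"
    return "backup" if table_is_sane(backup) else None

def make_mbr(entries):
    """Build a constructed 512-byte sector holding the given entries and a valid signature."""
    sector = bytearray(SECTOR)
    for i, entry in enumerate(entries):
        struct.pack_into("<B3sB3sII", sector, TABLE_OFF + 16 * i, *entry)
    sector[SIG_OFF:SIG_OFF + 2] = b"\x55\xAA"
    return bytes(sector)

# Constructed samples: one active NTFS partition starting at sector 63, and a primary sector
# whose 64-byte table was overwritten with 26h (the 55AA signature is left intact, so a
# signature check alone would not catch this kind of damage).
GOOD_MBR = make_mbr([(0x80, b"\x01\x01\x00", 0x07, b"\xFE\xBF\x09", 63, 160650)])
BAD_MBR = GOOD_MBR[:TABLE_OFF] + b"\x26" * 64 + GOOD_MBR[SIG_OFF:]
```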

I thought everything was OK, but on reboot it still prompted: Non-system disk, please INSERT A SYSTEM DISK. There seemed to be more problems. I had to remove the hard drive and attach it as a slave disk to another computer running Windows 2000 Server with NTFS. However, when I double-clicked the partition, it prompted: "Cannot access D:\, $Volume corrupted and unreadable". It appears this virus is no small thing: it can act directly under Windows 2000 Server and even modify the MFT; the virus writer's skill is really not shallow. I used the chkdsk command to try to fix $Volume, and it told me it could not be fixed. It seemed unlikely that I could fully restore this server, so the most critical problem now was actually to restore the database files, which was what my friend and I really cared about. According to my friend, he has two important user databases, named Client1 and Client2, so all our attention went to these two databases. Each consists of a file with the .MDF suffix (the user database primary data file) and a file with the .LDF suffix (the user database log file; the content of a SQL Server 2000 primary data file is controlled by its corresponding log file).

Of course, the king of data recovery, Recover, was my best choice; I used the RecoverNT version. RecoverNT is fairly simple to use; note that files read with it cannot be restored to the same hard drive and must be restored to another drive. Unfortunately, when I used RecoverNT to read the D partition, it could not read a single file because of the MFT damage; I tried repeatedly without success and had to give up. As soon as I got home I made up my mind to study the Windows 2000 NTFS format. I had two books on hand: an MCSE guide to Windows 2000 Server, and the Chinese edition of Inside Microsoft Windows 2000, Third Edition, titled Windows 2000 Internals. As the saying goes, you only regret having read too little when the time comes to use it. I also searched the Internet for information, and after two days of focused research I came up with a bold idea; after detailed analysis, I arrived at a method I still find hard to believe.

Climax
I would format the unreadable D drive (note: a high-level format, not a low-level one) and then read the files with RecoverNT. Why do this? Let me explain slowly. First I want to talk about the principles of the Windows file systems. We all know that Windows has FAT12, FAT16, FAT32, NTFS and other file formats. FAT12, FAT16 and FAT32 can be considered one class, called the FAT format for short, and NTFS can be considered another class. I will briefly introduce the data structures of a FAT-format file system; by characteristics and function they can be broadly divided into:

1. Boot sector.
2. DBR area (DOS Boot Record), meaning the operating system boot record area.
3. FAT area (File Allocation Table), located after the DBR. There are typically two copies, one a backup of the other. Its important role is to store the pointers to the clusters in which each file's data resides (concepts I will introduce when discussing the NTFS format).
4. DIR area (directory), the root directory area.
5. DATA area: as the name implies, the place where user data is held. It occupies most of the disk space and is the most important area.

Now the basics of the NTFS format. In NTFS, everything stored on a volume is contained in a file, including the data structures used to locate and retrieve files, the bootstrap code, and the bitmap that records the allocation state of the whole volume (NTFS metadata). This embodies the NTFS principle that everything on the disk is a file. Storing everything in files makes it easy for the file system to locate and maintain data. In NTFS, all data on the volume is described by an array of file records called the MFT, the Master File Table, which is created by high-level formatting. The MFT consists of an array of file records. The size of a file record is generally fixed at 1 KB regardless of the cluster size; the concept is equivalent to an inode in Linux. File records are physically contiguous in the MFT and numbered from 0. The files used only by the system itself to describe the file system structure are called metadata files in NTFS. The following are the important metadata files in the Windows 2000 NTFS master file table:

0  $MFT
1  $MFTMirr
2  $LogFile
3  $Volume
4  $AttrDef
5  $Directory
6  $Bitmap
7  $Boot
8  $BadClus
9  $Secure
10 $UpCase
11 $Extend

These important metadata files of the NTFS master file table have names beginning with $ (a dollar sign), but they are hidden: the dir command (even with the /a switch) cannot list these metadata files as normal files under Windows 2000. In fact, the file system driver (Ntfs.sys) maintains a system variable, NtfsProtectSystemFiles, to hide the metadata. However, Microsoft provides an OEM tool called NFI.EXE with which you can dump the important metadata files of the NTFS master file table (metadata: data stored on a volume that supports management of the file system format). These files cannot be accessed by applications; they serve only the system. Here is an example:

C:\>nfi D:

File 0
Master File Table ($Mft)
    $STANDARD_INFORMATION (resident)
    $FILE_NAME (resident)
    $DATA (nonresident)
        logical sectors 32-21151 (0x20-0x529f)
    $BITMAP (nonresident)
        logical sectors 16-19 (0x10-0x13)

File 1
Master File Table Mirror ($MftMirr)
    $STANDARD_INFORMATION (resident)
    $FILE_NAME (resident)
    $DATA (nonresident)
        logical sectors 2048284-2048291 (0x1f411c-0x1f4123)
(due to space limitations, the remainder is omitted)

These metadata files are what the system driver needs to mount the volume. Windows 2000 assigning a drive letter to each partition does not mean the partition contains a file system format Windows 2000 can recognize; if the master file table is corrupted, the partition cannot be read under Windows 2000. To make the partition recognizable, a Windows 2000-recognized file system format, that is, a master file table, must first be rebuilt, and this can be done by high-level formatting. You might think: if the partition is formatted, then all its contents are gone? It seemed so: when I opened the formatted D drive, it was empty.

As we all know, Windows locates a file's data on disk by cluster number. In a FAT-format file system the pointers to cluster numbers are held in the FAT; in NTFS they are held in the $MFT and $MFTMirr files. (Note: $MFTMirr is a backup of $MFT; if $MFT records are corrupted, NTFS reads $MFTMirr. The locations of the $MFT and $MFTMirr data runs are stored in the boot sector, and a copy of the boot sector is kept at the end of the partition.) Since $MFT and $MFTMirr had been rebuilt, our files were out of sight, but in fact they had not really disappeared; they were still hidden on the disk media. RecoverNT does not locate files by cluster number; it uses a lower-level approach, reading files through file control block (FCB) style disk access rather than file-handle disk access (which requires the extended function calls). That is its brilliance. So when I read the D drive with RecoverNT, it took about an hour to find the four files I needed, and I saved them to C:\.
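As an added example (not part of the article, and not RecoverNT's code), this Python reads the boot sector fields the article refers to: the clusters where $MFT and $MFTMirr start, the file record size, and where the end-of-partition copy of the boot sector lives. It also compares the primary boot sector with that copy the way a repairer would before deciding which to trust. The boot sector is constructed; the cluster numbers are invented, except that $MFT is placed at logical sector 32 to match the nfi listing above.

```python
import struct

SECTOR = 512

def parse_ntfs_boot_sector(sector):
    """Read the geometry and the $MFT/$MFTMirr start clusters from an NTFS boot sector."""
    if sector[3:11] != b"NTFS    " or sector[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("not an NTFS boot sector (bad OEM ID or signature)")
    bytes_per_sector, spc = struct.unpack_from("<HB", sector, 0x0B)   # sectors per cluster
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    cpr = struct.unpack_from("<b", sector, 0x40)[0]   # clusters per file record (signed)
    # A negative value means the record is 2^|cpr| bytes; Windows 2000 stores -10, i.e. 1 KB.
    record_size = 2 ** -cpr if cpr < 0 else cpr * spc * bytes_per_sector
    return {"bytes_per_sector": bytes_per_sector, "sectors_per_cluster": spc,
            "total_sectors": total_sectors, "mft_record_size": record_size,
            "mft_sector": mft_lcn * spc, "mftmirr_sector": mftmirr_lcn * spc,
            # the spare copy sits in the last sector of the partition, just past the
            # sectors the volume counts as its own
            "backup_boot_sector": total_sectors}

def check_boot_sector_pair(primary, backup):
    """Compare the boot sector with its end-of-partition copy before trusting either."""
    try:
        parse_ntfs_boot_sector(primary)
        return "consistent" if primary == backup else "primary valid, backup differs"
    except ValueError:
        pass
    try:
        parse_ntfs_boot_sector(backup)
    except ValueError:
        return "both damaged"
    return "primary damaged, backup usable"

def make_boot_sector(total_sectors, mft_lcn, mftmirr_lcn, spc=8):
    """Constructed boot sector carrying only the fields this example reads (rest zero)."""
    s = bytearray(SECTOR)
    s[0:3] = b"\xEB\x52\x90"                  # jump over the BPB, as on a real volume
    s[3:11] = b"NTFS    "
    struct.pack_into("<HB", s, 0x0B, 512, spc)
    struct.pack_into("<QQQ", s, 0x28, total_sectors, mft_lcn, mftmirr_lcn)
    struct.pack_into("<b", s, 0x40, -10)      # 1 KB file records
    s[0x1FE:0x200] = b"\x55\xAA"
    return bytes(s)

# Constructed sample: $MFT at cluster 4 (logical sector 32, as in the nfi listing) on a
# volume of 4,096,567 counted sectors; the damaged copy has its first 16 bytes zeroed,
# which wipes the OEM ID the way a trashed boot sector would.
GOOD_BOOT = make_boot_sector(4096567, 4, 256035)
DAMAGED_BOOT = b"\x00" * 16 + GOOD_BOOT[16:]
```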

At last
Open SQL Server 2000 Enterprise Manager, select an instance, right-click Databases and choose Attach Database. Give the disk location of the data file (note that it is best to keep the primary data file and its corresponding log file in the same directory), and everything is OK: my friend's customer data was back.


Postscript:
1. As a database administrator, back up regularly and always be careful, so as to avoid ending up like my friend; otherwise the consequences are disastrous.
2. This article is not intended to give a specific method, but to discuss a way of thinking about data recovery.
3. If virus writers could think more of others rather than a moment's pleasure, they would put their intelligence to better use.
4. If any friend has a different view of this article, please advise.



Contact: Owlbird@163.com

