Recover a hard disk partition table

Source: Internet
Author: User
Everyone has probably had a bad experience of data loss. It is painful to see data collected with great effort destroyed by a virus, accidental deletion, formatting, a mistake in partitioning software, storage device damage, or some other cause. In fact, we only need to calm down and learn a little about data recovery. In such an unfortunate situation, as long as the hardware is not seriously damaged, we can recover some of the data. If we are lucky, it is even possible to retrieve all of it.

To discuss data recovery, let's first look at the simplest situation: the hard disk partition table is damaged (without hardware damage). The symptom is that partitions are lost, and the fix is to rebuild the hard disk partition table. To understand how hard disk partitions are organized, we first introduce some background knowledge.

I. Hard Disk File System addressing: CHS and LBA

1. CHS addressing mode

CHS is the abbreviation of cylinder/head/sector.
Why are there these parameters? This begins with the structure of the hard disk. A hard disk is usually composed of several platters. Each disk surface is accessed by a head, and the surface is divided into many concentric rings called tracks. Each track is divided into many segments, and each segment is called a sector. The sector is the unit of hard disk storage, and data is stored in sectors.

This gives rise to the so-called three-dimensional parameters (disk geometry): the number of heads, the number of cylinders (a cylinder is made up of the tracks that have the same radius on the different disk surfaces) and the number of sectors, together with the corresponding addressing method. See the figure below:

In the hard disk file system, the following rules are stipulated:

The number of heads indicates how many heads the hard disk has in total, that is, how many disk surfaces. The maximum value is 255 (stored in 8 binary bits).
The number of cylinders indicates the number of tracks on each disk surface of the hard disk. The maximum value is 1024 (stored in 10 binary bits).
The number of sectors indicates how many sectors each track has. The maximum value is 63 (stored in 6 binary bits).
Each sector is generally 512 bytes. In theory this is not required, but no other value seems to be in use.

Therefore, the maximum addressing range of the CHS mode is:
255*1024*63*512/1000/1000/1000 = 8.4 GB.

In the CHS addressing mode, the value ranges of the head, cylinder, and sector are
0 to heads-1, 0 to cylinders-1, and 1 to sectors (note that sector numbering starts from 1).

When the hard disk needs to read data from a certain sector, it first determines the cylinder number, then the head number, narrowing the range step by step, and finally the sector number. This completes the addressing process. Once the CHS parameters are given, the hard disk moves the corresponding head to the corresponding track and sector to read and write data.

It should be noted that these CHS parameters do not correspond to the actual cylinder, head, and sector numbers of the hard disk. A hard disk generally has only a few heads, nowhere near 255. There is a conversion between the physical cylinder, head, and sector numbers and the CHS parameters used in the file system. This is done by the hard disk firmware, so we don't have to worry about it. Here, we only focus on the CHS parameters in the file system.

2. LBA addressing

With the continuous development of hard disk technology, capacities keep increasing and have long exceeded 8 GB, so CHS addressing in the hard disk file system can no longer meet the need. How is addressing done in a modern hard disk file system? It uses linear addressing: all available sectors on the hard disk (say there are n of them) are numbered sequentially from 0 to n-1, and data is read and written by sector number. This is the logical block address (LBA), and the number of a sector is its LBA address.

Although LBA has become the mainstream addressing mode for hard disk file systems (partitions smaller than GB still need to have their CHS parameters recorded in the partition table; in a partition larger than 8.4 GB the CHS parameters are meaningless and LBA addressing must be used), in Windows the logical structure of the entire hard disk is still organized in the traditional CHS mode, and the hard disk file system is composed of a whole number of cylinders. The number of cylinders in a modern hard disk file system has exceeded the limit of 1024, while the maximum numbers of heads and sectors are still 255 and 63. Compared with LBA, the CHS mode is more intuitive, so disk editors use the CHS mode to lay out the logical structure of disks.

II. MBR (Master Boot Record), DPT (Disk Partition Table), primary partitions, extended partitions and logical partitions

The first sector of the hard disk is called the master boot sector, often referred to as the MBR. Its CHS address is 0, 0, 1 and its LBA address is 0. It contains the hard disk boot program and the hard disk partition table (DPT), so it is very important. If the MBR sector is damaged, the system will not be able to access the disk.

1. MBR Bootstrap Overview

Among the 512 bytes of data in the MBR sector, the first 446 bytes (0 to 0x1bd) store the hard disk boot program code. When a computer starts from a hard disk, the system first reads the MBR boot code from the hard disk. The process is roughly as follows:

(1) Move the program code from 0:7c00h to 0:0600h (note: the BIOS places the MBR at 0:7c00h)
(2) Search for the bootable partition, that is, the 80h flag
    Success: goto 3
    Failed: jump to ROM BASIC
    Invalid partition table: goto 5
(3) Read the boot sector
    Failed: goto 5
    Success: goto 4
(4) Check whether the end of the boot sector is 0xaa55h
    Failed: goto 5
    Success: goto 6
(5) Print an error and enter an infinite loop
(6) Jump to 0:7c00h to start the next step.

Then the MBR boot program hands control of the system to the operating system's boot program.
If the MBR is damaged and the hard disk cannot be accessed, enter the following in DOS:
fdisk /cmbr x (x = 1 for the first hard disk, x = 2 for the second hard disk) to overwrite the master boot record.

2. Hard disk partition table (DPT)

Of the last 66 bytes of the MBR sector, once the ending flag 0xaa55h is set aside (it is the flag of all boot sectors; because a disk editor displays bytes from low to high, aa55 is shown as 55aa), the remaining 64 bytes are called the hard disk partition table. The hard disk partition table contains four entries of 16 bytes each, holding the parameters of four partitions. The meaning of each byte of an entry is as follows:

Offset   Meaning

0        Boot flag (80 is the active partition, 00 is a non-active partition)
1        Starting head number H
2        Starting sector number S
3        Starting cylinder CYL (the high 2 bits of CYL are stored in the high 2 bits of the byte at offset 2)
4        Partition type flag (05: DOS extended; 06: BIGDOS FAT16;
         07: NTFS; 0b: FAT32;
         0C: FAT32 (uses LBA for the INT 13h calls);
         0e: FAT16 (uses LBA for the INT 13h calls);
         0f: extended (uses LBA for the INT 13h calls);
         82: Linux swap; 83: Linux; 85: Linux extended)
5        Ending head number H
6        Ending sector number S
7        Ending cylinder CYL
8-11     Number of sectors before the current partition (that is, the LBA address of the partition;
         when the entry belongs to a partition table inside an extended partition, this value is
         relative to the first sector of the extended partition)
12-15    Total number of sectors in the current partition

3. Primary partitions, extended partitions and logical partitions

Partitions that can be defined in the DPT include primary partitions and extended partitions. A primary partition is a disk partition defined in the DPT that the system can use directly. It can be set as active, that is, able to boot the operating system, and a hard disk can have only one active partition. An extended partition cannot be used by the system directly; it exists to break through the limitation that the DPT can define only four partitions.

The practice is: after defining the primary partition, the DPT defines the remaining capacity as an extended partition and records its starting position. The starting position points to a sector of the hard disk, called a virtual MBR, which defines the next partition table. If only one partition remains, that table defines the partition and the chain ends. If more than one remains, the table defines one basic partition and one extended partition, and the extended partition points to the next partition table, where the definition continues until the end. In this way a partition chain is formed that describes all partitions.

Any partition table can contain only one extended partition, and an extended partition cannot boot the operating system. A disk partition inside an extended partition that the system can use is called a logical partition. A logical partition cannot be set as the active partition. Because of the concepts of extended partitions and logical partitions, the drive letters used by Windows can go up to Z.


III. Analysis of a hard disk partition structure example

You can use a disk editor to access hard disk data directly. A disk editor generally displays data in hexadecimal. WinHex, software widely used in the field of data recovery, is recommended; it can read and write disk sectors directly under Windows. Open WinHex, click the "Tools" menu, and select "disk Editor"-"physical media"-"hd0 ......; the data of the entire hard disk is then displayed in hexadecimal in the editing window. The editor used in this article is UltraEdit. Next we analyze the partitioning of my hard disk.

1. MBR sector diagram

In the MBR sector, bytes 0 ~ 1bd are the MBR boot code,
bytes 1be ~ 1dd, 32 bytes in total, hold two partition table entries, and the flag at the end is the identifier of the boot sector.

Parameters of the first partition are as follows:
, 00, 0C, Fe, FF, FF, 3f, 00, 00, F8, 02.

The first item, 80, indicates that the partition is active (it can boot the operating system);
The starting position is cylinder 0, head 1, sector 1;
0C indicates that the partition is in FAT32 format. FE, FF, and FF are the ending cylinder/head/sector values;
because the partition is larger than 8 GB, its CHS parameters are meaningless;
3f, 00 is the LBA address of the first sector of the partition, 0x3fh, or 63;
F8, 93, 32, 02 is the number of sectors of the partition
(since the bytes are arranged from low to high, the number of sectors is 0x23293f8h, that is, 36869112).

Parameters of the second partition are as follows:
, C1, FF, 0f, Fe, FF, FF, 37,94, 49, E8, C9, 04.

The first item 00 indicates that the partition is not active;
The starting CHS parameters are invalid; the head number is 0 and the sector number is 1. 0f indicates that the partition is an extended partition;
The LBA address of the first sector of the partition is 0x2329437h, equal to 36869175;
49, E8, C9, 04 is the number of sectors in the partition, 0x4c9e849h, a total of 80341065 sectors.

2. First sector (virtual MBR) of the extended partition

(1) Diagram of the first sector (virtual MBR) of the first extended partition

As mentioned above, because the DPT can only record information about four partitions, Windows records information about more than four partitions through extended partitions. The extended partition in the DPT is called the first extended partition, and its first sector is called the virtual MBR.

From the example, we can see that there is no MBR boot code in the first sector of the extended partition, only a partition table. It has two records, describing a logical partition and an extended partition.

Parameters of the first partition:
, 01, C1, FF, 0b, Fe, FF, FF, 3f, 37, 02.

The first item 00 indicates that the partition is not active;
The starting CHS parameters have an invalid cylinder number, with head number 1 and sector number 1. 0b indicates that the partition is a FAT32 file system;
3f, 00, and 00 are the LBA address of the first sector of the partition (63, relative to the first sector of the first extended partition);
The partition contains a total of 40965687 sectors.

Parameters of the second partition:
, C1, FF, 05, Fe, FF, FF, D3, D1, 58,02.

The first item 00 indicates that the partition is not active;
The starting CHS parameters are invalid; the head number is 0 and the sector number is 1. 05 indicates that the partition is an extended partition;
, Is the LBA address of the first sector of the partition (relative to the first sector of the first extended partition );
D3, D1, 58, 02 is the number of sectors in the partition. There are 39375315 sectors in total.

(2) Diagram of the first sector (virtual MBR) of the second extended partition

This extended partition contains only one logical partition. Its partition table parameters are as follows:

, 01, C1, FF, 07, Fe, FF, FF, 3f, D1, 58,02

The first item 00 indicates that the partition is not active;
The starting CHS parameters are invalid; the head number is 1 and the sector number is 1;
07 indicates that the partition is an NTFS file system;
3f, 00, and 00 are the LBA address of the first sector of the partition (63, relative to the first sector of the second extended partition);
94, D1, 58, 02 is the number of sectors in the partition, a total of 39375252 sectors.

To sum up, the partition structure of the hard disk is now clear. The partition table includes a primary partition (active) and the first extended partition; the first extended partition contains a logical partition and the second extended partition; the second extended partition contains a logical partition.
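The chain just described can be walked mechanically. The following Python sketch is an added example, not code from the original article: it parses the four 16-byte entries of a sector and follows the extended partition chain, applying the two different base addresses for relative LBA values. The sample disk is constructed from the sector counts quoted above; the link offset 40965750 and the placeholder CHS bytes are assumptions.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE                    # first of the four 16-byte entries
EXTENDED_TYPES = {0x05, 0x0F, 0x85}     # extended types in the article's type list

def parse_table(sector):
    """Return the used partition table entries of an MBR or virtual MBR sector."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != b"\x55\xaa":
        raise ValueError("sector does not end with the 0xAA55 flag")
    entries = []
    for slot in range(4):
        raw = sector[TABLE_OFFSET + 16 * slot:TABLE_OFFSET + 16 * (slot + 1)]
        rel_lba, sectors = struct.unpack_from("<II", raw, 8)  # stored low byte first
        if raw[4] != 0x00 and sectors != 0:
            entries.append({"active": raw[0] == 0x80, "type": raw[4],
                            "rel_lba": rel_lba, "sectors": sectors})
    return entries

def walk_partitions(read_sector):
    """Return (kind, type, absolute LBA, sectors) for every usable partition."""
    found = []
    for entry in parse_table(read_sector(0)):
        if entry["type"] not in EXTENDED_TYPES:
            found.append(("primary", entry["type"], entry["rel_lba"], entry["sectors"]))
            continue
        base = entry["rel_lba"]         # first extended partition: relative to the MBR
        ebr, visited = base, set()
        while ebr is not None:
            if ebr in visited:          # a damaged table can point back at itself
                raise ValueError("extended partition chain loops back on itself")
            visited.add(ebr)
            next_ebr = None
            for sub in parse_table(read_sector(ebr)):
                if sub["type"] in EXTENDED_TYPES:
                    # link entry: relative to the FIRST extended partition
                    next_ebr = base + sub["rel_lba"]
                else:
                    # logical partition: relative to the virtual MBR describing it
                    found.append(("logical", sub["type"],
                                  ebr + sub["rel_lba"], sub["sectors"]))
            ebr = next_ebr
    return found

def make_sector(*entries):
    """Constructed helper: an otherwise empty sector with the entries and 55 AA."""
    return bytes(TABLE_OFFSET) + b"".join(entries).ljust(64, b"\x00") + b"\x55\xaa"

def make_entry(flag, ptype, rel_lba, sectors):
    # CHS bytes are placeholders (assumption); the walker only uses the LBA fields.
    return bytes([flag, 0, 0, 0, ptype, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", rel_lba, sectors)

# Constructed sample disk modelled on the article's layout. The link offset
# 40965750 is an assumption; the article's own value did not survive.
SAMPLE_DISK = {
    0: make_sector(make_entry(0x80, 0x0C, 63, 36869112),
                   make_entry(0x00, 0x0F, 36869175, 80341065)),
    36869175: make_sector(make_entry(0x00, 0x0B, 63, 40965687),
                          make_entry(0x00, 0x05, 40965750, 39375315)),
    77834925: make_sector(make_entry(0x00, 0x07, 63, 39375252)),
}

def read_sample(lba):
    return SAMPLE_DISK[lba]

if __name__ == "__main__":
    for kind, ptype, lba, sectors in walk_partitions(read_sample):
        print(f"{kind:8} type {ptype:02X}  first sector LBA {lba:>9}  sectors {sectors}")
```

To use it on real data, pass a `read_sector` function that reads 512 bytes at the given LBA from a saved disk image.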

3. Diagram of the first sector of the primary partition and the logical partitions

As mentioned above, the hard disk has three partitions: drive C is the primary partition in FAT32 format, drive D is a logical partition in FAT32 format, and drive E is a logical partition in NTFS format. Let's look at the characteristics of the first sector of each of the three partitions.

(1) Diagram of the first sector of drive C

The first sector of drive C ends with 0xaa55h, and its CHS address is 0, 1, 1.
MSWIN4.1 appears on the first line of the sector ("M" is omitted due to a text display problem),
which indicates that the partition is a FAT32 file system; the string FAT32 also appears at offsets 52 ~ 59.

The boot code of the partition is stored in the first sector of drive C; it is omitted here. We only focus on fields 1C ~ 23.
Of these, field 1C ~ 1f is 3f, 00, and 00. This is the LBA address, meaning there are 63 sectors before the partition;
field 20 ~ 23 is F8, 93, 32, 02, the total number of sectors of the partition.
This information is very important, and it is the key to manually restoring the disk partition structure below.

(2) Diagram of the first sector of drive D

The first sector of drive D ends with 0xaa55h, and its CHS parameter is X,. MSDOS5.0 is displayed on the first line of the sector
("M" is omitted due to a text display problem),
which indicates that the partition is a FAT32 file system; the string FAT32 also appears at offsets 52 ~ 59.

Field 1c ~ 1f is 3f, 00, and 00. This is the LBA address of drive D, meaning there are 63 sectors before the partition
(relative to the first sector of the extended partition); field 20 ~ 23 is 37, 16, and 02, the total number of sectors of the partition.

(3) Diagram of the first sector of drive E

The first sector of drive E ends with 0xaa55, and its CHS address is X, 1, 1. The string NTFS appears on the first line of the sector
("N" is omitted due to a text display problem), which indicates that the partition is an NTFS file system.
Field 28 ~ 2f is 93, D1, 58, 02, 00, 00, 00, 00, the total number of sectors available in drive E.
It differs by 1 from the total number of sectors of drive E recorded in the second extended partition table. Why is the difference 1?
Because the NTFS file system uses the last sector of the partition to save a backup of the first sector.
That sector is reserved and cannot be used by users. Generally the number of reserved sectors is 1; when it is greater than 1,
the difference between the number of available sectors and the total number of sectors recorded in the partition table is not 1.

4. Summary

To sum up, we should keep the following points in mind:

(1) The end of all boot sectors is 0xaa55h.

(2) The CHS address of the hard disk MBR sector is 0, 0, 1;
the CHS address of the first sector of every extended partition is X, 0, 1;
the first sector of a primary partition or logical partition is at X, 1, 1,
although the CHS address of a primary partition can also be X, 0, 1,
and the first sector of a primary or logical partition may not be sector 1. Such cases exist.

(3) All extended partitions, primary partitions, and logical partitions end with the CHS parameters X, 254, 63.
Combining (2) and (3), the size of every partition is a whole number of cylinders, and a partition boundary cannot fall inside a cylinder.

(4) The first sector of an extended partition generally contains only partition table data and the 0xaa55h flag, generally without boot code.

(5) The LBA address of the first extended partition is relative to the MBR, and the LBA addresses of the subsequent extended partitions
are calculated relative to the position of the first extended partition.

(6) The first sector of a primary partition or logical partition often contains strings such as FAT32 and NTFS.
MSWIN4.1 and MSDOS5.0 indicate FAT32 partitions; MSDOS5.0 may also be
the identifier of a FAT16 partition. The boot sector stores the size of the partition. For NTFS
partitions, the number of sectors recorded in the boot sector differs from the number recorded in the partition table,
usually by 1. This is critical for retrieving a lost partition.

(7) It seems that the first extended partition has type 0f and later extended partitions have type 05; a primary partition in FAT32 format
has type 0C, and a logical partition in FAT32 format has type 0b.

IV. Hard disk partition table recovery in practice

1. Use tool software to automatically restore hard disk partitions

Here, we use the hard disk partition table management software from "the mountains and red leaves" to perform the operations, and the demonstration is carried out in a virtual machine.

(1) First, check the hard disk partitions. There are three: drive C is the active primary partition in NTFS format, and drives D and E are logical partitions in FAT32 format. To simulate partition loss, use partitioning software to delete all partitions of the hard disk.

(2) Open the hard disk partition table repair and management software Partition Table Doctor 3.0, click the "Operation" menu, and select "Recreate partition table" - "Interactive mode". The software automatically finds the three partitions.

(3) Select Save in the "File" menu, and the lost partitions are back.

There are many other tools for rebuilding the hard disk partition table. DiskGenius is commonly used, and its usage is similar.

2. Use the disk editor to manually restore the disk partition table

Some may ask why anyone would spend the time and effort on manual recovery when software can do it automatically. The manual process is indeed cumbersome, but it gives us a clear understanding of the structure of the disk partitions. Besides, although the software is good, it is not intelligent enough and cannot cope with complicated situations; in those cases the only option is manual recovery with a disk editor. As long as you understand the principle, you can solve the problem in a real situation.

(1) Open the hard disk partition table repair and management software Partition Table Doctor 3.0 and click "Sector"-"Edit Sector" to bring up the hexadecimal disk editor. The first sector displayed is the master boot sector of the hard disk, CHS, 1.

You can see from the figure that the partition table has been cleared. As long as the related entries are filled back into the partition table, the lost partitions are retrieved.

(2) Restore partition C:

Move to sector 0, 1, 1. This is the first sector of drive C.

From the figure, we can see that the partition is an NTFS system
and the size is 7f, E2, 5d, 00. The actual size must be 1 more, which is 80, E2, 5d, 00.

Move to sector 0, 0, 1 and fill in field 1be ~ 1cd.
Because the partition size is less than 8 GB, the CHS parameters must be set correctly.
The starting CHS parameter is 0, 1, and the ending CHS parameter is 382, 254, 63.
The ending cylinder number can be calculated as follows:
(ending cylinder number + 1) x 255 x 63 = total number of sectors in the partition + total number of sectors before the partition.

Therefore the partition table parameters are as follows:
, 01, 07, Fe, 7f, 7E, 3f, E2, 5d, 00,
Enter and save.

(3) Restore the first extended partition:
The LBA address of the first extended partition must be 63 + the number of sectors in drive C,
BF, E2, 5d, 00 (6152895).
The starting CHS parameter is, 0, 1, and the ending CHS parameter is 1043, 254, 63.
(If the cylinder number is greater than 1023, it is entered in the partition table as 1023.)

The size of the extended partition is 10618965 sectors, which in hexadecimal is 55, 08, A2, 00.
Move to the master boot sector of the hard disk, edit field 1ce ~ 1dd, and enter:
, 41, 7f, 0f, Fe, FF, FF, BF, E2, 5d, 08, A2, 00, save.

(4) Restore partition D:
Move the disk editor to sector 383, 1, 1. This is the first sector of drive D.

The figure shows that the partition is in FAT32 format and its size is 80, E2, 5d, 00.

Move to sector, 0, 1. This is the first sector of the first extended partition. Enter the 55aa flag at the end.
The starting CHS parameters are, 1, 1, and the ending CHS parameters are 765, 254, 63.
As a result, the partition table parameters are as follows:
, 01, 41, 7f, 0b, Fe, BF, FD, 3f, E2, 5d, 00,
Enter them in field 1be ~ 1cd and save.

(5) Restore partition E:
The first sector of the second extended partition is located at, 0, 1;
its LBA address is the number of sectors in drive D + 63, which is equal to BF, E2, 5d, 00.
Move the disk editor to this sector and you will find that the partition table there is still intact.

In this way, the rest of the process is very easy. From this partition table we can know that the size of drive E is, 25,
and that the size of the second extended partition is the number of sectors in drive E + 63, which is equal to, and 00.

Move the disk editor to, 0, 1, that is, the first sector of the first extended partition,
and edit 1ce ~ 1dd:
, 81, Fe, 05, Fe, FF, FF, BF, E2, 5d, 00, save.

So far, all the lost partitions have been retrieved.
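The byte values typed in during steps (2) to (4) can be derived rather than worked out by hand. The Python sketch below is an added example, not part of the original article or of Partition Table Doctor: it converts LBA to CHS with the 255-head, 63-sector geometry, applies the 1023 cylinder rule, and builds the 16-byte entries for drive C, the first extended partition and drive D from the sizes quoted in the text. The function names and the blank 512-byte sectors are assumptions.

```python
import struct

HEADS, SECTORS_PER_TRACK = 255, 63        # geometry used throughout the article
CYLINDER = HEADS * SECTORS_PER_TRACK      # sectors per cylinder

def lba_to_chs(lba):
    """Convert an absolute sector number to (cylinder, head, sector)."""
    cylinder, rest = divmod(lba, CYLINDER)
    head, sector0 = divmod(rest, SECTORS_PER_TRACK)
    return cylinder, head, sector0 + 1    # sector numbers start from 1

def pack_chs(cylinder, head, sector):
    """Encode CHS as the 3 bytes stored at offsets 1-3 and 5-7 of an entry."""
    cylinder = min(cylinder, 1023)        # a larger cylinder is entered as 1023
    return bytes([head, ((cylinder >> 8) << 6) | sector, cylinder & 0xFF])

def build_entry(ptype, start_lba, sectors, rel_lba=None, active=False):
    """Build one 16-byte partition table entry.

    start_lba is the absolute first sector; rel_lba is the value stored at
    offsets 8-11 when it differs (entries inside an extended partition).
    """
    if sectors <= 0:
        raise ValueError("partition must contain at least one sector")
    end_lba = start_lba + sectors - 1
    if lba_to_chs(end_lba)[1:] != (HEADS - 1, SECTORS_PER_TRACK):
        raise ValueError("partition does not end at X, 254, 63; check the size")
    stored_lba = start_lba if rel_lba is None else rel_lba
    return (bytes([0x80 if active else 0x00])
            + pack_chs(*lba_to_chs(start_lba))
            + bytes([ptype])
            + pack_chs(*lba_to_chs(end_lba))
            + struct.pack("<II", stored_lba, sectors))

def patch_sector(sector, slot, entry):
    """Return a copy of a sector with entry in slot 0-3 and the 55 AA flag set."""
    if len(sector) != 512 or len(entry) != 16 or slot not in range(4):
        raise ValueError("need a 512-byte sector, a 16-byte entry and slot 0-3")
    patched = bytearray(sector)           # other bytes, e.g. boot code, are kept
    patched[0x1BE + 16 * slot:0x1BE + 16 * (slot + 1)] = entry
    patched[510:512] = b"\x55\xaa"
    return bytes(patched)

# Sizes quoted in the article.
C_SECTORS = 0x5DE280           # 80, E2, 5d, 00 (NTFS boot sector value plus 1)
EXT_START = 63 + C_SECTORS     # BF, E2, 5d, 00 = 6152895
EXT_SECTORS = 10618965         # 55, 08, A2, 00
D_SECTORS = 0x5DE280           # 80, E2, 5d, 00 from the FAT32 boot sector

def rebuild_article_tables():
    """Rebuild the MBR and first virtual MBR tables on blank (constructed) sectors."""
    mbr = patch_sector(bytes(512), 0, build_entry(0x07, 63, C_SECTORS, active=True))
    mbr = patch_sector(mbr, 1, build_entry(0x0F, EXT_START, EXT_SECTORS))
    ebr = patch_sector(bytes(512), 0,
                       build_entry(0x0B, EXT_START + 63, D_SECTORS, rel_lba=63))
    return mbr, ebr

if __name__ == "__main__":
    mbr, ebr = rebuild_article_tables()
    for name, raw in (("C", mbr[0x1BE:0x1CE]), ("ext", mbr[0x1CE:0x1DE]), ("D", ebr[0x1BE:0x1CE])):
        print(f"{name:4}", raw.hex(" "))
```

The cylinder-boundary check also catches the NTFS off-by-one: building the entry for drive C with the boot sector value 7f, E2, 5d, 00 unchanged raises an error. Apply the result to a saved copy of the sector and compare it with the on-disk bytes before writing anything back.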

The above is what I have newly learned about the basics of disk partition restoration. It is definitely amateur work and not worth much attention. I worked hard to write this document and hope it helps new friends who are interested.
