Winhex data recovery tool tutorial

Source: Internet
Author: User
Data recovery falls into two classes: hard recovery and soft recovery. Hard recovery deals with physical damage to the hard disk: bad sectors, a burnt chip on the circuit board, abnormal noises from the drive, and so on. An ordinary user cannot easily get at the data on such a disk, so we repair it and keep the data, or recover the data after the repair; both are called data recovery, and such faults range from easy to hard. Soft recovery means the hard disk itself is not physically damaged but data has been lost through human error (such as accidental formatting or repartitioning) or through virus damage. Here we mainly introduce soft recovery, because hard recovery also requires buying tool equipment (such as PC3000, a soldering iron, various chips and circuit boards) and some understanding of circuit basics. What we cover here is wide-ranging and goes deep: it includes the data-structure principles that are the basis for accurate manual data recovery, as well as the usage methods and techniques of various data recovery software that let us recover data quickly. All of the software can be downloaded online, so we do not need to invest a penny.

Prerequisite for data recovery: the data must not be damaged or overwritten a second time!

About numbers and codes: I do not want to talk about conversion between binary, hexadecimal and octal, because it does not help our data recovery and is easy to get confused by. If you are interested, search Baidu; there is already plenty of material, so I will not repeat it. For data recovery we mainly use a hexadecimal editor: WinHex (the preferred software for data recovery).

Let us first look at the data structure. Below is the data structure of an entire hard disk divided into three partitions:
MBR | Drive C | EBR | Drive D | EBR | Drive E
MBR, the Master Boot Record, is located at cylinder 0, head 0, sector 1 of the hard disk. It occupies 63 sectors in total, but only one sector (512 bytes) is actually used. Those 512 bytes are divided into three parts: the first part is the boot code, 446 bytes; the second part is the partition table, 64 bytes; the third part is the end mark 55AA, two bytes. What we will discuss is how to use WinHex to restore a damaged partition, which mainly means restoring the second part, the partition table.

Boot code: this is what makes the hard disk bootable. If the boot code is lost but the partition table is still there, the disk can still be used as a slave disk and the data in all its partitions remains accessible, but the disk cannot be used to start the system. To restore the boot code, run the fdisk /mbr command in DOS; this command only rewrites the boot code and does not change the partitions or lose data. Tool software such as DiskGen and WinHex can also do it. If the partition table is lost, however, the whole hard disk appears to have no partitions at all, as if you had just bought a new, unpartitioned disk. The partition table is an area that many viruses like to destroy.

EBR (also called the extended MBR): because the MBR can describe at most four partition entries, if you want more than four partitions on one disk you need the extended-MBR method. The MBR and EBRs are created when the disk is partitioned. For example, the MBR and each EBR occupy 63 sectors, drive C occupies 1435329 sectors, and so on. The data structure is as follows:
Sectors:   63    1435329    63    1435329    63    1253889
           MBR   Drive C    EBR   Drive D    EBR   Drive E
                            |<-------- extended partition -------->|
Each partition consists of five parts: DBR, FAT1, FAT2, Dir and Data. For example, the data structure of drive C is as follows:

Drive C:   DBR | FAT1 | FAT2 | Dir | Data
WinHex is the most widely used tool of its kind: a hexadecimal editor that runs under Windows. It is very powerful, with complete partition-management and file-management functions; it automatically analyzes the partition chain and file cluster chains, backs up a hard disk in different ways and to different degrees, and can even clone an entire hard disk. It can edit the binary content of any type of file (displayed in hexadecimal), and its disk editor can edit any sector of a physical or logical disk, which makes it the preferred tool for manual data recovery.

First install WinHex, then start it. The start center dialog box appears first. We want to operate on a disk, so select "Open Disk", and the "Edit Disk" dialog box appears. Here we can choose to open a single partition or an entire hard disk. HD0 is the 40 GB Western Digital system disk I am currently using; HD1 is the 2 GB hard disk we want to analyze. Choose the entire HD1 and click OK, and the whole WinHex working interface appears.

At the top are the menu bar and toolbar. The large window below is the work area; it currently shows the first sector of the hard disk in hexadecimal, with the corresponding ASCII characters on the right. The details panel on the right is divided into five parts: status, capacity, current position, window state and clipboard state. These are very helpful for getting a grip on the whole disk. You can also right-click to adjust the details panel and window, or close the details panel (if it is closed, choose View > Show > Details Panel to reopen it).
The bottom bar shows useful auxiliary information, such as the current sector and the total number of sectors. When you drag the scroll bar you will see gray horizontal bars; each bar marks the boundary of a sector, and every sector is 512 bytes. Every two hex digits are one byte, for example 00.

Next let us analyze the MBR. As we have said, the first 446 bytes are the boot code, which is of no interest to us, so here we only analyze the 64-byte partition table. The partition table is 64 bytes and describes at most 4 partition table entries. Each entry can describe a primary partition or an extended partition (in the partition table above, the first entry describes the primary partition, drive C, and the second entry describes the extended partition; the third and fourth entries are unused and filled with zeros). Each entry occupies 16 bytes, with the following meaning (h indicates hexadecimal):
Byte position            Content and meaning
Byte 1                   Boot flag: 80h means the active partition, 00h means a non-active partition
Bytes 2, 3, 4            Starting head number, sector number and cylinder number of this partition
Byte 5                   Partition type: 00h unused; 06h FAT16 basic partition; 0Bh FAT32 basic partition; 05h extended partition; 07h NTFS partition; 0Fh extended partition (LBA mode); 83h Linux partition
Bytes 6, 7, 8            Ending head number, sector number and cylinder number of this partition
Bytes 9, 10, 11, 12      Number of sectors before this partition
Bytes 13, 14, 15, 16     Total number of sectors in this partition
Now let us analyze the first partition table (the MBR) of this hard disk.

First partition table entry (drive C):
Byte 1 is 80: this partition is the active partition.
Byte 5 is 0B: the partition type is FAT32.
Bytes 9 to 12, 3F 00 00 00: the "hidden sectors", that is, the number of sectors used before the current partition (drive C). This is a hexadecimal number stored in reverse byte order, so the actual value is read backwards: if the four bytes are 3E 4D 5A 6F, the actual number is 6F 5A 4D 3E. So 3F 00 00 00 is read as 00 00 00 3F, that is 3Fh, and converting it to decimal gives the actual number of hidden sectors. Use the calculator for this: click the "Calculator" button on the toolbar. The calculator has two modes; to convert hexadecimal we need to choose "Scientific". To convert hexadecimal 3F to decimal, first select "Hex", enter 3F, then select "Dec": 3Fh is 63 in decimal. Recall what we said earlier: the MBR occupies 63 sectors, so the number of sectors before drive C is 63 and the 64th sector is the first sector of drive C. LBA addresses on the whole disk count from zero, so sectors 0 to 62 are the MBR.
Bytes 13 to 16, the total number of sectors in the current partition (that is, the size of drive C): C1 E6 15 00. Read backwards in the same way, the actual hexadecimal number is 00 15 E6 C1, which is 1435329 in decimal.

Now a question for you: which sector holds the EBR of drive D? Look at the data structure table above again. Isn't drive C followed directly by drive D's EBR? So the first sector of that EBR is MBR + C, that is 63 + 1435329 = 1435392.
Right? Click the "Go To Sector" button on the toolbar; in the "Go To Sector" dialog box enter 1435392 and click OK, and we are at sector 1435392 (you can use the same button to go back to sector 0). This is the EBR of drive D, that is, the partition table of drive D. How do we know? The MBR and the EBR have the same structure: each occupies 63 sectors, only the first sector is used and the remaining 62 are not needed. In that first sector, the first 446 bytes are boot code, the next 64 bytes are the partition table, and the last two bytes are the 55AA end mark. Since an EBR is not an active partition and needs no boot code, its first 446 bytes are zero. Another way to reach drive D's EBR is to click the "Access" drop-down button, then "Partition 2" > "Partition table", which goes directly to sector 1435392. Its first partition table entry is analyzed in the same 16-byte way. Now let us look at the second partition table entry of the MBR (the extended partition).
Byte 1 is 00: the partition is not active.
Byte 5 is 05: extended partition.
Bytes 9 to 12, 00 E7 15 00: the number of sectors before the current partition (before the extended partition come the MBR and drive C; haven't we calculated this number before?). Read backwards it is 00 15 E7 00, which is 1435392 in decimal, the number we calculated before.
Bytes 13 to 16, 40 09 29 00: the total number of sectors in the current partition, that is, the total number of sectors of the extended partition, which is 2689344 in decimal. Think about it: 1435392 + 2689344 is exactly the total number of sectors of the entire hard disk.

So if the partition table is damaged, we only need to calculate these values and fill them in, and the partition table is restored. Why, then, don't we analyze bytes 2 to 4 (starting head, sector and cylinder of the partition) and bytes 6 to 8 (ending head, sector and cylinder)? Because C/H/S (cylinder/head/sector) is an old addressing method that manages hard disks inefficiently; almost all current hard disks support LBA (logical block addressing), which is simple and efficient. In LBA mode the system numbers all physical sectors in one sequence from zero up to a maximum value, so a single ordinal number identifies a unique physical sector.
TIPS: we do not need to memorize the number of LBA sectors on a hard disk, because it can be detected with various tools (such as MHDD or WinHex); we only need a rough idea. For example, a 10 GB hard disk has about 20 million sectors, a 20 GB disk about 40 million, a 40 GB disk about 80 million, and so on; a 2 GB hard disk therefore has about 4 million sectors.
So you may ask: when restoring the partition table, what should we fill in for the starting head, sector and cylinder and the ending head, sector and cylinder? It is very simple; I will tell you later when we restore the partition table. They are filled in directly, with no calculation required. Are you interested in analyzing the EBR of drive D?
In fact we need not analyze the EBR of drive D or of drive E, because it is nothing more than another partition table with the same structure as the MBR, and it easily confuses us. Since an EBR is generally not easily damaged, I do not recommend analyzing it.
But if you must analyze it, analyze it.
Click the "Access" drop-down button, then "Partition 2" > "Partition table", which goes directly to sector 1435392, the partition table (EBR) of drive D. First partition table entry (drive D):
Byte 1 is 00: the partition is not active.
Byte 5 is 06: FAT16 partition.
Bytes 9 to 12, 3F 00 00 00: the number of sectors before the current partition, that is, the 63 sectors of the EBR.
Bytes 13 to 16, C1 E6 15 00: the total number of sectors in the current partition, that is, the size of drive D. Read backwards it is 00 15 E6 C1, which is 1435329 in decimal.
Second partition table entry (what follows drive D):
Byte 1 is 00: the partition is not active.
Byte 5 is 05: extended partition.
Bytes 9 to 12, 00 E7 15 00: the number of sectors before the current partition, that is, drive D's EBR plus the size of drive D: 63 + 1435329 = 1435392.
Bytes 13 to 16, 40 22 13 00: the total number of sectors in the partition, 1253952, that is, the size of drive E plus one EBR.
Click the "Access" drop-down button, then "Partition 3" > "Partition table", which goes directly to sector 2870784, the partition table (EBR) of drive E. Because there is no partition after drive E, there is no second partition table entry. We will not study it further here; if you are interested, prepare another hard disk as a slave disk and study how it is divided.

From the above we can summarize how partitions are defined. The MBR defines the capacity beyond the primary partition as an extended partition, specifying its starting and ending positions; the starting position points to a certain sector of the hard disk, which acts as the next partition table. The partition is then defined in that sector. If only one partition remains, it is defined and the definition ends; if more than one remains, a basic partition and an extended partition are defined, and the extended partition points to the descriptor sector of the next partition. Partitions are defined this way until the definition ends. The sectors that describe the partitions thus form a "partition chain", through which all partitions can be described. At startup the system searches for partitions in the order of the chain until all are found. This chain is obviously an open-ended structure; if it forms a ring, the system does not notice, because it just follows the chain faithfully without any extra checking. The so-called hard disk "logical lock" works by making the partition chain form a ring, so that at startup the system loops in the partition table and cannot boot; even when started from a floppy disk it cannot access the hard disk. Once the structure and principle are understood, this problem is easy to solve, and there are many ways to do it; we will discuss them later. The system uses this method to make one hard disk partition look like several hard disks.
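The decoding steps above (the reversed little-endian "sectors before" and "total sectors" fields, the type byte, the EBR sitting at start + size, and the MBR > EBR > EBR chain that a "logical lock" bends into a ring) as an added Python example. This is not code from the tutorial and not WinHex's own; it builds a small constructed disk image with the same sector numbers and sizes as the disk analyzed here (tables at sectors 0, 1435392 and 2870784). The helper names (make_entry, parse_table, walk_partition_chain, read_sector) are mine, the boot-code bytes are a stand-in, and the CHS fillers 01 01 00 / FE FF FF are assumptions (the page gives FE FF; the third FF is mine). Unlike the system at boot, the walker stops when it revisits an EBR.

```python
import struct

SECTOR_SIZE = 512
EXTENDED_TYPES = {0x05, 0x0F}                 # 05h extended, 0Fh extended (LBA mode)
PARTITION_TYPES = {0x00: "unused", 0x05: "extended", 0x06: "FAT16", 0x07: "NTFS",
                   0x0B: "FAT32", 0x0F: "extended (LBA)", 0x83: "Linux"}


def make_entry(boot, ptype, start, size):
    """One 16-byte partition table entry (constructed). CHS start/end use the
    tutorial's generic fillers 01 01 00 and FE FF (third end byte FF assumed);
    'sectors before' and 'total sectors' are stored low byte first."""
    return bytes([boot, 0x01, 0x01, 0x00, ptype, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", start, size)


def make_table_sector(entries, boot_code=b""):
    """Assemble a 512-byte MBR/EBR: boot code, four entries at offset 446, 55AA at 510."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[446:510] = b"".join(entries).ljust(64, b"\x00")
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


def parse_entry(raw):
    """Decode the fields the tutorial reads by hand; '<II' does the byte reversal."""
    start, size = struct.unpack_from("<II", raw, 8)
    return {"boot": raw[0], "type": raw[4], "start": start, "size": size}


def parse_table(sector):
    """All four entries of a table sector; refuses a sector without the 55AA end mark."""
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("no 55AA end mark: not a partition table sector")
    return [parse_entry(sector[446 + 16 * i:462 + 16 * i]) for i in range(4)]


def walk_partition_chain(read_sector):
    """Follow MBR -> EBR -> EBR the way the system does at boot.
    Returns (partitions with absolute start LBAs, ring_detected)."""
    partitions, ext_base = [], None
    for e in parse_table(read_sector(0)):
        if e["type"] == 0x00:
            continue
        if e["type"] in EXTENDED_TYPES:
            ext_base = e["start"]          # absolute LBA of the first EBR
        else:
            partitions.append({"table_lba": 0, "type": PARTITION_TYPES.get(e["type"], hex(e["type"])),
                               "start": e["start"], "size": e["size"]})
    visited, ebr_lba = set(), ext_base
    while ebr_lba is not None:
        if ebr_lba in visited:             # the chain came back to a sector already seen
            return partitions, True
        visited.add(ebr_lba)
        first, second = parse_table(read_sector(ebr_lba))[:2]
        if first["type"] != 0x00:
            # the first EBR entry's 'sectors before' is relative to the EBR itself
            partitions.append({"table_lba": ebr_lba, "type": PARTITION_TYPES.get(first["type"], hex(first["type"])),
                               "start": ebr_lba + first["start"], "size": first["size"]})
        # the second entry's 'sectors before' is relative to the extended partition base
        ebr_lba = ext_base + second["start"] if second["type"] in EXTENDED_TYPES else None
    return partitions, False


# Constructed image with the same layout as the 2 GB disk analyzed in the tutorial.
MBR = make_table_sector([make_entry(0x80, 0x0B, 63, 1435329),          # drive C, FAT32, active
                         make_entry(0x00, 0x05, 1435392, 2689344)],     # extended partition
                        boot_code=b"\x33\xC0\x8E\xD0")                  # stand-in for real boot code
EBR_D = make_table_sector([make_entry(0x00, 0x06, 63, 1435329),        # drive D, FAT16
                           make_entry(0x00, 0x05, 1435392, 1253952)])   # next EBR plus drive E
EBR_E = make_table_sector([make_entry(0x00, 0x07, 63, 1253889)])       # drive E, NTFS, no second entry
DISK = {0: MBR, 1435392: EBR_D, 2870784: EBR_E}

# Same disk, but drive E's EBR points back to drive D's EBR: a ring, the "logical lock".
RING_DISK = dict(DISK)
RING_DISK[2870784] = make_table_sector([make_entry(0x00, 0x07, 63, 1253889),
                                        make_entry(0x00, 0x05, 0, 1435392)])


def read_sector(lba, image=DISK):
    """Stand-in for WinHex's Go To Sector: sectors not in the image read as zeros."""
    return image.get(lba, bytes(SECTOR_SIZE))


if __name__ == "__main__":
    parts, ring = walk_partition_chain(read_sector)
    for p in parts:
        print(p)
    print("ring detected:", ring)
    print("ring detected on locked disk:", walk_partition_chain(lambda lba: read_sector(lba, RING_DISK))[1])
```

Running it lists drive C at sector 63, drive D at 1435392 + 63 and drive E at 2870784 + 63 with the sizes from the tables above, and reports the ring only for the locked image.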
The only way for the system to find a logical disk other than drive C is to follow the chain described by the EBRs. In practice an EBR is usually not damaged, or the probability is extremely low; generally only the MBR is damaged. In that case we only need to restore the 64-byte partition table in the MBR, and the other partitions follow the chain it provides. So how do we restore a partition table? By combining calculation with WinHex's powerful functions.

Next we will simulate the partition table being destroyed by a virus by filling the whole MBR with zeros. First select the sector where the MBR is located: point to the first byte, right-click and choose "Beginning of block"; point to the last byte of the MBR, right-click and choose "End of block"; right-click inside the selected area and choose "Edit", then "Fill Block" from the menu that appears. In the fill dialog box, enter "00" in the "Fill with hex values" box and click OK: every byte of the MBR sector is now 00. (To cancel a selection, drag the mouse to select another area; the original selection is then cancelled.) Note that modified sector data that has not yet been written to disk is shown in a different color; the change has not taken effect on the disk. To write it to disk, choose the "Save Sectors" command from the "File" menu. A prompt appears: click Cancel if you do not want to save, or OK and then Yes if you do. The sector is saved and the modified data turns black again. The partition table is now deleted, but the change takes effect only after a restart: if you open My Computer now, you will find that the three partitions (F, G, H) are still there and their data can still be used normally.
Now close all programs and restart the computer. After a long wait the computer starts up. Open My Computer: the three partitions F, G and H are gone. Start WinHex and you will see that the whole MBR is zero. Next we begin restoring the partition table by hand.

First we restore the boot code, which is the simplest part: just copy the boot code from another system disk with WinHex. Don't I have two hard disks in this machine, a 2 GB Maxtor and a 40 GB Western Digital, the latter being my system disk? Copy it from that disk. Click the disk editor button and in the "Edit Disk" dialog box select HD0 WDC WD400EB---00CPF0, then click OK; the system disk is now open and we have two windows. The current window, "Hard Disk 0", is shown in the title bar, and in the window list it is ticked; to switch back to the original window click "Hard Disk 1". Select the boot code of the system disk, right-click the selection, choose "Edit" and then "Copy Block" > "Normally"; switch back to the "Hard Disk 1" window, right-click the first byte of sector 0, choose "Edit" > "Clipboard Data" > "Write ...", and click OK in the prompt. The boot code from a healthy system disk has now been copied over.

Next we restore the partition table (64 bytes in total, divided into 4 entries of 16 bytes each; normally only the first two entries are used). First we restore the first entry (the one describing drive C). Fill in the boot flag in its first byte (the second-to-last byte of the fifth line from the bottom of sector 0). Since drive C is an active partition, fill in 80.
Next, bytes 2 to 4 (the starting head, sector and cylinder of the partition): fill in 01 01 00.
Byte 5 is the partition type. Since drive C was originally FAT32, enter 0B. What if you don't know the format of drive C? Ask the customer. What if he doesn't know either? Don't worry; I will teach you how to tell the partition format apart when we discuss restoring the DBR later.
Bytes 6 to 8 are the ending head, sector and cylinder of the current partition. How do we get them? Don't worry: current disks are all LBA-oriented rather than C/H/S (cylinder, head, sector)-oriented, so it does not matter what you fill in here, but there is a common fill value: FE FF.
Bytes 9 to 12 are the number of sectors before the current partition, that is, the number of sectors occupied by the MBR. Isn't that 63? Yes, but 63 must be converted to hexadecimal and then entered in reverse byte order. Remember how to use the calculator? 63 converts to 3F; pad it with zeros to four bytes, 00 00 00 3F, and reverse the bytes: 3F 00 00 00.

Bytes 13 to 16 are the total number of sectors in the current partition, that is, the size of drive C, which takes a little calculation. Drive C starts at sector 63 and is followed by an EBR, so the first sector of that EBR minus 63 is the size of drive C. How do we find the first sector of the EBR? As we said, the EBR has the same structure as the MBR, so the end mark of the EBR must be 55AA; if we find that end mark, we can check whether the sector is the EBR. Click "Search" > "Find Hex Values ...", enter "55AA" in the text box, choose to search "All", tick the condition and set it to "offset mod 512 = 510", and click OK. The first "55AA" found is in sector 63, which is not the EBR we are looking for. Press F3 to continue searching; several more sectors turn up and none of them is it. Is the next one? As we said above, the EBR has the same structure as the MBR, so the last two bytes of the fifth line from the bottom should be 00 01 and the first 446 bytes should be zero; obviously this one is not an EBR either. Keep searching with F3, and finally we find the real EBR at sector 1435392.

TIPS: hard disks are quite large now, and searching for 55AA sector by sector is too slow. Is there a way to speed it up? Yes: first ask the customer the approximate size of drive C; most customers still know it.
For example, if he says drive C is about 10 GB, do not start from sector 0, because that is too slow. 10 GB is about 20 million sectors, so use "Go To Sector" to jump directly to sector 19 million and start searching from there; it is much faster. Then 1435392 minus 63 gives 1435329, which converted to hexadecimal is 15E6C1; reversed, it is C1 E6 15 00, the size of drive C. The first partition table entry is now filled in. Save it and move on to the second partition table entry.

Second partition table entry:
Byte 1: write 00, because it is a non-active partition.
Bytes 2 to 4: fill in 01 01 00 (the common value).
Byte 5: fill in 0F, because it is an extended partition.
Bytes 6 to 8: fill in FE FF (the common value).
Bytes 9 to 12 are the number of sectors before the current partition, which should be the size of drive C plus 63, that is, 1435392, the number we just calculated above; in hexadecimal and reversed it is 00 E7 15 00.
Bytes 13 to 16 are the total number of sectors in the current partition, that is, of the extended partition: the size of the entire hard disk minus the size of drive C minus 63, that is 4124736 - 1435329 - 63 = 2689344. In hexadecimal that is 290940, which reversed is 40 09 29 00.

The second partition table entry is now complete. Don't forget to fill in the final end mark 55AA. With that the MBR is completely restored. Finally, save and restart. After booting, I can't wait to open My Computer, and all three partitions are back with their data intact. Right-click "My Computer", choose "Manage", and in the dialog box select "Disk Management"; on the right you can see that all three partitions of Disk 1 (FAT32, FAT16, NTFS) are back. The manual recovery of the partition table has succeeded.

Manual data recovery has a high success rate; it is interesting and challenging, and it can retrieve files that much "silly" software cannot find. But the engineer must be patient and keep a clear head: know what you are doing, what will happen after the operation, and whether you can return to the previous state. Be especially careful with destructive operations; whenever conditions permit, back up the data before the operation. Otherwise it will be a lesson learned in "blood". Remember!!!
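The rebuilding steps above (hex conversion with byte reversal, the two MBR entries computed from drive C's size and the disk's total sector count, and the 55AA search with the "offset mod 512 = 510" condition plus the zero-boot-code check that tells the real EBR apart from a DBR) as an added Python example; it is not the tutorial's code. The helper names, the constructed sectors (a FAT32 DBR at sector 63 and drive D's EBR at sector 1435392) and the CHS fill FE FF FF (the page gives FE FF) are assumptions; the extended type 0F follows the restore step on this page, whereas the original table held 05.

```python
import struct

SECTOR_SIZE = 512


def winhex_hex(n):
    """A sector count as it is typed into WinHex: 4 bytes, low byte first (63 -> '3f 00 00 00')."""
    return struct.pack("<I", n).hex(" ")


def build_entry(boot, ptype, start, size):
    """16-byte entry with the tutorial's generic CHS fillers 01 01 00 / FE FF (+FF, assumed)."""
    return bytes([boot, 0x01, 0x01, 0x00, ptype, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", start, size)


def rebuild_mbr_table(c_size, total_sectors, c_type=0x0B, mbr_sectors=63):
    """The 66 bytes written at offset 446 of sector 0: the entry for drive C, the entry for
    the extended partition (type 0F as in the restore step), two unused entries, and 55AA.
    Only drive C's size and the disk's total sector count are needed."""
    ext_start = mbr_sectors + c_size                 # MBR + drive C
    ext_size = total_sectors - c_size - mbr_sectors  # everything after drive C
    entry_c = build_entry(0x80, c_type, mbr_sectors, c_size)
    entry_ext = build_entry(0x00, 0x0F, ext_start, ext_size)
    return entry_c + entry_ext + bytes(32) + b"\x55\xAA"


def looks_like_ebr(sector):
    """The check applied to each 55AA hit: end mark at offset 510, first 446 bytes zero
    (an EBR carries no boot code), first entry non-active with a partition type set."""
    return (sector[510:512] == b"\x55\xAA" and not any(sector[:446])
            and sector[446] == 0x00 and sector[450] != 0x00)


def find_first_ebr(read_sector, from_lba, to_lba):
    """F3-style scan from an estimated starting sector; returns the LBA or None."""
    for lba in range(from_lba, to_lba):
        if looks_like_ebr(read_sector(lba)):
            return lba
    return None


def c_drive_size(ebr_lba, mbr_sectors=63):
    """Drive C starts right after the MBR and ends where its EBR begins."""
    return ebr_lba - mbr_sectors


# Constructed sectors: a FAT32 DBR at sector 63 (has 55AA but jump code at the start, so it
# is not an EBR) and drive D's EBR at sector 1435392, as on the tutorial's disk.
DBR_C = bytes([0xEB, 0x58, 0x90]) + bytes(507) + b"\x55\xAA"
EBR_D = bytes(446) + build_entry(0x00, 0x06, 63, 1435329) + bytes(48) + b"\x55\xAA"
IMAGE = {63: DBR_C, 1435392: EBR_D}


def read_sector(lba):
    """Stand-in for reading the disk: sectors not in the image read as zeros."""
    return IMAGE.get(lba, bytes(SECTOR_SIZE))


if __name__ == "__main__":
    ebr = find_first_ebr(read_sector, 1_400_000, 1_500_000)   # start near the customer's estimate
    size_c = c_drive_size(ebr)
    print("EBR at sector", ebr, "-> drive C size", size_c, "=", winhex_hex(size_c))
    print(rebuild_mbr_table(size_c, 4124736).hex(" "))
```

The printed table starts with 80 01 01 00 0b fe ff ff 3f 00 00 00 c1 e6 15 00 and continues with the extended entry 00 e7 15 00 / 40 09 29 00, the same values worked out by hand above.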
The following describes how to manually recover the DBR and FAT (included in the paid tutorial), which is more complex than manual recovery of the partition table and requires a lot of calculation. After manual recovery with WinHex, we will talk about some data recovery software, combined with data
