NTFS Partition Recovery Concepts - III

by Sharan R

Partition is deleted or Partition Table is damaged. Unformat.


The information about the primary partitions and the extended partition is contained in the Partition Table, a 64-byte data structure located in the same sector as the Master Boot Record (cylinder 0, head 0, sector 1). The Partition Table conforms to a standard layout, which is independent of the operating system. The last two bytes in the sector are a signature word for the sector and are always 0x55AA.

For our disk layout, the Partition Table looks like this:
 
Physical Sector: Cyl 0, Side 0, Sector 1
0000001B0                                              80 01   ................
0000001C0   01 00 07 FE 7F 3E 3F 00  00 00 40 32 4E 00 00 00   .....>?...@2N...
0000001D0   41 3F 06 FE 7F 64 7F 32  4E 00 A6 50 09 00 00 00   A?...d.2N..P....
0000001E0   41 65 0F FE BF 4A 25 83  57 00 66 61 38 00 00 00   Ae...J%.W.fa8...
0000001F0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 55 AA   ..............U.
 

We can see three existing entries and one empty entry:
  • Partition 1, offset 0x01BE (446)
  • Partition 2, offset 0x01CE (462)
  • Partition 3, offset 0x01DE (478)
  • Partition 4 - empty, offset 0x01EE (494)
Each Partition Table entry is 16 bytes long, making a maximum of four entries available. Each partition entry has fields for Boot Indicator (BYTE), Starting Head (BYTE), Starting Sector (6 bits), Starting Cylinder (10 bits), System ID (BYTE), Ending Head (BYTE), Ending Sector (6 bits), Ending Cylinder (10 bits), Relative Sector (DWORD), Total Sectors (DWORD).

Thus the MBR loader can determine the location and size of each partition. The MBR loader looks for the "active" partition, i.e. the partition whose Boot Indicator equals 0x80 (the first one in our case), and passes control to that partition's boot sector for further loading.
Let's consider the situations that cause the computer to hang while booting, or that cause data loss.

1. What will happen if no partition has been set to the Active state (Boot Indicator=0x80)?
Let's remove the Boot Indicator from the first partition:
 
0000001B0                                              00 01   ................
0000001C0   01 00 07 FE 7F 3E 3F 00  00 00 40 32 4E 00 00 00   .....>?...@2N...
 

When we try to boot now, we see an error message like "Operating System not found". It means that the loader cannot determine which partition is the active system partition to pass control to.

2. What will happen if a partition has been set to the Active state (Boot Indicator=0x80) but there are no system files on that partition?

(This could happen if, for example, we had used FDISK and selected the wrong partition as active.)
The loader will try to boot from there and fail, then try to boot from other devices such as a floppy; if that fails too, we'll see an error message like "Non-System Disk or Disk Error".

3. What will happen if a partition entry has been deleted?

If it has been deleted, the next two partitions will move one line up in the partition table.
 
Physical Sector: Cyl 0, Side 0, Sector 1
0000001B0                                              80 00   ................
0000001C0   41 3F 06 FE 7F 64 7F 32  4E 00 A6 50 09 00 00 00   A?...d.2N..P....
0000001D0   41 65 0F FE BF 4A 25 83  57 00 66 61 38 00 00 00   Ae...J%.W.fa8...
0000001E0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0000001F0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 55 AA   ..............U.
 

If we try to boot now, the former second (FAT) partition becomes the first and the loader will try to boot from it. If it's not a system partition, we'll get the same error messages.

4. What will happen if a partition entry has been damaged?

Let's write zeros to the location of the first partition entry.
 
Physical Sector: Cyl 0, Side 0, Sector 1
0000001B0                                              80 00   ................
0000001C0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0000001D0   41 3F 06 FE 7F 64 7F 32  4E 00 A6 50 09 00 00 00   A?...d.2N..P....
0000001E0   41 65 0F FE BF 4A 25 83  57 00 66 61 38 00 00 00   Ae...J%.W.fa8...
0000001F0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 55 AA   ..............U.
 

If we try to boot now, the MBR loader will try to read and interpret zeros (or other garbage) as partition parameters and we'll get an error message like "Missing Operating System".

Thus, the second step in partition recovery is to run Disk Viewer and to make sure that the proper partition exists in the partition table and has been set as active.
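The check described above can also be scripted. The following is an added example, not code from the original article: it decodes the four 16-byte entries using the field layout given earlier and flags the table conditions behind scenarios 1 and 4. The table bytes are copied from the first dump on this page; the zero-filled boot code area and the names `parse_mbr` and `diagnose` are assumptions made for illustration.

```python
import struct

# Partition Table bytes (sector offsets 0x1BE-0x1FF) copied from the page's first dump.
TABLE_HEX = (
    "80 01 01 00 07 FE 7F 3E 3F 00 00 00 40 32 4E 00 "
    "00 00 41 3F 06 FE 7F 64 7F 32 4E 00 A6 50 09 00 "
    "00 00 41 65 0F FE BF 4A 25 83 57 00 66 61 38 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "55 AA"
)
# The boot code area (0x000-0x1BD) is zero-filled here; that part is constructed.
SECTOR = bytes(446) + bytes.fromhex(TABLE_HEX)

def chs(head, sec_byte, cyl_byte):
    """Return (cylinder, head, sector); the cylinder's top 2 bits sit in the sector byte."""
    return ((sec_byte & 0xC0) << 2 | cyl_byte, head, sec_byte & 0x3F)

def parse_mbr(sector):
    if len(sector) != 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("not an MBR sector: bad length or signature")
    entries = []
    for i in range(4):
        raw = sector[446 + 16 * i: 462 + 16 * i]
        boot, sh, ss, sc, sysid, eh, es, ec, lba, total = struct.unpack("<8B2I", raw)
        entries.append({"index": i + 1, "boot": boot, "system_id": sysid,
                        "start_chs": chs(sh, ss, sc), "end_chs": chs(eh, es, ec),
                        "lba_start": lba, "sectors": total, "empty": not any(raw)})
    return entries

def diagnose(entries):
    """Flag the table conditions behind the boot failures discussed on the page."""
    issues = []
    used = [e for e in entries if not e["empty"]]
    active = [e for e in used if e["boot"] == 0x80]
    if len(active) != 1:
        issues.append(f"{len(active)} active partitions (expected exactly 1)")
    for e in used:
        if e["boot"] not in (0x00, 0x80):
            issues.append(f"entry {e['index']}: invalid Boot Indicator {e['boot']:#04x}")
        if e["system_id"] == 0 or e["sectors"] == 0:
            issues.append(f"entry {e['index']}: damaged (no System ID or zero size)")
    ordered = sorted(used, key=lambda e: e["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            issues.append(f"entries {a['index']} and {b['index']} overlap")
    return issues
```

On the page's layout the three partitions are contiguous (each one starts at the sector where the previous one ends), so `diagnose` reports nothing until the Boot Indicator is cleared or an entry is zeroed.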
 
How can recovery software help you in the above-mentioned scenarios?
  1. Discover the partitions and suggest which one to set as active (even FDISK does so).
  2. Discover the partitions and suggest which one to set as active.
  3. Perform a scan of free disk space to look for a partition boot sector or remnants of the deleted partition's information, in order to try to reconstruct the Partition Table entry for the deleted partition.
  4. Perform a scan of all disk space to look for a partition boot sector or remnants of the damaged partition's information, in order to try to reconstruct the damaged Partition Table entry.
Why is the partition boot sector so important?

Because if recovery software finds it, all the parameters needed to reconstruct the partition's entry in the Partition Table are there.

What would happen if a partition entry had been deleted, then recreated with other parameters and re-formatted?

In this case, instead of the original partition entry we would have a new one, and everything would work fine, except that later on we might recall that we had some important data on the original partition. If you created a backup of the MBR, Partition Table and Volume Sectors beforehand (for example, Active@ Partition Recovery and Active@ UNERASER (Unformat) can do this), you can virtually restore it and look for your data, provided it has not yet been overwritten with new data.
Some advanced recovery tools can also scan the disk surface and try to reconstruct the previously deleted partition information from whatever pieces remain (i.e. perform virtual partition recovery). However, it is not guaranteed that anything can be recovered.
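To show why a found boot sector is enough to rebuild an entry, here is an added example (not from the original article or from any recovery product) that scans an image for an NTFS boot sector and regenerates the 16-byte entry from its BIOS Parameter Block. The image is constructed with only the fields the code reads; the helper names are hypothetical, and the code assumes a primary partition and that the partition is one sector larger than the volume's total-sectors field, because the last sector holds the backup boot sector.

```python
import struct

SECTOR_SIZE = 512

def make_ntfs_boot_sector(hidden, total, spt=63, heads=255):
    """Constructed sample: only the BPB fields this example reads are filled in."""
    bs = bytearray(SECTOR_SIZE)
    bs[0x03:0x0B] = b"NTFS    "                        # OEM ID
    struct.pack_into("<HB", bs, 0x0B, SECTOR_SIZE, 8)  # bytes/sector, sectors/cluster
    struct.pack_into("<HHI", bs, 0x18, spt, heads, hidden)
    struct.pack_into("<Q", bs, 0x28, total)            # total sectors in the volume
    bs[0x1FE:0x200] = b"\x55\xAA"
    return bytes(bs)

def find_ntfs_boot_sectors(image):
    """Yield (lba, sector) for every sector that looks like an NTFS boot sector."""
    for off in range(0, len(image) - SECTOR_SIZE + 1, SECTOR_SIZE):
        s = image[off:off + SECTOR_SIZE]
        if s[0x03:0x0B] == b"NTFS    " and s[0x1FE:0x200] == b"\x55\xAA":
            yield off // SECTOR_SIZE, s

def lba_to_chs_bytes(lba, heads, spt):
    c, rem = divmod(lba, heads * spt)
    h, s = divmod(rem, spt)
    if c > 1023:                                       # beyond CHS range: saturate
        c, h, s = 1023, heads - 1, spt - 1
    return bytes([h, (s + 1) | ((c >> 8) << 6), c & 0xFF])

def rebuild_entry(lba, bs, active=False):
    """Build the 16-byte Partition Table entry described by a found boot sector."""
    spt, heads, hidden = struct.unpack_from("<HHI", bs, 0x18)
    (total,) = struct.unpack_from("<Q", bs, 0x28)
    if hidden != lba:
        raise ValueError(f"hidden sectors {hidden} != found LBA {lba}: not a primary start")
    size = total + 1    # assumption: last partition sector holds the backup boot sector
    return (bytes([0x80 if active else 0x00]) + lba_to_chs_bytes(lba, heads, spt)
            + b"\x07" + lba_to_chs_bytes(lba + size - 1, heads, spt)
            + struct.pack("<II", lba, size))

# Constructed image: 63 empty sectors (zeroed MBR and gap), then the boot sector.
IMAGE = bytes(63 * SECTOR_SIZE) + make_ntfs_boot_sector(hidden=63, total=5124671)
```

With these constructed values, `rebuild_entry` reproduces the first partition entry from the page's dump byte for byte; the Boot Indicator is the one field the boot sector cannot supply, which is why it is a parameter.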

 

1 Response to 'NTFS Partition Recovery Concepts - III'
  1. Sara
    December 27, 2010 at 4:31 PM

    Excellent post, Its very useful sharing, Each and every person can now think and develop many things with IT Support though the person is not that much literate. Thanks

     
