June 18th, 2018, 21:46
Partition Start End Size in sectors
1 * DiskSecure MB 13578 105 19 13310 178 61 1920221962
Bad relative sector.
2 * Sys=74 33885 131 23 153418 150 44 1920298864
Bad relative sector.
3 * Linux Swap 14043 1 25 47914 125 15 544145418
Bad relative sector.
4 * SpeedStor 171841 203 21 171845 2 60 51637
Bad relative sector.
Problems occurred between the communication of the disk and the host 237 times. In case of sudden system crash, reboot, blue-screen-of-death, inaccessible file(s)/folder(s), it is recommended to verify data and power cables, connections – and if possible try different cables to prevent further problems.
More information: http://www.hdsentinel.com/hard_disk_cas ... _error.php
June 18th, 2018, 23:32
June 19th, 2018, 1:07
June 19th, 2018, 1:43
June 19th, 2018, 2:03
June 19th, 2018, 2:46
June 19th, 2018, 3:16
June 19th, 2018, 3:53
June 19th, 2018, 8:23
June 19th, 2018, 15:06
AISI, the partition table and NTFS boot sector seem OK. I don't know where TestDisk is getting its information from.
Spildit wrote: jermy wrote: clone the drive
AGREE !!! DO IT NOW !!!
And stop messing with the original one ...
We don't even know if the drive is ok ...
You should check S.M.A.R.T., clone the drive with HDDSuperClone and then run a full MHDD/Victoria scan on the surface !
Why is DMDE showing the drive as a RAID volume?
June 19th, 2018, 16:37
June 19th, 2018, 16:51
If you don't want to clone the drive you should extract the files that you do need right away with R-Studio as your drive most likely will die very shortly. Just retrieve all the files that you can.
Cloning should be the best option but extracting the files is an option as well.
Do NOT try to fix the drive partition, etc UNLESS YOU DO HAVE A CLONE.
If you do mess up you might lose access to the file allocation table and you will end up having to do a raw recovery.
Also be aware that the drive might die at any moment leaving you without any data at all.
June 19th, 2018, 17:21
June 19th, 2018, 17:41
June 19th, 2018, 18:14
You stated this :
For me the drive does have bad sectors/bad blocks that did affect the file allocation tables.
If this were to be my drive I would :
- Backup firmware.
- Patch sysfile 93.
- Use hardware based imaging/cloning tools and build map based on file structure.
- Select the needed / important files.
- Image.
- Select the rest of the files.
- Image.
(as alternative select the rest of the drive space).
June 20th, 2018, 2:04
CHS mode assigns 10 bits for the cylinder number, resulting in a limit of 1024 cylinders (0 - 1023). In CHS mode, sector numbers count from 1, not 0 (seems crazy, but that's the way it is).
This site should tell you everything you want to know about partition tables:
MBR/EBR Partition Tables:
http://thestarman.pcministry.com/asm/mbr/PartTables.htm
I have just tested an NTFS volume and confirmed that the first cluster of the $MFT is byte-for-byte identical to the first cluster of $MFTMirr.
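The 10-bit cylinder field and 1-based sector numbering described in the post above, shown as an added example that is not part of the original thread: a decoder for one 16-byte MBR partition entry that also checks the entry for internal consistency. The 255-head/63-sector geometry, the disk size and both sample entries are assumptions constructed for illustration.

```python
import struct

HEADS, SPT = 255, 63   # assumed translation geometry (common LBA-assist values)

def decode_chs(b):
    """Unpack the 3-byte CHS field of an MBR partition entry."""
    head = b[0]
    sector = b[1] & 0x3F                      # low 6 bits; valid values are 1..63
    cylinder = ((b[1] & 0xC0) << 2) | b[2]    # 2 high bits + 8 low bits = 10 bits
    return cylinder, head, sector

def chs_to_lba(c, h, s):
    return (c * HEADS + h) * SPT + (s - 1)    # s - 1 because sectors count from 1

def check_entry(entry, disk_sectors):
    """Return (fields, problems) for one 16-byte partition entry."""
    status, chs_s, ptype, chs_e, lba, count = struct.unpack("<B3sB3sII", entry)
    start, end = decode_chs(chs_s), decode_chs(chs_e)
    problems = []
    if status not in (0x00, 0x80):
        problems.append("boot flag is neither 0x00 nor 0x80")
    if start[2] == 0 or end[2] == 0:
        problems.append("CHS sector 0 (sectors count from 1)")
    if lba + count > disk_sectors:
        problems.append("partition extends past end of disk")
    # Cylinder 1023 conventionally marks a saturated CHS value, so compare
    # CHS against LBA only when the cylinder field is below that limit.
    if start[0] < 1023 and start[2] != 0 and chs_to_lba(*start) != lba:
        problems.append("start CHS does not match start LBA")
    fields = {"type": ptype, "start_chs": start, "end_chs": end,
              "lba": lba, "sectors": count}
    return fields, problems

# Constructed samples: a plausible NTFS entry starting at LBA 2048, and
# 16 bytes of text standing in for non-partition data read as an entry.
GOOD = bytes.fromhex("80202100 07df130c 00080000 00200300")
JUNK = b"Invalid partitio"
DISK_SECTORS = 1953525168                     # assumed 1 TB drive

if __name__ == "__main__":
    for name, raw in (("GOOD", GOOD), ("JUNK", JUNK)):
        fields, problems = check_entry(raw, DISK_SECTORS)
        print(name, fields, problems or "consistent")
```

An entry that fails several of these checks at once is more likely to be unrelated data interpreted as a partition table than a damaged but genuine entry.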
June 20th, 2018, 2:34
June 20th, 2018, 18:25
LBA:70021380 vol.sec:6291462 Clus:786432 sec:6 (MFT 3)
[-] File #3 ======== (3) ==== ==================
magic ("FILE"): FILE
fixups offset: 30h
fixups count: 3
LSNlo: 022F0095h
LSNHi: 00000000h
seq. number: 3
hlink number: 1
attrs offset: 38h
flags: 1h
used size: 1F0h 496
record size: 400h 1024
basefileref: 0
0x24: 0h
basefileref seq.: 0
next attribute #: 7
0x2A: 0h
file #: 3
fixup: 0045h
[-] #0 $STANDARD_INFORMATION
Attr. type: 10h
Attr. length: 48h 72
Non-resident: 0
Attrname len: 0
Attrname ofs: 18h
Flags: 0h -- --
Attr. number: 0
Data Size: 30h 48
Data Offset: 18h
created: 2015-05-26 08:59:04.501
modified: 2015-05-26 08:59:04.501
changed: 2015-05-26 08:59:04.501
accessed: 2015-05-26 08:59:04.501
attrs: -HS------------- ----------------
Max versions: 0
Version: 0
Class Id: 0
[-] #1 $FILE_NAME
Attr. type: 30h
Attr. length: 68h 104
Non-resident: 0
Attrname len: 0
Attrname ofs: 18h
Flags: 0h -- --
Attr. number: 1
Data Size: 50h 80
Data Offset: 18h
directory: 5 (5 )
created: 2015-05-26 08:59:04.501
modified: 2015-05-26 08:59:04.501
changed: 2015-05-26 08:59:04.501
accessed: 2015-05-26 08:59:04.501
allocated: 0
size: 0
attrs: -HS------------- ----------------
reparse: 0
name len: 7
posix: 3
name: $Volume
[-] #6 Other Attribute
Attr. type: 40h
Attr. length: 28h 40
Non-resident: 0
Attrname len: 0
Attrname ofs: 0h
Flags: 0h -- --
Attr. number: 6
Data Size: 10h 16
Data Offset: 18h
Hex:
000: DE 28 17 04 10 10 A5 4B B9 35 E0 07 C6 36 F3 9E Þ(....¥K¹5à .Æ6óž
[-] #2 $SECURITY_DESCRIPTOR
Attr. type: 50h
Attr. length: 80h 128
Non-resident: 0
Attrname len: 0
Attrname ofs: 18h
Flags: 0h -- --
Attr. number: 2
Data Size: 68h 104
Data Offset: 18h
Hex:
000: 01 00 04 80 48 00 00 00 58 00 00 00 00 00 00 00 ...€H...X.......
010: 14 00 00 00 02 00 34 00 02 00 00 00 00 00 14 00 ......4.........
020: 9F 01 12 00 01 01 00 00 00 00 00 05 12 00 00 00 Ÿ...............
030: 00 00 18 00 9F 01 12 00 01 02 00 00 00 00 00 05 ....Ÿ...........
040: 20 00 00 00 20 02 00 00 01 02 00 00 00 00 00 05 ... ...........
050: 20 00 00 00 20 02 00 00 01 02 00 00 00 00 00 05 ... ...........
060: 20 00 00 00 20 02 00 00 ... ...
[-] #4 $VOLUME_NAME
Attr. type: 60h
Attr. length: 18h 24
Non-resident: 0
Attrname len: 0
Attrname ofs: 18h
Flags: 0h -- --
Attr. number: 4
Data Size: 0h 0
Data Offset: 18h
Volume Name: ?
[-] #5 $VOLUME_INFORMATION
Attr. type: 70h
Attr. length: 28h 40
Non-resident: 0
Attrname len: 0
Attrname ofs: 18h
Flags: 0h -- --
Attr. number: 5
Data Size: Ch 12
Data Offset: 18h
Hex:
000: 00 00 00 00 00 00 00 00 03 01 00 00 00 00 00 00 ............
[-] #3 $DATA
Attr. type: 80h
Attr. length: 18h 24
Non-resident: 0
Attrname len: 0
Attrname ofs: 18h
Flags: 0h -- --
Attr. number: 3
Data Size: 0h 0
Data Offset: 18h
FFFFFFFFh End Mark
June 20th, 2018, 19:41
fzabkar wrote: If you can find it, here is another good resource:
NTFS Forensics: A Programmers View of Raw Filesystem Data Extraction (Jason Medeiros, Grayscale Research 2008).
June 21st, 2018, 4:06
ISTM that you should take this opportunity to learn about NTFS metafiles. I could watch you and learn something as well.
This seems to be a good resource:
http://dubeyko.com/development/FileSyst ... tfsdoc.pdf
BTW, DMDE can display all the metadata attributes