Switch to full style
Discussions related to Atola Insight data recovery/Forensic suite, Atola Bandura standalone imager
Post a reply

Re: imaging doubt "all partions with data"

March 17th, 2014, 10:29

Dmitry Postrigan wrote:mediaman, I don't have that version on hand, but I can help you via Teamviewer. PM me your Teamviewer details and I will have a look.

Dmitry, thanks, I think I have found a solution: use a NEW imaging session with custom range starting one block up from previous session.

fzabkar wrote:If you could show us the MBR code and boot sector code, then that will tell us which OS was responsible for each sector.

As for the "NTFS boot sector at: 63", that appears to be a FAT boot sector. The sector count of 61448562 corresponds to about 31GB at 512 bytes per sector. That's about what you would expect if you tried to create a FAT32 partition in Windows XP and later.

Sector 2048 does appear to be a standard NTFS boot sector, but its size amounts to about 104MB (= 204799 x 512). That's the size of the reserved partition in a Windows 7 system. There must be a second NTFS boot sector at about the 104MB mark. You should also be able to locate its backup by reverse searching the drive.

In short, it does appear that the drive's owner is not telling you the truth.

Viewing Master Boot Record at: 63

Disk signature: 80 C6 10 8E

Partition 0:
Boot Indicator: 94
System ID: 111
Starting Sector: 1176528750
Sectors: 1147495794

Partition 1:
Boot Indicator: 79
System ID: 0
Starting Sector: 0
Sectors: 0

Partition 2:
Boot Indicator: 0
System ID: 0
Starting Sector: 0
Sectors: 0

Partition 3:
Boot Indicator: 78
System ID: 69
Starting Sector: 1394614348
Sectors: 21337

Viewing Master Boot Record at: 2048

Disk signature: 73 73 69 6E

Partition 0:
Boot Indicator: 13
System ID: 79
Starting Sector: 1936269394
Sectors: 1836016416

Partition 1:
Boot Indicator: 112
System ID: 115
Starting Sector: 1917848077
Sectors: 544437093

Partition 2:
Boot Indicator: 67
System ID: 43
Starting Sector: 1818575915
Sectors: 544175136

Partition 3:
Boot Indicator: 114
System ID: 97
Starting Sector: -1450442742
Sectors: 54974

The curios thing is that the File recovery feature of Atola appears to use a different logic to the "image all partitions with data" as it produces the result shown attached. Showing an initial 104mb partition, as Part 0 and the correct 733Gb rest as Part 1.
FileRec.jpg (21.2 KiB) Viewed 8000 times

Re: imaging doubt "all partions with data"

March 17th, 2014, 17:55

I don't see anything wrong with Atola's interpretation. Atola simply examined the partition table and reported what it found. It is up to the operator to make sense of the report. To this end one would expect that the operator would examine the usual suspects, namely sectors 63 and 2048.

IME users often repartition (aka "initialise") their drives and/or format them in some desperate attempt to recover their data. In fact it's obvious that your drive was repartitioned and formatted at least three times in its life.

Since the drive was in a laptop, it would be reasonable to expect that a user would attach it to another machine, either directly via SATA, or via a USB port. This seems to be the standard advice in the user forums. Unfortunately your customer appears to have encountered a 4KB sectored enclosure. Windows most probably reported nonsensical partition sizes, and the user has then compounded the original problem by repartitioning the drive.
Post a reply