Anything related to computer forensics (new section!)
July 22nd, 2015, 14:26
I have a Big Problem. While trying to build a Hackintosh I destroyed my Windows boot data. In Order to get a Bootable USB drive I had to get on my data from one of my HDD. So i removed the HDD and installed it into my fathers PC. Not knowing which one of his drives was the Windows drive I tried the first one which wasnt the right one so I changed it. Booted the PC and my drive was shown as RAW with only 32 MB. I thought it was an error at his PC and put it back into my PC. After I reparied my Windows install the same problem with my HDD occured. So i did a bit of searching and found out that old Gigabyte Boards have a bug which happens if no HDD with an OS is plugged in and you try to boot the PC. The BIOS copies itself on the first HDD in the PC which leads to this problem I have.
Well then i got myself a bootable USB Ultimate Boot CD and tried diffrent tools. I put the ATA option into IDE and started with Seagatools in which I set the max size of the HDD to max native size. In Windows it still was showing RAW with 32MB. But when I ran HDAT2 the drive was shown with 1 TB. So I read that I have to delete the HPA with HDAT2. I followed the instructions in the cookbook but there was no HPA to delete so I "installed" one with 100 sectors and about 50KB. Well you guessed it wasnt a success. My next step was to install EaseUS Partitin Master. After a short search he didnt find anything but today I ran a deep search and he managed to find this:http://prntscr.com/7vqomp
Under "Boot" he has the folder "System Volume Information" and under "EFISECTOR" he finds "EFI" --> "BOOT" --> "BOOTX64.EFI". I didnt wanted to restore them without asking somebody who knows whjat he is doing. I am clearly do not
So what do you guys say? Just restore these files? From the names it sounds like I am exactly looking for those files but I really need to get at my data so I dont want to risk my success chances just because I am inpatient.
Excuse my bad english I am german =)
July 22nd, 2015, 19:16
ISTM that SeaTools restored the full 1TB capacity of the drive, but Windows had already damaged the logical structure during the prior "repair".
I would first remove any HPA that you have created, and then I would examine the disc with a disc editor (eg DMDE freeware). Can you show us DMDE's Partitions window?
July 23rd, 2015, 5:55
Thx for your reply fzabkar =)
But I didnt do any repair yet?! I just let the programm search for these things but didnt restore them? Or do you mean any other "repairs" windows does by itself?
I will remove the HPA and download DMDE and try to get you the Partitions Window.
July 23rd, 2015, 6:43
Oh I get where the missunderstanding occured =) The drive which is "broken" now isnt my Windows drive. My Windows is on one of my 2 SSD's and works fine again. The drive that is corruped is a normal 1 TB HDD just for data storage. So there wasnt any repair attempts done from my side yet.
Like i described EaseUS found those 3 things. Should I restore them? Or just get the DMDE's Partition Window?
July 23rd, 2015, 15:46
I'm reasonably familiar with DMDE, but don't know anything about EaseUS. If you are lucky, DMDE may have a single-click solution, but I would like to see the partition structure before proceeding.
July 23rd, 2015, 18:58
Okay so I am going to delete the HPA and make myslef familiar with DMDE and try to get you that list =)
Thx so far. btw I like your avatar
July 24th, 2015, 7:21
Okay so I did what you asked me for =) HPA is disabled atleast thats what HDAT2 says =)
And here is the Partitions list that you asked for. I hope its the right one?!http://prntscr.com/7wezh0
July 24th, 2015, 11:00
It looks like only sector 0 was "repaired", in which case the fix should be an easy one.
R-click the FAT(04) partition and select Remove the Partition.
Double-click the first "found" NTFS volume and expand the Root. Do you see your original file/folder tree? If so, then go back to the Partitions window, r-click the same NTFS volume and select Insert the Partition (Undelete). Then select Drive -> Apply Changes. You may also need to select Edit -> Edit Mode.
Now reboot to ensure that Windows re-examines the file system. Your data should all be back.
July 24th, 2015, 12:05
Well I almost cried when I saw the drive shown right again and found all the important data again. You have no idea how much that means to me. Thank you VERY MUCH! Seriously you made one person very happy =)
Powered by phpBB © phpBB Group.