Hey Guys, these new larger capacity drives seem to be plagued with issues and early failures. I may be beating a dead horse here but I believe my drive and data are toast at this point.

Victim: WD5000AAKS PWB/2060-701477-001RevA
Tag/2061-701477-800AC [XC4D050A7D90005360 7365]

Format: Basic Single NTFS data partition Volume G on WinXP Pro 64 system. This drive has been used for data and backups only since new and has never had any OS directly installed. The drive had many directories which contained .rar archives. It had no bad clusters and was defragged once per month.

Scenario: I pulled and installed a friends Boot drive on my system hooked directly to my SATA controller. I backed up her drive with DriveImage XML to the root of my G:\ Drive and once the backup was safe and sound I rebooted with Hirens BCD and ran Dban in hopes of wiping her drive in order to slipstream an unattended install to her bare drive. After starting Dban I noticed straight away that I had mis-ticked the drive selection from within Dban and it started wiping my G: drive instead. I caught this within 2-3 seconds and stopped Dban. (I know; I should get the "butt-head" of the day award for this one). After two cups of coffee and about 20 cigarettes I had stopped shaking enough to start my rescue attempts. I ran chkdsk on my G volume and it found and fixed boo-ku file structure errors. Whew! What a relief I exclaimed; "Maybe my data is safe"! NOT! After reboot XP could not read my G: volume so I ran fixmbr from the Hirens cd. After running fixmbr I chose to make an image of G:. After the image was created and saved to a different drive I noticed a slight smokey smell coming from my tower. I immediately powered down and found the victim drive a little warmer than usual and the smell was in fact coming from that drive. I removed the PCB and found D3, Q2, Q3, L2 and R47 burnt up and all the smoke had leaked out. At this point my main concern was my data on G:\ so, using several different popular recovery tools I opened and scanned the image and all the sectors are out of bounds, cross linked and phantom-ized. Great! Now I feel my only option is to send it out to the pros in order to save my data but this is not a viable solution for me due to financial constraints.

Can any of you experts care to comment on this. (Please be gentle- I realize the error in my way) I have attached and R-Studio log file.

Thanks

If DBAN had already begun overwriting your drive it would no longer have shown up as a letter (G: or whatever) at all. So chkdsk would not have been possible. Are you sure you haven't confused the drives somewhere?

Secondarily, if the image you are trying to scan contains another image, it is definitely going to confuse the recovery software.

_________________
You don't have to backup all of your files, just the ones you want to keep.

Thanks drc...

you may be right, I think I have confused things a little. At some point during this time chkdsk ran and spent several minutes repairing files. It may have been after I ran fixmbr. The thing that really worries me is the fact that all of the demo recovery software I have tried has failed to find the original single NTFS Partition or its directories and files. The original partition was only about 49% capacity of the entire drive so there was at least 50% free space. I have search for the MFT at sector 0 and sector 63 but the results are erroneous and incorrect. The softwares are very good at finding old deleted image backups of various drives over the years. Oh well, I will continue my research in hopes of finding a viable alternative to professional recovery.

DBAN for 2-3 seconds probably overwrote about 100000-200000 sectors. enough to wipe out the MBR and boot sector for sure, and any MFT entries that were that early in the drive. The bulk of the MFT should still be intact, as well as the backup boot sector

_________________
You don't have to backup all of your files, just the ones you want to keep.

OK that makes sense! can you suggest where I should look for the 64K $MFTmirr other than sector 0 or sector 1 if those 2 sectors have been overwritten by Fixmbr or Dban. Sectors 3-33 are all Zero and Sectors34-62 are all AF. Sector 63 looks to be identical to Sector 0 and Sector 64 is all 94 Sectors 65-110 are random text data. I have attached a rar file with three of the sectors for anyone who cares to look at it.

You don't need $MFTMirr for anything. I would start by finding your backup boot sector (probably after last sector in the partition) and working backward from there.

_________________
You don't have to backup all of your files, just the ones you want to keep.

Been MIA for a while and thought I had better contribute more to this discussion.

DRC...first off, thanks for your patience. I would like to do exactly that, find my original backup boot sector but my LBA count on this image is showing 976773167. I feel that if I could somehow manage to rebuild the partition back to full size I could recover this drive and if it is a failure I still have the physical disk to work with once I locate a good donor PCB and do the MCU swap. Am I thinking right here? Weird thing too is the fact that many of the programs I have used during this endeavor are showing strange partitions when the only partition on the physical drive has always been basic NTFS with no other partitions since formatted when brand new.

I am totally lost at this point. Can you tell?

Right, but not all of that is partitioned. Start at the end and go backwards until you find it. It will probably be the last sector on the drive that is not just 00s (unless you have previously filled it with something else)

_________________
You don't have to backup all of your files, just the ones you want to keep.

I suspect that the partition ends on a cylinder boundary. Since there are usually 255 logical heads and 63 logical sectors/track, then the number of cylinders in the partitioned area would be 60801.

976773167 / 255 / 63 = 60801.3176

Now 60801 x 255 x 63 = 976768065.

This suggests that the last sector of the partitioned area is 976768064.

_________________
A backup a day keeps DR away.

Update:

Here are some screen shots of Sectors 0, 63 and 976768064. Still doesn't appear to be correct and I am still at a loss as to what to do next. Bare in mind that I am working from a 466GB image because the victim drive is FUBAR with a burnt up PCB. If I could locate a valid replacement and swap the MCU to get the drive up and spinning my testing would be more productive...Happy New Year everyone!!!!!!!

Sector 63 is an NTFS boot sector. Sector 976768064 is a copy of sector 63, as expected. Therefore, it appears that the "sectors in volume" figure of 976773104 doesn't match the actual sectors in volume, which appears to be 976768002 (= 976768064 - 63 + 1). I would check sector 976773166 (= 976773104 + 63 -1) to confirm that it does not have a boot sector structure. I suspect that sector 976768065 would be the boot sector of the second primary partition, or the EBR of an extended partition. Could we see a hex dump of its contents?

If the above checks out OK, then you would need to edit sectors 63 and 976768064 so that they reflect the correct volume size.

We would also need to see sector 0 displayed as an MBR and partition table, not as a boot sector. Better still, can we see a hex dump of sector 0? I suspect that FIXMBR may have corrupted the partition table.

_________________
A backup a day keeps DR away.

Thank you! I have enclosed screen shots of the sectors and views you requested and you could be right about FixMBR jacking things up. I will continue working on this as long as you are willing to assist me. This whole mess is my fault and can be attributed to "dumb" operator error!

Thanks again for your dedication...

Sorry, I've had a massive brain fart. I have misinterpreted your sector numbers. Your first screen shots display sectors 0, 63, and 976768064 in reverse order. I have interpreted them in numerical order, as in your text.

Let me get my brain back into gear and I'll get back to you.

_________________
A backup a day keeps DR away.

I'm confused as to why sectors 0 and 63 are both boot sectors.

You say you imaged drive G:.

If the image file is an image of a physical drive, then sector 0 would contain an MBR and partition table. Sector 63 would be the boot sector of volume G:, ie logical sector 0.

If, OTOH, the file is an image of a logical volume, then sector 0 would be the boot sector of volume G:, ie logical sector 0. In this case logical sector 63 should contain some other data, unless I'm mistaken. Furthermore, if there are 976773104 sectors in the volume, then sector 976773104 (or 976773103?) should be the backup boot sector. You may like to examine both sectors.

In any case, I believe you should follow drc's advice and search for the backup boot sector in your image file. Work backwards from the end of the file and look for an "NTFS" text string or, better still, search for the hexadecimal sequence that marks the beginning of an NTFS boot sector, ie ...

EB 52 90 4E 54 46 53

_________________
A backup a day keeps DR away.

OK Guys...Been away awhile but a lot has come to light on this recovery process. Long Story Short- I sent the drive to Gxxxware on the assumption that they could retrofit a working PCB to get the drive spinning again. Meanwhile I ran PhotoRec on the image file and found almost 90% of my files. Every file on the disk was in .RAR format. The directory structure was not available so I spent several days sorting through triple or quadruple copies of each file. Needless to say this was very time consuming because there were hundreds of thousands of files. While doing this I heard back from Gxxxware and they stated that my drive would need to be opened up in clean room due to platter damage at the cost of $1200 plus. I declined of course and asked that they return my drive. Back to the recovery...since I only recovered about 90% of my files I ran TestDisk (TD) on the image to try to salvage the directory structure and have hit a brick wall again. It seems that TD has found multiple instances of my partition and says I have a "Bad Root Cluster" on the partition. I have attached a few screen shots for everyone to look at in hopes of a finding the next direction to head. The image is scanning as I write this. Thanks everyone.