mbr and partition table recovery - Page 3

Thread: mbr and partition table recovery

  1. #21
    Senior Member WolfeTone's Avatar
    Join Date
    Jun 2007
    Location
    Ireland
    Posts
    197
    So what would format /u achieve?

    The /u switch signals an "unconditional" format which means that no unformat information is stored, all files are erased and all filespace is overwritten with zeroes (actually hex F6h). This ensures that commands like unformat or undelete and utilities such as Norton Unerase will not be able to recover the data.
    Last edited by WolfeTone; June 29th, 2007 at 11:03 AM.

  2. #22
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    So what would format /u achieve?
    Not a lot in this situation, that is an old DOS switch. It would not "see" the NTFS partition and wouldn't be able to reformat it as ReiserFS.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  3. #23
    Senior Member
    Join Date
    Aug 2006
    Location
    India
    Posts
    289
    Quote Originally Posted by SirDice
    And if someone can point me to a MS knowledge base article that states that a format actually overwrites or nulls the data I'd be happy to apologize. Until then I stand by my statement.
    Well, this is something that I have found on the MS KB:

    http://support.microsoft.com/kb/929662

    Look under the MORE INFORMATION section
    "Everything should be made as simple as possible, but not simpler."

    - Albert Einstein

  4. #24
    Senior Member
    Join Date
    Aug 2006
    Location
    India
    Posts
    289
    Now I must say that the article solely applies to Windows Vista (as stated at the end of the article).

    Well, the read was interesting. However I have a question:

    Why, after all, does the /u switch write "F6h" on the disk? Is it not possible to write 00h? If it is not possible then why?

    Once again, what information is stored onto the disk after a format (assuming the file system and the size of the partition to remain the same)?
    "Everything should be made as simple as possible, but not simpler."

    - Albert Einstein

  5. #25
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    NTFS stores a backup copy of the boot sector at the end of the partition and a copy of the MFT (Master File Table) somewhere in the middle. If you can recover those you can restore the filesystem. However I suspect Reiser will overwrite some data at the beginning of the partition (128k maybe?) to store its own data and superblock. As Sir Dice mentioned the data is not explicitly overwritten that I am aware of and I concur that Vista is most likely no different.

    I remember using "debug" to jump to the ROM on the MFM controller to do a low-level format. Those were the days......

    -Maestr0
    Last edited by Maestr0; June 30th, 2007 at 02:19 AM.
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  6. #26
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    Actually Vista is different...............from the MS KB929662:

    When a full format is completed in Windows Vista, any data that previously existed on the hard disk or the removable media is overwritten with zeros.
    Previous Windows versions up to and including XP did not do this.

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  7. #27
    Senior Member
    Join Date
    Aug 2006
    Location
    India
    Posts
    289
    Ummm... well, yes, NTFS does so but then, what about the FAT? I do not see any BACKUP copy in case of FAT/FAT32? How does one recover data from that one?

    Once again, I do not agree that NTFS keeps a backup copy for the MFT. I am open to change; however, here are some lines from the book Inside Microsoft Windows 2000:

    The MFT's own file record is the first entry in the table; the second file record points to a file located in the middle of the disk called the MFT mirror (filename $MftMirr) that contains a copy of the first few rows of the MFT. This partial copy of the MFT is used to locate metadata files if part of the MFT file can't be read for some reason.
    This one contradicts the statement ... as a backup copy is something which is an "entire" copy of the main / original thing. So if we happen to read the $MftMirr file, we can only read some records, not all of them. Since even a high-level format will recreate the MFT as a series of BLANK records, the file location info is lost.

    I think that the recovery in this case is done by reading the files on the disk, not the LOST MFT records.

    Kindly tell me if I am wrong somewhere. Again, one of my questions remains unanswered:

    Why, after all, does the /u switch write "F6h" on the disk? Is it not possible to write 00h? If it is not possible then why?
    I am unable to find the answer on Google (or anywhere else for that matter).

    Thanks in advance.
    "Everything should be made as simple as possible, but not simpler."

    - Albert Einstein
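The locations discussed in posts #25 and #27 (the $MFT, the partial $MFTMirr copy and the backup boot sector) can be read from the NTFS boot sector itself. The following is an added example, not part of the original thread: the sample sector is constructed, and the backup boot sector position assumes the NT 4.0-and-later convention of keeping it in the partition's last sector.

```python
import struct

def parse_ntfs_boot_sector(sector: bytes) -> dict:
    """Decode the fields needed to locate $MFT, $MFTMirr and the backup boot sector."""
    if len(sector) < 512:
        raise ValueError("need at least 512 bytes")
    if sector[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not NTFS")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA end-of-sector marker")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    total_sectors, mft_lcn, mirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    (rec_code,) = struct.unpack_from("<b", sector, 0x40)
    cluster_size = bytes_per_sector * sectors_per_cluster
    # A negative code means the record is 2**|code| bytes; otherwise it counts clusters.
    record_size = 1 << -rec_code if rec_code < 0 else rec_code * cluster_size
    return {
        "cluster_size": cluster_size,
        "record_size": record_size,
        # Byte offsets are relative to the start of the partition.
        "mft_offset": mft_lcn * cluster_size,
        "mftmirr_offset": mirr_lcn * cluster_size,
        # Assumption: the volume is one sector shorter than the partition and
        # the backup boot sector occupies that final sector.
        "backup_boot_offset": total_sectors * bytes_per_sector,
    }

def build_sample_boot_sector() -> bytes:
    """Constructed sample: a 1 GiB partition with 4 KiB clusters (not real data)."""
    s = bytearray(512)
    s[0:3] = b"\xeb\x52\x90"                      # jump instruction
    s[3:11] = b"NTFS    "                         # OEM ID
    struct.pack_into("<HB", s, 0x0B, 512, 8)      # bytes/sector, sectors/cluster
    struct.pack_into("<QQQ", s, 0x28, 2_097_151, 87_381, 131_071)
    struct.pack_into("<b", s, 0x40, -10)          # 2**10 = 1024-byte records
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    for name, value in parse_ntfs_boot_sector(build_sample_boot_sector()).items():
        print(f"{name:20} {value}")
```

If the primary boot sector has been overwritten, the same parser can be pointed at the last sector of the partition to recover these offsets.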

  8. #28
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    For a detailed explanation of the NTFS file systems please look here:

    http://technet2.microsoft.com/Window...c59481033.mspx

    Please remember that a "copy" as in "backup" is not necessarily an exact mirror image. There is sufficient data to perform a recovery providing the metadata are not corrupted. Think of it as a sort of copy of the indexing files.

    Certainly in the past a lot of "backup" systems stored files in a compressed form with a key or master file to allow recreation of the original data. The same concept as data compression.

    F6h or 00h? The question is irrelevant, as the objective is simply to produce a "clean" installation environment. There is no secure erasure requirement, which would require a more complex, multiple overwriting pattern. An incidental feature is that this process tests the writability of sectors/clusters as well as their readability.

    Since, even a High-level format will recreate the MFT as a series of BLANK records, the file location info is lost.
    It doesn't alter the recovery data.

    I think that the recovery in this case is done by reading the files on the disk, not the LOST MFT records.
    It isn't.................. you only have to use recovery software to see that. Programs that recover files from their raw fragments take hours to run. The others (more common) take minutes.

    FAT32 has a recovery mechanism as well:

    http://support.microsoft.com/kb/154997

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  9. #29
    Senior Member
    Join Date
    Aug 2006
    Location
    India
    Posts
    289
    I have the info on NTFS already; thanks still for the info though.

    You have cleared the scene a lot. Actually all my doubt was dependent on the word backup. When Maestr0 said that a "BACKUP COPY" is stored, I took it as a "Complete" backup copy. And all my question about the NTFS MFT and $MftMirr was based on that 'backup' word. Anyway thanks a lot.

    It doesn't alter the recovery data.
    Well, I already know that. Now as you told that
    It isn't.................. you only have to use recovery software to see that. Programs that recover files from their raw fragments take hours to run. The others (more common) take minutes.
    Does that mean that even after a format, some software can read the previous MFT records and recover the files?

    Thanks for the FAT32 link too; it however did not contain anything in DETAIL, but was a nice read.
    Last edited by jockey0109; July 1st, 2007 at 11:46 AM.
    "Everything should be made as simple as possible, but not simpler."

    - Albert Einstein

  10. #30
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    Does that mean that even after a format, some software can read the previous MFT records and recover the files?
    Yes the second two links that I gave will do this.

    The first link is to straight file recovery software that will even work on damaged media. This takes a long time, believe me.

    Might I suggest you try to get hold of an old HDD of 1.7Gb to 4Gb to experiment with? You don't want a large one because of the time it takes.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?
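Whether a format actually overwrote a region, and whether old MFT records survived it, can be checked directly on a raw image. The following is an added example, not part of the original thread: the three images are constructed, and the check relies on each MFT file record beginning with the ASCII signature `FILE`.

```python
from collections import Counter

SECTOR = 512  # assumed sector size for the constructed images

def classify_sector(sector: bytes) -> str:
    """Label one sector as a stale MFT record, a fill pattern, or other data."""
    if sector[:4] == b"FILE":
        return "mft_record"
    first = sector[0]
    if sector == bytes([first]) * len(sector):
        # 00h is what a Vista full format leaves; F6h is the DOS format /u fill.
        return {0x00: "zero_fill", 0xF6: "f6_fill"}.get(first, "other_fill")
    return "data"

def survey(image: bytes) -> Counter:
    """Count sector classes across an image to show what a format left behind."""
    counts = Counter()
    for off in range(0, len(image) - SECTOR + 1, SECTOR):
        counts[classify_sector(image[off:off + SECTOR])] += 1
    return counts

def find_file_records(image: bytes) -> list:
    """Return the byte offsets of sectors that still start an MFT file record."""
    return [off for off in range(0, len(image) - SECTOR + 1, SECTOR)
            if image[off:off + 4] == b"FILE"]

# Constructed samples, not real disk data. Each stale record is 1024 bytes.
STALE_RECORD = b"FILE" + b"\x01\x02" * 510
QUICK_FORMAT = STALE_RECORD * 2 + b"\x00" * 1024   # old records left in place
FULL_FORMAT = b"\x00" * 3072                       # region overwritten with zeros
DOS_FORMAT_U = b"\xf6" * 3072                      # region overwritten with F6h

if __name__ == "__main__":
    for name, img in [("quick", QUICK_FORMAT), ("full", FULL_FORMAT),
                      ("dos /u", DOS_FORMAT_U)]:
        print(f"{name:7} {dict(survey(img))} records at {find_file_records(img)}")
```

On a real image, run the survey over the range where the old $MFT lived: surviving `FILE` sectors mean metadata-based recovery is still possible, while a uniform fill means only the overwritten result remains.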
