hey, im trying to test the limits of recoverabilityness for hosed systems. now i had a fresh install of xp on an NTFS partition on a test machine. then I reset the MBR to zero(intentionally). which clears the partition table as well. so what im wondering is, is this still recoverable?

ive been testing the tool by Runtime software called getdataback and btw it does a great job, it let me recover files i used to have about 3 or 4 formats ago. im wondering with help from this tool if its possible to get the partition table data back, and be able to boot up with all data intact? anyone attempted this?

i know its probably beyond the point where most people would give up and format, but im trying to see how far gone the rig can be before its unrecoverable.

Uh....
Since you're running the experiment, and you have the test bed all setup.... shouldn't you be telling us whether or not the program works? :confused:

the program does work. but i dont see why thats relevant? :confused:

im asking if anyone has found a way to do it, and in the meantime im going to try stuff with this method. if you dont know how to do it, please dont reply

well after running getdataback for NTFS. it found every file i had before i zeroed the MBR. including all the NTFS $files(http://www.ntfs.com/ntfs-system-files.htm), which was expected

now if i salvaged these ntfs system files. (i gotta buy it to be able to though. doh) maybe there could be a way to shazam these files into their right places and get all the data back and bootable?

according to that link, these files are generated by format.com. if only i could tell format.com to take these salvaged $files instead of new ones, but that seems farfetched. anyway ill keep trying to figure something out until someone posts saying how its impossible to do. but yeeah if you are experienced in file recovery, feel free to chime in

When doing this, are you just formatting the drive? Have you tried a DoD wipe to see what happens? Tried anything like Autoclave to erase the drive?

I'd be curious as to the results.

Cheers.

The MBR (Master Boot Record) is entirely seperate from the filesystem.

The MBR describes the partitions on the disk and what filesystems they are formatted with.

Even if you managed to restore the NTFS system files it would still not boot nor would the drive be accessable. Because without the MBR the BIOS or operating system do not know what partitions exist on the drive.

The ONLY way to rebuild the MBR is to scan the entire drive, figure out how many partitions exist, their boundries, and type, along with what filesystem they are formatted with. GetDataBack cannot do this.

GBD works by scanning the entire drive looking for file starts and ends. It doesn't rely on MBR information or any info contained in NTFS system files (or the FAT if FAT32). It gives you a list of files based on what it has found. This is why it finds files that have been long since deleted or formatted. When you delete or format the file itself is not actually written over, only the MFT or FAT entry is removed and the space marked as free.


arkamw: such a write would cause GDB to find nothing. You've written over anything it could possibly find. GDB only works because the files it finds HAVEN'T been written over yet.

The MBR (Master Boot Record) is entirely seperate from the filesystem.

The MBR describes the partitions on the disk and what filesystems they are formatted with.

Even if you managed to restore the NTFS system files it would still not boot nor would the drive be accessable. Because without the MBR the BIOS or operating system do not know what partitions exist on the drive.

The ONLY way to rebuild the MBR is to scan the entire drive, figure out how many partitions exist, their boundries, and type, along with what filesystem they are formatted with. GetDataBack cannot do this.

GBD works by scanning the entire drive looking for file starts and ends. It doesn't rely on MBR information or any info contained in NTFS system files (or the FAT if FAT32). It gives you a list of files based on what it has found. This is why it finds files that have been long since deleted or formatted. When you delete or format the file itself is not actually written over, only the MFT or FAT entry is removed and the space marked as free.


arkamw: such a write would cause GDB to find nothing. You've written over anything it could possibly find. GDB only works because the files it finds HAVEN'T been written over yet.

ok, so basically you're saying it IS possible to recover still?. what program could scan the drive and figure out what partitions exist, their boundaries etc..

Active@ Partition Recovery (http://www.partition-recovery.com/partition.htm) will scan a disk and rebuild the partition data. It worked for me when I absent-mindedly formatted my NTFS partition as FAT32.

Also, NTFS maintains a duplicate copy of the boot sector at the end of the partition. I think you can use it to restore the MBR in some situations, but I'm not sure.

looks like a good program. seems like none of these types of programs are freeware

Active@ Partition Recovery (http://www.partition-recovery.com/partition.htm) will scan a disk and rebuild the partition data. It worked for me when I absent-mindedly formatted my NTFS partition as FAT32.

Also, NTFS maintains a duplicate copy of the boot sector at the end of the partition. I think you can use it to restore the MBR in some situations, but I'm not sure.



NTFS maintains a duplicate copy of the MFT, which the filesystem itself uses to ensure filesystem consistency. This and the $LogFile are the reason NTFS does not require scandisk/chkdsk to run after a unclean shutdown. It does not save the MBR.

FAT/FAT32 does something similar, it maintains 2 identical copies of the FAT but it keeps them right next to each other :/ So if one copy is damaged due to a virus or other reasons the second copy will most likely be damaged as well.