Where has my hard drive gone?

Page 2 - Seeking answers? Join the Tom's Hardware community: where nearly two million members share solutions and discuss the latest tech.
Toggle sidebar Toggle sidebar
You can see the partition table at offsets 0x1BE - 0x1FD. There are two entries, partition #1 and partition #4. The second and third entries are empty.

00 00 02 00 EE FF FF FF 01 00 00 00 FF FF FF FF
...
00 00 02 00 DE FE FF FF 01 00 00 00 FF FF FF FF

The first partition is a "protective MBR" (type 0xEE) and is used to hide GPT partitions from legacy OSes such as Windows XP. Sector 1 contains the actual GPT partition information. Could you upload that for us?

The other partition is a Dell partition type (0xDE). It is also pointing to sector #1 for some reason. I have seen 0xDE partitions in Dell machines, but only as "recovery" partitions or MediaDirect partitions. I have no idea why it exists on your drive, or whether it has a special purpose. The MBR code looks like a standard Windows 7 MBR, not a Dell proprietary MBR.

Here are references which may be useful:

An Examination of the Windows 7 MBR:
http://thestarman.pcministry.com/asm/mbr/W7MBR.htm

List of partition identifiers for PCs"
http://www.win.tue.nl/~aeb/partitions/partition_types-1.html

EE --- Indication that this legacy MBR is followed by an EFI header
DE --- Dell PowerEdge Server utilities (FAT fs)
 
Sector 1 is indicating that the drive has a single 2TB partition. It begins at sector 34 (= 0x22) and ends at sector 0xE8E0888E.

The capacity of the physical drive appears to be ...

0xE8E088B0 x 512 = 2 000 398 934 016 bytes

An Examination of Windows 7 & 8 GPT 'Protective' MBR & EFI Partitions:
http://thestarman.pcministry.com/asm/mbr/GPT.htm

FirstUsableLBA = 0x22
LastUsableLBA = 0xE8E0888E
AlternateLBA = 0xE8E088AF

Therefore ISTM that the "DE" partition is bogus and is possibly a remnant of the drive's previous life in a Dell machine. I would first examine sector 34 and confirm that it is in fact an NTFS boot sector. I would also confirm that its data matches the data in sector 1.

If all is OK, I would then go to sector 0 and zero out the 0xDE partition bytes. That is, replace the first 14 bytes at offset 0x1F0 with 00. Leave the 55 AA bytes at the end. These signature bytes are required to validate the MBR.

In DMDE you would select Edit -> Edit Mode, make the changes, and then select Edit -> Write Changes. Then reboot to ensure that Windows re-examines the file system.

Could we now see sector 34?
 
Your result is puzzling. The first sector of the 2TB partition is blank, and sector 2048 is also blank. This would suggest that the first 1MB or so of the partition is empty?!

You can see the layout of a GUID Partition Table in the following article:
http://en.wikipedia.org/wiki/GUID_Partition_Table

It confirms that LBA 34 is the start of the partition. Maybe we should also examine LBA 2?

BTW, I still think that deleting the "DE" partition bytes in sector 0 would be advisable. Then perhaps Disk Management will see a 2TB drive instead of a 4TB. If things go wrong, you could easily undo the changes.

Edit: Is it possible that your data recovery software created the "DE" partition? TestDisk's documentation suggests that it is aware that "DE" is a Dell partition type, so I can't imagine that TestDisk would be responsible.

http://66.14.166.45/whitepapers/datarecovery/testdisk/TestDisk%20Installtion%20and%20Usage.pdf
 
Maybe we should also examine LBA 2?
Click to expand...


Sector 2...





I would then go to sector 0 and zero out the 0xDE partition bytes. That is, replace the first 14 bytes at offset 0x1F0 with 00. Leave the 55 AA bytes at the end. These signature bytes are required to validate the MBR.
Click to expand...

Please see image below of Sector 0...



Am I replacing all of the letters and numbers inside the box with zeros?


Edit: Is it possible that your data recovery software created the "DE" partition? TestDisk's documentation suggests that it is aware that "DE" is a Dell partition type, so I can't imagine that TestDisk would be responsible.
Click to expand...

I don't think so, although it was a few months ago. As far as I can remember the hard drive was showing to be 4 TB after I reinstalled widows 7.
 
I'm sorry, I forgot that you were using HxD, not DMDE. In your case you would write zeros to the block of data that you have outlined. Then exit HxD and you will be prompted to save the changes. However, when you Open Disk you must uncheck the "Open as Readonly" box.

As for sector 2, it shows two partitions.

The "Microsoft reserved partition" begins at sector 34 (= 0x22) and ends at sector 0x40021.

The "Basic data partition" begins at sector 264192 (= 0x40800) and ends at sector 3907028991 (= 0xE8E087FF).

Therefore sector 264192 will probably contain an NTFS boot sector, not sector 34 as I previously thought.

AFAICT, you have two issues. Deleting the DE partition from sector 0 should clear up the misreporting of the bogus 4TB capacity. The second issue appears to be that there is possibly some file system corruption in the "Basic data partition".

If you would like to continue with our investigation, then the next step would be to examine sector 264192.
 
I'm sorry, I forgot that you were using HxD, not DMDE
Click to expand...

No problem, I find HxD simpler to use. I want to unplug my other 2TB drive before I go ahead and do this to remove any doubt that I am playing with the correct drive. I will do this tomorrow evening.

If you would like to continue with our investigation, then the next step would be to examine sector 264192.
Click to expand...

Hell yeah, we seem to be getting somewhere and I'd really like this hard drive back.

Sector 264192...




Thanks again for taking the time to help me.



 
That's looking better. It's actually an NTFS boot sector. It confirms that the volume begins at sector 0x40800 and is reporting a size of 0xE8DC7FFF.

The end of the volume is ...

0x40800 + 0xE8DC7FFF = 0xE8E087FF

... which matches the data in sector 2.

So all this tends to confirm that the "DE" stuff is not needed.

BTW, if you don't care about your data and just want your drive back, then you could just delete the stuff in the partition table and rebuild your drive using Disk Management. But that's no fun. 🙂
 
I can't quite believe it. My hard drive is now working. It's showing up in windows explorer, accessible and seems to be all fine.

I have one final question...

What do you recommend I do with this drive now i.e format / wipe are there anymore checks I need to carry out to make sure it is functioning correctly?
 
Use a tool such as HD Sentinel to examine the raw SMART data. Look for reallocated, pending, or uncorrectable sectors.

You could run a full surface scan with Data LifeGuard (but you have already done that). A complete zero-fill would force any "pending" sectors to be reallocated.

Run CHKDSK in readonly mode to verify that the file system has no errors.

Previously you stated that "it seems a few of the [recovered] files are corrupt", so I would re-examine those files. If they turn out to be OK, then this would beg the question, why was TestDisk not able to recover these files in an intact state?

Assuming everything is OK, that would still leave us with a few puzzling questions.

Where did the "DE" stuff come from?

Why did Disc Management use the bogus data in sector 0 to determine the drive's physical capacity instead of asking the drive itself? The ATA standard provides an Identify Device command for this purpose. The drive responds with a 512-byte block of data which includes its model number, serial number, firmware version, capacity in sectors, and its feature set.

BTW, thanks for your patience and excellent feedback. This was the first time I had examined a GPT drive, so it was a very useful learning experience for me. That said, I was careful not to put your data at risk -- we always had a foolproof undo strategy.
 
My message from last night wasn't very clear so I wanted to post exactly what I've done (taking advice from fzabkar) to make my hard drive visible on windows explorer and (so far) work normally ...

Using HxD disc editor (in hexidecimal mode) in sector 0 I zeroed out the 0xDE partition bytes. That is, replaced the first 14 bytes at offset 0x1F0 with 00 leaving the 55 AA bytes at the end.
 
Use a tool such as HD Sentinel to examine the raw SMART data. Look for reallocated, pending, or uncorrectable sectors.
Click to expand...

I've run HD Sentinel (nice software) and I believe that everything is okay - see image



Run CHKDSK in readonly mode to verify that the file system has no errors.
Click to expand...

I'm not sure how to do this.

I am using Tune-Up Disc Doctor http://www.tune-up.com/products/tuneup-utilities/features/check-hard-disk-for-errors/to scan the drive (this will take a few hours) I'll post the results later.

Previously you stated that "it seems a few of the [recovered] files are corrupt", so I would re-examine those files. If they turn out to be OK, then this would beg the question, why was TestDisk not able to recover these files in an intact state?
Click to expand...

All the files seem to be okay. They were mainly videos and they work fine.

Where did the "DE" stuff come from?
Click to expand...

No idea. A few months have passed since this all started but as far as I can remember the drive just wasn't visible straight away after reinstalling windows 7.

Why did Disc Management use the bogus data in sector 0 to determine the drive's physical capacity instead of asking the drive itself? The ATA standard provides an Identify Device command for this purpose. The drive responds with a 512-byte block of data which includes its model number, serial number, firmware version, capacity in sectors, and its feature set.
Click to expand...

Again, no idea. I'll be happy as long as the drive continues to work and just hope this issue doesn't happen again.

BTW, thanks for your patience and excellent feedback. This was the first time I had examined a GPT drive, so it was a very useful learning experience for me. That said, I was careful not to put your data at risk -- we always had a foolproof undo strategy.
Click to expand...

It's me who should be thanking you. I am glad you have also got something out of helping me.




 
HD Sentinel's report looks OK to me, too.

AIUI CHKDSK defaults to readonly mode as long as you don't specify the /r or /f options.

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/chkdsk.mspx

"Chkdsk corrects disk errors only if you specify the /f command-line option."

If you find errors, you will have to use your discretion whether you will allow Microsoft to repair the file system. CHKDSK tends to make a big mess if there are numerous bad sectors.

As for the "DE" stuff, I notice that the two partition entries (EE and DE) look very similar. I'm wondering if the DE stuff could be Dell's proprietary version of a protective GPT MBR.
 
You must log in or register to reply here.

TRENDING THREADS

Latest posts

Moderators online

Share this page

COMPANY
RESOURCES
FOLLOW
Top Bottom