Jing Jiang CIH hard drive data recovery



I. Basic knowledge for CIH hard drive data recovery

1. Layout of a DOS (and DOS-compatible system) hard disk

The primary and extended partitions have a similar basic structure; the primary partition is used as the example below.

Master boot record (MBR): the MBR occupies one sector at CYL0, SIDE0, SEC1, and consists of a code area and the partition table. The code area can be rebuilt with FDISK /MBR.

System sectors: CYL0, SIDE0, SEC1 to CYL0, SIDE0, SEC63, a total of 62 sectors.

Boot area (BOOT): CYL0, SIDE1, SEC1. This is what we used to call the DOS boot sector. It also occupies one sector.

Hidden sectors: CYL0, SIDE0, SEC1. On FAT16 this occupies one sector; on FAT32 it occupies 32 sectors.

File allocation table (FAT): there are generally two FAT tables. On FAT12 and FAT16 the first FAT table is generally at 0-1-2; on FAT32 the first FAT table is at 0-1-33. The FAT table records which sectors each file's chain occupies; if both FAT tables are damaged, the consequences are disastrous. Because the length of the FAT table depends on the size of the partition, the address of FAT2 has to be calculated.

Root area (ROOT): records the directory and file entries of the root directory. The ROOT area follows FAT2.

Data area: follows the ROOT area and holds the actual data content.

2. Brief description of the master boot record

The master boot record is the starting point of the hard disk boot process. Not much needs to be said about the code area. In the partition table, the important things are two markers. One is at offset 1BE, where the value 80 marks a partition as bootable; only one partition table entry carries the 80 marker. The other is the 55AA marker at the end, which indicates that the master boot record is a valid record.
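The two markers described above can be checked mechanically on a saved copy of sector 0. The following Python sketch is an added example, not part of the original article; the function names and the sample sectors are constructed for illustration.

```python
import struct

def build_sample_mbr(active_flags):
    """Constructed 512-byte MBR: empty code area, one FAT32 entry per flag, 55AA marker."""
    sector = bytearray(512)
    for i, flag in enumerate(active_flags[:4]):
        # flag, CHS start (head 1, sec 1, cyl 0), type 0x0B (FAT32), CHS end, LBA start, size
        entry = struct.pack("<B3sB3sII", flag, b"\x01\x01\x00", 0x0B,
                            b"\x7f\x3f\x10", 63 + i * 1000, 1000)
        sector[0x1BE + 16 * i:0x1BE + 16 * (i + 1)] = entry
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

def check_mbr(sector):
    """Return a list of problems found in an MBR sector (empty list = looks valid)."""
    if len(sector) != 512:
        return ["sector is not 512 bytes"]
    problems = []
    if sector[510:512] != b"\x55\xaa":
        problems.append("missing 55AA end marker")
    # Four 16-byte partition entries start at offset 1BE.
    entries = [sector[0x1BE + 16 * i:0x1BE + 16 * (i + 1)] for i in range(4)]
    used = [e for e in entries if e[4] != 0]      # partition type 0 = unused slot
    if not used:
        problems.append("partition table is empty")
    for e in entries:
        if e[0] not in (0x00, 0x80):
            problems.append("invalid boot flag 0x%02X" % e[0])
    active = sum(1 for e in entries if e[0] == 0x80)
    if used and active != 1:
        problems.append("bootable disk expects exactly one 80 flag, found %d" % active)
    return problems
```

An all-zero sector, as left behind when the start of the disk has been overwritten, fails both the marker check and the partition table check.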

In fact, the MBR, the hidden sectors and the BOOT area are not important; they are relatively easy to rebuild. What matters for a successful data recovery is the recovered data files. Because the FAT table records the list of sectors each file occupies on the hard disk, if both FAT tables are completely damaged, restoring files, especially files that occupy several non-contiguous sectors, is quite difficult.

The basic idea is:

1. If FAT2 is not damaged, overwrite FAT1 with FAT2.

2. If FAT2 is also damaged, I usually only hope to retrieve some critical files. We most hope that these files are contiguous. If they are not contiguous, recovery is not impossible, but it often requires knowing some details of the files, including understanding the internal linkage structure that some file formats have. If FAT2 is not completely destroyed, it is still of some use. In addition, on FAT16 hard drives the FAT tables are nearer the front, so the destruction is generally more serious; usually both FAT tables are bad, and small hard drives are also very difficult to restore.

II. A worked example of recovering data from a hard drive damaged by CIH

A friend asked about manual recovery techniques. I recently restored a number of hard drives damaged by CIH; I chose this one because, although the recovery succeeded, there were some mistakes that are worth noting.

Client who commissioned the recovery: a banking system

Condition of the hard drive: after the CIH attack, the unit's computer staff had tried to repair it with KV300F10, without success, and had also restored the saved MBR.

Prepare 3 floppy disks:

DISK1: WIN98 boot disk (with DEBUG)

DISK2: DISKEDIT and other tools (do not write-protect this disk)

DISK3: a DOS tool for removing CIH afterwards

I disconnected my own hard drive, attached the hard drive to be restored, booted into SETUP, detected the drive, and recorded the parameters.

CYL 620, HEAD 128, PRECOMP 0, LANDZ 4959, SECTOR 63, MODE LBA.

Boot from the prepared floppy disk:

A:> C:

It shows: Invalid drive specification

Run FDISK /MBR to rebuild the master boot record (this is a habit), then boot from the floppy disk again (this may not be necessary). At this point the C: drive can be seen. Start DISKEDIT; during startup it shows "Invalid media type reading DRIVE C". So first use DEBUG to fill in the empty partition table and set the 80 and 55AA markers. Restart, then run DISKEDIT again. It is set to READ ONLY; that does not matter: remove the read-only setting in the CONFIGURATION option and save it, and then you can edit.

Because there were quite a few hard drives at the time, I treated this one as having only a C partition (like the other hard drives awaiting repair), so I did not look at anything else. We hope that FAT2 is undamaged so that FAT1 can be overwritten with FAT2. DISKEDIT is much easier than DEBUG here: in FIND OBJECT choose FAT and check the starting sector. Good: at CYL0, SIDE68, SEC14, offset 0000H, is F8FFFF0F (FAT32), so FAT2 is not bad. If you cannot use DISKEDIT, search with DEBUG for F8FFFF at offset 0000.

Since I believed there was only a C partition, next use FIND to search for IO SYS (spaces are needed between IO and SYS) to locate the ROOT area. After finding it, check whether the usual files from the root of C: are there. Yes, the ROOT area has not been destroyed. Note down the sector: CYL0, SIDE68, SEC14, for later use.

The front of FAT1 has generally been destroyed, but the later part should still be there, which can serve as a check. Because this is 32-bit, FAT1 is generally at CYL0, SIDE1, SEC33. The length of the FAT table then has to be calculated; since FAT2 runs from its starting sector up to just before the ROOT area, this is very simple.

You can then overwrite FAT1 with FAT2; either DISKEDIT or DEBUG can be used. With DEBUG, you generally read absolute sectors with INT 25 and then write with INT 26, but this generally takes several passes :-) and remember to keep breakpoints. With DISKEDIT you can MARK the FAT2 content, COPY it, and WRITE it to FAT1.
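The FAT check and the FAT2-over-FAT1 copy from this walkthrough (and from the basic idea in Part I), carried out on a copy of a disk image instead of the live disk. This is an added Python example, not the author's tooling; the function names and the tiny sample image are constructed, and `chs_to_lba` defaults to the 128-head, 63-sector geometry recorded from SETUP above.

```python
SECTOR = 512

def chs_to_lba(cyl, head, sec, heads=128, spt=63):
    """CHS -> absolute sector number; defaults are the geometry recorded on the page."""
    return (cyl * heads + head) * spt + (sec - 1)

def fat32_head_ok(image, lba):
    """A FAT32 table on a fixed disk starts with the bytes F8 FF FF 0F."""
    return image[lba * SECTOR: lba * SECTOR + 4] == b"\xf8\xff\xff\x0f"

def plan_repair(image, fat1_lba, fat2_lba):
    """Decide what to do from the two FAT copies (FAT2 directly follows FAT1)."""
    fat_len = fat2_lba - fat1_lba                  # both copies have the same length
    fat1 = image[fat1_lba * SECTOR: fat2_lba * SECTOR]
    fat2 = image[fat2_lba * SECTOR: (fat2_lba + fat_len) * SECTOR]
    if not fat32_head_ok(image, fat2_lba):
        return "fat2-damaged"                      # only contiguous files are easy now
    if fat32_head_ok(image, fat1_lba) and fat1 == fat2:
        return "fats-match"
    return "copy-fat2-over-fat1"

def restore_fat1(image, fat1_lba, fat2_lba):
    """Return a repaired copy of the image; the input image is never modified."""
    fat_len = fat2_lba - fat1_lba
    good = image[fat2_lba * SECTOR: (fat2_lba + fat_len) * SECTOR]
    fixed = bytearray(image)
    fixed[fat1_lba * SECTOR: fat2_lba * SECTOR] = good
    return bytes(fixed)

def build_sample_image(fat1_lba=4, fat_len=2):
    """Constructed tiny image: FAT1 zeroed (as after the overwrite), FAT2 intact."""
    img = bytearray((fat1_lba + 2 * fat_len + 1) * SECTOR)
    fat2_lba = fat1_lba + fat_len
    start = fat2_lba * SECTOR
    img[start:start + 12] = b"\xf8\xff\xff\x0f" + b"\xff\xff\xff\x0f" * 2
    return bytes(img), fat1_lba, fat2_lba
```

With the recorded geometry, `chs_to_lba(0, 1, 33)` gives absolute sector 95 for FAT1 and `chs_to_lba(0, 68, 14)` gives 4297 for the FAT2 location found with DISKEDIT.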

You can then restore the master boot record, the hidden sectors and the BOOT area. You can use NDD to repair the partition table first and then consider overwriting with a standard copy; if you want Norton Utilities to take over the next step, this cannot be skipped. I took the corresponding parts from another FAT32 disk and wrote them in. At this point it appeared that there was also a D drive. I would look at that later. I reconnected my own hard drive and scanned the C drive with Norton Utilities; the files were recovered. I ran antivirus on the C drive and, why, no virus was found; two kinds of antivirus software both found no virus. Even worse, it showed that the C drive is 948M and that there is a D drive, but it cannot be browsed under 95 and shows garbage under DOS.

I then phoned to verify the situation at the time. It turned out that on the 26th they put in a CD, the drive light was on for a while, the hard disk made a frantic noise, and then there was a blue screen of death. I presume it can be confirmed that the AUTORUN program on the CD-ROM carried the CIH virus. So software with no real defense capability is meaningless. In addition, they had split the hard disk into two partitions, and the important files were in the D partition. (Mad at me!)

Then repair the D drive: go back to DOS, use DEBUG to search for sectors ending with the 55AA marker, and determine from the structure whether one is the extended partition. The size can then be calculated and written back to the main partition table. Of course, many tools can also do this work well. If you are not sure, it is better to use them.

Lessons from CIH hard disk data recovery

1. Do not rely on hearsay or memory about what a hard disk is like; you must see for yourself. I made exactly this mistake.

2. KV300F10 does, as some users say, have some hidden dangers; if the bank's computer staff did not make a backup before working with KV300F10, it may give me some trouble.

3. Data recovery must follow several principles:

a. Back up first; this is the reason I wrote HD-MIRROR;

b. Save the most critical data first;

c. First get out what can be recovered most safely (the extended partition should be fixed first, and then C); it is best to repair the later part first;

d. Prepare first so that you do not make mistakes in a rush. Because NORTON was not installed on my machine, I extracted it first and out of habit typed D:\TEMP; only then did I realise that I had almost extracted the files onto the C drive that was not yet fully repaired.

In fact, it seems that if FAT2 is not damaged, recovering the data on the C drive is very easy and can be done by a program. If FAT2 is damaged, of course, the easiest to restore are only files that occupy a single sector and contiguous files.

The above is a brief account of the hard disk data recovery method and a CIH example.