Zero Assumption Recovery (ZAR) version 6.3
Partition Finder (ZARPARTN)
USER'S MANUAL
Copyright (C) Alexey V. Gubin, 1999-2002

*** PURPOSE ***

ZAR Partition Finder allows you to scan through a physical disk looking for pieces of information that look like boot sectors or partition tables. Program output is written to a report file. This file can be reviewed manually, and the information it contains can be used either to rebuild a partition table by hand or to specify ZARFAT analysis parameters. The program does not modify the partition table in any way.

Two modes of operation are available for physical disks:

* Fast mode (only looks at predetermined locations that are likely to contain partitioning information).
* Full mode (checks all sectors on disk).

Fast mode is not available for disk image files.

The current version of ZARPARTN looks for the following objects (only):

* Partition table elements (Master Boot Record and Extended Partition Pointers - EPP)
* FAT16 boot sectors
* FAT32 boot sectors
* NTFS boot sectors
* Windows 98/ME \SUHDLOG.DAT file, which contains MBR and boot sector copies backed up for Windows uninstallation (Note: SUHDLOG.DAT can only be found with "Full" scan mode).
* Missing objects (if a reference to an object exists, but the object itself is missing)

*** PROGRAM USAGE ***

1. Run ZARPARTN.EXE.

2. You will be prompted for a log file location. You can accept the default path and file name, specify another file name, or enter "NUL" without quotes to disable the logging feature. If you accept the default path, make sure there is at least 500Kb of free space on the disk you are going to write the log file to.

   Please note that the log file is not the same thing as the report file. While the program runs, execution information is written to the log file (for troubleshooting purposes), but program output (about boot sectors found) is written to the report file.

3. Then you will be prompted for the language you want to use. Select a language from the list.
   Note: the report file will be written in the language you selected.

4. Select the physical disk you want to run ZARPARTN against. You can also load a disk image file to scan.

5. After the disk is selected, the following warning message may appear:

--------------------------------------------------------------------------------
There is an error in a drive geometry info reported by BIOS.
It is reported to be of 0 tracks, cylinders or sectors.
Enter a Sectors Per Track value :
--------------------------------------------------------------------------------

   This can be the case with modern BIOSes that do not report a drive geometry at all. A common Sectors Per Track value for IDE disks with LBA translation is 63. You can verify it in BIOS Setup (for AWARD BIOS, check the "Standard CMOS Setup" section where your drives are listed; if you have AUTO mode there, try the "IDE Hard Disk Detection" option, do not modify anything there, but write down the number of sectors that autodetection reports for the suggested operation mode, typically LBA).

   If you are not sure what the number of sectors per track is on your disk, enter "1". This will force a Full Mode scan (even if Fast Mode is selected) (see below).

6. As soon as the physical disk is selected, you need to configure options. A few options are available, namely:

   "Scan Mode": can be either "Fast" or "Full". "Fast" mode only looks at predetermined locations on disk where partitions are usually stored (namely, the first sector of each track). "Full" mode examines each sector of the disk. "Fast" mode is about 30 times faster than "Full", but it has the following limitations:

   * It cannot be applied to a disk image. A disk image requires "Full" mode.
   * The FAT32 backup boot sector will not be found in "Fast" mode.
   * Windows SUHDLOG.DAT will not be found in "Fast" mode.
   * If Number of Sectors Per Track was manually set to 1 (see above), "Fast" mode is equal to "Full" mode.

   "Save copies of sectors": can be either "Yes" or "No".
   When enabled, ZARPARTN saves a copy of each sector it detects to be related to partitioning and the boot process into a file (named after the sector number).

   After the options are set, select "Proceed".

7. You will be asked for the report file name and location. Again, choose a drive with plenty of free space on it (probably the same drive you put the log file on). Normally, 500Kb of space is enough for both log and report files.

8. The scan process starts as soon as the report file is specified. Pressing any key during the scan aborts it.

*** REPORT FILE FORMAT ***

Generally, a report file looks like the following:

********************************************************************************
Sector 0 seems to contain a Master Boot Record
Partition layout as recorded in sector :
Filesystem type   Start             End             Rel Start  Abs Size
                  Cyl  Head  Sec    Cyl  Head  Sec
FAT32               0     1    1    254   254   63         63   4096512
DOS EXTEND        255     0    1    786   254   63    4096575   8546580
Empty               0     0    0      0     0    0          0         0
Empty               0     0    0      0     0    0          0         0
Information computed from the above data
Abs start    Abs size    Approximate volume size, Mb
       63     4096512    2000.3
  4096575     8546580    4173.1
        0           0       0.0
        0           0       0.0
********************************************************************************
Sector 63 contains a FAT32 boot sector
Volume label                     : NO NAME
OEM ID                           : MSWIN4.1
Sectors per cluster              : 8
Reserved sector(s)               : 32
Sector(s) per FAT                : 3997
Total sectors on disk            : 4096512
Approx. volume size, Mb          : 2000.3
ZAR: Disk area - start sector    : 63
ZAR: Disk area - size in sectors : 4096512
ZAR: CF/SS pair                  : 8/8073
ZAR: FAT start sector            : 95
ZAR: FAT size in sectors         : 3997
********************************************************************************
Sector 4096575 should contain a boot record, but nothing was found
********************************************************************************

In the above example, a 6.1 Gb hard disk was partitioned into two drives: a 2.0 Gb primary FAT32 partition and a 4.1 Gb FAT32 logical drive in the extended partition.
The Master Boot Record correctly identifies the primary partition and the extended partition. The scan was aborted immediately after the first boot sector was found, resulting in a message about a missing boot record in sector 4096575.

Partition layout shows raw MBR information as follows:

Filesystem type   Start             End             Rel Start  Abs Size
                  Cyl  Head  Sec    Cyl  Head  Sec
FAT32               0     1    1    254   254   63         63   4096512
DOS EXTEND        255     0    1    786   254   63    4096575   8546580

"Cyl/Head/Sec" specify the start and end of the partition (absolute positions on disk).

Notes:

1. C/H/S addressing mode uses zero-based numbering for cylinders and heads (the first head has number 0), while sector numbers are 1-based (from 1 to 63).
2. C/H/S addressing has an 8Gb limitation. If either the starting or the ending sector of a partition is above the 8Gb boundary, placeholders are written instead of actual C/H/S values. These placeholder values are 1023/254/63.

"Rel Start" specifies the distance from the partition table sector to the first sector of a volume. For this example, the starting sector for the primary FAT32 partition is equal to (0 + 63), where 0 is the Master Boot Record sector number and 63 is the "Rel Start" value.

"Abs Size" specifies the number of sectors for a volume (or for multiple volumes contained in the extended partition).

ZARPARTN computes some data from the partition table, namely:

"Abs start" - number of the first sector of a volume (see above, "Rel Start").

"Abs size" - same as the raw value, provided here just for convenience.

These two values can be entered in ZARFAT when specifying the area containing data to be recovered.

CAUTION: The "Abs start" parameter is computed using the absolute Master Boot Sector position on a disk. In cases where a backup sector is found (which is not at the actual boot sector position), these values will be incorrect. This applies to all boot sector backups, such as Norton Image files.

"Approximate volume size, Mb" - can be used to identify a volume by its size.

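The arithmetic behind the partition layout columns, as an added example (not part of the original manual and not ZARPARTN's own code): it decodes the four 16-byte MBR entries and derives "Abs start" from the sector number the table was read from. The helper names and the in-memory sample sector are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512  # bytes per sector (assumed; matches the report's size figures)
TYPE_NAMES = {0x00: "Empty", 0x0B: "FAT32", 0x0C: "FAT32",
              0x05: "DOS EXTEND", 0x0F: "DOS EXTEND"}

def pack_chs(cyl, head, sec):
    """Encode C/H/S as the 3 bytes an MBR entry stores (used to build the sample)."""
    return bytes([head, (sec & 0x3F) | (((cyl >> 8) & 0x03) << 6), cyl & 0xFF])

def unpack_chs(raw):
    """Decode the 3-byte field: 10-bit cylinder, 8-bit head, 6-bit sector."""
    head, sec_cyl, cyl_lo = raw
    return (((sec_cyl >> 6) << 8) | cyl_lo, head, sec_cyl & 0x3F)

def make_entry(ptype, start_chs, end_chs, rel_start, size):
    """Build one 16-byte partition entry (constructed test data)."""
    return struct.pack("<B3sB3sII", 0x00, pack_chs(*start_chs), ptype,
                       pack_chs(*end_chs), rel_start, size)

def parse_table(sector, table_sector):
    """Return one dict per slot of the partition table read from `table_sector`."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a partition table sector (no 55 AA signature)")
    rows = []
    for i in range(4):
        _, s_chs, ptype, e_chs, rel, size = struct.unpack_from(
            "<B3sB3sII", sector, 446 + 16 * i)
        rows.append({
            "type": TYPE_NAMES.get(ptype, hex(ptype)),
            "start_chs": unpack_chs(s_chs), "end_chs": unpack_chs(e_chs),
            "rel_start": rel, "abs_size": size,
            # "Abs start" = sector holding the table + "Rel Start"
            "abs_start": table_sector + rel if size else 0,
            "size_mb": size * SECTOR_SIZE / 2**20,  # report shows one decimal
        })
    return rows

# Constructed sample: the MBR from the report above, rebuilt in memory.
SAMPLE_MBR = (bytes(446)
              + make_entry(0x0B, (0, 1, 1), (254, 254, 63), 63, 4096512)
              + make_entry(0x05, (255, 0, 1), (786, 254, 63), 4096575, 8546580)
              + bytes(32) + b"\x55\xaa")

if __name__ == "__main__":
    for row in parse_table(SAMPLE_MBR, table_sector=0):
        print(row)
```

Passing a table_sector other than the one the table really belongs to, as happens when a backup copy is parsed, shifts every "Abs start" by the same amount; that is the situation the CAUTION above describes.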
Boot sector dump shows raw information as well as some data computed from it, with the following entries being the most important:

Sector 63 contains a FAT32 boot sector

1. Volume label                     : NO NAME
2. Approx. volume size, Mb          : 2000.3

   Volume label and size are shown for volume identification only. Note that the reported volume size is slightly greater than the "free space" value displayed in Windows.

3. ZAR: Disk area - start sector    : 63
4. ZAR: Disk area - size in sectors : 4096512

   These two values can be entered in ZARFAT when specifying the area containing data to be recovered.

5. ZAR: CF/SS pair                  : 8/8073

   CF stands for Cluster Factor - the number of sectors per cluster. SS stands for Start Sector - the sector number for cluster 0. These are two of the four significant volume parameters. The CF/SS pair controls how cluster-to-sector translations are performed. These two values can be entered in ZARFAT instead of performing a CF/SS analysis. It is however recommended (except for a Windows NT/2000/XP mirrored FAT volume) that you tell ZARFAT to use the "Reduced Dataset Brute-Force" algorithm (the default method to determine volume parameters; it will be used automatically if ZARFAT operates in "Simple Mode"). You should use boot-sector analysis results only as a last resort when automatic determination fails.

6. ZAR: FAT start sector            : 95
7. ZAR: FAT size in sectors         : 3997

   These two values can be entered in ZARFAT if (and only if) its native FAT search fails (or if you want to override its result for some reason).

CAUTION: The following parameters are computed using the absolute boot sector position on a disk:

1. ZAR: Disk area - start sector
2. ZAR: CF/SS pair
3. ZAR: FAT start sector

In cases where a backup sector is found (which is not at the actual boot sector position), these values will be incorrect. This applies to:

1. FAT32 backup boot sectors (usually placed +6 sectors from their corresponding primary boot sectors)
2. Other boot sector backups, such as Norton Image files.

Finally, the information about missing partition/boot sectors is written in the report file.
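
How the "ZAR:" lines of the boot sector dump follow from the raw FAT32 fields, as an added example (not part of the original manual and not ZARPARTN's own code). It assumes two FAT copies, which the report does not list; with that assumption the formulas below reproduce the report's CF/SS pair of 8/8073. Function names and the sample sector are constructed for illustration.

```python
import struct

def make_fat32_boot(spc, reserved, nfats, spf, total):
    """Build a minimal FAT32 boot sector (constructed test data, BPB fields only)."""
    s = bytearray(512)
    s[3:11] = b"MSWIN4.1"                                        # OEM ID
    struct.pack_into("<HBHB", s, 11, 512, spc, reserved, nfats)  # offsets 11..16
    struct.pack_into("<II", s, 32, total, spf)                   # offsets 32, 36
    s[71:82] = b"NO NAME".ljust(11)                              # volume label
    s[82:90] = b"FAT32".ljust(8)                                 # filesystem type
    s[510:512] = b"\x55\xaa"
    return bytes(s)

def zar_values(sector, found_at):
    """Derive the report's 'ZAR:' values from a boot sector found at `found_at`."""
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", sector, 11)
    if sector[510:512] != b"\x55\xaa" or sector[82:87] != b"FAT32" or bps != 512:
        raise ValueError("not a FAT32 boot sector with 512-byte sectors")
    total, spf = struct.unpack_from("<II", sector, 32)
    fat_start = found_at + reserved          # FATs follow the reserved sectors
    data_start = fat_start + nfats * spf     # first data sector holds cluster 2
    return {
        "label": sector[71:82].decode("ascii").rstrip(),
        "area_start": found_at,
        "area_size": total,
        "cf": spc,
        "ss": data_start - 2 * spc,          # where cluster 0 would begin
        "fat_start": fat_start,
        "fat_size": spf,
    }

# Constructed sample matching the report: 8 sectors per cluster, 32 reserved
# sectors, 3997 sectors per FAT, 4096512 sectors; two FAT copies is an assumption.
SAMPLE_BOOT = make_fat32_boot(spc=8, reserved=32, nfats=2, spf=3997, total=4096512)

if __name__ == "__main__":
    print("primary at 63:", zar_values(SAMPLE_BOOT, 63))
    # The same bytes found at the usual backup position (+6) give shifted values.
    print("backup at 69: ", zar_values(SAMPLE_BOOT, 69))
```

The second call shows the CAUTION in numbers: the start sector, SS and FAT start sector all come out 6 sectors too high when the backup copy's position is used.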