Menu Analyse

From CGSecurity

TestDisk queries the BIOS or the OS in order to find the hard disks and their characteristics (LBA size and CHS geometry). TestDisk does a quick check of your disk's structure and compares it with your partition table for entry errors. If the partition table has entry errors, TestDisk can repair them. If you have missing partitions or a completely empty partition table, TestDisk can search for partitions and create a new table, or even a new MBR if necessary.

However, it's up to the user to look over the list of possible partitions found by TestDisk and to select the one(s) which were being used just before the drive failed to boot or the partition(s) were lost. In some cases, especially after initiating a detailed search for lost partitions, TestDisk may show partition data which is simply from the remnants of a partition that had been deleted and overwritten long ago.

Analyse

TestDisk 6.5-WIP, Data Recovery Utility, October 2006
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Disk /dev/sda - 120 GB / 111 GiB - CHS 14593 255 63
Current partition structure:
     Partition                  Start        End    Size in sectors
 1 * FAT32                    0   1  1  1010 254 63   16241652 [NO NAME]
 2 P Linux                 1011   0  1  1023 254 63     208845 [/boot]
 3 E extended LBA          1024   0  1 14592 254 63  217985985
 5 L Linux RAID            1024   1  1  3573 254 63   40965687 [md0]
   X extended              3574   0  1  4210 254 63   10233405
 6 L Linux RAID            3574   1  1  4210 254 63   10233342 [md1]
   X extended              4211   0  1 14592 254 63  166786830
 7 L Linux                 4211   1  1 14592 254 63  166786767

*=Primary bootable  P=Primary  L=Logical  E=Extended  D=Deleted
[Proceed ]  [ Backup ]

                            Try to locate partition

Analyzes a drive's current partition structure and seeks partitions, making it possible to recover lost partitions.

Partition checks

TestDisk's Analyse does a quick check of the partition structure. TestDisk can handle several types of partition table:

  • Intel
  • Mac
  • None (i.e. small media without a partition table)
  • Sun
  • XBox

An Intel partition structure is composed of the MBR table and extended partitions. The MBR is limited to four entries. One of the entries can be an extended partition, allowing several logical partitions; each logical partition is contained by an extended partition (container). The MBR and each extended partition must end with the two bytes 0x55 and 0xAA, in that order, which make up the hex word 0xAA55 (since x86 CPUs are little-endian). A partition entry is composed of:

  • start of partition in CHS
  • end of partition in CHS
  • filesystem type
  • logical start (LBA)
  • size in sectors
  • boot flag

Only one primary partition can have the boot flag set. CHS storage is limited to a maximum of 1024 cylinders (0-1023), which is why we have the famous 8 GB limitation (1024*255*63 = 16450560 sectors = 8422686720 bytes).

Modern operating systems and BIOSes use LBA mode to access the data, but FAT12/16/32 boot sectors still reference the CHS geometry. TestDisk checks that each value is in the authorized range, i.e. no sector value less than 1 nor higher than the number of sectors per track. The partition entries are read using the logical start and the size in sectors, then TestDisk checks whether the logical values match the CHS values. TestDisk also checks that no partition entry describes a partition ending after the end of the disk, and that no partitions overlap each other.

A Sun label can have up to 8 partition entries. Entry number 2 is reserved for the whole disk.


Filesystem checks

Depending on the filesystem type, TestDisk runs some basic checks on the boot sector or superblock of each filesystem. As ext2/ext3/reiserfs/jfs share the same partition type (0x83), TestDisk has to check for each of these filesystems. The checks are the same as those used when TestDisk is searching for partitions:

  • presence of a magic value or signature (e.g. 0xAA55 at offset 0x1FE of a FAT or NTFS boot sector)
  • coherent values (e.g. free_blocks_count lower than blocks_count for ext2)

This phase is very quick as the checks are minimal.

Partition recovery

In a second step, TestDisk searches for 'lost partitions' without making use of any results from the previous step. This is the heart of TestDisk's powerful capabilities! TestDisk assumes the existence of partitions and scans all relevant drive cylinders for them. A primary partition starts at the beginning of a cylinder (head=0, sector=1), while a logical partition starts a little further along (head=1, sector=1). For each possible partition starting location, TestDisk can search for the presence of a filesystem header (FAT or NTFS boot sector, EXT2/EXT3 superblock, BSD disklabel...), which confirms the presence of a known partition type. Thus, the size of a partition is determined directly from its structure on the disk. Each partition that TestDisk discovers is added to a list of found partitions.

To detect a FAT32 partition, TestDisk searches for a 0xAA55 end mark and the signature FAT32; it also runs the corresponding FAT filesystem checks:

  • the jump signature must be of the form 0xEB 0xXX 0x90 or 0xE9 0xXX 0xXX, where 0xXX can be any byte: 0xEB is a short jump (8-bit displacement relative to the next instruction), 0x90 is NOP (do nothing), and 0xE9 is a near jump (16- or 32-bit displacement relative to the next instruction)
  • the sector size is 512
  • the cluster size (in sectors) must be 1, 2, 4, 8, 16, 32, 64 or 128
  • there must be 2 FAT copies
  • the media descriptor must be 0xF8 (no other value is seen in practice; it's an obsolete field)
  • if you follow the Microsoft guidelines, the signature FAT32 is meaningless, but your filesystem should have it anyway

From the number of clusters, TestDisk determines the kind of FAT (a filesystem with 65525 or more clusters is FAT32).

Some specific checks for FAT32 are done:

  • the root cluster number must be between 2 and the maximum cluster number,
  • some obsolete values (number of directory entries, 16-bit partition size) must be set to 0,
  • the FAT32 version (unused) must be 0.0.

To detect an NTFS partition, TestDisk searches for a 0xAA55 end mark and the signature NTFS; it also checks that some FAT-specific values are all set to zero: the number of reserved sectors, the number of FATs, the number of directory entries, the 16-bit size of the filesystem, the 32-bit size of the filesystem and the sectors per FAT. The number of sectors per cluster must be greater than zero.

For FAT and NTFS filesystems, the size of the partition is read from the boot sector itself.
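The FAT32 boot-sector checks listed above, as an added example in Python (not TestDisk's own code): it applies the jump, sector size, cluster size, FAT count, media descriptor, obsolete-field, version, cluster-count and root-cluster checks to a constructed boot sector, and reads the partition size from the boot sector as the text describes. Field offsets follow the standard FAT32 BPB layout; the sample values and function names are constructed for this illustration.

```python
import struct

def fat32_checks(bs):
    """Return the list of failed checks for a 512-byte FAT32 boot sector, empty if it passes."""
    bad = []
    if bs[0x1FE:0x200] != b'\x55\xAA':
        bad.append('no 0xAA55 end mark')
    if bs[82:87] != b'FAT32':
        bad.append('no FAT32 signature')
    jmp = bs[0:3]   # 0xEB ?? 0x90 (short jump + NOP) or 0xE9 ?? ?? (near jump)
    if not ((jmp[0] == 0xEB and jmp[2] == 0x90) or jmp[0] == 0xE9):
        bad.append('bad jump instruction')
    bps, spc, reserved, nfats, root_ent, tot16, media = struct.unpack_from('<HBHBHHB', bs, 11)
    fatsz16, = struct.unpack_from('<H', bs, 22)
    tot32, fatsz32, _flags, version, root_clus = struct.unpack_from('<IIHHI', bs, 32)
    if bps != 512: bad.append('sector size is not 512')
    if spc not in (1, 2, 4, 8, 16, 32, 64, 128): bad.append('bad cluster size')
    if nfats != 2: bad.append('not 2 FAT copies')
    if media != 0xF8: bad.append('media is not 0xF8')
    if root_ent or tot16 or fatsz16: bad.append('obsolete FAT12/16 fields not zero')
    if version != 0: bad.append('FAT32 version not 0.0')
    clusters = (tot32 - reserved - nfats * fatsz32) // spc if spc else 0   # data clusters
    if clusters < 65525: bad.append(f'{clusters} clusters: FAT12/16, not FAT32')
    if not 2 <= root_clus <= clusters + 1: bad.append('root cluster out of range')
    return bad

def fat32_size_sectors(bs):
    # Partition size taken from the boot sector itself (32-bit total sector count)
    return struct.unpack_from('<I', bs, 32)[0]

def make_fat32_boot_sector(total_sectors, spc=16, reserved=32, root_clus=2):
    # Constructed FAT32 boot sector with the fields TestDisk inspects; other fields left zero
    bs = bytearray(512)
    bs[0:3] = b'\xEB\x58\x90'
    bs[3:11] = b'MSWIN4.1'
    clusters = (total_sectors - reserved) // spc
    fatsz32 = (clusters * 4 + 511) // 512            # 4 bytes per FAT32 entry, rounded up to sectors
    struct.pack_into('<HBHBHHBHHHI', bs, 11, 512, spc, reserved, 2, 0, 0, 0xF8, 0, 63, 255, 0)
    struct.pack_into('<IIHHI', bs, 32, total_sectors, fatsz32, 0, 0, root_clus)
    bs[82:90] = b'FAT32   '
    bs[0x1FE:0x200] = b'\x55\xAA'
    return bs

GOOD = make_fat32_boot_sector(16241652)          # the FAT32 partition size from the screens above
BAD = bytearray(GOOD)
BAD[13] = 3                                       # cluster size that is not a power of two
struct.pack_into('<H', BAD, 42, 0x0100)           # bogus FAT32 version 1.0
```

A volume with too few clusters fails the FAT32 test even when every other field looks right, which is what lets TestDisk tell FAT12/16 from FAT32 at a candidate location.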

TestDisk 6.5-WIP, Data Recovery Utility, October 2006
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Disk /dev/sda - 120 GB / 111 GiB - CHS 14593 255 63
Analyse cylinder   1011/14592: 00%


  FAT32                    0   1  1  1010 254 63   16241652 [NO NAME]

  Stop

Once the analysis is complete, TestDisk generates a report of found partitions.

TestDisk 6.5-WIP, Data Recovery Utility, November 2006
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Disk /dev/sda - 120 GB / 111 GiB - CHS 14593 255 63
     Partition               Start        End    Size in sectors
* FAT32                    0   1  1  1010 254 63   16241652 [NO NAME]
P Linux                 1011   0  1  1023 254 63     208845 [/boot]
D Linux                 1024   1  1  3573 254 63   40965687
D Linux RAID            1024   1  1  3573 254 63   40965687 [md0]
D Linux                 3574   1  1  4210 254 63   10233342
D Linux RAID            3574   1  1  4210 254 63   10233342 [md1]
L Linux                 4211   1  1 14592 254 63  166786767

Structure: Ok.  Use Up/Down Arrow keys to select partition.
Use LEFT/RIGHT Arrow keys to CHANGE partition characteristics:
*=Primary bootable  P=Primary  L=Logical  E=Extended  D=Deleted
Keys A: add partition, L: load backup, T: change type, P: list files,
     ENTER: to continue
FAT32, 8315 MB / 7930 MiB

You can list the files of NTFS, FAT, EXT2/EXT3 and ReiserFS partitions by pressing P.
Notes:

  • FAT directory listing is limited to 10 clusters; some files may not appear, but this doesn't affect recovery.
  • For NTFS, it's possible to copy files by pressing *c*.
TestDisk 6.5-WIP, Data Recovery Utility, October 2006
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

   * FAT32                    0   1  1  1010 254 63   16241652 [NO NAME]
Use right arrow to change directory, q to quit
Directory /

-rwxr-xr-x     0     0   805306368 20-Jul-2005 10:35 PAGEFILE.SYS
drwxr-xr-x     0     0         0 14-Feb-2005 22:41 WINDOWS
-r-xr-xr-x     0     0      4952 28-Aug-2001 15:00 Bootfont.bin
-r-xr-xr-x     0     0    251712  3-Aug-2004 22:59 NTLDR
-r-xr-xr-x     0     0     47564  3-Aug-2004 22:38 NTDETECT.COM
-rwxr-xr-x     0     0       212 14-Feb-2005 22:51 BOOT.INI
drwxr-xr-x     0     0         0 14-Feb-2005 22:47 Documents and Settings
dr-xr-xr-x     0     0         0 14-Feb-2005 22:55 Program Files
-rwxr-xr-x     0     0         0 14-Feb-2005 22:56 CONFIG.SYS
-rwxr-xr-x     0     0         0 14-Feb-2005 22:56 AUTOEXEC.BAT
-r-xr-xr-x     0     0         0 14-Feb-2005 22:56 IO.SYS
-r-xr-xr-x     0     0         0 14-Feb-2005 22:56 MSDOS.SYS
drwxr-xr-x     0     0         0 14-Feb-2005 23:02 System Volume Information
-rwxr-xr-x     0     0   536399872 20-Jul-2005 10:36 HIBERFIL.SYS

Using the list of found partitions, you can edit the partition table.

There are three kinds of edits:

  1. You can change the partition type with *T*
  2. You can add a new partition with *A*.
  3. You can change the status of the selected partition using the left/right arrow keys. The available statuses are Primary, * bootable, Logical, Deleted.

As you make edits, watch the status of the partition table's structure. It will be either Ok or Bad.

Structure: Ok should appear if everything is ok, i.e., no primary partition between two extended partitions, only one or no bootable partitions, no partitions using the same disk space.

When you are satisfied with the edited partition table, press Enter. If you've made any edits, TestDisk gives you a choice of writing that data to the drive's Partition Table, or of running a more detailed analysis.

  • Quit

Quits (exits) from the TestDisk program without making any changes (unless you pressed the ENTER key while Write was 'highlighted').


  • Search!

The quick first scan may have missed some partitions. Search! also looks for the FAT32 backup boot sector, the NTFS backup boot sector and the EXT2/EXT3 backup superblocks to detect more partitions; it scans every cylinder.


  • Write

Writes the changes that have been made in TestDisk's memory buffer to the hard drive. If you are unsure of the changes (often to the MBR's Partition Table), then don't use this function!

  • Extd Part

If there is a logical partition, this flag lets you decide whether the extended partition will use all available disk space or only the required (minimal) space.

TestDisk 6.5-WIP, Data Recovery Utility, October 2006
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Disk /dev/sda - 120 GB / 111 GiB - CHS 14593 255 63

     Partition                  Start        End    Size in sectors
 1 * FAT32                    0   1  1  1010 254 63   16241652 [NO NAME]
 2 P Linux                 1011   0  1  1023 254 63     208845 [/boot]
 3 E extended LBA          1024   0  1 14592 254 63  217985985
 5 L Linux RAID            1024   1  1  3573 254 63   40965687 [md0]
 6 L Linux RAID            3574   1  1  4210 254 63   10233342 [md1]
 7 L Linux                 4211   1  1 14592 254 63  166786767

[  Quit  ]  [Search! ]  [ Write  ]

                       Return to main menu

Here TestDisk asks you to confirm the Write operation; so you have the final choice over what TestDisk will actually do.

TestDisk 6.5-WIP, Data Recovery Utility, October 2006
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Write partition table, confirm ? (Y/N)