home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Chip 2005 August
/
CHIP_CD_2005-08.iso
/
bonus
/
photo_rest
/
files
/
setup.exe
/
{app}
/
DOS
/
MANUALS
/
zarpartn.txt
< prev
Wrap
Text File
|
2002-01-21
|
11KB
|
230 lines
Zero Assumption Recovery (ZAR) version 6.3
Partition Finder (ZARPARTN)
USER'S MANUAL
Copyright (C) Alexey V. Gubin, 1999-2002
*** PURPOSE ***
ZAR Partition Finder allows you to scan through a physical disk looking
for pieces of information that look like boot sectors or partition tables.
Program output is written to a report file. This file can be manually
reviewed, and information contained in it can be used to either rebuild a
partition table by hand or to specify ZARFAT analysis parameters. The program
does not modify the partition table in any way.
Two modes of operation are available for physical disks:
* Fast mode (only looks at predetermined locations that are likely to
contain partitioning information).
* Full mode (checks all sectors on disk).
Fast mode is not available for disk image files.
Cuurent version of ZARPARTN looks for the following objects (only)
* Partition table elements (Master Boot Record and Extended Partition
Pointers - EPP)
* FAT16 boot sectors
* FAT32 boot sectors
* NTFS boot sectors
* Windows 98/ME \SUHDLOG.DAT file, which contains MBR and boot sector
copies backed up for Windows uninstallation (Note: SUHDLOG.DAT can only be
found with "Full" scan mode).
* Missing objects (if a reference to an object exists, but the object
itself is missing)
*** PROGRAM USAGE ***
1. Run ZARPARTN.EXE.
2. You will be prompted for a log file location. You can either accept
default path and file name, specify another file name, or enter "NUL" without
quotes to disable logging feature. If you accept default path, make sure there
is at least 500Kb of free space on disk you are going to write log file to.
Please note that log file is not the same thing as a report file. When program
runs, execution information is written to log file (for troubleshooting
purposes), but program output (about boot sectors found) is written to a
report file.
3. Then, you will be prompted for a language you want to use. Select a
language from list. Note: report file will be written in the language you
selected.
4. Select a physical disk you want run ZARPARTN against. You can also
load an disk image file to scan.
5. After the disk is selected, the following warning message may appear:
--------------------------------------------------------------------------------
There is an error in a drive geometry info reported by BIOS.
It is reported to be of 0 tracks, cylinders or sectors.
Enter a Sectors Per Track value :
--------------------------------------------------------------------------------
This can be a case with modern BIOSes not reporting a drive geometry at
all. Common Sectors Per Track value for IDE disks with LBA translation is 63.
You can verify it in BIOS Setup (for AWARD BIOS, check "Standard CMOS Setup"
section where your drives are listed; if you have AUTO mode there, try "IDE
Hard Hisk Detection" option, do not modify anything there, but write down a
number of sectors autodetection reports for suggested operation mode,
typically LBA).
If you are not sure what number of sectors per track is on your disk,
enter "1". This will force Full Mode scan (even if Fast Mode is selected) (see
below).
6. As soon as physical disk is selected, you need to configure options.
Few options are available, namely:
"Scan Mode": can be either "Fast" or "Full".
"Fast" mode only looks at predetermined locations on disk, where
partitions are usually stored (namely, first sector of each track). "Full"
mode examines each sector of the disk. "Fast" mode is about 30 times faster
than "Full", but it has the following limitations:
* It cannot be applied to disk image. Disk image requires "Full" mode.
* FAT32 backup boot sector will not be found in "Fast" mode.
* Windows SUHDLOG.DAT will not be found in "Fast" mode.
* If Number of Sectors Per Track was manually set to 1 (see above),
"Fast" mode is equal to "Full" mode.
"Save copies of sectors": can be either "Yes" or "No".
When enabled, ZARPARTN saves copy of each sector it detectes to be
related to partitioning and boot process into a file (named as a number of
sector).
After options are set, select "Proceed".
7. You will be asked about report file name and location. Again, choose a
drive with plenty free space on it (probably the same drive you put logfile
on). Normally, 500Kb of space is enough for both log and report files.
8. The scan process starts as soon as report file is specified. Pressing
any key during scan aborts it.
*** REPORT FILE FORMAT ***
Generally, a report file looks like the following:
********************************************************************************
Sector 0 seems to contain a Master Boot Record
Partition layout as recorded in sector :
Filesystem type Start End Rel Start Abs Size
Cyl Head Sec Cyl Head Sec
FAT32 0 1 1 254 254 63 63 4096512
DOS EXTEND 255 0 1 786 254 63 4096575 8546580
Empty 0 0 0 0 0 0 0 0
Empty 0 0 0 0 0 0 0 0
Information computed from the above data
Abs start Abs size Approximate volume size, Mb
63 4096512 2000.3
4096575 8546580 4173.1
0 0 0.0
0 0 0.0
********************************************************************************
Sector 63 contains a FAT32 boot sector
Volume label : NO NAME
OEM ID : MSWIN4.1
Sectors per cluster : 8
Reserved sector(s) : 32
Sector(s) per FAT : 3997
Total sectors on disk : 4096512
Approx. volume size, Mb : 2000.3
ZAR: Disk area - start sector : 63
ZAR: Disk area - size in sectors : 4096512
ZAR: CF/SS pair : 8/8073
ZAR: FAT start sector : 95
ZAR: FAT size in sectors : 3997
********************************************************************************
Sector 4096575 should contain a boot record, but nothing was found
********************************************************************************
In the above example, 6.1 Gb hard disk was partitioned into two drives:
2.0 Gb primary FAT32 partition and 4.1 Gb FAT32 logical drive in the extended
partition. The Master Boot Record correctly identifies the primary partition
and the extended partition. The scan was aborted immediately after a first
boot sector was found, resulting in a message about missing boot record in
sector 4096575.
Partition layout shows raw MBR information as follows:
Filesystem type Start End Rel Start Abs Size
Cyl Head Sec Cyl Head Sec
FAT32 0 1 1 254 254 63 63 4096512
DOS EXTEND 255 0 1 786 254 63 4096575 8546580
"Cyl/Head/Sec" specifiy start and end of the partition (absolute
positions on disk). Notes:
1. C/H/S addressing mode uses zero-based numbering for cylinders and
heads (first head has number of 0), while sector numbers are 1-based (from 1
to 63).
2. C/H/S addressing has a 8Gb limitation. If either partition starting or
ending sector is above 8Gb boundary, placeholders are written instead of
actual C/H/S values. These placeholder values are 1023/254/63.
"Rel Start" specifies a distance from the partition table sector to the
first sector of a volume. For this example, starting sector for primary FAT32
partition is equal to (0 + 63), where 0 is a Master Boot Record sector number,
and 63 is a "Rel Start" value.
"Abs Size" specifies a number of sectors for a volume (or multiple
volumes contained in the extened partition).
ZARPARTN computes some data from the partition table, namely
"Abs start" - number of a first sector for a volume (see above, "Rel
Start"). "Abs size" - same as a raw vaule, provided here just for convinience.
These two values can be entered in ZARFAT when specifying the area containing
data to be recovered.
CAUTION: "Abs start" parameter is computed using an absolute Master Boot
Sector position on a disk. In cases where backup sector is found (which is not
on actual boot sector position), these values will be incorrect. This applies
to all boot sector backups, such as Norton Image files.
"Approximate volume size, Mb" - can be used to identify volume by its
size.
Boot sector dump shows raw information as well as some data computed from
it, with the following entries being most important:
Sector 63 contains a FAT32 boot sector
1. Volume label : NO NAME
2. Approx. volume size, Mb : 2000.3
Volume label and size are shown for volume identification only. Note that
reported volume size is slightly greater than a "free space" value displayed
in Windows.
3. ZAR: Disk area - start sector : 63
4. ZAR: Disk area - size in sectors : 4096512
These two values can be entered in ZARFAT when specifying the area
containing data to be recovered.
5. ZAR: CF/SS pair : 8/8073
CF stands for Cluster Factor - number of sectors per cluster.
SS stands for Start Sector - sector number for cluster 0.
These are two of the four significant volume parameters. CF/SS pair
controls how cluster-to-sector translations are performed.
These two values can be entered in ZARFAT instead of performing a CF/SS
analysis. It is however recommended (except for Windows NT/2000/XP mirrored
FAT volume) that you should tell ZARFAT to use "Reduced Dataset Brute-Force"
algorithm (the default method to determine volume parameters; it will be used
automatically if ZARFAT operates in "Simple Mode"). You should use boot-sector
analysis results only as a last resort whan automatic determination fails.
6. ZAR: FAT start sector : 95
7. ZAR: FAT size in sectors : 3997
These two values can be entered in ZARFAT if (and only if) its native FAT
search fails (or if you want to override its result for some reason).
CAUTION: The following parameters are computed using an absolute boot
sector position on a disk:
1. ZAR: Disk area - start sector
2. ZAR: CF/SS pair
3. ZAR: FAT start sector
In cases where backup sector is found (which is not on actual boot sector
position), these values will be incorrect. This applies to
1. FAT32 backup boot sectors (usually placed +6 sectors from their
corresponding primary boot sectors)
2. Other boot sector backups, such as Norton Image files.
Finally, the information about missing partition/boot sectors is written
in the report file.
