Want to know How to Recover Data from Crashed Hard Disk?. A few days back, Someone told me that he was working on a Virtual Machine and his system suddenly hanged as he was working on an important project of his company and later he realized that his system was badly infected with a virus, after seeing this he restarted the system and saw that an error occurred displaying a message “No Drive Found”. Then he realized that the drive got corrupted and was so shocked when he saw this because he didn’t take any backup of coding. He asked me if there any solution to recover virtual NTFS partition data? So, I am writing this article so that other users can also solve their queries related to How to Recover Data from Crashed Hard Disk manually.
Data Recovery from corrupted hard drives is not that simple. If you want to recover corrupted data, then it is necessary to understand hard drives, file systems, their structures, their features, and their working. Moreover, you have to understand the corruption level. The only thing that this project needs is full concentration and dedication. I will try my best to provide you all kind of information that is necessary for recovering the corrupted data.
Save your time by using Data Recovery Software.
Few Important Conceptions to know How to Recover Data from Crashed Hard Disk
- There are many spinning magnetic disks like CDs in CD cases by which hard drives are created. Data is stored on both sides of each disk and contains two reads and write HEADS. Data is stored in CYLINDERS which contains concentric rings. Cylinders are further divided into sectors or blocks.
- Note: Each SECTOR is 512 bytes long by default.
- The smallest unit is 1 bit in computers. When you are working with computers the smallest unit of accessing the data and processing the data is 1 byte but you cannot work on bits. The smallest unit of read and written data on a hard drive is SECTOR. However, if the data you want to read or write data which is 10 or 20 bytes then the computer reads or writes 512 bytes.
- If you want to know How to Recover Data from Crashed Hard Disk then you have to deal with sectors, not bytes, for example retrieving 512 bytes (sector) in every shot.
- If you want to search for a particular hard drive, then the location is addressed by cylinder, head, and sector. This addressing scheme is called CHS Addressing Scheme.
- As CHS Addressing algorithm is disapproved so there is a new algorithm known as the Logical Addressing Algorithm (LBA). LBA maps CHS addressing scheme into a sequential set of addresses: First sector = LBA (0), second sector = LBA (1), so on and it’s easy to understand.
- Note: If you need to know your HD size then
- HD (Size) = Block Size * Total No. of blocks.
- Where Block Size = 512 Bytes (Default)
- But you have to understand three things before going to the recovery process:
- Master Boot Record (MBR): This is from where you have to begin. It always exists in the first LBA or sector (512 bytes) in Drives. If this thing is present then the drive is bootable otherwise non-bootable. Bootable drives are those drives that contain operating systems.
- Volume Boot Record (VBR): Volume Boot Record can be called by volume boot sector, partition boot sector, or partition boot record. VBR has introduced by IBM Personal Computer. It is used to create the partition of your hard drive for e.g. C:\, D:\, E:\ and etc.
- File Systems: File systems are in the form of algorithms that is responsible for some conditions about storing the files and Memory (Space) wastage and complexity. For data recovery, it is required to know the category of file system present in the drive whether it is NTFS or FAT32.
Also, Read – Recover data from RAID
Talking about Data Corruption
Data Corruption is a state in which operating system is not able to recover files and their information. This may happen due to the corruption of the file system, hard drive, pen drive, failure, or because of the physical alteration of MBR or VBR. The data can be easily recovered from the drive if corrupted drive fulfills few requirements if
- Your drive and its sector easily recognized by the operating system.
- Drive and its Sector is easily accessible by your program.
The most important purpose of How to Recover Data from Crashed Hard Disk is to recover the leftover data that is present in the drive after the occurrence of corruption and distortion which means you have to traverse each and every LBA to search your files which operating system can no longer do.
Structure of data corruption
A Complete structure of how MBR, VBR, and File System placed in your drive is shown below….
The above figure displays an abstract view of bootable drive
- VBR must be contained by every drive in first sector of partition
- MBR consists of Partition Table which includes an address to every VBR.
- VBR has every single address of sector from where data begins.
- The drive contains many files or folders in the form of B+ Tree Structures.
- Non-Bootable drives like pen drives, no MBR existed only VBR and the rest existed.
Level of Corruption to Know How to Recover Data from Crashed Hard Disk
If you want to know How to Recover Data from Crashed Hard Disk, then first it is required to know the level of drive, which means at what level your data is corrupted. The level tells about how much data a user can recover from the drive. The levels are listed below:
At this point, you traverse and search every LBA or sector to search for the VBR and once you find your VBR you can find you data.
- Level 1: In this level, only the partition table of MBR gets corrupted. You will find your data when you traverse and search each sector or LBA to search VBR and when you find the VBR.
- Level 2: In this level some VBR fields get corrupted, in which operating system could not be able to recognize your file system. It is necessary to analyze the VBR, if you want to address the field of your root directory in FAT32 and MFT in NTFS. If you get conquer in finding VBR then it is easy for the user to search and recover corrupted and deleted data otherwise user have to traverse and search the sector all over again.
- Level 3: From the above level we conclude that each node containing the address of its succeeding nodes like a tree for e.g. MBR contains the address of the corresponding VBR’s and VBR contains the address to the start of your file nodes and so on. Therefore, data recovery would not be possible if these addresses and references get corrupted.
- Level 4: Data Recovery is not guaranteed at this level because corruption due to physical damage could happen like hardware failure. This type of data can be recovered in data recovery labs.
However, now we all have basic knowledge about the drives and data. As we have discussed earlier that the process of the How to Recover Data from Crashed Hard Disk was not a simple task and we will do in parts.
Note: MBR is a crucial part of the Operating System and without this Operating System cannot run. Please do the experiments on MBR carefully. The demo project and tutorial is just for knowledge purpose. The tutorial is not responsible for any damage that you create during experiments or use the demo project. Do at your own risk.
If that drive is bootable then MBR i.e. Master Boot Record always present in the first sector (LBA (0)) of a particular drive (HD, PD, MC and etc.). This is totally responsible to bootstrap into the operating system on Basic I/O System (BIOS) based computer. MBR includes some few things to help boot into the system. If the drive is bootable then its first sector (LBA (0)) of a particular drive (PD, MC etc) is occupy by the Master Boot Record.
Bootstrap Code: When you boot your system it requires to execute the code to load the operating system or whatever software you want. The first set of code exists in BIOS. This checks the code regarding which hardware is present and does some tests to ensure that everything is OK to boot. Then, according to the order of boot you have specified it starts loading the first sector of various disks. After finding one that is marked as an MBR, it continues to transfer executions into it. This code is called Bootstrap Code which has 440 bytes. The role of Bootstrap Code is to look through the partition table for the active partition (e.g. drive boot file of operating system generally exists in C:\. It loads the copy of the boot files from Partition to Memory (e.g. NTLDR, Boot.ini, etc) and transfers control to it and that how the operating system runs.
Partition Table: Because the Partition table includes the information of partitions like C:\, E:\, F:\ and etc so one have to take this section into consideration seriously. Usually, the size of partition table is 64 bytes. Operating system has been logically detached to act and contains independent file system configuration and Hard Drive contains partitions.
Disk Signature: MBR and VBR always include a disk signature (55 AA) of two bytes. This signature helps in identifying if that sector is holding MBR and VBR or not e.g., so to find MBR or VBR in our drive we use disk signature.
Usually, there are two types of partition tables that exist
- Generic 64 bytes primary partition table
- Extended Partition Table
Examine 64 Bytes Primary Partition Table
To examine the master partition table, read between offset 1BEh and 1FDh taking the following structure of the generic partition table into consideration.
Boot Indicator: The first byte of a partition table entry is Boot Indicator that indicates if it is an active partition or not i.e. it is containing the operating system or not. This partition is called an active partition when this filed includes 80H (in hex) (in decimal = 128). Mostly C:\ Partition1 is an active partition and this is called system partition. The field for non-active partition is 00h.
Starting CHS value: As CHS Addressing Algorithm is being disapproved, so overlook it. You don’t need to do something with this value.
Partition Type Descriptor: This is the main field as it is it is one byte long and also contains the information regarding the implementation of the file system in the drive. Every single file system contains an algorithm, so it is very important to know about the implementation of the file system in the hard drive. Here are some hexadecimal flags which you may find in this field:
- 00h ———— No Partition (No File System)
- 01h ———— DOS FAT-12(File System)
- 04h ———— DOS FAT-16(No File System)
- 05h ———— Extended DOS 3.3(Extended Partition File System)
- 06h ———— DOS 3.31(Large File System)
- 07h ———— Windows NT(NTFS File System)
- 0Bh ———— Windows 95(FAT-32 File System)
- For information about other File Systems please click here HEXADECIMAL FLAGS FOR PARTITION TYPES
Terminating CHS value: ignore it.
Address of sector containing VBR: As we have discussed earlier that every partition has a Volume Boot Record (VBR) as its first sector of the partition. VBR is an important field as it contains addresses of the VBR. It contains the address of a sector in hex and a sector is 512 bytes long, so you have to first convert it in decimal, and after converting multiply it by 512 to get that byte offset of VBR from the beginning.
Size of Partition: If you want the size of the partition, then you will get the size from here only. If you are aware of the address of the VBR and the size, then you can assume the address of the last sector of partition given below:
Address of the last sector = address of VBR * (size of partition / 512)
Examine Extended Partition Table
In the above partition table, we have seen that the 16-bit partition table entry exists in one 64 bit partition table but the extended partition table is like a link list. There is more than one partition table containing one partition entry and a reference or address to another partition table. The below figure will explain you in detail.
A partition type of either 05h or 0Fh is included in Extended Partition entries according to the disk size. The only way to know about the number of logical drives within Extended Partition is by going into each Extended Partition table in the Extended Boot Record until you have found the last EBR table. We can say that EBRs is being connected together by each link to the next EBR table from its preceding link. So, if you want to acquire the whole layout of the hard disk that includes Extended Partition, you need a copy or summary of data in the extended partition tables of each EBR as well as the Master Partition Table.
From this exploration, I have learned that MBR is the most important part of the OS. And we should all know about the Windows API. And hopefully, this article comes out useful for you to know How to Recover Data from Crashed Hard Disk.