[Original poster]:
Data Recovery [repost]
Data Recovery
Lei Zhenghai
Chibi Municipal Local Taxation Bureau
Abstract: Starting from the physical storage layer, this article briefly explores the safe recovery of data using older data-manipulation tools.
Keywords: data, security, recovery
For a long time there has been no comprehensive understanding of data recovery in computing, so we should first give computer data a broad definition. Some people think that only things like text files or the records and tables in a database count as data. In the broad sense, however, any information that resides on a computer storage medium is data, whatever the medium and whatever the information's specific role. Correspondingly, any change to this information that its owner did not intend can be regarded as damage.
Data recovery is the process of restoring abnormal data to its normal state.
Potential Threats to Data
1. Malicious programs: The malicious program everyone knows best is the virus. Many people think a virus affects data only through its destructive payload; this is wrong. The infection itself is already damage. Whether a virus modifies your boot sector, an executable or an Office document, it alters your normal data. You may cite benign "companion" viruses as an extreme counterexample, but there is no doubt that they also damage data: at the very least they reduce the free space on your hard disk. Malicious programs also include Trojan horses, logic bombs and the like, and the damage they cause may be the hardest to recover from.
2. Other malicious damage: Even without a virus or any other tool, anyone with sufficient privileges can make any system "self-destruct" to some degree; the system's own normal delete, move and format operations are enough to destroy data. With the growth of networking, the threat is no longer confined to the local machine.
3. Mistaken operations: Much data loss stems from user error, such as accidental deletion or accidental formatting.
4. Operating system or application errors: As operating system and application code grows many times over, bugs keep multiplying. WIN9X, the desktop system most of us use, is the king of bugs. Errors in the OS and in applications often have unforeseen effects on your work. A bug in Frontpage 98 a while back, once triggered, deleted every file in your directory; the well-known game Myth II could make you lose your extended partition if it was not installed in its default directory.
5. Encryption and permissions: Encryption and permission settings are effective ways to protect data, but a forgotten password is also a serious problem.
6. Power loss: A sudden power failure may cost you not only the data in memory but also data on disk, or leave the system unable to boot.
7. Memory overflow: Low-level faults such as memory overflow or abnormal process termination have many causes; like a power failure, they cost you your current work.
8. Upgrades: Upgrading a software system sometimes brings problems; an example is given later.
9. Hardware failure and theft: Possibly one of the most serious threats. Sometimes it reduces your chances of recovering the data to zero.
Logical Manifestations of Data Loss
Data recovery is essentially a logical process: only an accurate diagnosis of the situation allows an accurate response. In general, the situations fall into the following categories.
1. The hard disk cannot boot: logical damage caused by a physical fault, a damaged boot sector, a crashed critical sector and so on all prevent the system from completing its normal bootstrap.
2. Lost files: deliberate destruction, accidental deletion and so on all cause data loss. This category covers not only one or several files but also lost directories, partitions or volumes.
3. Files that cannot be opened: virus infection, encryption, a damaged file header and similar conditions prevent a file from opening normally.
4. Scrambled data: under various influences, database records, text files and the like may become unrecognizable.
A Brief Introduction to How the System Works
1. The layout of hard disk data under DOS (and DOS-compatible systems)
The DOS disk system manages physical space through the concept of logical partitions, and different partitions can hold different operating systems.
Each FAT partition has its own boot record, FDT (directory table), FAT tables and so on. In addition, the disk has one most important master boot record at cylinder 0, head 0, sector 1. From here on, CYL denotes the cylinder, SIDE the head and SEC the sector.
The important parts, briefly:
The master boot record, also called the primary partition table or MBR: the MBR occupies one sector at CYL 0, SIDE 0, SEC 1 and consists of a code area and a data area. The code area is a standard program that carries out the work between the BIOS bootstrap and the OS boot, making the final preparations for starting the OS. The standard code area can be rebuilt with FDISK/MBR, but a non-standard MBR used for multi-boot will be destroyed by that operation. The data area of the MBR records the partition layout.
System sectors: CYL 0, SIDE 0, SEC 1 through CYL 0, SIDE 0, SEC 63, 62 sectors in all.
The boot sector, also called the BOOT area: CYL 0, SIDE 1, SEC 1, formerly called the DOS boot sector. It also occupies one sector.
Hidden sectors: CYL 0, SIDE 0, SEC 1; one sector for FAT16, 32 sectors for FAT32.
The file allocation table, or FAT, records which clusters each file occupies and how they are chained. There are normally two FAT tables, the second serving as a backup. The first FAT of FAT12 and FAT16 is usually at 0-1-2, that of FAT32 at 0-1-33. Because the FAT records the chain of sectors occupied by each file, the consequences of losing both FATs are dire. Since the length of the FAT depends on the size of the partition, the address of FAT2 has to be calculated.
The root directory area (ROOT, FDT): this records the directory entries of the root directory, and follows FAT2.
The data area: follows the ROOT area and holds the actual file contents.
In fact the MBR, hidden sectors and BOOT area are all fairly easy to rebuild. The key to data recovery is recovering the data files. Because the FAT records the chain of sectors each file occupies on the disk, if both FATs are completely destroyed then recovering files, especially files that span many sectors, becomes very difficult.
2. A brief description of the master boot record
The master boot record is the starting point of booting from the hard disk. Little needs to be said about the code area. In the data area, two markers matter most: 80H and 55AA. 80H normally sits at offset 1BE; 80 is the active-partition flag, meaning the partition is bootable, and the whole partition table may carry only one 80 flag. The other is the trailing 55AA signature, which marks the master boot record as valid. Each partition's own boot record also ends in 55AA, and that is the signature we use when searching for partitions. A complete partition table entry is given below for comparison.
In the data area, each partition is described by 10H bytes, so up to 4 partitions can be recorded, starting at 1BE, 1CE, 1DE and 1EE respectively. The meaning of each field of a partition table entry is given below; use it to analyze the following partition.
80 01 01 00 0B FE BF FC 3F 00-00 00 7E 86 BB 00
① Active flag: 80 means a bootable partition.
② Start of the partition: head 01, sector 01, cylinder 00. Because the starting sector number is 6 bits and the starting cylinder number is 10 bits, the high two bits of the sector byte are the high two bits of the cylinder number.
③ Partition system type: FAT32 (0B). 01 is FAT12, 04 is FAT16, 06 is BIGDOS, 07 is NTFS; for others see the partition type table.
④ End of the partition: head 254, sector 63, cylinder 764.
⑤ Relative sector number of the first sector: 63.
⑥ Total number of sectors: 12289622.
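The decoding described above, as an added example that is not part of the original article: it unpacks the six fields of the article's own entry (the 6-bit/10-bit CHS split included), cross-checks the CHS span against the LBA dwords assuming a 255-head, 63-sector geometry, and applies the two validity rules the article states for an MBR (55AA present, at most one 80 flag). Decoding the last dword gives 12289662, one digit different from the figure in the prose; the CHS cross-check agrees with the decoded value.

```python
import struct

# Offsets inside the 512-byte MBR, as the article gives them.
PART_TABLE_OFFSET = 0x1BE   # four 16-byte entries at 1BE, 1CE, 1DE, 1EE
ENTRY_SIZE = 0x10
SIGNATURE_OFFSET = 0x1FE    # trailing 55 AA
TYPE_OFFSET_IN_ENTRY = 4    # system type byte: sector offset 0x1C2 (0x4C2 when loaded at 0x300)

# The partition table entry from the article's worked example (constructed as bytes here).
EXAMPLE_ENTRY = bytes.fromhex("80 01 01 00 0B FE BF FC 3F 00 00 00 7E 86 BB 00")


def unpack_chs(head, sector_byte, cyl_low):
    """Decode a packed CHS triple: the sector number is the low 6 bits of the
    sector byte, and its top 2 bits are bits 8-9 of the 10-bit cylinder number."""
    sector = sector_byte & 0x3F
    cylinder = ((sector_byte & 0xC0) << 2) | cyl_low
    return cylinder, head, sector


def chs_to_lba(cyl, head, sector, heads=255, spt=63):
    """Classic CHS -> LBA conversion; 255 heads and 63 sectors per track are assumed."""
    return (cyl * heads + head) * spt + (sector - 1)


def parse_entry(entry):
    """Decode one 16-byte partition table entry into its six fields."""
    if len(entry) != ENTRY_SIZE:
        raise ValueError("a partition table entry is exactly 16 bytes")
    boot, s_head, s_sec, s_cyl, ptype, e_head, e_sec, e_cyl = entry[:8]
    lba_start, total = struct.unpack_from("<II", entry, 8)   # two little-endian dwords
    start = unpack_chs(s_head, s_sec, s_cyl)
    end = unpack_chs(e_head, e_sec, e_cyl)
    # Cross-check: the CHS range must describe the same sectors as the LBA fields.
    span = chs_to_lba(*end) - chs_to_lba(*start) + 1
    return {
        "active": boot == 0x80,
        "type": ptype,
        "start_chs": start,
        "end_chs": end,
        "lba_start": lba_start,
        "total_sectors": total,                  # 0x00BB867E = 12289662 for the example entry
        "chs_consistent": chs_to_lba(*start) == lba_start and span == total,
    }


def build_mbr(entries, code=b""):
    """Assemble a constructed 512-byte MBR: code area, up to four entries, 55 AA."""
    sector = bytearray(512)
    sector[:len(code)] = code
    for i, e in enumerate(entries[:4]):
        off = PART_TABLE_OFFSET + i * ENTRY_SIZE
        sector[off:off + ENTRY_SIZE] = e
    sector[SIGNATURE_OFFSET:] = b"\x55\xAA"
    return bytes(sector)


def check_mbr(sector):
    """Validity checks the article relies on: the 55AA signature must be present,
    every boot flag must be 00 or 80, and at most one entry may carry 80."""
    if len(sector) != 512:
        return ["MBR must be exactly 512 bytes"]
    problems = []
    if sector[SIGNATURE_OFFSET:] != b"\x55\xAA":
        problems.append("missing 55AA signature")
    flags = [sector[PART_TABLE_OFFSET + i * ENTRY_SIZE] for i in range(4)]
    for i, f in enumerate(flags):
        if f not in (0x00, 0x80):
            problems.append(f"entry {i}: boot flag {f:02X} is neither 00 nor 80")
    if flags.count(0x80) > 1:
        problems.append("more than one active (80) partition")
    return problems


if __name__ == "__main__":
    print(parse_entry(EXAMPLE_ENTRY))             # type 0x0B, start (0, 1, 1), end (764, 254, 63)
    print(check_mbr(build_mbr([EXAMPLE_ENTRY])))  # []
```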
Prerequisites for Recoverable Data
Data recovery, as a process of reproducing data, must answer two questions: where to recover from, and how to recover. Once both are answered, we essentially have data recovery in hand. This section discusses where to recover from.
1. An effective and timely backup is the most reliable source for data recovery: today, when many people advocate backing up down to the second, nobody is likely to doubt this. Some backup mechanisms are built into the system, such as the two FAT tables.
2. Judging the actual validity of the data is the key: for us, a disk that will not boot, a file that cannot be found or a file that cannot be opened are not the same thing as data loss. Often the loss is only logical; physically the data still exists, wholly or in part. The clearest example is file deletion: all that happens is that the first byte of the file entry is changed to 0E5, and the file body remains.
3. Analyzing the reversibility of the damage process: data can be changed in only two ways, replacement and transformation; the former is irreversible, the latter reversible. Take virus removal as an example: for most file viruses, namely those that infect by appending rather than by replacing code, the ideal disinfection is the exact inverse of the infection. The same analysis applies when important information has been hidden, relocated or encrypted, though the analysis is then more complex.
4. Whether the data is standard information: some information is universal or locally universal, and you need not consider how to rescue it from the machine itself; a copy of the same or a similar system version is enough. Examples are the BOOT sector, the hidden sectors, Windows DLL files and so on. A typical case is the code area of the partition table, which is a piece of standard code; in fact it lives inside your FDISK program, and you can extract it with DEBUG.
5. Whether the data can be regenerated from other information: some information is lost and has no backup, yet can be derived indirectly from other data. The most typical example is the partition information in the master partition table: even if you zero it you need not panic, because it can be recalculated from the partitions themselves.
6. How far the destruction got: in fact neither FDISK nor FORMAT destroys data completely; in general only a low-level format or a sector overwrite does. Sometimes, moreover, the destructive or mistaken operation fails to complete because it was interrupted by hand, the machine hung and so on. The clearest example is the CIH virus. CIH overwrites sectors in 1024-byte units, which is of course irreversible, so at first we all believed the damage was very hard to recover from unless the virus was stopped by hand. In practice, when the virus overwrites certain sectors it collides with the WIN9X system and the machine hangs, which protects the data.
Common Basic Operations
1. Reading the master boot record: this is one of the procedures most often involved in system-level data recovery.
Example:
DEBUG
-a100 ; start assembling here
126C:0100 MOV ax,201 ; read operation, one sector
126C:0103 mov bx,300 ; load into address 300
126c:0106 mov cx,1 ; cylinder 0, sector 1
126c:0109 mov dx,80 ; 80H is the hard disk, head 0
126c:010c int 13
126c:010e int 3
126c:010f
-g=100 ; run
AX=0050 BX=0300 CX=0001 DX=0080 SP=FFEE
BP=0000 SI=0000 DI=0000
DS=126C ES=126C SS=126C CS=126C IP=010E
NV UP EI PL NZ NA PO NC
This uses the I/O interrupt 13; the registers involved mean:
ah: the operation, 02H for read, 03H for write
al: the number of sectors
bx: the memory offset at which to place the sector
cx: the cylinder and sector to start from; we normally change cx to read or write a particular logical sector of a logical drive
dx: the drive number and head number
int 3 is the breakpoint interrupt, which stops the program at this point.
2. Displaying the contents of the boot sector: reading the sector into memory does not by itself let us see it; the D command in DEBUG conveniently displays memory contents.
Continuing the example, since the master boot sector has been loaded at 300,
-d300 l200 displays it; in the dump of a boot sector you can directly see the code area and data area described earlier.
3. Disassembling the master boot sector: to judge whether the code area of the MBR is normal. The basic state of the data area can be judged by inspection, but for boot-sector viruses, or when abnormal code appears in the boot sector, we may need to analyze the instructions in the MBR code area, which generally means disassembling the boot sector already read into memory. Disassembly uses the U command.
Continuing the example:
-u300 l15d ; disassemble the code area of the master boot sector
126C:0300 33C0 XOR AX,AX
126C:0302 8ED0 MOV SS,AX
...
126C:045C 65 DB 65
126C:045D 6D DB 6D
4. Writing memory: in our example the primary partition type is 0B, FAT32. Suppose the partition were actually NTFS; how do we change it? The primary partition type is at offset 4C3H, so we use the E command to write that memory location; the attached table gives NTFS as type 07, hence -e4c3 7
Suppose instead we want to zero an invalid partition table; then we use another command, F, which fills a range of memory. Zeroing the partition table is -f4be 4ff 00. The following two operations are also common:
Re-set the 80 flag: -e4be 80
Re-set the 55AA signature: -f4fe 4ff 55 aa
Do not forget that so far we have only changed the data in memory; nothing has been written to the hard disk. We therefore need int 13 to write the modified result back to the disk.
Continuing the example,
-a100
126c:0100 mov ax,301 ; write operation, one sector
-g=100 ; run
In effect we have modified the MBR-reading program entered earlier so that it becomes:
126C:0100 mov ax,301 ; write operation, one sector
126C:0103 mov bx,300 ; from memory address 300
126C:0106 mov cx,1 ; cylinder 0, sector 1
126C:0109 mov dx,80 ; 80H is the hard disk, head 0
126C:010C int 13
126C:010E int 3 ; breakpoint
5. Absolute disk reads and writes: such operations are common when repairing a FAT32 disk damaged by CIH. As we explain later, the basic recovery idea is to overwrite the first FAT with the second, which obviously requires reading the second FAT and writing it back over the first. Reading and writing many consecutive sectors is very convenient with DiskEdit; with DEBUG you have to write a small routine, the essential trick of which is to read with int 25 (absolute disk read) and write with int 26 (absolute disk write).
Recovery Examples
The recovery process should demonstrate a way of thinking rather than mere technique. It is not complex in itself and can generally be followed without assembly listings; but the recovery is not perfect, mistakes may be made along the way, and parts of it may even fail.
Recovering a hard disk damaged by CIH
State of the disk: CIH had triggered, blue screen and hang; repair with KV300 F10 failed, and the saved MBR was restored.
Repair tools: three floppies. DISK1, a WIN98 boot disk (with DEBUG); DISK2, DiskEdit and other tools; DISK3, a DOS tool for removing CIH.
Basic approach:
1. If FAT2 is intact, overwrite FAT1 with FAT2.
2. If FAT2 is also damaged, in general one can only hope to recover certain key files.
What we hope most is that these files are contiguous. If they are not, recovery is still not impossible, but it usually requires knowing some details of the files, including an understanding of their internal link structure. If FAT2 is not completely destroyed it is of some use. In general, on FAT16 disks the FAT tables sit near the front and are damaged more heavily; usually both FATs are destroyed, and even small disks are then hard to recover.
Repair process:
Power on, enter SETUP, detect the hard disk and write down the parameters: CYL 620 HEAD 128 PRECOMP 0 LANDZ 4959 SECTOR 63 MODE LBA.
Boot from the prepared floppy:
A:>C:
Invalid drive specification is displayed.
FDISK/MBR to rebuild the master boot record (force of habit), then reboot from the floppy (possibly unnecessary). Now the C: disk is visible. Start DiskEdit; during startup it displays Invalid media type reading DRIVER C. First use DEBUG to zero the partition table and set the 80 and 55AA flags. Reboot and run DiskEdit again; it shows READ ONLY, so clear the read-only option under TOOLS/CONFIGURATION, save, and now editing is possible.
Because several hard disks were connected at the time, I treated this one as having only a C partition and looked at nothing else. We hope FAT2 is intact so that FAT2 can overwrite FAT1; here DiskEdit is much easier than DEBUG. In FIND OBJECT choose FAT and check its starting sector: good, at CYL 0 SIDE 68 SEC 14, offset 0000H reads F8 FF FF 0F (FAT32), so FAT2 is intact. Without DiskEdit a small program can check the same thing: F8 FF FF at offset 0000.
Because I assumed there was only a C partition, I went straight to FIND and searched for IO SYS (six spaces between IO and SYS) to locate the ROOT area. Having found it, check whether the usual files in C:\ are present. Good, the ROOT area is intact. Note this sector's CYL 0, SIDE 68, SEC 14 for later.
FAT1 is usually destroyed at the front, but its rear part should still be there and can serve as a check. Being FAT32, FAT1 is normally at CYL 0 SIDE 1 SEC 33. With the ROOT location known, the length of the FAT can be computed: FAT2 ends at the sector before ROOT, so this is simple. Then overwrite FAT1 with FAT2, using either DEBUG or DiskEdit; with DEBUG one usually reads absolute sectors with INT 25 and writes them with INT 26, with DiskEdit it is simpler.
Next the master boot record, hidden sectors and BOOT sector can be restored. NDD can repair the partition table first; the rest can be done by the standard-copy method, and if you want NORTON UTILITIES to take over the next step, none of this is required. I took the corresponding parts from another FAT32 machine and wrote them in. At this point a D drive appeared. Have a look first. Power off, attach the disk to another machine, and scan C with NORTON UTILITIES 4: the files were basically recovered. Scan C for viruses: oddly, none was found, and two other antivirus products also found nothing. C now shows as 948M and there is a D drive, but it cannot be browsed under 95 and shows garbage under DOS. So repair D next: back to DOS, use DEBUG to search for sectors ending in 55AA, then decide whether each is an extended partition by whether a FAT follows it. From this the size can be computed and the master partition table corrected. Of course many tools do this job well; if you are not confident, let them do it. In fact I did it with RE, because doing it by hand really is too tedious.
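The FAT2-over-FAT1 repair described in the basic approach and the repair process, as an added example that is not part of the original article. It works on a constructed FAT32-like disk image rather than a real drive, assumes a 255-head, 63-sector geometry for the CHS arithmetic, derives the FAT length from the rule that FAT2 ends at the sector before ROOT, refuses to copy unless FAT2 starts with F8 FF FF 0F, and reports whether the undamaged rear of FAT1 still matches FAT2, the cross-check the article mentions.

```python
SECTOR = 512
FAT32_MEDIA_SIG = bytes.fromhex("F8 FF FF 0F")   # first FAT entry the article checks at offset 0000
HEADS, SPT = 255, 63                             # assumed geometry: 255 heads, 63 sectors per track


def chs_to_lba(cyl, head, sec):
    return (cyl * HEADS + head) * SPT + (sec - 1)


def fat_size_from_layout(fat1_lba, root_lba):
    """FAT2 ends at the sector before ROOT and is the same size as FAT1,
    so the FAT1..ROOT span must be a positive, even number of sectors."""
    span = root_lba - fat1_lba
    if span <= 0 or span % 2:
        raise ValueError(f"FAT1..ROOT span of {span} sectors cannot hold two equal FATs")
    return span // 2


def read_sectors(img, lba, count):
    return img[lba * SECTOR:(lba + count) * SECTOR]


def restore_fat1_from_fat2(img, fat1_lba, root_lba):
    """Return (repaired image, report). Refuses to copy unless FAT2 looks valid."""
    fat_size = fat_size_from_layout(fat1_lba, root_lba)
    fat2_lba = fat1_lba + fat_size
    fat1 = read_sectors(img, fat1_lba, fat_size)
    fat2 = read_sectors(img, fat2_lba, fat_size)
    if fat2[:4] != FAT32_MEDIA_SIG:
        raise ValueError("FAT2 does not start with F8 FF FF 0F; it is damaged too, not copying")
    # The article uses the intact rear of FAT1 as a check: it should equal the rear of FAT2.
    half = len(fat1) // 2
    report = {
        "fat_size": fat_size,
        "fat2_lba": fat2_lba,
        "fat1_damaged": fat1[:4] != FAT32_MEDIA_SIG,
        "tail_matches": fat1[half:] == fat2[half:],
    }
    repaired = bytearray(img)
    repaired[fat1_lba * SECTOR:(fat1_lba + fat_size) * SECTOR] = fat2
    return bytes(repaired), report


def build_damaged_image(fat_size=4):
    """Constructed image: FAT1 at CHS 0/1/33 as in the article, FAT2 directly after it,
    ROOT directly after FAT2, and the first 1024 bytes of FAT1 overwritten, mimicking
    the 1024-byte overwrite units the article attributes to CIH."""
    fat1_lba = chs_to_lba(0, 1, 33)              # 95
    root_lba = fat1_lba + 2 * fat_size           # 103 (constructed layout)
    fat = bytearray(fat_size * SECTOR)
    fat[:12] = FAT32_MEDIA_SIG + b"\xFF\xFF\xFF\x0F" + b"\xFF\xFF\xFF\x0F"  # media, EOC, root (cluster 2) EOC
    fat[12:20] = (4).to_bytes(4, "little") + b"\xFF\xFF\xFF\x0F"          # cluster 3 -> 4 -> EOC
    img = bytearray((root_lba + 1) * SECTOR)
    img[fat1_lba * SECTOR:(fat1_lba + fat_size) * SECTOR] = fat
    img[(fat1_lba + fat_size) * SECTOR:root_lba * SECTOR] = fat
    img[fat1_lba * SECTOR:fat1_lba * SECTOR + 1024] = b"\xCC" * 1024        # constructed damage to FAT1
    return bytes(img), fat1_lba, root_lba


if __name__ == "__main__":
    image, fat1, root = build_damaged_image()
    fixed, info = restore_fat1_from_fat2(image, fat1, root)
    print(info)   # {'fat_size': 4, 'fat2_lba': 99, 'fat1_damaged': True, 'tail_matches': True}
```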