A common hard drive fault that I think most of us have run into at one time or another is: “You Need to Format the Disk in Drive:”. This problem seems to be even more prevalent with the popularity of portable external hard drives like the Seagate GoFlex or the Western Digital My Passport. I attribute the problem to not safely removing the USB drive from the operating system before unplugging the drive. The reason this causes a problem is that Windows is always caching temporary files needed for operation to the hard drive. When you just pull the USB cord on these drives, that data has nowhere to go and inevitably gets written somewhere inconvenient.
Do not click the format button; this will only make recovery more difficult. In most cases this problem is caused by a corrupt or missing boot sector (OS Boot Record). On other occasions the boot sector has been modified or messed with in some way by a virus. This particular kind of virus is actually called a “boot sector virus”. One other major way the “format” hard drive problem can occur is that, for some reason, the wrong logic (math) for the partition size (logical drive) has been written to the partition sector (MBR or Master Boot Record). Because so many things can cause this problem, I am going to show you the steps to figure out which one it is. If you feel your technical prowess is just not suited for this kind of thing, I would recommend downloading the Recover It All Software, moving the data off, and reformatting the hard drive for use after running the Windows Surface Scanner.
On the other hand, if you are feeling up to the task, then here we go.
First, let’s get ourselves a hex editor in order to look at the drive’s 0s and 1s. I prefer WinHex, so that is what I will use for this article. (Note: If you own a different hexadecimal editor please feel free to use that. WinHex is free to use for most of the features I am showing you right now.)
Here you will notice I am at sector 0 of the affected drive. Sector 0 has many names: Master Boot Record, MBR, Partition Sector, or just simply Sector 0 (here I will refer to it as the MBR). Take a look to the right and you will see that I have highlighted the ASCII of the sector. We are only viewing one sector. To me, at first glance, everything in the ASCII looks copacetic. A few different things tell me this; first and foremost is just experience. The good news, though, is that even a novice to this kind of low-level recovery can look for a key pointer that should be present no matter what.
I want you to take a look at the MBR text; you will see that it really isn’t all foreign-looking characters. In there you should be able to identify actual words and sometimes even a sentence. In the case of the MBR you are looking for the phrase “Invalid partition table. Error loading operating system. Missing operating system.” This is a telltale sign you are in the right place and the MBR is in good shape. The next thing we want to look at is the last entry in the sector. The actual hex should read 55 AA, and in text it looks like a capital “U” and lower case “a”. (Note: If the MBR is blank then we have a different problem altogether; please refer to my post on hard drives that are not showing up.) If both of these look good, the next thing we are going to want to do is apply an MBR template to the sector. What this does is convert the sector data into something we humans can read and understand.
You will want to select the Master Boot Record template; in a different hex editor, I am not sure they will call it a template.
Once you have the template applied you can then find out the partition type. This is going to be how the drive was formatted. This is a great place to find a list of all of the partition types. The most common ones for standard computer users to worry about will be:
| Partition ID (Hex) | Partition Type |
|---|---|
| DE | Dell Diagnostic Partition |
| EE | Microsoft EFI Partition |
| AB | Apple Boot Partition |
| AF | Apple HFS and HFS+ |
Once you have noted the partition type, take a look at the “sectors preceding partition” value. (Note: In most cases this number should be 63 or 2048, but not always.) Now that you know the partition type as well as the partition offset, you can close the template. The next thing you want to do is navigate to the offset. For this article mine was 2048, because I partitioned and formatted the drive in Windows 7.
As you can see, there is nothing but zeros where the MBR said the boot sector (OS Boot Record) should be. Usually this is something that would be caused almost exclusively by some kind of virus. The virus payload will whack the entire first sector of the boot record, rendering the drive unmountable. To make sure that this is indeed the right place for the boot sector, we have a few things we can check. First, let’s try paging down; you should see the rest of the boot record.
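What the Master Boot Record template decodes, as an added example that is not part of the original article: a Python sketch that checks the 55 AA signature and reads each partition entry's type, sectors preceding partition, and total sectors. The function names and the sample sector are constructed for illustration; 07 is the partition ID used for NTFS.

```python
import struct

SECTOR = 512

def parse_mbr(sector0):
    """Decode the primary partition entries of an MBR, as a hex editor's
    MBR template does. Raises ValueError if the sector fails the 55 AA check."""
    if len(sector0) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 does not end in 55 AA")
    parts = []
    for slot in range(4):
        entry = sector0[446 + 16 * slot:462 + 16 * slot]
        # boot flag, CHS start (skipped), type, CHS end (skipped), LBA start, count
        boot, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue  # unused slot
        parts.append({"slot": slot, "bootable": boot == 0x80,
                      "type": f"{ptype:02X}",
                      "sectors_preceding": lba_start,
                      "total_sectors": count})
    return parts

def has_boot_messages(sector0):
    """True if the usual MBR error text is present in the boot code area."""
    return b"Missing operating system" in sector0[:446]

def build_sample_mbr():
    """Constructed sample: one NTFS (type 07) partition starting at sector 2048."""
    mbr = bytearray(SECTOR)
    text = (b"Invalid partition table\x00Error loading operating system\x00"
            b"Missing operating system\x00")
    mbr[300:300 + len(text)] = text
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                               b"\xfe\xff\xff", 2048, 488392704)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

if __name__ == "__main__":
    sample = build_sample_mbr()
    print(has_boot_messages(sample), parse_mbr(sample))
```

To run it against a real drive, read the first 512 bytes of the device or of a disk image opened read-only and pass them to `parse_mbr`.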
As you can see from the screen grab there is a ton of information. If this is an NTFS drive there should be a reference to NTLDR. If you continue to page down and count you should see data for an additional 8 sectors including sector 2. If you see nothing as you page down then we are going to need to check one more place to make sure we are getting the right offset from the MBR.
Pull your scroll bar all the way to the end of the drive, so you are at the last sector. Now go ahead and open the find or search function.
In the text string area, type NTFS in all caps (if this is a FAT32 drive then type MSDOS), and be sure to check the box for “Match Case”. Select to search up and check the conditional: offset mod. In the boxes you want 512=3; this means that it will only look 3 bits into each sector for the text string you type in. This is extremely useful, as all boot sectors must follow a certain standard in order for a machine to boot, so the information that identifies what kind of boot sector it is will be in the same place no matter what flavor of file system is being used.
Go ahead and begin the search, which should end very quickly. If the backup boot sector is not found right away then this is a more serious problem, and I recommend calling me at the office for possible remote support. Not having any sort of jump-off point for the creation of a new boot sector can be very difficult to work around and requires a certain level of educated guessing.
Now that we are at a boot sector, let’s test and see if the sector information looks good. You can go in and apply the template for NTFS or FAT32, depending on which kind of boot sector you have found.
Now that we have the template up we can read the boot sector information. Note the “hidden sectors”; that number should match the “sectors preceding partition” from the MBR. (Note: if these numbers do not match then again this makes the fix more difficult and you should call the office for help.) Next, let’s have a look at the total sectors. Take the total millions, in this case 488, and halve it. This will give you a rough estimate of the partition size, so about 240 GB, which for me would be correct. This number should also match the total sectors from the MBR less 1. The reason it is one less is that the boot sector does not count itself but the MBR counts everything. Doing this little step helps to check we are heading in the right direction; if that number does not come close to the drive size then it could be we are not seeing the right boot sector. As for the last 3 numbers, these are going to be used to figure out the start location of the Master File Table (MFT) and the Master File Table Mirror (MFTMirr).
Here is the equation we will use:
START C# $MFT x SECTORS PER CLUSTER + HIDDEN SECTORS = SECTOR FOR START OF MFT
For the start of the mirror it is the same math except use the start c# $mftmirr.
Here is the math:
786432 x 8 + 2048 = 6293504
6293504 is the next sector we are going to want to go to in order to make sure that the only problem with the drive is a corrupt OS boot record.
Before we move to that sector, let’s try and save some time by saving out this sector so we will not have to come back in the event it is what we were looking for. Now go ahead and go to the sector you got from the math above.
This is what the first record of the master file table looks like. It is a must that you see FILE0 in the upper left, and somewhere in the sector should be $MFT. If both of these items are not here, try to page up or page down a few sectors to see if your math might have been off, and also recheck your math. If you still cannot find the master file table then I would recommend giving me a call at 727.345.9665 so I can either remote into the machine and try to help or at least try to walk you through something that may help.
Next thing you are going to want to do is figure out where the mirror is, so here is that math for me:
2 x 8 + 2048 = 2064
Let’s go to sector 2064 and check that the mirror is intact.
If they match then it is finally time to try and fix the drive. Go back to where the boot sector should be and paste the backup boot sector there. Make sure you have your cursor set at the very beginning; you do not want to write into the next sector by accident. Once the boot sector is written to the drive you can close your hex editor and go in to Windows Disk Management (right-click on Computer and go to Manage, then click Disk Management). You should be able to refresh the drives, and the affected drive should appear with a drive letter and may even autoplay!
I hope this article has helped! And of course, if you have any questions please call me; I would love to be able to help with your problem.
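The read-only checks that come before the paste, from the backup boot sector search through the MFT and mirror lookup, as an added Python example that is not part of the original article. The function names and the small 320-sector image are constructed for illustration, and the search matches the string at byte offset 3 of each 512-byte sector.

```python
import struct

SECTOR = 512

def find_backup_boot_sector(img, oem=b"NTFS"):
    """Search upward from the last sector for `oem` at byte offset 3 of a
    sector (the 'offset mod 512 = 3' condition). Returns a sector or None."""
    for s in range(len(img) // SECTOR - 1, -1, -1):
        sec = img[s * SECTOR:(s + 1) * SECTOR]
        if sec[3:3 + len(oem)] == oem and sec[510:512] == b"\x55\xaa":
            return s
    return None

def parse_ntfs_boot(sec):
    """Read the NTFS boot sector fields used in the checks (fixed offsets)."""
    spc = sec[0x0D]                                   # sectors per cluster
    (hidden,) = struct.unpack_from("<I", sec, 0x1C)   # hidden sectors
    total, mft_c, mirr_c = struct.unpack_from("<QQQ", sec, 0x28)
    return {"hidden": hidden, "total": total,   # sector = start C# x SPC + hidden
            "mft_sector": mft_c * spc + hidden, "mirr_sector": mirr_c * spc + hidden}

def check_before_restore(img, mbr_start, mbr_count):
    """Read-only checks to pass before the backup is copied over the primary."""
    backup = find_backup_boot_sector(img)
    if backup is None:
        return None
    bs = parse_ntfs_boot(img[backup * SECTOR:(backup + 1) * SECTOR])
    sig = lambda s: img[s * SECTOR:s * SECTOR + 4]
    return {"backup_sector": backup,
            "primary_blank": not any(img[mbr_start * SECTOR:(mbr_start + 1) * SECTOR]),
            "hidden_matches_mbr": bs["hidden"] == mbr_start,
            "total_matches_mbr": bs["total"] == mbr_count - 1,
            "mft_sector": bs["mft_sector"], "mft_ok": sig(bs["mft_sector"]) == b"FILE",
            "mirr_sector": bs["mirr_sector"], "mirr_ok": sig(bs["mirr_sector"]) == b"FILE"}

def build_sample_image():
    """Constructed sample: partition at sector 64, primary wiped, backup at 319."""
    img, bs = bytearray(320 * SECTOR), bytearray(SECTOR)
    bs[0:11] = b"\xeb\x52\x90NTFS    "
    struct.pack_into("<HB", bs, 0x0B, 512, 8)       # bytes/sector, sectors/cluster
    struct.pack_into("<I", bs, 0x1C, 64)            # hidden sectors
    struct.pack_into("<QQQ", bs, 0x28, 255, 4, 2)   # total, $MFT C#, $MFTMirr C#
    bs[510:512] = b"\x55\xaa"
    img[319 * SECTOR:320 * SECTOR] = bs
    for sector in (4 * 8 + 64, 2 * 8 + 64):         # $MFT at 96, $MFTMirr at 80
        img[sector * SECTOR:sector * SECTOR + 5] = b"FILE0"
    return bytes(img)

if __name__ == "__main__":
    print(check_before_restore(build_sample_image(), 64, 256))
```

Every flag in the returned dictionary should be true before the backup sector is copied over the primary; a `None` result means no backup boot sector was found.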