
Black Art Of Data Recovery: BIOS - MBR - Part Two

June 22, 2007

Let’s take a look at some of the boot code of a pretty standard MBR. The first thing we want to do is a little housekeeping; then we relocate the code the BIOS loaded at 0000:7C00 (the copy starts at 0000:7C1B, just past the housekeeping code) to 0000:061B. How the BIOS gets the MBR into memory in the first place is spelled out in the first part, The Black Art Of Data Recovery: BIOS, MBR, Virus.

MOV  SI,07C1B   ;set SI (source index) to 7C1B
MOV  DI,0061B   ;set DI (destination index) to 061B
PUSH AX         ;push AX (zero after the housekeeping) as the segment for RETF
PUSH DI         ;push DI as the offset for RETF, 061B
MOV  CX,01E5    ;1E5h bytes to copy
REP  MOVSB      ;copy the MBR
RETF            ;pop 0000:061B off the stack and jump to the relocated MBR


Once we have the bootstrap code relocated we begin to scan the partition table for a bootable partition. The following figure is one record entry in a partition table. There can be a total of four entries in a partition table.

Partition Record Layout

Offset  Size   Description
00h     Byte   Boot flag: 80h if the partition is bootable, otherwise 00h
01h     Byte   Starting head (0 to 254)
02h     Word   Starting cylinder (0 to 1023) and sector (1 to 63)
04h     Byte   Partition type (07h NTFS, 06h FAT16, 0Ch FAT32)
05h     Byte   Ending head (0 to 254)
06h     Word   Ending cylinder (0 to 1023) and sector (1 to 63)
08h     Dword  Relative sectors to the start of the partition
0Ch     Dword  Total number of sectors in the partition

Once a bootable partition is found, the boot sector pointed to by the relative sectors field of the partition record is read into memory location 0000:7C00, a RETF is executed, and the boot code for the operating system takes over. This type of boot system is called two phase because the MBR does not load the operating system; it only loads a loader. In other words, the MBR is a preloader for the OS boot loader.

During the boot process and the parsing of the partition records many things can go wrong. If no boot flag is set, the system may just hang with a blinking cursor in the upper left hand corner. You may get the message “Invalid partition table” if a boot flag holds a value other than 00h or 80h. You may also get the message “Missing operating system” if the AA55 magic number is not present in the OS boot loader. These errors can be fixed by hand. The following is a step by step approach to fixing the boot flag, as well as the OS magic number.

Repairing Boot Flag with WinHex

Each technician has his own set of tools that he relies on. In my case many of my tools are custom written since I am a software engineer. However, there are some tools that are just so good they cannot be improved upon. WinHex from X-Ways Software is such a tool. It has two attributes that are essential to a technician: one, it is extremely flexible, and two, it is very reliable. So, that being said, fire up your copy of WinHex (and if you don’t have a copy, download one) and let the boot flag repairing begin. First of all, as depicted in Figure A, the boot flag of the first partition record is located at offset 446, or 1BEh. In this particular case the boot flag is set to 80h, which is bit seven set. This is a normal partition record in a single partitioned hard drive.

Figure A

master boot record

In Figure B we can see what a multi partitioned drive looks like:

Figure B

mbr table

Finally, in Figure C we can see what a bad boot flag value looks like. The bad boot flag value in Figure C is the value 65h. In order to fix this problem merely change the value to either 80h if you want it bootable, or 00h if you just want it mounted.

Figure C

master boot table record
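As an added example (not code from the post or from any DTI tool), the following Python decodes the partition record layout above, walks the four records the way the MBR boot code does to report which of the failures described above would occur, and sets a boot flag at offset 1BEh back to 80h or 00h. The disk image is constructed inline, and the return strings are labels chosen here; only “Invalid partition table”, “Missing operating system” and “Boot Failure: System Halted” are the messages quoted in the posts.

```python
import struct

SECTOR = 512
PT_OFFSET = 0x1BE          # 446: first of the four 16-byte partition records
SIGNATURE = b"\x55\xAA"    # bytes 510 and 511 of a valid boot sector

def parse_record(rec):
    """Decode one 16-byte partition record into the fields of the layout above."""
    flag, s_head, s_cs, ptype, e_head, e_cs, rel, total = struct.unpack("<BBHBBHII", rec)
    def chs(head, word):  # sector in low 6 bits; cylinder high bits in 6-7, low 8 bits in next byte
        return ((word & 0xC0) << 2) | (word >> 8), head, word & 0x3F
    return {"boot_flag": flag, "type": ptype, "start_chs": chs(s_head, s_cs),
            "end_chs": chs(e_head, e_cs), "rel_sectors": rel, "total_sectors": total}

def diagnose(disk):
    """Walk the table the way the MBR boot code does and name the outcome the post describes."""
    mbr = disk[:SECTOR]
    if mbr[510:512] != SIGNATURE:
        return "Boot Failure: System Halted"       # BIOS rejects the MBR itself
    bootable = None
    for i in range(4):
        rec = parse_record(mbr[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)])
        if rec["boot_flag"] not in (0x00, 0x80):
            return "Invalid partition table"          # e.g. the 65h flag in Figure C
        if rec["boot_flag"] == 0x80 and bootable is None:
            bootable = rec
    if bootable is None:
        return "hang: no boot flag set"
    lba = bootable["rel_sectors"]
    vbr = disk[lba * SECTOR:(lba + 1) * SECTOR]   # OS boot sector that would go to 0000:7C00
    if vbr[510:512] != SIGNATURE:
        return "Missing operating system"
    return "boot partition type %02Xh at LBA %d" % (bootable["type"], lba)

def set_boot_flag(mbr, index, value):
    """Return a copy of the MBR with record `index` flagged 80h (bootable) or 00h (mount only)."""
    if value not in (0x00, 0x80) or not 0 <= index < 4:
        raise ValueError("value must be 00h or 80h and index 0-3")
    out = bytearray(mbr)
    out[PT_OFFSET + 16 * index] = value
    return bytes(out)

def make_disk(boot_flag, vbr_signature=SIGNATURE):
    """Constructed sample image: MBR, 62 empty sectors, then an NTFS-type boot sector at LBA 63."""
    rec = struct.pack("<BBHBBHII", boot_flag, 1, 1, 0x07, 254, 0xFFFF, 63, 2048)
    mbr = bytearray(PT_OFFSET) + rec + bytearray(510 - PT_OFFSET - 16) + SIGNATURE
    vbr = bytearray(SECTOR - 2) + vbr_signature
    return bytes(mbr) + bytes(62 * SECTOR) + bytes(vbr)
```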

As you can see, the hard part is knowing where the boot flags are, and then knowing which values you can place in them in order to mount the volume. I have given you both. Learn more about data recovery.


The Black Art of Data Recovery: BIOS, MBR, VIRUS

June 13, 2007

Virus programmers, although destructive, were at one time some of the most innovative programmers in the industry. They exploited the very core of an operating system, and could do magic with the BIOS and MBR. The virus writer of the present is just some hack script writer who has no understanding of the true nature of the relationship between the BIOS and the MBR. These words try to shed some light on the boot up sequence, and the susceptibility we all share.

Over the years many things in the world of computers have changed. We have gone from the command line, to GEM, to a windowed GUI type of operating system. A stick of memory used to be one hundred dollars for 1 MB; now it’s seventy five dollars for 1024 MB. A forty megabyte hard drive was $1000.00. Now you can get 750 gigabytes worth of hard drive for two hundred and fifty dollars. We have gone from 8 bit (XT), to 16 bit (286), to 32 bit (386), and finally to 64 bit (EMT 64) central processing units.

With all of this obviously monumental progress, one of the most important functions of the computer has never changed. The boot sequence. Oh yes, it may have been enhanced, there may have been little items added here and there, but the focal point of the boot up process has never changed. Let’s take a quick look at the steps in booting a PC.

When you switch on your PC the BIOS immediately takes over. In its process it does what is called a POST (Power On Self Test). The POST is a set of diagnostics that will test the hardware of your computer. Examples would be memory, bus, CPU, ports, PCI bridge, and the like. Through the use of checksums and data echoing the POST can tell if something is amiss in your hardware. If the POST finds something wrong, and considers it a fatal error, the boot process will be halted, and a series of beeps may be given. These beeps, depending upon the BIOS developer, will guide you in diagnosing your fatal error. The beeps are used because many times an error in the hardware will make it so the video cannot be used. The POST is much more comprehensive than is being presented here; however, this set of articles is about data recovery and not how to diagnose your POST process.

Master Boot Record

The BIOS has found a HDD that is in the list of bootable devices. The BIOS will then load the first sector of that HDD into memory. Just as a point of reference, a sector is defined as 512 bytes of data. So, once again, the sector is loaded into memory. You may ask yourself, “Self, where exactly in memory does the BIOS load the MBR?”. An excellent question! From nearly the beginning of the PC industry, from the dawn of the BIOS, it has been scribed by the ancients that the MBR will be loaded into memory location 0000:7C00. (Drum roll, cut to Yul Brynner laughing maniacally shouting “So let it be written, so let it be done!”. He was a good Ramses but Charlton Heston was a great Moses!)


In addition, there are some BIOSes that will perform a small test on the MBR to see if it is valid. The test is to make sure there is a 0x55 and a 0xAA in bytes 510 and 511 respectively. If those bytes are not present, some BIOSes will stop the boot process for that HDD and continue on to an alternative device. If all devices fail, then an appropriate error message will be displayed.

“Boot Failure: System Halted” is the choice of Award BIOS. If, however, the MBR is loaded and passes all of the BIOS testing, INT 19h is called and a jump to memory location 0000:7C00 is performed. There, control of the entire PC is passed to the MBR. Awesome!

The Black Art Of Data Recovery

May 25, 2007

Over the next several weeks we are going to take an in depth look at how data recovery in all of its phases is applied to the Microsoft NTFS file system. You may consider this a class in the data recovery of an NTFS file system as well as a mini course in hard drive design repair.

The knowledge that I will impart over the next several weeks is not for the faint of heart. Although I will use plain language, as well as diagrams where needed, the application of the information is meant for technicians and software engineers. However, everyone I am sure will come away with a better understanding of the NTFS file system.

The following are the topics that will be covered on a week by week basis. Hopefully, I will be able to maintain the weekly schedule, however if life and my work get in the way, some weeks I may have to skip until the following week.

Week 1:

Boot Up Sequence: This will include how the BIOS determines a boot device. Once a boot device is determined how the BIOS hands over the boot sequence to the Master Boot Record. The layout of the Master Boot Record and how the boot code determines the boot partition. What can go wrong during the boot sequence and some ways you can fix those problems.

Week 2:

Continuing the Boot Sequence: This will cover how the Master Boot Record hands over the booting of the operating system to the OS Boot Record. This will include the layout of the BIOS Parameter Block, and how its data elements relate to data storage. A brief explanation of the NTLDR. I will also cover the problems that can arise during the OS boot and how you can possibly repair the problem.

Week 3:

Data Storage Part I: Understanding how data is stored is critical if you want to have even a remote chance of file recovery. Discussion on clusters, why they are used, how they are allocated. How the operating system stores the data on the physical media. Logical and physical sector addressing arithmetic will be explained. Fragmentation, the enemy of data recovery will also be explored.

Week 4:

Data Storage Part II: Once we have covered how the data is stored, we will need to then understand how NTFS handles keeping track of file and folder placement. The Master File Table will be discussed in great detail. Where it is placed, many of the components of the record will be discussed and how they relate to what we see translated into the file explorer.

Week 5:

Data Storage Part III: This week will be totally dedicated to run lists. This component is the key to breaking down how the clusters are stored. The method that Microsoft uses to track clusters is very complicated so I want to give this subject a full week.

Week 6:

Data Storage Part IV: Now that we have all of the theory of the MFT, this week we will cover how to recover data using a damaged MFT.

Week 7:

Hard drive theory: This will be a brief overview of hard drive design from a data recovery specialist’s point of view. Sector mapping, system area design. Permanent Defect tables. Growing Defect tables. Bad sectors, and how that relates to performance. How the operating system reacts to a bad sector. S.M.A.R.T early warning technology.

Week 8:

JPEG File recovery: The JFIF file format and how that relates to raw data recovery. Data mining, file carving and techniques used to extract data from a totally destroyed file system.

Week 9:

MP3 File recovery: The MPEG III file format will be covered and how that relates to file recovery. How data mining and file carving techniques may be used to recover the file. The ID3 data tag format and how that can be used to recover a more complete MP3 file.

Week 10:

Scenario: Hard drive has been fdisked, how do I recover?

Week 11:

Scenario: Hard drive has been formatted, how do I recover?

Week 12:

Scenario: Files have been deleted, how do I recover?

Week 13:

Scenario: I used the restore function from the manufacturer, how do I recover?

Week 14:

Scenario: Multiple partitioned drive made into single partition, how do I recover second partition?

Week 15:

Scenario: USB hard drive cannot be addressed, how do I recover?

Week 16:

Scenario: I lost all of my Canon CR2 Raw format pictures, how do I Recover from the flash chip?

Week 17:

Scenario: Hard Drive has reached maximum capacity and file system as well as the operating system have become inoperable. How do I recover?

Week 18:

Scenario: Malware virus attack on the Master Boot Record, or the operating system boot record. How do I get my operating system online?

Week 19:

Scenario: Drive has been formatted, and the operating system reloaded. How do I recover data from the drive?

Week 20:

Scenario: Deleted email from my Outlook Express mail handler. How do I recover the deleted emails?

Week 21:

Scenario: Outlook PST file has exceeded the two gigabyte limit. How do I recover my email file without damaging all of my data?

Week 22:

Scenario: Reloaded Windows over the top of an existing Windows setup and lost access to my Documents and Settings folder. How do I gain access to the folder?

Week 23:

Scenario: Hard drive has exhibited symptoms of possible bad sectors. How do I safely recover my data without compromising the physical attributes of the hard drive?

Week 24:

The future of data storage and what is needed in order to safeguard the data on your system. I am going to cover a great deal of material in the next six months. As I reveal each secret, hopefully that information will help you recover and safeguard your data. If you have any questions please feel free to call or drop me an email.

Dick Correa
dickc AT dtidata.com
(727)345-9665 Ext 203
